lobigrade.blogg.se

Splunk inputs.conf

For the IAM user to get the Config snapshots: GetUser. For the Config snapshots: DeliverConfigSnapshot. For the SQS subscribed to the SNS Topic that collects Config notifications:


For the S3 bucket that collects your Config logs:

Set the following permissions in your AWS configuration: Grant IAM permissions to access the S3 bucket and SQS to the AWS account that the add-on uses to connect to your AWS environment.

Configure AWS permissions for the Config input.

Subscribe the SQS exclusively to the SNS Topic that you created. If you used the AWS console, the Resource Lookup page displays. Verify that you completed the setup process.


  • Specify a new S3 bucket to save the data and an SNS Topic to which Splunk software streams Config notifications.
  • Configure AWS Config to produce SNS notifications, and then create the SQS that the add-on can access. The Splunk Add-on for AWS collects events from a SQS that subscribes to the Simple Notification Service (SNS) notification events from AWS Config.
  • Disable or delete testing configurations before releasing your configuration in production.

Configure AWS services for the Config input.

  • Multiple enabled modular inputs can cause conflicts when trying to delete SQS messages or S3 records that another modular input is attempting to access and parse.
  • Configure a single enabled Config modular input for each unique SQS.

    See for a full list of supported regions. This data source is available only in a subset of AWS regions, which does not include China.

  • Configure an AWS Config input for the Splunk Add-on for Amazon Web Services on your data collection node through Splunk Web.
  • Configure Simple Queue Service (SQS)-based S3 inputs to collect AWS data.
  • Configure Config inputs either through Splunk Web or configuration files.
  • See Configure AWS permissions for all Splunk Add-on for AWS inputs at once. You can skip this step and configure AWS permissions at once, if you prefer.
  • Configure AWS permissions for the Config input.
  • Configure AWS services for the Config input.
  • See Manage accounts for the Splunk Add-on for AWS.
  • You must manage accounts for the add-on as a prerequisite.

Splunk uses a certain number of characters (as defined by initCrcLength, default being 256) to identify a file that it has already read. It uses those characters to calculate a CRC hash. It stores this, along with how far it has read into the file, in the fishbucket ($SPLUNK_DB/fishbucket). There are a couple of ways to change the CRC so that Splunk no longer recognizes the file, forcing it to reread it. One is changing the top of the file within the first initCrcLength bytes so a new CRC is calculated, another is using btprobe to reset the file, and the third is to salt the CRC.

crcSalt is a string that's added to the first initCrcLength bytes of the file to change the CRC, which forces an entire monitor statement to reingest the data associated with all of that input statement's monitored files (so be careful with it!). You can also use crcSalt = to salt the CRC with the file name. This is good for something like IIS logs that have large headers, but different file names for each new log. It saves you from using a really large initCrcLength (a performance hit), and you don't get stuck with unread files due to similar CRCs.

Configure Config inputs for the Splunk Add-on for AWS

Complete the steps to configure Config inputs for the Splunk Add-on for Amazon Web Services (AWS):