Configure AWS data collection for Splunk App for Infrastructure
Admin privileges are required to configure data collection.
To collect data and monitor your AWS accounts, add your AWS account information to the Splunk App for Infrastructure (SAI) and collect data from your entities such as EC2, EBS, ELB, and CloudWatch logs. For more information about these AWS metrics, see:
- Monitoring Your Instances Using CloudWatch on the Amazon website
- Monitoring the Status of Your Volumes on the Amazon website
- CloudWatch Metrics for Your Classic Load Balancer on the Amazon website
- List the available CloudWatch metrics for your instances on the Amazon website
After you add AWS data and validate new entities are connected, start monitoring your infrastructure from the Investigate tab of SAI. You can group your entities to monitor them more easily, and drill down into the Analysis Workspace to further analyze your infrastructure.
Prerequisites
- AWS Add-on version 5.0.0. For more information, see Splunk Add-on requirements.
- If configuring on an on-premises instance, you need your AWS account Name, Key ID, and Secret Key.
- If configuring on an AWS EC2 instance, you need to configure an IAM role for AWS data collection.
If you plan to collect AWS data, install these apps and add-ons on a heavy forwarder:
Steps
Step 1: Connect to your AWS account
For on-premises instances:
- In the SAI user interface, click the Add Data tab.
- In the left panel click AWS.
- Enter a Name to identify an AWS account.
- Enter the account's Key ID and Secret Key, and select a Region Category.
- Click Add AWS account.
For AWS EC2 instances:
- In the SAI user interface, click the Add Data tab.
- In the left panel click AWS.
- Attach IAM role. Click the instructions link for directions for how to attach an IAM role needed for AWS data collection, or see Configure Identity and Access Management (IAM) permissions for AWS data collection. There can be only one IAM role attached to an instance, and the user interface updates when the IAM role is detected.
- Click Verify IAM role attachment. A green checkmark and the detected IAM role display.
Step 2: Collect data from AWS
- Select the AWS Entity Types you want to collect data from.
- Select the AWS Regions that apply.
- If you want to collect data from CloudWatch Logs, select Yes and click Add AWS data source. When setting up the CloudWatch Logs agent configuration in AWS, set the log stream name (log_stream_name) to a unique name (instance_id) for each log group within the configuration file. This defines the log stream's identity so that logs can be correlated to individual instances and metric data. For example:
    [/var/log/messages]
    file = /var/log/messages
    log_group_name = /var/log/messages
    log_stream_name = {instance_id}
  Select the region and enter the log file name. Click Add to add more log files.
- Click Update AWS data source.
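A check for the log_stream_name guidance in Step 2, as an added example that is not part of the Splunk documentation: it parses a CloudWatch Logs agent configuration and reports log sections whose stream name would not identify the instance. The sample configuration is constructed, the function name is hypothetical, and the check assumes any log_stream_name without {instance_id} should be flagged.

```python
import configparser

REQUIRED_KEYS = ("file", "log_group_name", "log_stream_name")

# Constructed sample agent configuration (not taken from a real host).
SAMPLE_CONF = """\
[general]
state_file = /var/awslogs/state/agent-state

[/var/log/messages]
file = /var/log/messages
log_group_name = /var/log/messages
log_stream_name = {instance_id}

[/var/log/secure]
file = /var/log/secure
log_group_name = /var/log/secure
log_stream_name = secure-logs

[/var/log/audit]
file = /var/log/audit/audit.log
log_group_name = /var/log/audit
"""

def check_awslogs_conf(text):
    """Return {section: [problems]} for log sections that break the guidance."""
    # interpolation=None keeps '{instance_id}' and any '%' characters literal.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__none__")
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        if section == "general":  # agent-wide settings, not a log stream
            continue
        problems = [f"missing {key}" for key in REQUIRED_KEYS
                    if not parser.has_option(section, key)]
        stream = parser.get(section, "log_stream_name", fallback=None)
        # Assumption: a fixed stream name merges every instance's logs into
        # one stream, so they cannot be correlated to a single entity.
        if stream is not None and "{instance_id}" not in stream:
            problems.append(
                f"log_stream_name '{stream}' is not unique per instance")
        if problems:
            findings[section] = problems
    return findings

if __name__ == "__main__":
    for section, problems in check_awslogs_conf(SAMPLE_CONF).items():
        print(section, "->", "; ".join(problems))
```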
Step 3: Once your AWS account is added, verify your data connection
- When a connection is made to your AWS account(s), connected entities display.
- If no new entities are connected after a few minutes, click Refresh.
- When new entities are connected, click Take a look now to view your host.
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only, 2.2.0 Cloud only, 2.2.1, 2.2.3 Cloud only, 2.2.4, 2.2.5