Splunk® Supported Add-ons

Splunk Add-on for AWS

Configure Config Rules inputs for the Splunk Add-on for AWS

Configure Config Rules inputs to collect Config Rules data (source type: aws:config:rule).

Configure a Config Rules input for the Splunk Add-on for AWS on your data collection node through Splunk Web (recommended), or in local/aws_config_rule_tasks.conf.

Choose a configuration option:

Configure a Config Rules input using Splunk Web

To configure inputs using Splunk Web, click Splunk Add-on for AWS in the left navigation bar on Splunk Web home, then click Create New Input > Config Rules. Fill out the fields as described in the table:

| Argument in configuration file | Field in Splunk Web | Description |
|---|---|---|
| aws_account | AWS Account | The AWS account or EC2 IAM role the Splunk platform uses to access your Config Rules data. In Splunk Web, select an account from the drop-down list. |
| region | Region | The AWS region that contains the Config Rules. See the AWS documentation for more information. |
| rule_names | Config Rules | Config Rules names in a comma-separated list. Leave blank to collect all rules. |
| sourcetype | Source Type | A source type for the events. Enter a value only if you want to override the default of aws:config:rule. Event extraction relies on the default value of source type. If you change the default value, you must update props.conf as well. |
| index | Index | The index name where the Splunk platform puts the Config Rules data. The default is main. |
| polling_interval | Polling Interval | The data collection interval, in seconds. The default is 300 seconds. |

Configure a Config Rules input using configuration files

To configure the input using the configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_config_rule_tasks.conf using the following template:

[<name>]
account = <value>
region = <value>
rule_names = <value>
sourcetype = <value>
polling_interval = <value>
index = <value>

Here is an example stanza that collects Config Rules data for just two rules.

[splunkapp2:us-east-1]
account = splunkapp2
region = us-east-1
rule_names = required-tags,restricted-common-ports
sourcetype = aws:config:rule
polling_interval = 300
index = aws
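
Added example, not part of the Splunk documentation or the add-on's own code: a Python check that reads the body of aws_config_rule_tasks.conf, applies the defaults from the table above, and reports settings that change which rules are collected, where the events land, or whether they are extracted. The function name and the second stanza in the sample are constructed for illustration.

```python
import configparser

# Defaults as stated in the table on this page.
DEFAULTS = {"sourcetype": "aws:config:rule", "index": "main", "polling_interval": "300"}

def lint_config_rule_tasks(conf_text):
    """Return {stanza: {"effective": {...}, "findings": [...]}} for the file body."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(conf_text)
    report = {}
    for name in parser.sections():
        raw = {k: v.strip() for k, v in parser[name].items()}
        # Apply the documented default wherever a key is absent or empty.
        eff = {k: raw.get(k) or default for k, default in DEFAULTS.items()}
        names = raw.get("rule_names", "").split(",")
        eff["rule_names"] = [n.strip() for n in names if n.strip()] or "ALL"
        findings = []
        if eff["rule_names"] == "ALL":
            findings.append("rule_names is blank: every Config Rule is collected")
        if eff["sourcetype"] != DEFAULTS["sourcetype"]:
            findings.append("sourcetype overridden: props.conf must be updated as well")
        if not raw.get("index"):
            findings.append("index not set: events land in 'main'")
        interval = eff["polling_interval"]
        if not (interval.isdecimal() and int(interval) > 0):
            findings.append("polling_interval is not a positive number of seconds")
        report[name] = {"effective": eff, "findings": findings}
    return report

# Sample input: the example stanza from this page plus a constructed, sloppy one.
SAMPLE = """\
[splunkapp2:us-east-1]
account = splunkapp2
region = us-east-1
rule_names=required-tags,restricted-common-ports
sourcetype = aws:config:rule
polling_interval = 300
index = aws

[audit:eu-west-1]
account = audit
region = eu-west-1
rule_names =
sourcetype = aws:configrules
polling_interval = 5m
"""

if __name__ == "__main__":
    for stanza, result in lint_config_rule_tasks(SAMPLE).items():
        print(stanza, result["findings"] or "ok")
```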

This documentation applies to the following versions of Splunk® Supported Add-ons: released

