
Configure Inspector v2 inputs for the Splunk Add-on for AWS
Complete the steps to configure Inspector v2 inputs for the Splunk Add-on for Amazon Web Services (AWS):
- You must manage accounts for the add-on as a prerequisite. See the Manage accounts for the Splunk Add-on for AWS topic in this manual.
- Configure AWS services for the Inspector v2 input.
- Configure AWS permissions for the Inspector v2 input.
- Configure Inspector v2 inputs either through Splunk Web or configuration files.
Configure Amazon Inspector v2 permissions
The Inspector v2 input requires the following permissions:
- Describe*
- List*
See the following sample inline policy to configure Inspector v2 input permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "inspector2:Describe*",
                "inspector2:List*"
            ],
            "Resource": "*"
        }
    ]
}
For more information, see http://docs.aws.amazon.com/IAM/latest/UserGuide/list_inspector.html.
Configure an Inspector v2 input using Splunk Web
To configure inputs using Splunk Web:
- Click Splunk Add-on for AWS in the navigation bar on Splunk Web home.
- Click Create New Input > Inspector > Inspector (v2).
- Use the following table to complete the fields for the new input in Splunk Web or in the .conf file:
Argument in configuration file | Field in Splunk Web | Description |
---|---|---|
account | AWS Account | The AWS account or EC2 IAM role the Splunk platform uses to access your Inspector findings. In Splunk Web, select an account from the drop-down list. In aws_inspector_v2_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page or the name of the automatically discovered EC2 IAM role. |
regions | AWS Region | The AWS region that contains the data. In aws_inspector_v2_tasks.conf, enter region IDs in a comma-separated list. |
sourcetype | Source type | A source type for the events. Enter a value only if you want to override the default of aws:inspector:v2:findings. Event extraction relies on the default source type; if you change it, you must update props.conf as well. |
index | Index | The index name where the Splunk platform puts the Inspector findings. The default is main. |
polling_interval | Polling interval | The number of seconds to wait before the Splunk platform runs the command again. The default is 300 seconds. |
Configure an Inspector v2 input using configuration files
To configure the input using the configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_inspector_v2_tasks.conf using the following template:
[<name>]
account = <value>
region = <value>
index = <value>
polling_interval = <value>
sourcetype = <value>
The following is an example stanza that collects Inspector v2 findings:
[splunkapp2:us-west-2]
account = splunkapp2
region = us-west-2
index = default
polling_interval = 300
sourcetype = aws:inspector:v2:findings
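The following script is an added example, not code from the add-on: it parses a stanza in the format above and reports missing fields, malformed region IDs and a non-numeric polling interval, and it checks an IAM policy document for Allow actions beyond the read-only inspector2:Describe*/List* set the input needs. Because the table names the region key `regions` while the template uses `region`, the check accepts either; the sample stanza and policy are constructed from the examples on this page.

```python
"""Added example (not the add-on's code): checks an Inspector v2 input stanza
against the documented fields and an IAM policy against the read-only set."""
import configparser
import json
import re
ALLOWED_ACTION_RE = re.compile(r"^inspector2:(Describe|List)[\w*]*$")  # read-only
REQUIRED_KEYS = {"account", "index", "polling_interval", "sourcetype"}
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")  # e.g. us-west-2

# Constructed sample stanza and policy, mirroring the examples in the text.
SAMPLE_CONF = """
[splunkapp2:us-west-2]
account = splunkapp2
region = us-west-2
index = default
polling_interval = 300
sourcetype = aws:inspector:v2:findings
"""
SAMPLE_POLICY = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                 '"Action": ["inspector2:Describe*", "inspector2:List*"], "Resource": "*"}]}')

def check_stanza(conf_text):
    """Return a list of problems per stanza; an empty list means it is valid."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []
    for name in cp.sections():
        sec = cp[name]
        missing = REQUIRED_KEYS - set(sec)
        if missing:
            problems.append(f"{name}: missing {sorted(missing)}")
        # The table names the key 'regions', the template 'region'; accept both.
        for r in sec.get("regions", sec.get("region", "")).split(","):
            if not REGION_RE.match(r.strip()):
                problems.append(f"{name}: bad region {r.strip()!r}")
        if not sec.get("polling_interval", "").isdigit():
            problems.append(f"{name}: polling_interval must be whole seconds")
    return problems

def policy_extra_actions(policy_json):
    """Return Allow actions that go beyond read-only inspector2 Describe*/List*."""
    extra = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra.extend(a for a in actions if not ALLOWED_ACTION_RE.match(a))
    return extra
```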