Related Answers
Download topic as PDF
Configure Metadata inputs for the Splunk Add-on for AWS
The Description input was deprecated in version 6.2.0 of the Splunk Add-on for AWS. The Metadata input has been added as a replacement. To continue data collection for the Description input, move your workloads to the Metadata input.
Complete the steps to configure Metadata inputs for the Splunk Add-on for Amazon Web Services (AWS):
- You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
- Configure AWS services for the Metadata input.
- Configure AWS permissions for the Metadata input.
- Configure Metadata inputs either through Splunk Web or configuration files.
Configure Metadata permissions
Required permissions for IAM: GetUser, ListUsers, GetAccountPasswordPolicy, ListAccessKeys, GetAccessKeyLastUsed, ListPolicies, GetPolicyVersion, ListUserPolicies, ListAttachedUserPolicies
Required permissions for EC2 resources: DescribeInstances, DescribeReservedInstances, DescribeSnapshots, DescribeRegions, DescribeKeyPairs, DescribeNetworkAcls, DescribeSecurityGroups, DescribeSubnets, DescribeVolumes, DescribeVpcs, DescribeImages, DescribeAddresses
Required permissions for Lambda: ListFunctions
Required permissions for RDS: DescribeDBInstances
Required permissions for CloudFront, if you are in a region that supports CloudFront: ListDistributions
Required permissions for ELB: DescribeLoadBalancers, DescribeInstanceHealth, DescribeTags, DescribeTargetGroups, DescribeTargetHealth
Required permissions for S3: ListAllMyBuckets, GetAccelerateConfiguration, GetBucketCORS, GetLifecycleConfiguration, GetBucketLocation, GetBucketLogging, GetBucketTagging
See the following sample inline policy to configure Metadata input permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeReservedInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeRegions",
"ec2:DescribeKeyPairs",
"ec2:DescribeNetworkAcls",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DescribeImages",
"ec2:DescribeAddresses",
"lambda:ListFunctions",
"rds:DescribeDBInstances",
"cloudfront:ListDistributions",
"iam:GetUser",
"iam:ListUsers",
"iam:GetAccountPasswordPolicy",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:ListPolicies",
"iam:GetPolicyVersion",
"iam:ListUserPolicies",
"iam:ListAttachedUserPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeListeners",
"s3:ListAllMyBuckets",
"s3:GetAccelerateConfiguration",
"s3:GetBucketCORS",
"s3:GetLifecycleConfiguration",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketTagging"
],
"Resource": [
"*"
]
}
]
}
Configure a Metadata input using Splunk Web
To configure inputs in Splunk Web:
- Click Splunk Add-on for AWS in the navigation bar on Splunk Web home.
- Click Create New Input > Metadata.
- Fill out the fields as described in the following table:
| Argument in configuration file | Field in Splunk Web | Description |
|---|---|---|
account
|
AWS Account | The AWS account or EC2 IAM role the Splunk platform uses to access your Metadata data. In Splunk Web, select an account from the drop-down list. In aws_metadata_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page or the name of the automatically discovered EC2 IAM role.
|
regions
|
AWS Regions | The AWS regions for which you are collecting Metadata data. In Splunk Web, select one or more regions from the drop-down list. In aws_metadata_tasks.conf, enter one or more valid AWS region IDs, separated by commas. See https://docs.aws.amazon.com/general/latest/gr/rande.html#d0e371. |
apis
|
APIs/Interval (seconds) | APIs you want to collect data from, and intervals for each API, in the format of <api name>/<api interval in seconds>,<api name>/<api interval in seconds>. The default value in Splunk Web is ec2_volumes/3600,ec2_instances/3600,ec2_reserved_instances/3600,ebs_snapshots/3600,elastic_load_balancers/3600,vpcs/3600,vpc_network_acls/3600,cloudfront_distributions/3600,vpc_subnets/3600,rds_instances/3600,ec2_key_pairs/3600,ec2_security_groups/3600 |
aws_iam_role
|
Assume Role | The IAM role to assume, see Manage accounts for the Splunk Add-on for AWS. |
sourcetype
|
Source type | A source type for the events. Enter aws:metadata.
|
index
|
Index | The index name where the Splunk platform puts the Metadata data. The default is main. |
Configure a Metadata input using configuration files
To configure a Metadata input using configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_metadata_tasks.conf using the following template:
[<name>] account = <value> regions = <values split by commas> apis = <value> aws_iam_role = <value> sourcetype = <value> index = <value>
Here is an example stanza that collects metadata data from all supported APIs:
[desc:splunkapp2] account = splunkapp2 regions = us-west-2 apis = ec2_volumes/3600, ec2_instances/3600, ec2_reserved_instances/3600, ebs_snapshots/3600, classic_load_balancers/3600, application_load_balancers/3600, vpcs/3600, vpc_network_acls/3600, cloudfront_distributions/3600, vpc_subnets/3600, rds_instances/3600, ec2_key_pairs/3600, ec2_security_groups/3600, ec2_images/3600, ec2_addresses/3600, lambda_functions/3600, s3_buckets/3600, iam_users/3600, iam_list_policies/3600 aws_iam_role = iam_users sourcetype = aws:metadata index = default
|
PREVIOUS Configure miscellaneous inputs for the Splunk Add-on for AWS |
NEXT Configure Inspector v2 inputs for the Splunk Add-on for AWS |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!