Data Manager

Troubleshooting Manual

Troubleshoot AWS GuardDuty data ingestion

Troubleshoot the Amazon GuardDuty data ingestion process.

If the AWS accounts are configured in an administrator-member relation to monitor GuardDuty finding, the EventBridge event rules and Kinesis Data Firehose delivery stream will not be created in the member accounts. The findings from each member account's region will be available in the administrator account's region and will be ingested to Splunk from the administrator account.

GuardDuty events cannot be found

AWS GuardDuty events cannot be found.

Cause

AWS GuardDuty is not enabled or is not configured correctly, or Splunk HEC is not configured correctly.

Solution

  1. In AWS, check if GuardDuty is enabled in the region of the AWS account you are trying to get data from. See the Getting started with GuardDuty topic in the AWS documentation for more information.
  2. To enable GuardDuty, perform the following steps:
    1. Log into the GuardDuty administrator account. If your account is setup as a member account, you will not be able to enable GuardDuty.
    2. Click the "Enable GuardDuty" link to enable GuardDuty. The "Enable GuardDuty" link won't be available if you are signed in as a member account.
  3. If GuardDuty is already enabled and you still still don't see the events you are looking for, check the Splunk side HEC configuration. See the HTTP Event Collector (HEC) configuration reference topic in this manual to troubleshoot Splunk software-side HEC configurations.
  4. If the HEC token is present and is enabled, navigate to GuardDuty on your AWS account and check if you have any findings.
  5. If there are findings and data is not flowing to your Splunk Cloud deployment, in AWS, navigate to EventBridge > Rules in the same region and check if SplunkDMGuardDutyDeliveryStream exists.
  6. In AWS, navigate to Kinesis > Delivery streams, and check for SplunkDMGuardDutyDeliveryStream.
  7. If the SplunkDMGuardDutyDeliveryStream stream exists, navigate to the Monitoring tab and see if events are being generated in AWS.
  8. For debugging issues during AWS Kinesis Firehose stream, refer to Troubleshoot AWS Kinesis Firehose data ingestion.
  9. If you are still facing issues, in Data Manager, delete the data input and recreate it.
  10. If the configuration is correct and your data still cannot be found, Contact Splunk Support.
Last modified on 05 September, 2024
Troubleshoot AWS SecurityHub data ingestion   Troubleshoot AWS IAM Access Analyzer data ingestion

This documentation applies to the following versions of Data Manager: 1.11.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters