Troubleshoot AWS EC2 Network ACL data ingestion
Troubleshoot AWS EC2 Network ACL data ingestion process.
AWS EC2 Network ACL data cannot be found
AWS EC2 Network ACL data cannot be found.
Cause
AWS EC2 Network ACL is not configured correctly and data is not being ingested from AWS EC2 Network ACLs.
Solution
- Check that there are EC2 Network ACLs in the account and region you are working with, and that you have waited at least 3 hours after you created the input.
- Navigate to Data Management. Click the Data Input Details tab, and go to the Account Establishment Details section.
- If a stack is in FAILED state, refer to Deployment Status: Failed for more troubleshooting steps.
- Verify that the Splunk HTTP Event Collector (HEC) configuration is correct. Refer to Troubleshoot the HEC Configuration for more troubleshooting steps. Make sure the indexer acknowledgement is disabled for the HEC token of the input you are troubleshooting.
- Verify that the data ingestion pipeline has been set up correctly in the account and region. There are two EventBridge rules you must check: the pattern rule SplunkDMMetadataEC2NetworkAclPatternRule, which is triggered only when a new EC2 Network ACL is created, and the schedule rule SplunkDMMetadataEC2NetworkAclScheduleRule, which fires every 3 hours to invoke the Lambda function that fetches the existing EC2 Network ACL data.
  - Navigate to the Amazon EventBridge console in the account and region and under Rules verify that SplunkDMMetadataEC2NetworkAclPatternRule and SplunkDMMetadataEC2NetworkAclScheduleRule exist.
  - Verify that the target for both rules is set to the SplunkDMMetadataEC2NetworkAcl Lambda function, and the status is Enabled.
  - Verify that the Event pattern for SplunkDMMetadataEC2NetworkAclPatternRule and Event Schedule for SplunkDMMetadataEC2NetworkAclScheduleRule are correct.
  - If either of the EventBridge Rules or Lambda Functions do not exist, delete the Data Input and recreate it.
- If the data ingestion pipeline is set up correctly, click Metrics for the rule and check when the event rule was last triggered.
- Navigate to the Lambda console in the region and select SplunkDMMetadataEC2NetworkAcl. Verify that the Environment variables on the Lambda function match the Input ID and the HEC token configuration for that input.
  - If there is any discrepancy with this configuration, delete the Data Input and recreate it.
- If the configuration is correct and your data still cannot be found, debug the SplunkDMMetadataEC2NetworkAcl Lambda function.
  - Select "Monitor" and verify that the Lambda function was invoked by looking at the Invocations metrics. Make sure to select the appropriate time range.
  - If the Lambda function was invoked in that time interval, check the Throttles and Error count metrics. If either metric is non-zero, check the logs of the Lambda function by clicking View logs in CloudWatch.
- If the configuration is correct and your data still cannot be found, contact Splunk Support.
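
The EventBridge rule checks in the steps above (rule exists, status is Enabled, target is the SplunkDMMetadataEC2NetworkAcl Lambda function, pattern or schedule is set) can be scripted. The following is an added example, not part of the Data Manager product or its documentation. It assumes you have already collected the responses of the boto3 events client calls describe_rule and list_targets_by_rule for each rule; the sample account ID, region, event pattern and schedule expression are constructed placeholders.

```python
import json

# Rule and function names are the ones listed in the steps above.
PATTERN_RULE = "SplunkDMMetadataEC2NetworkAclPatternRule"
SCHEDULE_RULE = "SplunkDMMetadataEC2NetworkAclScheduleRule"
LAMBDA_NAME = "SplunkDMMetadataEC2NetworkAcl"

def targets_lambda(arn, name=LAMBDA_NAME):
    """True if arn is a Lambda function ARN for `name` (alias or version suffix allowed)."""
    parts = arn.split(":")
    return len(parts) >= 7 and parts[2] == "lambda" and parts[5] == "function" and parts[6] == name

def check_pipeline(rules, targets):
    """rules: rule name -> describe_rule response (absent or None if the rule is missing).
    targets: rule name -> "Targets" list from list_targets_by_rule.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    for name, field in ((PATTERN_RULE, "EventPattern"), (SCHEDULE_RULE, "ScheduleExpression")):
        rule = rules.get(name)
        if rule is None:
            findings.append(f"{name}: rule does not exist; delete the Data Input and recreate it")
            continue
        if rule.get("State") != "ENABLED":
            findings.append(f"{name}: state is {rule.get('State')}, expected ENABLED")
        if not rule.get(field):
            findings.append(f"{name}: {field} is not set")
        elif field == "EventPattern":
            try:
                json.loads(rule[field])  # the API returns the pattern as a JSON string
            except ValueError:
                findings.append(f"{name}: EventPattern is not valid JSON")
        if not any(targets_lambda(t.get("Arn", "")) for t in targets.get(name, [])):
            findings.append(f"{name}: no target pointing at the {LAMBDA_NAME} Lambda function")
    return findings

# Constructed sample data: account ID, region, pattern and schedule are placeholders.
ARN = "arn:aws:lambda:us-east-1:111122223333:function:" + LAMBDA_NAME
SAMPLE_RULES = {
    PATTERN_RULE: {"State": "ENABLED", "EventPattern": '{"source": ["aws.ec2"]}'},
    SCHEDULE_RULE: {"State": "DISABLED", "ScheduleExpression": "rate(3 hours)"},
}
SAMPLE_TARGETS = {
    PATTERN_RULE: [{"Id": "1", "Arn": ARN}],
    SCHEDULE_RULE: [{"Id": "1", "Arn": ARN.replace(LAMBDA_NAME, "SomeOtherFunction")}],
}

if __name__ == "__main__":
    for finding in check_pipeline(SAMPLE_RULES, SAMPLE_TARGETS):
        print(finding)
```

The check only confirms that a pattern and a schedule are present; compare their values against the ones shown in the EventBridge console for a working input.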
This documentation applies to the following versions of Data Manager: 1.8.2, 1.8.3