Troubleshoot AWS EC2 Security Group data ingestion
Troubleshoot AWS EC2 Security Group data ingestion process.
AWS EC2 Security Group data cannot be found
AWS EC2 Security Group data cannot be found
Cause
AWS EC2 is not configured correctly and data is not being ingested from AWS EC2 Security Group.
Solution
- Make sure that there are EC2 Security Groups in the account and region you are working with, and you have waited at least 3 hours after you created the input.
- Navigate to Data Management. Click the Data Input Details tab, and go to the Account Establishment Details section.
- If a stack is in FAILED state, refer to Deployment Status: Failed for more troubleshooting steps.
- Verify that the Splunk HTTP Event Collector (HEC) configuration is correct. Refer to Troubleshoot the HEC Configuration for more troubleshooting steps. Make sure the indexer acknowledgement is disabled for the HEC token of the input you are troubleshooting.
- Verify that the data ingestion pipeline has been setup correctly in the account and region. There are two EventBridge rules you must check, the pattern rule
SplunkDMMetadataEC2SGPatternRule
which is triggered when a new EC2 Security Group is created, and the schedule ruleSplunkDMMetadataEC2SGScheduleRule
which is triggered periodically every 3 hours to trigger the Lambda function that fetches the existing EC2 Security Groups data.- Navigate to Amazon EventBridge console in the account and region and under Rules verify that
SplunkDMMetadataEC2SGPatternRule
andSplunkDMMetadataEC2SGScheduleRule
exist. - Verify that the target for both rules is set to
SplunkDMMetadataEC2SG
Lambda function and the status is Enabled. - Verify that the Event pattern for
SplunkDMMetadataEC2SGPatternRule
and Event Schedule forSplunkDMMetadataEC2SGScheduleRule
are correct.
- Navigate to Amazon EventBridge console in the account and region and under Rules verify that
- If any of the above EventBridge Rules or Lambda Function do not exist, delete the Data Input and recreate it.
- If the data ingestion pipeline is setup correctly, click on Metrics for the rule and check when the event rule was last triggered.
- Navigate to the Lambda console in the region and select
SplunkDMMetadataEC2SG
. Verify that the Environment variables on the Lambda function matches the Input ID and the HEC token configuration for that input. - If there is any discrepancy with this configuration, delete the Data Input and recreate it.
- If the configuration is correct and your data still cannot be found, debug the
SplunkDMMetadataEC2SG
Lambda function.- Select Monitor and verify if the Lambda function was invoked by looking at Invocations metrics. Make sure to select the appropriate time range.
- If the Lambda function was invoked in that time interval, then check the Throttles and Error count metrics. If any of the Throttles and Error count metrics is non-zero, check the logs of the Lambda function by clicking on View logs in CloudWatch.
- If the configuration is correct and your data still cannot be found, Contact Splunk Support.
Troubleshoot AWS EC2 Instance data ingestion | Troubleshoot AWS EC2 Network ACL data ingestion |
This documentation applies to the following versions of Data Manager: 1.8.2, 1.8.3
Feedback submitted, thanks!