Splunk® Enterprise

Add AWS Config Rules data: Single instance

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Configure inputs for the Splunk Add-on for AWS

About configuring inputs

Configure Config Rules inputs to collect AWS Config Rules data (source type: aws:config:rule).

Configure a Config Rules input for the Splunk Add-on for AWS on your data collection node through Splunk Web (recommended), or in local/aws_config_rule_tasks.conf. This data source is available only in a subset of AWS regions, which does not currently include China or GovCloud. See the AWS documentation for the full list of supported regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region.

Choose a configuration option:

  • Configure a Config Rules input using Splunk Web (recommended)
  • Configure a Config Rules input using configuration file

Input configuration overview

You can use the Splunk Add-on for AWS to collect data from AWS. For each supported data type, one or more input types are provided for data collection.

Users adding new inputs must have the admin_all_objects capability.

Follow these steps to plan and perform your AWS input configuration:

  1. Click an input type to go to its input configuration details.
  2. Follow the steps described in the input configuration details to complete the configuration.

Configure a Config Rules input using Splunk Web

To configure inputs using Splunk Web, click Splunk Add-on for AWS in the left navigation bar on the Splunk Web home page, then click Create New Input > Config Rules.

Each row lists the argument name in aws_config_rule_tasks.conf, the matching field in Splunk Web, and what it controls.

  • account (Splunk Web: AWS Account). The AWS account or EC2 IAM role the Splunk platform uses to access your Config Rules data. In Splunk Web, select an account from the drop-down list. In aws_config_rule_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page, or the name of the autodiscovered EC2 IAM role.
  • region (Splunk Web: Region). The AWS region that contains the Config Rules. In aws_config_rule_tasks.conf, enter the region ID. See the AWS documentation for the list of region IDs.
  • rule_names (Splunk Web: Config Rules). Config Rules names in a comma-separated list. Leave blank to collect every rule in the region.
  • sourcetype (Splunk Web: Source Type). The source type assigned to the events. Enter a value only if you want to override the default, aws:config:rule. The add-on's field extractions are keyed to the default source type; if you override it, add a matching stanza to props.conf or the extractions will not apply.
  • index (Splunk Web: Index). The index where the Splunk platform stores the Config Rules data. The default is main.
  • polling_interval (Splunk Web: Polling Interval). The data collection interval, in seconds. The default is 300 seconds.

Here is an example aws_config_rule_tasks.conf stanza that collects Config Rules data for just two rules in us-east-1. The stanza name follows the <account>:<region> pattern, which keeps names unique when the same account is polled in several regions.

[splunkapp2:us-east-1]
account = splunkapp2
region = us-east-1
index = aws
polling_interval = 300
sourcetype = aws:config:rule
rule_names = required-tags,restricted-common-ports

Configure a Config Rules input using configuration file

To configure the input using the configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_config_rule_tasks.conf using the following template.

[<name>]
account = <value>
region = <value>
rule_names = <value>
sourcetype = <value>
polling_interval = <value>
index = <value>
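To catch the mistakes this page warns about before a file reaches Splunk_TA_aws/local, here is an added Python helper (example code, not part of the Splunk Add-on for AWS) that renders stanzas in the format above and checks an existing file against it. The accepted key set, the <account>:<region> stanza naming, the aws:config:rule default and the props.conf caveat come from this page; the sample input, the function names render_stanza and check_conf, and the warning texts are assumptions made for the example.

```python
"""Render and sanity-check aws_config_rule_tasks.conf stanzas before they go
into $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/.

Added illustration, not code shipped with the Splunk Add-on for AWS. It
encodes only what the documentation states: the accepted keys, the stanza
naming used in the example, the aws:config:rule default and the props.conf
caveat. Function names and warning texts are this example's own.
"""
import configparser

# Keys accepted by aws_config_rule_tasks.conf, taken from the template above.
ALLOWED_KEYS = {"account", "region", "rule_names", "sourcetype",
                "polling_interval", "index"}
DEFAULT_SOURCETYPE = "aws:config:rule"
DEFAULT_POLLING_INTERVAL = 300


def render_stanza(account, region, rule_names=(), index="main",
                  polling_interval=DEFAULT_POLLING_INTERVAL,
                  sourcetype=DEFAULT_SOURCETYPE):
    """Return one stanza named <account>:<region>, as in the page's example.

    An empty rule_names tuple renders 'rule_names =', which means collect
    every Config rule in the region.
    """
    lines = [
        f"[{account}:{region}]",
        f"account = {account}",
        f"region = {region}",
        f"index = {index}",
        f"polling_interval = {polling_interval}",
        f"sourcetype = {sourcetype}",
        f"rule_names = {','.join(rule_names)}",
    ]
    return "\n".join(lines) + "\n"


def check_conf(text):
    """Parse conf text and return a list of (stanza, warning) tuples.

    Returns an empty list when every stanza looks deployable.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case; do not lower-case Splunk keys
    try:
        parser.read_string(text)
    except configparser.Error as exc:  # duplicate stanza or key, bad syntax
        return [("*", f"parse error: {exc}")]

    warnings = []
    for stanza in parser.sections():
        opts = dict(parser[stanza])
        unknown = sorted(set(opts) - ALLOWED_KEYS)
        if unknown:
            hint = " (the conf key is 'account')" if "aws_account" in unknown else ""
            warnings.append((stanza, f"unknown keys {unknown}{hint}"))
        for required in ("account", "region"):
            if not opts.get(required):
                warnings.append((stanza, f"missing required key '{required}'"))
        sourcetype = opts.get("sourcetype", DEFAULT_SOURCETYPE)
        if sourcetype != DEFAULT_SOURCETYPE:
            warnings.append((stanza, f"sourcetype overridden to {sourcetype!r}; "
                                     "field extractions need a matching props.conf entry"))
        if not opts.get("rule_names"):
            warnings.append((stanza, "rule_names empty: every Config rule in the region is collected"))
        interval = opts.get("polling_interval", str(DEFAULT_POLLING_INTERVAL))
        if not interval.isdigit() or int(interval) <= 0:
            warnings.append((stanza, f"polling_interval must be a positive number of seconds, got {interval!r}"))
    return warnings


# Constructed sample input: the page's example stanza, plus a second stanza
# carrying the mistakes the checker is meant to catch.
SAMPLE_CONF = """\
[splunkapp2:us-east-1]
account = splunkapp2
region = us-east-1
index = aws
polling_interval = 300
sourcetype = aws:config:rule
rule_names = required-tags,restricted-common-ports

[splunkapp2:eu-west-1]
aws_account = splunkapp2
region = eu-west-1
sourcetype = aws:config
rule_names =
polling_interval = every5min
"""

if __name__ == "__main__":
    print(render_stanza("splunkapp2", "us-west-2", ["required-tags"], index="aws"))
    for stanza, message in check_conf(SAMPLE_CONF):
        print(f"{stanza}: {message}")
```

Run it against your own local/aws_config_rule_tasks.conf by passing the file contents to check_conf; an empty result means the keys, source type and polling interval match what this page documents, while a warning about an empty rule_names is a reminder that the input will pull every rule in that region, which may be far more data than intended.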

Last modified on 10 July, 2019
 

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1

