splunk / splunk-aws-project-trumpet

MIT License

Feature Request: Add Support for AWS CloudWatch Metrics, Description, and S3 Access Logs. #1

Open connor-tyndall opened 5 years ago

connor-tyndall commented 5 years ago

Currently, we have to bring in AWS CloudWatch Metrics, Description, and S3 Access Logs via modular inputs using EC2 Heavy Forwarders via the Splunk Add-on for AWS. Although this works, it provides challenges in terms of scale, whereas we are looking to use "serverless" methods rather than long-running instances.

https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatch
https://docs.splunk.com/Documentation/AddOns/released/AWS/DescriptionInput
https://docs.splunk.com/Documentation/AddOns/released/AWS/SQS-basedS3

nstonesplunk commented 5 years ago

Hi @connor-tyndall

Thanks for the request!

From previous investigation, implementing AWS Description and AWS CloudWatch Metrics will require pulling on an interval and some form of persisted store for error handling and guaranteed eventual delivery. We have prototyped this but ran into issues/concerns with Lambda timeouts and the additional DynamoDB infrastructure. This is still something we are iterating on since it really is one of the main missing pieces to populate the Splunk App for AWS serverlessly.

S3 access logs are also tricky, but they can follow the same path as AWS Config snapshots do now (S3 -> Lambda -> Splunk), or perhaps route through S3 -> Lambda -> CloudWatch Logs -> Firehose -> Splunk. I will look into this further.
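The S3 -> Lambda -> Splunk path for access logs, as an added example (not code from splunk-aws-project-trumpet or the commenter): the Lambda receives the ObjectCreated notification from the log delivery bucket, parses each S3 server access log record into an HEC event, and posts the batch. The record is split with a tokenizer that respects the bracketed timestamp and the quoted request line, referer and user agent, so the format's space-containing fields do not shift the columns. The sample record, the `HEC_URL`/`HEC_TOKEN` variable names and the `aws:s3:accesslogs` sourcetype are assumptions.

```python
"""S3 server access log records -> Splunk HEC events (S3 -> Lambda -> HEC).

Added example; not code from splunk-aws-project-trumpet. Sourcetype name and
HEC environment variable names are assumptions.
"""
import json
import os
import re
import urllib.parse
import urllib.request
from datetime import datetime

# Field order of an S3 server access log record. AWS has appended fields over
# time; anything beyond this list is kept in "extra" instead of breaking parsing.
S3_ACCESS_FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referer", "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "authentication_type", "host_header", "tls_version",
]
INT_FIELDS = {"http_status", "bytes_sent", "object_size",
              "total_time", "turn_around_time"}

# A token is a [bracketed timestamp], a "quoted string" (request line, referer
# and user agent may contain spaces) or a run of non-whitespace.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample record (assumption): an unauthenticated GET that returned
# 200, i.e. the object was readable by anyone.
SAMPLE_LINE = (
    "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be "
    "examplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 - "
    "3E57427F3EXAMPLE REST.GET.OBJECT secret/config.json "
    '"GET /examplebucket/secret/config.json HTTP/1.1" 200 - 1384 1384 12 11 '
    '"-" "curl/7.64.0" - s9lzHYrFp76ZVxRcpX9EXAMPLEHOSTID= - '
    "ECDHE-RSA-AES128-GCM-SHA256 - examplebucket.s3.us-west-1.amazonaws.com "
    "TLSV1.2"
)


def parse_access_log_line(line):
    """One record -> dict. "-" becomes None, numeric columns become int."""
    tokens = TOKEN_RE.findall(line)
    if len(tokens) < len(S3_ACCESS_FIELDS):
        raise ValueError("short record (%d fields): %r" % (len(tokens), line))
    rec = {}
    for name, tok in zip(S3_ACCESS_FIELDS, tokens):
        if tok[0] in '["':
            tok = tok[1:-1]
        if tok == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(tok)
        else:
            rec[name] = tok
    rec["extra"] = tokens[len(S3_ACCESS_FIELDS):]
    return rec


def hec_time(timestr):
    """'06/Feb/2019:00:00:38 +0000' -> epoch seconds."""
    return datetime.strptime(timestr, "%d/%b/%Y:%H:%M:%S %z").timestamp()


def to_hec_event(rec):
    event = {k: v for k, v in rec.items() if k != "time"}
    # No requester on a successful read means a public object was fetched;
    # a dedicated boolean makes that easy to alert on in Splunk.
    event["anonymous"] = rec["requester"] is None
    return {
        "time": hec_time(rec["time"]),
        "host": rec["host_header"] or rec["bucket"],
        "source": "s3://%s" % rec["bucket"],
        "sourcetype": "aws:s3:accesslogs",  # assumed sourcetype name
        "event": event,
    }


def to_hec_batch(text):
    """Newline-delimited JSON body for POST /services/collector/event."""
    return "\n".join(json.dumps(to_hec_event(parse_access_log_line(ln)))
                     for ln in text.splitlines() if ln.strip())


def lambda_handler(event, context):
    """ObjectCreated notification on the log bucket -> HEC. boto3 is imported
    here so the parsing above can run and be tested without AWS."""
    import boto3
    s3 = boto3.client("s3")
    hec_url, token = os.environ["HEC_URL"], os.environ["HEC_TOKEN"]  # assumed names
    for r in event["Records"]:
        bucket = r["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(r["s3"]["object"]["key"])  # keys arrive URL-encoded
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode("utf-8")
        req = urllib.request.Request(
            hec_url, data=to_hec_batch(body).encode("utf-8"), method="POST",
            headers={"Authorization": "Splunk " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            resp.read()
```

The notification must come from a bucket other than the one the Lambda writes to (or be filtered by prefix), otherwise a log line about the Lambda's own read triggers another invocation. Because the checkpoint here is implicit in the S3 event, a failed HEC POST surfaces as a Lambda error and is retried by the service; the HEC token should allow only the target index.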

connor-tyndall commented 5 years ago

@nstonesplunk Any update on this?

connor-tyndall commented 4 years ago

@nstonesplunk Any update?

gliptak commented 4 years ago

@nstonesplunk I would like to learn more about your thoughts above

"From previous investigation, implementing AWS Description and AWS CloudWatch Metrics will require pulling on an interval and some form of persisted store for error handling and guaranteed eventual delivery. We have prototyped this but ran into issues/concerns with Lambda timeouts and the additional DynamoDB infrastructure."

While I understand that log delivery is expected to be guaranteed, could (Description and CloudWatch) metrics be approached on best effort basis?

kerryhatcher commented 3 years ago

@nstonesplunk Lambda's timeouts and other features have changed a lot in the last 2 years. Is there anything any of us can do to help test or prototype possible solutions?
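The pull-on-an-interval design nstonesplunk describes, written out as an added example (not code from splunk-aws-project-trumpet or any commenter) to show what the persisted store and the Lambda-timeout concern look like in practice: a scheduled Lambda computes a metric window from the last checkpoint, pulls it, posts it to HEC, and only then advances the checkpoint, so a failed POST or a timeout is retried on the next run. A time-budget guard stops the loop before Lambda kills it. The in-memory store, the query list and the HEC metric field layout are assumptions; in production the store must be durable across invocations (the DynamoDB table mentioned above).

```python
"""Interval pull of CloudWatch metrics from a scheduled Lambda with a
persisted checkpoint and a time-budget guard.

Added example; not code from splunk-aws-project-trumpet. Assumes an
EventBridge schedule invokes lambda_handler. Store, queries and HEC
environment variable names are assumptions.
"""
import os
import json
import time
import urllib.request
from datetime import datetime, timezone


class MemoryCheckpointStore:
    """metric key -> end of the last window delivered. In-memory stand-in;
    in Lambda this must be durable (e.g. DynamoDB) or every run re-sends."""
    def __init__(self):
        self._ts = {}

    def get(self, key):
        return self._ts.get(key)

    def put(self, key, ts):
        self._ts[key] = ts


def plan_window(last_end, now, period=60, lag=300, max_lookback=3600):
    """(start, end) aligned to `period`. `lag` keeps the window behind the
    clock because CloudWatch datapoints arrive late; `max_lookback` bounds
    the work of one invocation after an outage so it fits the timeout."""
    end = ((int(now) - lag) // period) * period
    floor = end - max_lookback
    start = floor if last_end is None else max(last_end, floor)
    return (start // period) * period, end


def metric_results_to_hec(results, namespace, dims):
    """GetMetricData-shaped MetricDataResults -> HEC metric events
    (single-metric form: metric_name + _value, dimensions as fields)."""
    events = []
    for r in results:
        for ts, val in zip(r["Timestamps"], r["Values"]):
            t = ts.timestamp() if hasattr(ts, "timestamp") else ts  # boto3 gives datetimes
            fields = {"metric_name": "%s.%s" % (namespace, r["Label"]), "_value": val}
            fields.update(dims)
            events.append({"time": t, "event": "metric",
                           "source": "cloudwatch:" + namespace, "fields": fields})
    return events


def run_once(queries, store, fetch, send, now, remaining_ms, reserve_ms=10000):
    """One invocation. fetch(query, start, end) -> MetricDataResults;
    send(events) raises on failure; remaining_ms() is Lambda's
    context.get_remaining_time_in_millis. The checkpoint advances only
    after send succeeds (at-least-once: a failed window is pulled again)."""
    delivered = []
    for q in queries:
        if remaining_ms() < reserve_ms:
            break                        # stop cleanly rather than mid-send
        start, end = plan_window(store.get(q["key"]), now)
        if start >= end:
            continue                     # nothing new yet (within lag)
        events = metric_results_to_hec(fetch(q, start, end), q["namespace"], q["dims"])
        try:
            send(events)
        except Exception:
            continue                     # checkpoint untouched; retried next run
        store.put(q["key"], end)
        delivered.append(q["key"])
    return delivered


def lambda_handler(event, context):
    """Wiring for AWS; imports are deferred so the logic above runs offline."""
    import boto3
    cw = boto3.client("cloudwatch")
    store = MemoryCheckpointStore()      # swap for the durable store
    queries = [{"key": "i-0123", "namespace": "AWS/EC2", "metric": "CPUUtilization",
                "dims": {"InstanceId": "i-0123"}}]   # assumed query list

    def fetch(q, start, end):
        stat = {"Metric": {"Namespace": q["namespace"], "MetricName": q["metric"],
                           "Dimensions": [{"Name": k, "Value": v} for k, v in q["dims"].items()]},
                "Period": 60, "Stat": "Average"}
        return cw.get_metric_data(
            MetricDataQueries=[{"Id": "m0", "Label": q["metric"], "MetricStat": stat}],
            StartTime=datetime.fromtimestamp(start, timezone.utc),
            EndTime=datetime.fromtimestamp(end, timezone.utc))["MetricDataResults"]

    def send(events):                    # HEC metrics go to /services/collector
        req = urllib.request.Request(
            os.environ["HEC_URL"], data="\n".join(map(json.dumps, events)).encode(),
            method="POST", headers={"Authorization": "Splunk " + os.environ["HEC_TOKEN"]})
        with urllib.request.urlopen(req, timeout=30) as resp:
            resp.read()

    return run_once(queries, store, fetch, send, time.time(),
                    context.get_remaining_time_in_millis)
```

With a durable store this gives guaranteed eventual delivery at the cost of occasional duplicates after a timeout; dropping the store (always `last_end=None`, lookback equal to the schedule interval) is the best-effort variant gliptak asks about, which loses a window whenever an invocation fails.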

kerryhatcher commented 3 years ago

@nstonesplunk Here is Loggly's open source implementation. Perhaps it could be forked or used in some way...

https://github.com/varshneyjayant/cloudwatch-metrics-to-loggly/blob/master/index.js