I'm trying to add AWS Cloudtrail as a device in the SIEM.
Have followed the Data Source Configuration Guide for AWS, can do a successful test connection, but there is no data coming into the SIEM from AWS.
Just wondering if anyone out there has experienced similar issues and managed to overcome them?
Did you figure out any alternative option? I thought of pulling the logs directly from the S3 bucket but can't figure it out either... Thanks!
Actually yes - the issue is now resolved.
MIGHT NOT BE THE SAME ISSUE AS YOU, but in this instance basically the issue was with a certificate from AWS being untrusted by the SIEM.
To see if the issue is what you are also experiencing, check the cloudtrail logs (/var/log/messages/cloudtrail or something along those lines - not sure exactly). If there are messages relating to unfound or untrusted certificates, that is your problem and you'll need to get an update from McAfee.
When you say "get an update from McAfee", are you meaning updating the certificate from the McAfee side? Or actually updating our McAfee ESM product for it to work? Thanks!
Sorry to keep asking, but I can't find where to see the actual logs from cloudtrail. We have API logs from cloudtrail in ELK but I can't find anything with "McAfee" as the search word. Where did you find yours? Thanks!
The logs you are looking for are on the SIEM ESM itself. Should be in /var/log/messages and the file should be called CloudTrail or something similar.
I looked in the log and found the following message, is this what you had as well?
3505:Mar 1 14:14:27 McAfee libJobServer.so: Test connect failed with the following error: NotOk ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.
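As an added example (not from this thread, McAfee, or AWS): a small Python parser for ESM collector lines of the shape quoted above, sorting each into the two failure modes the thread discusses, an untrusted certificate versus a refused connection to the SQS endpoint. The log format and category names are assumptions, and every sample line except the one quoted above is constructed.

```python
import re
# Collector line format as quoted in the thread; the leading "3505:" is an optional grep line number.
LINE_RE = re.compile(
    r"^(?:\d+:)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$"
)
# Perl-style connect failure embedded in the message: "Can't connect to host:port (reason)"
CONNECT_RE = re.compile(r"Can't connect to (?P<endpoint>[\w.\-]+):(?P<port>\d+) \((?P<reason>[^)]*)\)")
# Markers of a certificate-trust problem (the root cause reported in the thread).
CERT_RE = re.compile(r"certif|\bSSL\b|\bTLS\b|untrusted|self.signed", re.IGNORECASE)

def parse_line(line):
    """Parse one ESM collector log line into a dict; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    c = CONNECT_RE.search(msg)
    if CERT_RE.search(msg):
        category = "tls_trust"           # ESM does not trust the AWS chain: trust-store/vendor update
    elif c and "refused" in c.group("reason").lower():
        category = "connection_refused"  # TCP never completed: egress, firewall or proxy to the endpoint
    elif "fail" in msg.lower() or "ERROR" in msg:
        category = "other_failure"
    else:
        category = "ok"
    return {
        "timestamp": m.group("ts"), "process": m.group("proc"), "category": category,
        "endpoint": c.group("endpoint") if c else None,
        "port": int(c.group("port")) if c else None,
        "reason": c.group("reason") if c else None,
    }

def summarize(lines):
    """Count events per category so the dominant failure mode stands out."""
    counts = {}
    for ev in filter(None, map(parse_line, lines)):
        counts[ev["category"]] = counts.get(ev["category"], 0) + 1
    return counts

# Constructed sample: the first entry is the message quoted in the thread, the other two are made up.
SAMPLE_LOG = [
    "3505:Mar 1 14:14:27 McAfee libJobServer.so: Test connect failed with the following error: "
    "NotOk ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to "
    "sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.",
    "Mar 1 14:20:03 McAfee libJobServer.so: Test connect failed with the following error: "
    "certificate verify failed: unable to get local issuer certificate",
    "Mar 1 14:25:11 McAfee libJobServer.so: Test connect succeeded",
]
```

Run `summarize(SAMPLE_LOG)` over the real file on the ESM to see whether certificate errors or refused connections dominate before deciding whether the fix is on the trust-store side or the network side.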