I'm trying to add AWS Cloudtrail as a device in the SIEM.
Have followed the Data Source Configuration Guide for AWS, can do a successful test connection, but there is no data coming into the SIEM from AWS.
Just wondering if anyone out there has experienced similar issues and managed to overcome them?
Actually yes - the issue is now resolved.
MIGHT NOT BE THE SAME ISSUE AS YOU, but in this instance basically the issue was with a certificate from AWS being untrusted by the SIEM.
To see if the issue is what you are also experiencing, check the cloudtrail logs (/var/log/messages/cloudtrail or something along those lines - not sure exactly). If there are messages relating to unfound or untrusted certificates, that is your problem and you'll need to get an update from McAfee.
When you say "get an update from McAfee", are you meaning updating the certificate from the McAfee side? Or actually updating our McAfee ESM product for it to work? Thanks!
Sorry to keep asking, but I can't find where to see the actual logs from cloudtrail. We have API logs from cloudtrail in ELK but I can't find anything with "McAfee" as the search word. Where did you find yours? Thanks!
I looked in the log and found the following message, is this what you had as well?
3505:Mar 1 14:14:27 McAfee libJobServer.so: Test connect failed with the following error: NotOk ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.
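The two failure modes discussed in this thread (the SIEM not trusting the AWS certificate chain, versus the collector simply not being able to reach the SQS endpoint) produce different error text in the collector log, and telling them apart decides who has to fix what. The following is an added example, not code from the thread or from McAfee, that runs a small triage over collector log lines of the kind quoted above. The first sample line is the one quoted in the thread; the remaining sample lines, the pattern lists and the remediation hints are constructed assumptions for illustration and are not real ESM output or vendor guidance.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Dict

# Constructed sample log. The first line is quoted from the thread; the
# certificate line is hypothetical and only illustrates the trust-failure
# symptom the earlier reply describes (not real McAfee ESM output).
SAMPLE_LOG = """\
3505:Mar 1 14:14:27 McAfee libJobServer.so: Test connect failed with the following error: NotOk ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.
Mar 1 14:20:03 McAfee libJobServer.so: Test connect failed with the following error: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (certificate verify failed) at /usr/local/bin/cloudtrailcoll.pl line 172.
Mar 1 14:25:11 McAfee libJobServer.so: Test connect succeeded
Mar 1 14:30:00 McAfee libJobServer.so: Retrieved 0 messages from queue
"""

# Ordered pattern table (assumed): the certificate patterns are checked
# first because a TLS failure is the more specific diagnosis.
CATEGORIES = (
    ("tls_trust", re.compile(r"certificate verify failed|unknown ca|untrusted|self.signed", re.I)),
    ("network", re.compile(r"Connection refused|Connection timed out|No route to host|Name or service not known", re.I)),
)

# Pulls the endpoint out of a "Can't connect to host:port" fragment.
HOST_RE = re.compile(r"connect to ([\w.-]+):(\d+)")

# Defender-side next steps per category (assumed, illustrative wording).
REMEDIATION = {
    "tls_trust": "SIEM does not trust the AWS certificate chain; update the collector's CA trust store via the vendor.",
    "network": "Collector cannot reach the SQS endpoint on 443; check egress firewall, proxy and DNS from the ESM host.",
}


@dataclass
class Finding:
    category: str
    host: Optional[str]
    line: str


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a known failure signature, else None."""
    for category, pattern in CATEGORIES:
        if pattern.search(line):
            m = HOST_RE.search(line)
            return Finding(category, m.group(1) if m else None, line.rstrip())
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line of a collector log; lines with no signature are skipped."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category so the dominant failure mode stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def remediation(category: str) -> str:
    """Map a category to the assumed next step; unknown categories get a generic hint."""
    return REMEDIATION.get(category, "Unrecognised failure; capture the full error text and raise it with the vendor.")


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.category}] host={f.host}")
        print("    " + remediation(f.category))
    print(summarize(results))
```

Pointing `triage` at the real collector log instead of `SAMPLE_LOG` separates the "get a vendor update for the trust store" case from the "open egress to the SQS endpoint" case before anyone opens a support ticket.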