Setup CloudTrail as data source in ESM

I have an on-prem ESM/ELM combo running v9.5.1 MR2 (with access to the internet thru a proxy). I'm trying to set up CloudTrail as a data source, but I can't get past the connection test error. I SSH'd to the appliance and successfully pinged sqs.us-east-1.amazonaws.com

McAfee-ENMELM-4600 ~ # ping sqs.us-east-1.amazonaws.com
PING queue.amazonaws.com (72.21.207.173): 56 data bytes
64 bytes from 72.21.207.173: icmp_seq=0 ttl=232 time=66.805 ms
64 bytes from 72.21.207.173: icmp_seq=1 ttl=232 time=68.868 ms
64 bytes from 72.21.207.173: icmp_seq=2 ttl=232 time=66.931 ms
64 bytes from 72.21.207.173: icmp_seq=3 ttl=232 time=60.580 ms

McAfee/Intel tech support is telling me they don't support going thru a proxy, and that's why I can't connect. Has anyone successfully set this up? Looking in the logs I find the following at the bottom of the log shown below:

Use of uninitialized value $try in concatenation (.) or string at /usr/lib/perl5/site_perl/5.16.1/Amazon/SQS/Simple/Base.pm line 136.
ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.

----- [[ ( 4) logging categories ]] ----------------
  L_ERROR : fatal exceptions                  libcontrol
  L_WARN  : non-fatal exceptional conditions  libcontrol
  L_DEBUG : debug information                 /usr/bin/perl
  L_INFO  : normal execution information      /usr/bin/perl
----- [[ applied output ]] ------------------------
  -> fileset   path : /var/log/cloudtrail.log
               files: 10
               size : 1 meg(s) or 1048576b
              redir : yes
----- [[ applied filters ]] -----------------------
  +L_ERROR|L_WARN|L_INFO  : +0x0040001800000000000000000000000b
$VAR1 = {
          'datasource_url' => 'https://sqs.us-east-1.amazonaws.com/3XXXXXXXXXXX4/CloudTrail',
          'protocol' => 'api',
          'poll_interval' => '300',
          'type_orig' => '551',
          'userid' => 'AXXXXXXXXXXXXXXXXXXXA',
          'parser' => 'asp',
          'collector_orig' => 'cloudtrail',
          'password' => 'UXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=',
          'ipsid' => '1XXXXXXXXXXXXXXXXXXXX0',
          'timeout' => '300',
          'pool' => 'XXXX Pool',
          '_KEY' => 'CloudTrail',
          'elm_logging' => 1,
          'ip_address' => '127.0.0.1',
          'id' => 126,
          'collector' => 'cloudtrail',
          'parsing' => 1,
          'protocol_orig' => 'api',
          'created' => '1468857985',
          'override' => 'collector,protocol',
          'type' => '551'
        };
Jul 18 16:11:23 L_INFO  15957|Execution parameters:
Jul 18 16:11:23 L_INFO  15957|##########################################
Jul 18 16:11:23 L_INFO  15957|        IPSID: 126
Jul 18 16:11:23 L_INFO  15957|      SQS URL: https://sqs.us-east-1.amazonaws.com/3XXXXXXXXXXXXXXX4/CloudTrail
Jul 18 16:11:23 L_INFO  15957| Vis. Timeout: 300
Jul 18 16:11:23 L_INFO  15957|Poll Interval: 300
Jul 18 16:11:23 L_INFO  15957|    AccessKey: AXXXXXXXXXXXXXXXXA
Jul 18 16:11:23 L_INFO  15957|##########################################
$VAR1 = bless( {
                 'SecretKey' => 'aXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1',
                 'AWSAccessKeyId' => 'AXXXXXXXXXXXXXXXXA',
                 'Version' => '2012-11-05',
                 'Endpoint' => 'http://queue.amazonaws.com',
                 'SignatureVersion' => 2
               }, 'Amazon::SQS::Simple' );
Use of uninitialized value $try in concatenation (.) or string at /usr/lib/perl5/site_perl/5.16.1/Amazon/SQS/Simple/Base.pm line 136.
ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.

3 Replies

Re: Setup CloudTrail as data source in ESM

There have been issues with some users with expired certificates for Amazon as well.

We were told about this KB - https://kc.mcafee.com/corporate/index?page=content&id=KB86969

But it didn't work for us.  And support closed my ticket... 

Re: Setup CloudTrail as data source in ESM

Thanks for the response. I'm still trying to get the Test Connection to work. After that, I may have other issues to resolve.

Re: Setup CloudTrail as data source in ESM

Try the 9.6 release.  Check that your proxy (if proxying SSL) has the new Baltimore Digicert certificate installed as a trusted root. 

https://forums.aws.amazon.com/ann.jspa?annID=3544
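A diagnostic I would run from the appliance for the problem in the original post and the proxy/root-certificate point in the reply above, added here as an example and not code from the thread or from the collector: a successful ping only proves ICMP reachability, while the collector's error shows a direct TCP connect to port 443 being refused, so this checks TCP/443 on the path the collector actually takes (direct, or a CONNECT tunnel through the HTTP proxy) and then a verified TLS handshake against the system trust store, which is where an SSL-inspecting proxy whose root is not trusted would fail. The host, port and proxy values are assumptions.

```python
import socket
import ssl

def parse_connect_status(reply: bytes) -> int:  # -1 if the reply is not an HTTP status line
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return -1
    return int(parts[1])

def tcp_connect(host, port, timeout=5.0):  # (socket, None) or (None, error text)
    try:
        return socket.create_connection((host, port), timeout=timeout), None
    except OSError as exc:  # 'Connection refused' is what the collector log above shows
        return None, str(exc)

def proxy_tunnel(proxy_host, proxy_port, host, port):
    # Open a CONNECT tunnel through an HTTP proxy: (socket, None) or (None, reason).
    sock, err = tcp_connect(proxy_host, proxy_port)
    if sock is None:
        return None, f"proxy unreachable: {err}"
    try:
        sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply and (chunk := sock.recv(4096)):
            reply += chunk
        status = parse_connect_status(reply)
        if status == 200:
            return sock, None
        err = f"proxy rejected CONNECT with status {status}"  # e.g. 407 = proxy auth needed
    except OSError as exc:
        err = f"proxy did not answer CONNECT: {exc}"
    sock.close()
    return None, err

def tls_verify(sock, host):
    # Verified TLS handshake on an open socket: (True, issuer CN) or (False, reason).
    try:  # default context = system trust store plus hostname check
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return True, issuer.get("commonName", "?")  # a proxy's own CA would show here
    except OSError as exc:  # ssl.SSLError is an OSError; an untrusted root lands here
        return False, f"TLS verification failed: {exc}"

def check(host, port=443, proxy=None):
    # Take the path the collector would take (direct, or CONNECT via proxy) and report a verdict.
    sock, err = proxy_tunnel(proxy[0], proxy[1], host, port) if proxy else tcp_connect(host, port)
    if sock is None:
        return f"{host}:{port} via {proxy or 'direct'}: {err}"
    ok, detail = tls_verify(sock, host)
    return f"{host}:{port} via {proxy or 'direct'}: " + (f"TLS ok, issuer {detail}" if ok else detail)
```

Run `check("sqs.us-east-1.amazonaws.com")` for the direct path and `check("sqs.us-east-1.amazonaws.com", 443, ("proxy.example", 3128))` for the proxy path (assumed proxy address); a refused direct connect with a working tunnel confirms egress is proxy-only, and a TLS failure only on the proxy path points at the proxy's certificate chain.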