
Setup CloudTrail as data source in ESM

I have an on-prem ESM/ELM combo running v9.5.1 MR2 (with access to internet thru a proxy). I'm trying to set up CloudTrail as a data source, but I can't get past the connection test error. I SSH'd to the appliance and successfully pinged sqs.us-east-1.amazonaws.com:

McAfee-ENMELM-4600 ~ # ping sqs.us-east-1.amazonaws.com

PING queue.amazonaws.com (72.21.207.173): 56 data bytes

64 bytes from 72.21.207.173: icmp_seq=0 ttl=232 time=66.805 ms

64 bytes from 72.21.207.173: icmp_seq=1 ttl=232 time=68.868 ms

64 bytes from 72.21.207.173: icmp_seq=2 ttl=232 time=66.931 ms

64 bytes from 72.21.207.173: icmp_seq=3 ttl=232 time=60.580 ms

McAfee/Intel tech support is telling me they don't support going thru a proxy, and that's why I can't connect. Has anyone successfully set this up? Looking in the logs I find the following at the bottom of the log shown below:

Use of uninitialized value $try in concatenation (.) or string at /usr/lib/perl5/site_perl/5.16.1/Amazon/SQS/Simple/Base.pm line 136.

ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.

----- [[ ( 4) logging categories ]] ----------------

  L_ERROR : fatal exceptions                  libcontrol

  L_WARN  : non-fatal exceptional conditions  libcontrol

  L_DEBUG : debug information                 /usr/bin/perl

  L_INFO  : normal execution information      /usr/bin/perl

----- [[ applied output ]] ------------------------

  -> fileset   path : /var/log/cloudtrail.log

               files: 10

               size : 1 meg(s) or 1048576b

              redir : yes

----- [[ applied filters ]] -----------------------

  +L_ERROR|L_WARN|L_INFO  : +0x0040001800000000000000000000000b

$VAR1 = {

          'datasource_url' => 'https://sqs.us-east-1.amazonaws.com/3XXXXXXXXXXX4/CloudTrail',

          'protocol' => 'api',

          'poll_interval' => '300',

          'type_orig' => '551',

          'userid' => 'AXXXXXXXXXXXXXXXXXXXA',

          'parser' => 'asp',

          'collector_orig' => 'cloudtrail',

          'password' => 'UXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=',

          'ipsid' => '1XXXXXXXXXXXXXXXXXXXX0',

          'timeout' => '300',

          'pool' => 'XXXX Pool',

          '_KEY' => 'CloudTrail',

          'elm_logging' => 1,

          'ip_address' => '127.0.0.1',

          'id' => 126,

          'collector' => 'cloudtrail',

          'parsing' => 1,

          'protocol_orig' => 'api',

          'created' => '1468857985',

          'override' => 'collector,protocol',

          'type' => '551'

        };

Jul 18 16:11:23 L_INFO  15957|Execution parameters:

Jul 18 16:11:23 L_INFO  15957|##########################################

Jul 18 16:11:23 L_INFO  15957|        IPSID: 126

Jul 18 16:11:23 L_INFO  15957|      SQS URL: https://sqs.us-east-1.amazonaws.com/3XXXXXXXXXXXXXXX4/CloudTrail

Jul 18 16:11:23 L_INFO  15957| Vis. Timeout: 300

Jul 18 16:11:23 L_INFO  15957|Poll Interval: 300

Jul 18 16:11:23 L_INFO  15957|    AccessKey: AXXXXXXXXXXXXXXXXA

Jul 18 16:11:23 L_INFO  15957|##########################################

$VAR1 = bless( {

                 'SecretKey' => 'aXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1',

                 'AWSAccessKeyId' => 'AXXXXXXXXXXXXXXXXA',

                 'Version' => '2012-11-05',

                 'Endpoint' => 'http://queue.amazonaws.com',

                 'SignatureVersion' => 2

               }, 'Amazon::SQS::Simple' );

Use of uninitialized value $try in concatenation (.) or string at /usr/lib/perl5/site_perl/5.16.1/Amazon/SQS/Simple/Base.pm line 136.

ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.

3 Replies

Re: Setup CloudTrail as data source in ESM

There have been issues with some users with expired certificates for Amazon as well.

We were told about this KB - https://kc.mcafee.com/corporate/index?page=content&id=KB86969

But it didn't work for us.  And support closed my ticket... 


Re: Setup CloudTrail as data source in ESM

Thanks for the response. I'm still trying to get the Test Connection to work. After that, I may have other issues to resolve.


Re: Setup CloudTrail as data source in ESM

Try the 9.6 release.  Check that your proxy (if proxying SSL) has the new Baltimore Digicert certificate installed as a trusted root. 

https://forums.aws.amazon.com/ann.jspa?annID=3544
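
The first post shows ICMP replies from the SQS endpoint while the collector's TCP connection to port 443 is refused. The following is an added example, not part of the thread and not McAfee's collector code: it probes the TCP path directly and through an HTTP proxy's CONNECT method so the two results can be compared. The function names and the proxy address given on the command line are assumptions.

```python
import socket

def tcp_probe(host, port, timeout=5.0):
    """Plain TCP connect: 'open', 'refused', 'timeout' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"          # a reset came back: host or firewall rejected the SYN
    except socket.timeout:
        return "timeout"          # SYN silently dropped
    except OSError as exc:
        return f"error: {exc}"    # DNS failure, no route, ...

def connect_via_proxy(proxy, host, port=443, timeout=5.0):
    """Send HTTP CONNECT to proxy=(host, port); return the proxy's status code,
    or a tcp_probe-style string if the proxy itself cannot be reached."""
    try:
        sock = socket.create_connection(proxy, timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error: {exc}"
    with sock, sock.makefile("rb") as reply:
        sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\n"
                     f"Host: {host}:{port}\r\n\r\n".encode("ascii"))
        try:
            status = reply.readline().split()   # e.g. [b'HTTP/1.1', b'200', ...]
        except OSError as exc:
            return f"error: {exc}"
    return int(status[1]) if len(status) > 1 and status[1].isdigit() else "bad response"

def diagnose(host, port=443, proxy=None):
    """Combine both probes into a verdict about where the connection dies."""
    result = {"direct": tcp_probe(host, port), "proxy": None}
    if proxy:
        result["proxy"] = connect_via_proxy(proxy, host, port)
    if result["direct"] == "open":
        result["verdict"] = "direct egress works"
    elif result["proxy"] == 200:
        result["verdict"] = "proxy-only egress"   # client must be pointed at the proxy
    else:
        result["verdict"] = "no working path"
    return result

if __name__ == "__main__":
    import sys  # usage: script.py [proxy_host proxy_port]  (proxy values are site-specific)
    px = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else None
    print(diagnose("sqs.us-east-1.amazonaws.com", 443, px))
```

A direct result of `refused` together with `200` from the proxy means port 443 is reachable only through the proxy, so a client that cannot be configured to use it will report a connection error even though ping succeeds.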
