3 Replies Latest reply on Jul 20, 2016 11:44 AM by infoseced

    Setup CloudTrail as data source in ESM

    michael.yin

      I have an on-prem ESM/ELM combo running v9.5.1 MR2 (with access to the internet through a proxy). I'm trying to set up CloudTrail as a data source, but I can't get past the connection test error. I SSH'd to the appliance and successfully pinged sqs.us-east-1.amazonaws.com

      McAfee-ENMELM-4600 ~ # ping sqs.us-east-1.amazonaws.com
      PING queue.amazonaws.com (72.21.207.173): 56 data bytes
      64 bytes from 72.21.207.173: icmp_seq=0 ttl=232 time=66.805 ms
      64 bytes from 72.21.207.173: icmp_seq=1 ttl=232 time=68.868 ms
      64 bytes from 72.21.207.173: icmp_seq=2 ttl=232 time=66.931 ms
      64 bytes from 72.21.207.173: icmp_seq=3 ttl=232 time=60.580 ms

       

      McAfee/Intel tech support is telling me they don't support going through a proxy, and that's why I can't connect. Has anyone successfully set this up? Looking in the logs, I find the following at the bottom of the log shown below:

      Use of uninitialized value $try in concatenation (.) or string at /usr/lib/perl5/site_perl/5.16.1/Amazon/SQS/Simple/Base.pm line 136.
      ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.

      ----- [[ ( 4) logging categories ]] ----------------

        L_ERROR : fatal exceptions                  libcontrol
        L_WARN  : non-fatal exceptional conditions  libcontrol
        L_DEBUG : debug information                 /usr/bin/perl
        L_INFO  : normal execution information      /usr/bin/perl

      ----- [[ applied output ]] ------------------------

        -> fileset   path : /var/log/cloudtrail.log
                     files: 10
                     size : 1 meg(s) or 1048576b
                    redir : yes

      ----- [[ applied filters ]] -----------------------

        +L_ERROR|L_WARN|L_INFO  : +0x0040001800000000000000000000000b

      $VAR1 = {
                'datasource_url' => 'https://sqs.us-east-1.amazonaws.com/3XXXXXXXXXXX4/CloudTrail',
                'protocol' => 'api',
                'poll_interval' => '300',
                'type_orig' => '551',
                'userid' => 'AXXXXXXXXXXXXXXXXXXXA',
                'parser' => 'asp',
                'collector_orig' => 'cloudtrail',
                'password' => 'UXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=',
                'ipsid' => '1XXXXXXXXXXXXXXXXXXXX0',
                'timeout' => '300',
                'pool' => 'XXXX Pool',
                '_KEY' => 'CloudTrail',
                'elm_logging' => 1,
                'ip_address' => '127.0.0.1',
                'id' => 126,
                'collector' => 'cloudtrail',
                'parsing' => 1,
                'protocol_orig' => 'api',
                'created' => '1468857985',
                'override' => 'collector,protocol',
                'type' => '551'
              };
      Jul 18 16:11:23 L_INFO  15957|Execution parameters:
      Jul 18 16:11:23 L_INFO  15957|##########################################
      Jul 18 16:11:23 L_INFO  15957|        IPSID: 126
      Jul 18 16:11:23 L_INFO  15957|      SQS URL: https://sqs.us-east-1.amazonaws.com/3XXXXXXXXXXXXXXX4/CloudTrail
      Jul 18 16:11:23 L_INFO  15957| Vis. Timeout: 300
      Jul 18 16:11:23 L_INFO  15957|Poll Interval: 300
      Jul 18 16:11:23 L_INFO  15957|    AccessKey: AXXXXXXXXXXXXXXXXA
      Jul 18 16:11:23 L_INFO  15957|##########################################
      $VAR1 = bless( {
                       'SecretKey' => 'aXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1',
                       'AWSAccessKeyId' => 'AXXXXXXXXXXXXXXXXA',
                       'Version' => '2012-11-05',
                       'Endpoint' => 'http://queue.amazonaws.com',
                       'SignatureVersion' => 2
                     }, 'Amazon::SQS::Simple' );
      Use of uninitialized value $try in concatenation (.) or string at /usr/lib/perl5/site_perl/5.16.1/Amazon/SQS/Simple/Base.pm line 136.
      ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.
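
Added example, not part of the original post and not McAfee's collector code: the ping in the post only shows ICMP reachability, while the collector's error is a refused TCP connection to port 443. This Python check compares a direct TCP connect with an HTTP CONNECT tunnel through a proxy; the proxy host and port are placeholders (assumptions), as are the function names.

```python
import socket

def tcp_connect(host, port, timeout=5.0):
    """Direct TCP connect: returns 'open', 'refused', or 'error: <reason>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"          # same condition the collector log reports
    except OSError as exc:        # timeout, DNS failure, no route
        return f"error: {exc}"

def connect_via_proxy(proxy, target_host, target_port=443, timeout=5.0):
    """Send HTTP CONNECT to proxy=(host, port); return the status code or None."""
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii")
    reply = b""
    try:
        with socket.create_connection(proxy, timeout=timeout) as sock:
            sock.sendall(request)
            while b"\r\n" not in reply:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        return None
    # Status line looks like: HTTP/1.1 200 Connection established
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def diagnose(target, port=443, proxy=None):
    """Compare the direct path with the proxy path and name the situation."""
    direct = tcp_connect(target, port)
    status = connect_via_proxy(proxy, target, port) if proxy else None
    if direct == "open":
        verdict = "direct egress works"
    elif status == 200:
        verdict = "proxy-only egress: the client must be configured to use the proxy"
    else:
        verdict = "blocked on both paths"
    return {"direct": direct, "proxy_status": status, "verdict": verdict}

if __name__ == "__main__":
    # proxy.example.internal:3128 is a placeholder, not a value from the post.
    print(diagnose("sqs.us-east-1.amazonaws.com",
                   proxy=("proxy.example.internal", 3128)))
```

A "proxy-only egress" verdict means port 443 is reachable only through the proxy, so a client that opens its own socket to the SQS endpoint will keep seeing "Connection refused" regardless of what ping shows.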