Splunk Lantern

Following best practices for ingesting data from your AWS environment

Effectively collecting and utilizing information from your cloud environment is paramount for maintaining operational visibility, security, and performance. Amazon Web Services (AWS) offers a vast array of services, generating critical data that, when properly ingested and monitored, can provide invaluable insights into your organization's health and efficiency. However, navigating the myriad AWS services and architectural patterns for data ingestion can be complex.   

This article serves as a guide, offering service-specific recommendations for ingesting data from your AWS environment into the Splunk platform. There are multiple methods for ingesting data from AWS. The Splunk Validated Architecture (SVA) for AWS discusses each of these methods in detail and helps you understand which method is best for your use case. The guidance for each of the services below builds upon the guidance in the AWS SVA.

AWS services

Amazon API Gateway

The recommended approach is to configure CloudWatch logging for your REST APIs in API Gateway, and then use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to Splunk HTTP Event Collector via Amazon Data Firehose. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the logs from CloudWatch.
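The CloudWatch-to-Firehose-to-HEC push path recommended above (and in most of the sections that follow) delivers each CloudWatch Logs subscription payload as a gzip-compressed, base64-encoded JSON record, which has to be unpacked and reshaped before HEC can index it. The following is an added example, not Data Manager's or Splunk's own code: it decodes such a record, drops CloudWatch's CONTROL_MESSAGE probes, rescales millisecond timestamps to HEC's epoch seconds, and emits HEC event objects; the sample payload, the `aws:apigateway` sourcetype and the host/source mapping are this example's assumptions.

```python
import base64
import gzip
import json

# Constructed sample of the payload CloudWatch Logs hands to a subscription
# filter destination (here a Firehose stream). Field names follow the
# documented subscription-filter format; the values are made up.
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "/aws/apigateway/example-rest-api",
    "logStream": "example-stream",
    "subscriptionFilters": ["example-filter"],
    "logEvents": [
        {"id": "1", "timestamp": 1700000000000, "message": "GET /pets 200"},
        {"id": "2", "timestamp": 1700000001500, "message": "GET /pets/1 403"},
    ],
}
# CloudWatch also sends CONTROL_MESSAGE probes that carry no log lines.
CONTROL_PAYLOAD = {"messageType": "CONTROL_MESSAGE", "logEvents": []}

def encode_record(payload: dict) -> str:
    """Build Firehose record data as delivered: gzip-compressed JSON, base64-encoded."""
    return base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()

def decode_record(data_b64: str) -> dict:
    """Reverse of encode_record: base64 -> gunzip -> JSON."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)))

def to_hec_events(data_b64: str, sourcetype: str = "aws:apigateway") -> list:
    """Expand one Firehose record into HEC event objects.

    CONTROL_MESSAGE records are dropped. CloudWatch timestamps are epoch
    milliseconds and HEC's "time" is epoch seconds, so they are rescaled.
    The host/source mapping is this example's choice, not a Splunk default.
    """
    payload = decode_record(data_b64)
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    source = f"{payload['logGroup']}:{payload['logStream']}"
    return [{"time": ev["timestamp"] / 1000.0, "host": payload["owner"],
             "source": source, "sourcetype": sourcetype, "event": ev["message"]}
            for ev in payload["logEvents"]]

def to_hec_body(data_b64: str) -> str:
    """Newline-delimited JSON, the body HEC's /services/collector endpoint accepts."""
    return "\n".join(json.dumps(e) for e in to_hec_events(data_b64))
```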

AWS Cost and Usage Reports (CUR) 

The recommended approach is to configure the Splunk Add-on for AWS to pull your Cost and Usage reports.

Splunk GitHub: Configure Billing (Cost and Usage Report) inputs for the Splunk Add-on for AWS

Amazon CloudFront Access Logs

The recommended approach is to configure CloudWatch logging for CloudFront, and then use Data Manager to deploy and monitor the infrastructure to push the access logs from CloudWatch to Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the access logs from CloudWatch.

AWS CloudHSM

Audit logging is automatically enabled in all AWS CloudHSM clusters. It cannot be disabled or turned off, and no settings can prevent AWS CloudHSM from exporting the logs to CloudWatch Logs. The recommended approach is to use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the logs from CloudWatch. 

AWS CloudTrail 

The recommended approach is to configure CloudTrail to send events to CloudWatch, and then use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the logs from CloudWatch or S3. 

AWS CloudTrail Lake 

The recommended approach is to configure the Splunk Add-on for AWS to pull the data from your CloudTrail Lake. 

Splunk GitHub: Configure CloudTrail Lake inputs for the Splunk Add-on for AWS 

Amazon CloudWatch Logs

The recommended approach is to use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the logs from CloudWatch. 

Amazon CloudWatch Metrics 

The recommended approach is to configure the Splunk Add-on for AWS to pull your CloudWatch Metrics.

Splunk GitHub: Configure CloudWatch inputs for the Splunk Add-on for AWS

AWS Config Snapshots

The recommended approach is to configure the Splunk Add-on for AWS to pull your Config Snapshots. 

Splunk GitHub: Configure Config inputs for the Splunk Add-on for AWS 

AWS Config Rules 

The recommended approach is to configure the Splunk Add-on for AWS to pull your Config Rule data.

Splunk GitHub: Configure Config Rules inputs for the Splunk Add-on for AWS 

Amazon DocumentDB 

The recommended approach is to configure monitoring of your DocumentDB using CloudWatch, and then use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the logs from CloudWatch. 

If you use Amazon DocumentDB as a data source, you must enable audit logging both on your cluster and on Amazon DocumentDB in order to export logs to your CloudWatch log group for the accounts and regions that you select. See Monitoring Amazon DocumentDB with CloudWatch.

Amazon EKS

The recommended approach is to enable logging and monitoring in EKS, and then use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the logs from CloudWatch. 

For additional Kubernetes logs and metrics, the recommended approach is to deploy the Splunk OpenTelemetry Collector.

AWS Elastic Load Balancer (ELB) Access Logs

The recommended approach is to enable access logs for your Application Load Balancers, and then use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the logs from CloudWatch. 

Amazon GuardDuty 

The recommended approach is to enable GuardDuty in your accounts, and then use Data Manager to deploy and monitor the infrastructure to push the GuardDuty findings to Splunk HTTP Event Collector. 

IAM Access Analyzer 

The recommended approach is to enable IAM Access Analyzer in your accounts, and then use Data Manager to deploy and monitor the infrastructure to push the data to Splunk HTTP Event Collector.

AWS IAM Credential Reports 

The recommended approach is to use Data Manager to deploy and monitor the infrastructure to push the IAM Credential Reports to the Splunk HTTP Event Collector. 

Splunk Help: Onboard AWS in Data Manager

Amazon Inspector (v2) 

The recommended approach is to configure the Splunk Add-on for AWS to pull your Inspector v2 data.

Splunk GitHub: Configure Inspector v2 inputs for the Splunk Add-on for AWS 

AWS Lambda 

Lambda logs are sent to CloudWatch by default. The recommended approach is to use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to the Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the logs from CloudWatch.

Metadata 

The recommended approach is to use Data Manager to deploy and monitor the infrastructure to push the Metadata to the Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the Metadata. 

Amazon RDS

The recommended approach is to configure RDS to publish database logs to CloudWatch, and then use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to the Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull the logs from CloudWatch. 

Amazon S3 

The recommended approach is to use Data Manager to deploy and monitor the infrastructure to pull data incrementally from S3 using SQS. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull data incrementally from S3 using SQS. 
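The incremental S3-via-SQS pull recommended here (and again for S3 Access Logs and Transit Gateway Flow logs below) works from S3 event notifications queued in SQS rather than by listing the bucket, so the collector has to parse those notifications correctly and acknowledge a message only after the objects it names were fetched. The following is an added example, not the Splunk Add-on's or Data Manager's code: it handles direct and SNS-wrapped notifications, skips the s3:TestEvent sent when a notification configuration is saved, URL-decodes object keys, and keeps failed messages for redelivery; the sample bodies and the injected `fetch` callable are this example's assumptions.

```python
import json
from urllib.parse import unquote_plus

# Constructed samples of the SQS message bodies an S3-to-SQS input must cope
# with. Bucket and key values are made up for this example.
DIRECT_BODY = json.dumps({"Records": [{
    "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-cloudtrail-bucket"},
           "object": {"key": "AWSLogs/123456789012/CloudTrail/log+file%2B1.json.gz"}},
}]})
# Bucket -> SNS topic -> SQS: the S3 event is a JSON string in "Message".
SNS_WRAPPED_BODY = json.dumps({"Type": "Notification", "Message": DIRECT_BODY})
# Sent once when a notification configuration is saved; names no object.
TEST_EVENT_BODY = json.dumps({"Event": "s3:TestEvent", "Bucket": "example-cloudtrail-bucket"})

def extract_objects(body: str) -> list:
    """Return (bucket, key) pairs named by one SQS message body.
    Unwraps SNS envelopes, skips s3:TestEvent and non-create events, and
    URL-decodes keys: S3 percent-encodes them and writes spaces as '+', so a
    GetObject on the raw key would miss the object.
    """
    msg = json.loads(body)
    if "Message" in msg and "Records" not in msg:
        msg = json.loads(msg["Message"])
    if msg.get("Event") == "s3:TestEvent":
        return []
    found = []
    for rec in msg.get("Records", []):
        if (rec.get("eventSource") != "aws:s3"
                or not rec.get("eventName", "").startswith("ObjectCreated:")):
            continue
        key = unquote_plus(rec["s3"]["object"]["key"])
        found.append((rec["s3"]["bucket"]["name"], key))
    return found

def process_batch(bodies: list, fetch) -> tuple:
    """Ingest a batch via a caller-supplied fetch(bucket, key); return
    (keys_ingested, bodies_to_retry). A message is acknowledged only after
    every object it names was fetched; on failure it is kept so SQS
    redelivers it after the visibility timeout (at-least-once delivery)."""
    ingested, retry = [], []
    for body in bodies:
        try:
            for bucket, key in extract_objects(body):
                fetch(bucket, key)
                ingested.append(key)
        except Exception:
            retry.append(body)
    return ingested, retry
```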

Amazon S3 Access Logs 

The recommended approach is to configure access logging in S3, and then use Data Manager to deploy and monitor the infrastructure to pull data incrementally from S3 using SQS.

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull data incrementally from S3 using SQS. 

AWS Security Hub

The recommended approach is to enable Security Hub in your accounts, and then use Data Manager to deploy and monitor the infrastructure to push the Security Hub events to Splunk HTTP Event Collector. 

Amazon Security Lake 

The recommended approach is to configure the Splunk Add-on for AWS to pull your Security Lake data.

Splunk GitHub: Configure Security Lake inputs for the Splunk Add-on for AWS 

AWS Transit Gateway Flow logs

The recommended approach is to configure the Splunk Add-on for AWS to incrementally pull your Transit Gateway Flow logs from S3 using SQS.

Splunk GitHub: Configure Transit Gateway Flow Logs inputs for the Splunk Add-on for AWS

Amazon VPC Flow logs

The recommended approach is to configure your VPC to publish Flow logs to CloudWatch, and then use Data Manager to deploy and monitor the infrastructure to push the logs from CloudWatch to Splunk HTTP Event Collector. 

If Data Manager is not available to you, the next best option is to configure the Splunk Add-on for AWS to pull logs from CloudWatch. 

Additional resources

These additional resources might help you understand and implement this guidance: