Splunk Lantern

Analyzing AWS service action errors

CloudTrail is the AWS service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Every API call made by a user, role, or AWS service, whether it succeeds or fails, is recorded as an event that describes who made the call, from where, and with what outcome. Failed calls carry an error code and error message, and you want to use those errors not only for alerting but for proactive security hunting.

Data required

Amazon Web Services: CloudTrail

How to use Splunk software for this use case

  1. Run the following search. You can optimize it by specifying an index and adjusting the time range.

     sourcetype=aws:cloudtrail
     | stats count BY errorCode
     | sort - count

  2. After you find errors you want to investigate, run the following search, replacing <error name> with the errorCode value you want to drill into:

     sourcetype=aws:cloudtrail errorCode=<error name>
     | table awsregion eventName userName src_ip userAgent errorMessage
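The following script is an added example, not code from this Splunk Lantern article or from Splunk: it reimplements what the two searches above do, in plain Python, over a handful of constructed CloudTrail records, so you can see how the raw CloudTrail field names (awsRegion, sourceIPAddress, userIdentity.userName) map onto the Splunk field names the searches use (awsregion, src_ip, userName). The record contents, IP addresses, the account ID, and the way an assumed-role identity is reduced to a userName are all assumptions made for the example.

```python
"""Added example (not from the Splunk Lantern article or from Splunk): the two
CloudTrail searches from the article, reimplemented in plain Python over
constructed records to show what each clause does to the data."""
import json
from collections import Counter

# A constructed assumed-role identity, reused by two records below. The
# 123456789012 account ID and role name are made up for this example.
DEPLOY_ROLE = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci",
    "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DeployRole"}},
}

# Constructed sample shaped like the Records[] array CloudTrail writes to S3.
# Successful calls carry no errorCode/errorMessage, exactly as in real trails.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventName": "ListBuckets", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
     "userIdentity": DEPLOY_ROLE,
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.44", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized "
                     "to perform: iam:CreateUser"},
    {"eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "AssumeRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.44", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized "
                     "to perform: sts:AssumeRole"},
    {"eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
     "userIdentity": DEPLOY_ROLE},
]})

# Columns of the article's second search, in the order its | table lists them.
TABLE_COLUMNS = ("awsregion", "eventName", "userName", "src_ip", "userAgent", "errorMessage")


def load_records(trail_json):
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(trail_json)["Records"]


def _user_name(identity):
    # Simplified resolution for this example, not the Splunk add-on's exact logic:
    # IAM users carry userName directly; assumed roles name the role under
    # sessionContext.sessionIssuer; anything else falls back to the ARN.
    if identity.get("userName"):
        return identity["userName"]
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or identity.get("arn") or "unknown"


def count_by_error_code(records):
    """Equivalent of `| stats count BY errorCode | sort - count`.

    Records without an errorCode (successful calls) are dropped, just as
    stats BY drops events that lack the split-by field. Ties sort by name
    so the output is deterministic."""
    counts = Counter(r["errorCode"] for r in records if "errorCode" in r)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def error_details(records, error_code):
    """Equivalent of `errorCode=<error name> | table ...`: one dict per
    matching record, keyed by the Splunk field names the article uses."""
    rows = []
    for r in records:
        if r.get("errorCode") != error_code:
            continue
        rows.append({
            "awsregion": r.get("awsRegion"),
            "eventName": r.get("eventName"),
            "userName": _user_name(r.get("userIdentity", {})),
            "src_ip": r.get("sourceIPAddress"),
            "userAgent": r.get("userAgent"),
            "errorMessage": r.get("errorMessage"),
        })
    return rows


if __name__ == "__main__":
    records = load_records(SAMPLE_TRAIL)
    print("errorCode                       count")
    for code, count in count_by_error_code(records):
        print(f"{code:<32}{count}")
    print()
    print(" | ".join(TABLE_COLUMNS))
    for row in error_details(records, "AccessDenied"):
        print(" | ".join(str(row[c]) for c in TABLE_COLUMNS))
```

One point the script makes visible: like stats count BY errorCode in Splunk, the aggregation drops every record that has no errorCode field, which is every successful API call. The first search therefore only ever shows failures, and the number of successful calls behind each failure is not visible in it; when you drill into a principal from the second search, run a separate search on that userName or src_ip without the errorCode filter to see what it did succeed at.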

Search explanation

Each part of the searches above, with what it does:

sourcetype=aws:cloudtrail
    Search only AWS CloudTrail logs.

| stats count BY errorCode
    Calculate a count total for each error code.

| sort - count
    Sort with the most frequently occurring first.

errorCode=<error name>
    Search for more information on a specific error.

| table awsregion eventName userName src_ip userAgent errorMessage
    Display the results in a table with columns in the order shown.

Next steps

This additional Splunk resource might help you understand and implement these recommendations:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.