AWS CloudTrail SQS integration issues

bil15 · March 15, 2022, 8:04pm

Hello!
I'm trying to ingest AWS CloudTrail logs via AWS integration in Fleet using S3 input (SQS).
I followed this article to configure CloudTrail logs forwarding to SQS:
https://docs.rapid7.com/insightidr/aws-cloudtrail-sqs/

I've installed integration on Fleet server agent itself and customized configuration like this (Queue URL is 100% correct).

But I'm constantly facing an error:

Message: Failed processing <mark>SQS</mark> message
Error Message: 	
failed processing SQS message (message will be deleted): non-retryable error: the message is an invalid S3 notification: missing Records field
Stacktrace: github.com/elastic/beats/v7/x-pack/filebeat/input/awss3.(*sqsS3EventProcessor).ProcessSQS
	/go/src/github.com/elastic/beats/x-pack/filebeat/input/awss3/sqs_s3_event.go:157
github.com/elastic/beats/v7/x-pack/filebeat/input/awss3.(*sqsReader).Receive.func1
	/go/src/github.com/elastic/beats/x-pack/filebeat/input/awss3/sqs.go:91
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:1581

Has anyone faced the same issue?
I feel like the issue on Elastic side, not AWS.

legoguy1000 · March 16, 2022, 3:16am

Looks like u didn't setup which events get pushed to the queue properly. It should only be object creations.

system · April 13, 2022, 5:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.