AWS CloudTrail SQS integration issues

bil15 · March 15, 2022, 8:04pm

Hello!
I'm trying to ingest AWS CloudTrail logs via AWS integration in Fleet using S3 input (SQS).
I followed this article to configure CloudTrail logs forwarding to SQS:
https://docs.rapid7.com/insightidr/aws-cloudtrail-sqs/

I've installed integration on Fleet server agent itself and customized configuration like this (Queue URL is 100% correct).

But I'm constantly facing an error:

Message: Failed processing <mark>SQS</mark> message
Error Message: 	
failed processing SQS message (message will be deleted): non-retryable error: the message is an invalid S3 notification: missing Records field
Stacktrace: github.com/elastic/beats/v7/x-pack/filebeat/input/awss3.(*sqsS3EventProcessor).ProcessSQS
	/go/src/github.com/elastic/beats/x-pack/filebeat/input/awss3/sqs_s3_event.go:157
github.com/elastic/beats/v7/x-pack/filebeat/input/awss3.(*sqsReader).Receive.func1
	/go/src/github.com/elastic/beats/x-pack/filebeat/input/awss3/sqs.go:91
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:1581

Has anyone faced the same issue?
I feel like the issue on Elastic side, not AWS.

legoguy1000 · March 16, 2022, 3:16am

Looks like u didn't setup which events get pushed to the queue properly. It should only be object creations.

system · April 13, 2022, 5:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat and AWS Module unable to get CloudTrail logs Beats beats-module , filebeat	2	1416	June 25, 2020
Missing events when shipping Cloudtrail logs with Filebeat and the AWS module Beats beats-module , filebeat	9	1128	August 12, 2020
Filebeat:aws:cloudtrail Beats filebeat	1	409	February 12, 2021
Filebeat AWS Module Errors and Missing Logs Beats beats-module , filebeat	1	759	September 8, 2020
AWS S3 buclet with SQS failed processing SQS S3 event notification Elastic Agent elastic-stack-security	3	260	March 1, 2024

AWS CloudTrail SQS integration issues

Related Topics