Filebeat AWS Module SQS Queue Configurations Errors

ankitdevnalkar · March 8, 2021, 5:50pm

I am configuring filebeat AWS module to fetch Cloudtrail logs from an s3 bucket. I configured my settings from this article. However, somehow filebeat is unable to find SQS queue's region.

here is my filebeat.yml input configurations

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: s3
  queueURL: https://sqs.ap-south-1.amazonaws.com/123456789/s3-object-operation
  aws_partition: aws
  visibility_timeout: 300s
  access_key_id: ACCESS_KEY
  secret_access_key: SECRET_KEY
#- type: log

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  #paths:
    #- /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

here are my aws.yml configurations.

- module: aws
  cloudtrail:
    enabled: true

    # AWS SQS queue url
    #var.queue_url: https://sqs.ap-south-1.amazonaws.com/123456789/s3-object-operation

    # Filename of AWS credential file
    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
    # "%UserProfile%\.aws\credentials" is used on Windows
    #var.shared_credential_file: /etc/filebeat/aws_credentials

    # Profile name for aws credential
    # If not set the default profile is used
    #var.credential_profile_name: fb-aws

    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    var.access_key_id: ACCESS_KEY
    var.secret_access_key: SECRET_KEY
    #var.session_token: session_token

    # The duration that the received messages are hidden from ReceiveMessage request
    # Default to be 300s
    var.visibility_timeout: 300s

    # Maximum duration before AWS API request will be interrupted
    # Default to be 120s
    #var.api_timeout: 120s

    # Custom endpoint used to access AWS APIs
    #var.endpoint: amazonaws.com

    # AWS IAM Role to assume
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb

Following is the error message I get when I start filebeat from command line.

Problem statements:

I am not sure why I am getting the "missing region" error even if queue URL itself has the region name.
I am not sure if I would require to give the same queue URL one more time to fill in var.queue_url in aws.yml.

ankitdevnalkar · March 9, 2021, 5:37am

can anyone help with this?

system · April 6, 2021, 7:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat and AWS Module unable to get CloudTrail logs Beats beats-module , filebeat	2	1416	June 25, 2020
Filebeat AWS Module No found Beats beats-module , filebeat	6	591	August 29, 2021
Filebeat AWS Module Errors and Missing Logs Beats beats-module , filebeat	1	759	September 8, 2020
Ingest AWS-CloudTrail Logs Beats beats-module , filebeat	11	758	July 8, 2021
Filebeat not ingesting logs from s3 Beats filebeat	10	1280	December 19, 2019

Filebeat AWS Module SQS Queue Configurations Errors

Related topics