Filebeat AWS Module SQS Queue Configurations Errors

Elastic Stack Beats
1

I am configuring filebeat AWS module to fetch Cloudtrail logs from an s3 bucket. I configured my settings from this article. However, somehow filebeat is unable to find SQS queue's region.

here is my filebeat.yml input configurations

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: s3
  queueURL: https://sqs.ap-south-1.amazonaws.com/123456789/s3-object-operation
  aws_partition: aws
  visibility_timeout: 300s
  access_key_id: ACCESS_KEY
  secret_access_key: SECRET_KEY
#- type: log

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  #paths:
    #- /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

here are my aws.yml configurations.

- module: aws
  cloudtrail:
    enabled: true

    # AWS SQS queue url
    #var.queue_url: https://sqs.ap-south-1.amazonaws.com/123456789/s3-object-operation

    # Filename of AWS credential file
    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
    # "%UserProfile%\.aws\credentials" is used on Windows
    #var.shared_credential_file: /etc/filebeat/aws_credentials

    # Profile name for aws credential
    # If not set the default profile is used
    #var.credential_profile_name: fb-aws

    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    var.access_key_id: ACCESS_KEY
    var.secret_access_key: SECRET_KEY
    #var.session_token: session_token

    # The duration that the received messages are hidden from ReceiveMessage request
    # Default to be 300s
    var.visibility_timeout: 300s

    # Maximum duration before AWS API request will be interrupted
    # Default to be 120s
    #var.api_timeout: 120s

    # Custom endpoint used to access AWS APIs
    #var.endpoint: amazonaws.com

    # AWS IAM Role to assume
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb

Following is the error message I get when I start filebeat from command line.

Selection_109
Selection_1091350×202 92.5 KB

Problem statements:

  1. I am not sure why I am getting the "missing region" error even if queue URL itself has the region name.
  2. I am not sure if I would require to give the same queue URL one more time to fill in var.queue_url in aws.yml.
2

can anyone help with this?

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.