I am configuring the Filebeat AWS module to fetch CloudTrail logs from an S3 bucket. I configured my settings from this article. However, somehow Filebeat is unable to find the SQS queue's region.

Here are my filebeat.yml input configurations:
```yaml
filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: s3
  queueURL: https://sqs.ap-south-1.amazonaws.com/123456789/s3-object-operation
  aws_partition: aws
  visibility_timeout: 300s
  access_key_id: ACCESS_KEY
  secret_access_key: SECRET_KEY
#- type: log

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  #paths:
    #- /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']
```

Here are my aws.yml configurations:
```yaml
- module: aws
  cloudtrail:
    enabled: true

    # AWS SQS queue url
    #var.queue_url: https://sqs.ap-south-1.amazonaws.com/123456789/s3-object-operation

    # Filename of AWS credential file
    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
    # "%UserProfile%\.aws\credentials" is used on Windows
    #var.shared_credential_file: /etc/filebeat/aws_credentials

    # Profile name for aws credential
    # If not set the default profile is used
    #var.credential_profile_name: fb-aws

    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    var.access_key_id: ACCESS_KEY
    var.secret_access_key: SECRET_KEY
    #var.session_token: session_token

    # The duration that the received messages are hidden from ReceiveMessage request
    # Default to be 300s
    var.visibility_timeout: 300s

    # Maximum duration before AWS API request will be interrupted
    # Default to be 120s
    #var.api_timeout: 120s

    # Custom endpoint used to access AWS APIs
    #var.endpoint: amazonaws.com

    # AWS IAM Role to assume
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
```

The following is the error message I get when I start Filebeat from the command line.
Problem statements:
- I am not sure why I am getting the "missing region" error even if the queue URL itself has the region name.
- I am not sure if I would be required to give the same queue URL one more time to fill in `var.queue_url` in aws.yml.