Filebeat Cisco Umbrella module

Hi, I am trying to configure Filebeat to get logs from Cisco Umbrella, but something doesn't work.

The logs are in a bucket Cisco managed.

If I try to list the bucket I am successful, with:

/usr/local/bin/aws s3 ls s3://umbrella-managed-<MyCompanyID>-<idKey>

It is authenticated and works flawlessly.

If I configure the umbrella filebeat module in this way:

            enabled: true

            var.input: s3
            # AWS SQS queue url
            # Access ID to authenticate with the S3 input
            var.access_key_id: <myKeyID>
            # Access key to authenticate with the S3 input
            var.secret_access_key: <mySecretAccessKey>
            # The duration that the received messages are hidden from ReceiveMessage request
            #var.visibility_timeout: 300s
            # Maximum duration before AWS API request will be interrupted
            #var.api_timeout: 120s

I get a bunch of errors:

2020-11-26T19:00:25.335+0100 ERROR [input.s3] s3/collector.go:107 SQS ReceiveMessageRequest failed: InvalidClientTokenId: The security token included in the request is invalid.

I think I am missing the CiscoQueue. Where can I find this queue?

Thank you

I stumbled upon the same problem and the only solution I came up with was to use my own S3 bucket with SQS notifications enabled. It seems to me that the buckets managed by Cisco do not have SQS notifications enabled.
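
An added example, not part of the original thread: the error above comes from the S3 input calling SQS, so a self-managed bucket needs an event notification to a queue and a queue policy that lets S3 publish to it. This Python sketch builds both documents and audits a queue policy for missing source restrictions; the bucket name, queue ARN, account ID and prefix are constructed placeholders.

```python
import json

# Constructed sample values, not taken from the thread.
BUCKET = "example-umbrella-logs"
ACCOUNT_ID = "111122223333"
QUEUE_ARN = "arn:aws:sqs:eu-west-1:111122223333:example-umbrella-queue"

def build_queue_policy(queue_arn, bucket, account_id):
    """SQS access policy: only S3, for this bucket in this account, may send."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowS3EventNotifications",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        "Condition": {
            "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket}"},
            "StringEquals": {"aws:SourceAccount": account_id},
        },
    }]}

def build_bucket_notification(queue_arn, prefix=""):
    """Bucket notification config: one SQS message per object created."""
    cfg = {"QueueArn": queue_arn, "Events": ["s3:ObjectCreated:*"]}
    if prefix:
        cfg["Filter"] = {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
    return {"QueueConfigurations": [cfg]}

def audit_queue_policy(policy, bucket):
    """List Allow statements for SendMessage that are not pinned to the bucket."""
    findings = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sends = any(a in ("sqs:SendMessage", "sqs:*", "*") for a in actions)
        if st.get("Effect") != "Allow" or not sends:
            continue
        sid, cond = st.get("Sid", "<no Sid>"), st.get("Condition", {})
        src = [cond.get(op, {}).get("aws:SourceArn") for op in ("ArnLike", "ArnEquals")]
        if f"arn:aws:s3:::{bucket}" not in src:
            findings.append(f"{sid}: SendMessage not restricted to bucket {bucket}")
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            findings.append(f"{sid}: no aws:SourceAccount condition")
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: wildcard principal")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_queue_policy(QUEUE_ARN, BUCKET, ACCOUNT_ID), indent=2))
    print(json.dumps(build_bucket_notification(QUEUE_ARN, "dnslogs/"), indent=2))
```

The queue's URL then goes into the module's `var.queue_url` setting, and the access key Filebeat uses needs permission to read the queue and the bucket objects.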
