Fleet AWS CloudTrail integration stops working after upgrading Elastic Agent to 7.12.0

Hi all,

We have a working AWS CloudTrail integration with Elastic Agent 7.10.1. After upgrading to 7.12 the CloudTrail data stops working without any error in the log.

I have tried to enable debug level on the agent but there is no error message at all.

Any idea how to solve the issue or at least to know what the error is?

Thank you.

Regards,
Nugroho

Hmmm have you tried 7.11? There is a bug introduced into 7.12 and it's fixed by [Filebeat] Fix gcp/vpcflow module defaulting to file input by andrewkroh · Pull Request #24719 · elastic/beats · GitHub.

@Kaiyan_Sheng I don't think that fix is related to the issue that I have (GCP vs AWS).

@Kaiyan_Sheng I can confirm that it works after I rolled back to 7.11.2.

I use an IAM Instance Profile (associated with an IAM Role) attached to EC2 and set all configuration to blank (no access key, no credentials, no role) and it works (default SDK fallback behavior, good).

It seems 7.12 breaks that behavior.

Thank you @nugroho-expereo for confirming!! OK I will go investigate what changed here!! Thanks!!

I have also found this to be the case. Today I upgraded our ES from 7.11 to 7.12, as well as upgrading my Elastic Agent to 7.12, after which I am no longer receiving logs using the AWS Integration. Prior to that, 7.11 was working fine.

Also note that I am collecting AWS CloudTrail and VPCFlow, which have both stopped. In an effort to try to fix it I deployed a newer version of the integration, from AWS v0.3.12 to AWS v0.5.0, which did not seem to fix the problem. Unlike Nugroho I am not using EC2 with IAM Role, I am using Access ID\Key.

Hello! Sorry for the late response here. I did some testing and found AWS log integration is broken because of the renaming of s3 input to aws-s3 input. Here is the PR that should fix this: Change s3 input name to aws-s3 by kaiyan-sheng · Pull Request #631 · elastic/integrations · GitHub

Thank you @Kaiyan_Sheng. When will the fix be released?

Hi @Kaiyan_Sheng

I see 7.12.1 was released a few days ago. Is the fix related to the s3 input naming (Pull Request 631) included with the 7.12.1 release?

Hello! This change is only affecting the aws integration and it is released in 0.5.4.

Thank you @Kaiyan_Sheng. It works after upgrading to 7.13 and the latest AWS package.
