Fleet AWS Cloudtrail integration stops working after upgrading elastic agent to 7.12.0

nugroho-expereo · April 2, 2021, 4:09pm

Hi all,

We have a working AWS CloudTrail integration with Elastic agent 7.10.1. After upgrading to 7.12 the cloud trail data stops working without any error in the log.

I have tried to enabled debug level on agent but there is no error message at all.

Any idea how to solve the issue or at least to know what the error is?

Thank you.

Regards,
Nugroho

Kaiyan_Sheng · April 6, 2021, 3:44pm

Hmmm have you tried 7.11? There is a bug introduced into 7.12 and it's fixed by [Filebeat] Fix gcp/vpcflow module defaulting to file input by andrewkroh · Pull Request #24719 · elastic/beats · GitHub.

nugroho-expereo · April 6, 2021, 5:01pm

@Kaiyan_Sheng I don't think that fix is related to the issue that I have (GCP vs AWS).

nugroho-expereo · April 6, 2021, 6:27pm

@Kaiyan_Sheng I can confirm that it works after I rolled back to 7.11.2.

I use IAM Instance Profile (associated with IAM Role) attached to EC2 and set all configuration to blank (no access key, no credentials, no role) and it works (default SDK fallback behavior-- good).

It seems 7.12 breaks that behavior.

Kaiyan_Sheng · April 7, 2021, 2:15pm

Thank you @nugroho-expereo for confirming!! OK I will go investigate what changed here!! Thanks!!

kspalding · April 10, 2021, 12:17am

I have also found this to be the case. Today I upgraded our ES from 7.11 to 7.12, as well as upgrading my Elastic Agent to 7.12 after which I am no longer receiving logs using the AWS Integration. Prior 7.11 was working fine.

Also note that I am collecting AWS CloudTrail and VPCFlow which which have both stoped. In an effort to try to fix I deployed a newer version of the integration from AWS v0.3.12 to AWS v0.5.0 which did not seem to fix the problem. Unlike Nugroho I am not using EC2 with IAM Role, I am using Access ID\Key.

Kaiyan_Sheng · April 28, 2021, 9:25pm

Hello! Sorry for the late response here. I did some testing and found AWS log integration is broken because of the renaming of s3 input to aws-s3 input. Here is the PR that should fix this: Change s3 input name to aws-s3 by kaiyan-sheng · Pull Request #631 · elastic/integrations · GitHub

nugroho-expereo · April 29, 2021, 12:26pm

Thank you @Kaiyan_Sheng. When will the fix be released?

kspalding · May 4, 2021, 6:20pm

Hi @Kaiyan_Sheng

I see 7.12.1 was released a few days ago. Is the fix related to the s3 input naming (Pull Request 631) included with included with 7.12.1 release?

Kaiyan_Sheng · May 19, 2021, 9:28pm

Hello! This change is only affecting the aws integration and it is released in 0.5.4.

nugroho-expereo · May 31, 2021, 12:05pm

Thank you @Kaiyan_Sheng. It works after upgrading to 7.13 and the latest AWS package.

system · June 28, 2021, 2:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.