Hi,
I've been trying to set up the AWS module on a 7.15 Elastic Stack cluster running as containers to ingest cloudtrail, cloudwatch, elb, s3access and vpcflow events (configured only for cloudtrail atm).
However, there seems to be some bug in filebeat wherein when bucket.arn is configured, it always appends us-east-1 region by default making the S3 bucket inaccessible.
The relevant filebeat config is as follows:
```yaml
- module: aws
  cloudtrail:
    enabled: true
    var.bucket_arn: 'arn:aws:s3:::test-bucket'
    var.bucket_list_interval: 300s
    var.number_of_workers: 5
    var.access_key_id: ${ACCESS_KEY}
    var.secret_access_key: ${SECRET_KEY}
    var.visibility_timeout: 300s
    var.api_timeout: 120s
    var.endpoint: amazonaws.com
    var.default_region: "${AWS_REGION:eu-west-1}"
```
with S3 type input set as:
```yaml
- type: aws-s3
  bucket_arn: arn:aws:s3:::test-bucket
  number_of_workers: 5
  bucket_list_interval: 300s
  expand_event_list_from_field: Records
  access_key_id: ${ACCESS_KEY}
  secret_access_key: ${SECRET_KEY}
  endpoint: amazonaws.com
  default_region: "${AWS_REGION:eu-west-1}"
  parsers:
    - multiline:
        pattern: "^<Event"
        negate: true
        match: after
```
However, no matter what config I provide (when using bucket_arn), us-east-1 is always appended to the connection string. Sample logs are as follows:
{"level":"error","timestamp":"2021-10-29T09:32:18.382Z","logger":"input.aws-s3","caller":"compat/compat.go:122","message":"Input 'aws-s3' failed with: failed to initialize s3 poller: failed to get AWS region for bucket_arn: exceeded maximum number of attempts, 3, request send failed, Get \"https://s3.us-east-1.eu-west-1.amazonaws.com/test-bucket?location=\": Forbidden","id":"7C946250A2CBE8D6"}
{"level":"error","timestamp":"2021-10-29T09:42:04.606Z","logger":"input.aws-s3","caller":"compat/compat.go:122","message":"Input 'aws-s3' failed with: failed to initialize s3 poller: failed to get AWS region for bucket_arn: exceeded maximum number of attempts, 3, request send failed, Get \"https://s3.us-east-1.s3.eu-west-1.amazonaws.com/test-bucket?location=\": x509: certificate is valid for s3-eu-west-1.amazonaws.com, *.s3-eu-west-1.amazonaws.com, s3.eu-west-1.amazonaws.com, *.s3.eu-west-1.amazonaws.com, s3.dualstack.eu-west-1.amazonaws.com, *.s3.dualstack.eu-west-1.amazonaws.com, *.s3.amazonaws.com, *.s3-control.eu-west-1.amazonaws.com, s3-control.eu-west-1.amazonaws.com, *.s3-control.dualstack.eu-west-1.amazonaws.com, s3-control.dualstack.eu-west-1.amazonaws.com, *.s3-accesspoint.eu-west-1.amazonaws.com, *.s3-accesspoint.dualstack.eu-west-1.amazonaws.com, *.s3.eu-west-1.vpce.amazonaws.com, not s3.us-east-1.s3.eu-west-1.amazonaws.com","id":"25BD02C5CFA1AFB3"}
{"level":"error","timestamp":"2021-10-29T09:49:33.194Z","logger":"input.aws-s3","caller":"compat/compat.go:122","message":"Input 'aws-s3' failed with: failed to initialize s3 poller: failed to get AWS region for bucket_arn: exceeded maximum number of attempts, 3, request send failed, Get \"https://s3.us-east-1.https://s3.eu-west-1.amazonaws.com/test-bucket/test-bucket?location=\": Forbidden","id":"73D457479F8D5CDB"}
{"level":"error","timestamp":"2021-10-29T10:00:02.343Z","logger":"input.aws-s3","caller":"compat/compat.go:122","message":"Input 'aws-s3' failed with: failed to initialize s3 poller: failed to get AWS region for bucket_arn: exceeded maximum number of attempts, 3, request send failed, Get \"https://s3.us-east-1.amazonaws.com/test-bucket?location=\": Forbidden","id":"BDCC88C015F87747"}
@Kaiyan_Sheng can you please help me to resolve this? Maybe I'm missing something?
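
A triage helper for the errors above, added as an example and not part of the original post or of Filebeat: it pulls the requested host out of each error, checks whether it is a well-formed regional S3 host (`s3.<region>.amazonaws.com`), and replays the wildcard SAN match behind the x509 failure. The sample lines are abridged from the post's logs, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: abridged from the log lines in the post (SAN list shortened).
SAMPLE_LOGS = [
    r'{"level":"error","message":"failed to get AWS region for bucket_arn: Get \"https://s3.us-east-1.eu-west-1.amazonaws.com/test-bucket?location=\": Forbidden"}',
    r'{"level":"error","message":"failed to get AWS region for bucket_arn: Get \"https://s3.us-east-1.s3.eu-west-1.amazonaws.com/test-bucket?location=\": x509: certificate is valid for s3.eu-west-1.amazonaws.com, *.s3.eu-west-1.amazonaws.com, *.s3.amazonaws.com, not s3.us-east-1.s3.eu-west-1.amazonaws.com"}',
    r'{"level":"error","message":"failed to get AWS region for bucket_arn: Get \"https://s3.us-east-1.amazonaws.com/test-bucket?location=\": Forbidden"}',
]

REQUEST = re.compile(r'Get "(?P<url>[^"]+)": (?P<cause>.*)$')
SANS = re.compile(r"certificate is valid for (?P<sans>.+), not \S+$")
REGIONAL_S3 = re.compile(r"^s3\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")


def san_matches(host, san):
    """Wildcard SAN match: '*' counts only as the whole left-most label and covers one label."""
    h, s = host.lower().split("."), san.lower().split(".")
    if len(h) != len(s):
        return False
    first_ok = s[0] == "*" or s[0] == h[0]
    return first_ok and h[1:] == s[1:]


def triage(line):
    """Return the requested host, the region it encodes (None if malformed) and the TLS verdict."""
    msg = json.loads(line)["message"]
    req = REQUEST.search(msg)
    if not req:
        return None
    host = urlsplit(req["url"]).hostname
    regional = REGIONAL_S3.match(host)
    sans = SANS.search(req["cause"])
    cert_ok = None  # None: the log line carries no certificate details
    if sans:
        cert_ok = any(san_matches(host, s) for s in sans["sans"].split(", "))
    return {"host": host, "region": regional["region"] if regional else None,
            "cause": req["cause"].split(":")[0], "cert_ok": cert_ok}


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(triage(entry))
```

Only the third sample resolves to a well-formed regional host; the first two carry extra labels after `s3.us-east-1.`, and for the second no SAN in the list covers the resulting name.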