AWS Cloud Trail - ingestion via the SQS

I have an issue with AWS CloudTrail ingestion via SQS. I have followed the document - AWS CloudTrail Input.
I am using Graylog open source. Now I don't see the messages or logs in Graylog after the integration.

Hey @harishpal2090

To clarify, no log messages are making it into Graylog since the setup of the Cloudtrail input or just the messages you expect from the Input?

Is there nothing within /var/log/graylog-server/server.log that points to a problem?

This is what I am seeing in the server.log:
2024-10-09T01:07:43.256Z INFO [PeriodicalsService] Not starting [org.graylog2.periodical.UserPermissionMigrationPeriodical] periodical. Not configured to run on this node.
2024-10-09T01:07:43.257Z INFO [Periodicals] Starting [org.graylog2.periodical.ConfigurationManagementPeriodical] periodical, running forever.
2024-10-09T01:07:43.261Z INFO [Periodicals] Starting [org.graylog2.periodical.LdapGroupMappingMigration] periodical, running forever.
2024-10-09T01:07:43.264Z INFO [Periodicals] Starting [org.graylog2.periodical.IndexFailuresPeriodical] periodical, running forever.
2024-10-09T01:07:43.266Z INFO [Periodicals] Starting [org.graylog2.periodical.TrafficCounterCalculator] periodical in [0s], polling every [1s].
2024-10-09T01:07:43.267Z INFO [Periodicals] Starting [org.graylog2.indexer.fieldtypes.IndexFieldTypePollerPeriodical] periodical in [0s], polling every [3600s].
2024-10-09T01:07:43.269Z INFO [Periodicals] Starting [org.graylog.scheduler.periodicals.ScheduleTriggerCleanUp] periodical in [120s], polling every [86400s].
2024-10-09T01:07:43.271Z INFO [Periodicals] Starting [org.graylog.plugins.sidecar.periodical.PurgeExpiredSidecarsThread] periodical in [0s], polling every [600s].
2024-10-09T01:07:43.272Z INFO [Periodicals] Starting [org.graylog.plugins.sidecar.periodical.PurgeExpiredConfigurationUploads] periodical in [0s], polling every [600s].
2024-10-09T01:07:43.273Z INFO [Periodicals] Starting [org.graylog.plugins.views.search.db.SearchesCleanUpJob] periodical in [3600s], polling every [28800s].
2024-10-09T01:07:43.273Z INFO [Periodicals] Starting [org.graylog.events.periodicals.EventNotificationStatusCleanUp] periodical in [120s], polling every [86400s].
2024-10-09T01:07:43.274Z INFO [Periodicals] Starting [org.graylog.plugins.collector.periodical.PurgeExpiredCollectorsThread] periodical in [0s], polling every [3600s].
2024-10-09T01:07:43.589Z INFO [JerseyService] Enabling CORS for HTTP endpoint
2024-10-09T01:08:04.206Z INFO [NetworkListener] Started listener bound to [0.0.0.0:9000]
2024-10-09T01:08:04.207Z INFO [HttpServer] [HttpServer] Started.
2024-10-09T01:08:04.207Z INFO [JerseyService] Started REST API at <0.0.0.0:9000>
2024-10-09T01:08:04.207Z INFO [ServiceManagerListener] Services are healthy
2024-10-09T01:08:04.208Z INFO [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2024-10-09T01:08:04.208Z INFO [ServerBootstrap] Services started, startup times in ms: {InputSetupService [RUNNING]=7, GracefulShutdownService [RUNNING]=7, OutputSetupService [RUNNING]=10, JournalReader [RUNNING]=14, BufferSynchronizerService [RUNNING]=15, UserSessionTerminationService [RUNNING]=15, KafkaJournal [RUNNING]=18, MongoDBProcessingStatusRecorderService [RUNNING]=19, JobSchedulerService [RUNNING]=59, EtagService [RUNNING]=64, UrlWhitelistService [RUNNING]=68, ConfigurationEtagService [RUNNING]=83, LookupTableService [RUNNING]=95, StreamCacheService [RUNNING]=118, PeriodicalsService [RUNNING]=128, JerseyService [RUNNING]=21057}
2024-10-09T01:08:04.213Z INFO [ServerBootstrap] Graylog server up and running.
2024-10-09T01:08:04.218Z INFO [CloudTrailTransport] Starting cloud trail subscriber
2024-10-09T01:08:04.218Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now STARTING
2024-10-09T01:08:04.246Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now RUNNING
2024-10-09T01:08:04.531Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:09:09.767Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:15:31.004Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:16:36.185Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:17:11.267Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:18:56.046Z INFO [CloudTrailTransport] Stopping cloud trail subscriber
2024-10-09T01:18:56.047Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now STOPPING
2024-10-09T01:18:56.048Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now TERMINATED
2024-10-09T01:18:56.049Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now STOPPED
2024-10-09T01:19:00.310Z INFO [CloudTrailTransport] Starting cloud trail subscriber
2024-10-09T01:19:00.311Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now STARTING
2024-10-09T01:19:00.313Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now RUNNING
2024-10-09T01:26:26.563Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:27:01.676Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:28:26.863Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:33:12.580Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:35:12.901Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:37:08.253Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:45:54.530Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:47:29.798Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:49:15.048Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T01:59:11.504Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T02:00:21.656Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T02:04:02.197Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T02:16:49.089Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T02:17:19.154Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T02:18:34.340Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T02:39:02.676Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T02:40:12.837Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T02:41:12.963Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T03:06:56.879Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T03:07:46.995Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T03:08:57.187Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T03:40:21.813Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T03:40:51.876Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T03:41:57.020Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T04:15:26.962Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T04:16:17.101Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T04:17:22.251Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T04:52:22.527Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T04:52:52.592Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T04:54:37.847Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T05:40:00.114Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T05:41:10.304Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T05:41:40.371Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T06:36:33.863Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T06:37:39.035Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T06:38:59.251Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T07:39:33.499Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T07:40:53.702Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T07:42:43.953Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T08:57:00.150Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T08:57:55.276Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T08:58:55.444Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T11:09:05.539Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T11:10:35.772Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T11:11:30.911Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T12:55:32.086Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T12:56:17.196Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.
2024-10-09T12:59:47.733Z WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.

I was reading this and it is pointing to line number 50 of the code - graylog2-server: graylog2-server/src/main/java/org/graylog/aws/inputs/cloudtrail/notifications/CloudtrailSNSNotificationParser.java Source File - doxygen documentation | Fossies Dox

Now I don't have these warning messages. It now says:
2024-10-09T14:45:26.480Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now STARTING
2024-10-09T14:45:26.481Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now RUNNING
and I don't see any messages in the Graylog dashboard, or Show received messages is empty.

These logs appear to be filled with the below

WARN [CloudtrailSNSNotificationParser] Message is empty. Processing of message has been aborted. Verify that the SQS subscription in AWS is NOT set to send raw data.

First off, is this true within your SQS config: “AWS is NOT set to send raw data”? The message field must contain something for messages to be processed within Graylog; whatever format these messages are arriving in is not one that Graylog recognises.
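The difference that warning refers to, as an added example that is not part of the original posts and is not Graylog's code: with raw message delivery enabled, SNS puts the CloudTrail notification straight into the SQS body, so there is no `Message` field to read; with it disabled, the notification arrives as a JSON string inside the SNS envelope's `Message` field. The bucket name, account ID and topic ARN below are constructed sample values, and the function name is hypothetical.

```python
import json

def _objects(note):
    # A CloudTrail notification names one bucket and a list of object keys.
    keys = note.get("s3ObjectKey") or []
    return [f"s3://{note.get('s3Bucket')}/{k}" for k in keys]

def classify_sqs_body(body):
    """Report which shape one SQS message body has and which S3 objects it names."""
    try:
        outer = json.loads(body)
    except json.JSONDecodeError:
        return {"kind": "not_json", "objects": []}
    if not isinstance(outer, dict):
        return {"kind": "unrecognized", "objects": []}
    # Raw message delivery ON: the SNS envelope is dropped, so the notification
    # keys sit at the top level and a consumer looking for "Message" finds nothing.
    if "Message" not in outer:
        if "s3ObjectKey" in outer:
            return {"kind": "raw_delivery", "objects": _objects(outer)}
        return {"kind": "unrecognized", "objects": []}
    message = outer["Message"]
    if not isinstance(message, str) or not message.strip():
        return {"kind": "empty_message", "objects": []}
    # Raw message delivery OFF: "Message" is itself a JSON document in a string.
    try:
        inner = json.loads(message)
    except json.JSONDecodeError:
        return {"kind": "message_not_json", "objects": []}
    if not isinstance(inner, dict) or "s3ObjectKey" not in inner:
        return {"kind": "unrecognized", "objects": []}
    return {"kind": "sns_envelope", "objects": _objects(inner)}

# Constructed sample bodies (not taken from the thread).
NOTE = {
    "s3Bucket": "example-trail-bucket",
    "s3ObjectKey": ["AWSLogs/111122223333/CloudTrail/us-east-1/2024/10/09/example.json.gz"],
}
RAW_BODY = json.dumps(NOTE)
ENVELOPE_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:example-topic",
    "Message": json.dumps(NOTE),
})

if __name__ == "__main__":
    for name, body in (("raw", RAW_BODY), ("envelope", ENVELOPE_BODY)):
        print(name, classify_sqs_body(body))
```

Running this over a body read from the queue shows whether the subscription change has taken effect and whether the notifications actually name S3 objects.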

Now I have disabled the raw log delivery from SNS. Now the logs are:
2024-10-09T15:37:49.823Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now STARTING
2024-10-09T15:37:49.824Z INFO [InputStateListener] Input [AWS CloudTrail Input/67059c4f60640f6f59975560] is now RUNNING
But I don't see any messages in the Graylog dashboard or for this input - Input/67059c4f60640f6f59975560

That’s frustrating. If under ‘System/Logging’ you alter the level to debug and then review the logs again, does anything jump out?

Debug will be incredibly noisy; only run logging at debug for a couple of minutes.
