IBM Support

QRadar: Unable to integrate Amazon AWS logs with QRadar

Troubleshooting


Problem

When attempting to integrate data from Amazon AWS CloudTrail with QRadar, the log source status displays a warning and no event data is retrieved.

Symptom

The error message displayed in /var/log/qradar.error is as follows:

[ecs-ec] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider29154] com.q1labs.semsources.sources.amazonawsrest.utils.web.SimpleRESTFileLister: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] Exception encountered when trying to list files from remote Amazon S3 bucket


[ecs-ec] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider29154] java.io.IOException: Server returned HTTP response code: 403 for URL https://myexamplebucket.s3.amazonaws.com/?prefix=AWSLogs&marker=
[ecs-ec] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider29154] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1639)

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Component":"Integrations - 3rd Party","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"All Editions","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Document Information

Modified date:
16 June 2018

UID

swg21974487