Troubleshooting
Problem
When attempting to integrate data from Amazon AWS CloudTrail with QRadar, the log source status displays a warning and no event data is retrieved.
Symptom
The error message displayed in /var/log/qradar.error is as follows: [ecs-ec] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider29154] com.q1labs.semsources.sources.amazonawsrest.utils.web.SimpleRESTFileLister: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] Exception encountered when trying to list files from remote Amazon S3 bucket
[ecs-ec] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider29154] java.io.IOException: Server returned HTTP response code: 403 for URL https://myexamplebucket.s3.amazonaws.com/?prefix=AWSLogs&marker=
[ecs-ec] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider29154] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1639)
Cause
The root cause of this error is that the Amazon AWS CloudTrail log source is configured with the wrong Public key or Secret Access key.
Resolving The Problem
To retrieve events that use Amazon's REST API, the administrator must use the correct public key and access keys. The Amazon documentation refers them as Access Key ID and Secret Access Key.
In this Amazon AWS log source configuration, the Access Key ID is equivalent to the Public Key field. The Secret Access Key as defined in Amazon's AWS documentation should be configured to use the Access Key field in the log source configuration.
For example:
Where do you find more information?
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21974487