How To
Summary
An Amazon® administrator must create a user and then grant that user the s3:ListBucket and s3:GetObject permissions in the AWS Management Console. If these permissions are not granted, QRadar® cannot pull events from a remote AWS S3 bucket. The AWS command line tool can be used to validate the permissions by listing the bucket contents and by verifying that a file can be downloaded.
Objective
Test AWS Access and Secret Key permissions to access and download events from a remote AWS S3 Bucket.
Environment
For information about operating systems and requirements for the AWS Command Line Interface tool, see: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html.
Steps
Administrators who experience collection issues from Amazon S3 buckets can use the Log Source Management app to test protocol configurations to Amazon S3 buckets. The steps provided in this technical note can help administrators test credential issues from a Windows® host.
Procedure
- Download and install the AWS CLI.
- Open the Windows® command prompt (CMD) with administrative rights.
- Run the following command:
aws configure
- Enter your AWS Access Key ID.
- Enter your AWS Secret Access Key.
- Enter the Default region name.
- Enter the Default output format.
Note: You can leave the default by pressing ENTER.
- After you configure a user, type the following command to display the files in the bucket:
aws s3 ls s3://bucket-name/DirectoryPrefix/
- To list the files, always end the path with a forward slash ( / ).
- If the credentials do not have access to the bucket, you might see a message similar to:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied.
- To confirm if QRadar will be able to download files with the provided credentials, create a folder on your workstation. For example: \test\AWSFiles\
- Open the command prompt (CMD) with administrative rights.
- Type the following command using the absolute path for the folder location:
aws s3 cp s3://bucket-name/DirectoryPrefix/file.json.gz \WindowsAbsolutePathtoFolder\
Results
If the file is successfully downloaded to the Windows host, QRadar should be able to pull the files from the remote S3 bucket. This command downloads the file file.json.gz into the Windows folder you created, for example \test\AWSFiles\. If you continue to experience issues, use the Log Source Management app in QRadar to fully test protocol configurations to Amazon S3 buckets.
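The AccessDenied on ListObjectsV2 shown in the procedure is most often caused by a policy that grants object-level access (arn:aws:s3:::bucket/*) but not s3:ListBucket on the bucket ARN itself, which is a different resource. The following is an added example, not IBM or AWS code: it builds the least-privilege policy the Summary describes for a QRadar collection user and includes a simplified coverage check that reports which of the two required (action, resource) pairs a given policy fails to allow. The bucket name, prefix and file name are placeholders taken from the procedure; the check models only Allow statements with Action and Resource wildcards and does not reproduce full IAM evaluation (explicit Deny, Condition blocks, SCPs or bucket policies).

```python
"""Least-privilege IAM policy for QRadar S3 log collection, plus a simple
coverage check. Added example (not IBM/AWS code); placeholder bucket and
prefix values are constructed for illustration."""
import fnmatch
import json


def minimal_qradar_s3_policy(bucket: str, prefix: str) -> dict:
    """Return an IAM policy granting exactly what the technical note requires:
    s3:ListBucket on the bucket ARN (restricted to the log prefix) and
    s3:GetObject on objects under that prefix."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListLogPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                # ListBucket is evaluated against the bucket ARN, not bucket/*
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": "ReadLogObjects",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # Object keys are case-sensitive, so resource ARNs are compared as-is.
    return fnmatch.fnmatchcase(resource, pattern)


def missing_permissions(policy: dict, bucket: str, object_key: str) -> list:
    """Return the (action, resource) pairs QRadar needs that no Allow statement
    in `policy` covers. Simplified: ignores Deny statements and Conditions."""
    required = [
        ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        ("s3:GetObject", f"arn:aws:s3:::{bucket}/{object_key}"),
    ]
    missing = []
    for action, resource in required:
        allowed = any(
            stmt.get("Effect") == "Allow"
            and any(_action_matches(a, action) for a in _as_list(stmt.get("Action", [])))
            and any(_resource_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
            for stmt in policy.get("Statement", [])
        )
        if not allowed:
            missing.append((action, resource))
    return missing


if __name__ == "__main__":
    # Placeholder names from the procedure (constructed, not a real bucket).
    policy = minimal_qradar_s3_policy("bucket-name", "DirectoryPrefix")
    print(json.dumps(policy, indent=2))

    # A common mistake: object-level access only, which still fails ListObjectsV2.
    object_only = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*",
                       "Resource": "arn:aws:s3:::bucket-name/*"}],
    }
    print("missing:", missing_permissions(object_only, "bucket-name",
                                          "DirectoryPrefix/file.json.gz"))
```

Running the block prints the policy document you would attach to the QRadar user, then shows that the object-only policy lacks s3:ListBucket on the bucket ARN, which matches the AccessDenied message the `aws s3 ls` step produces.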
Document Location
Worldwide
Document Information
Modified date:
27 October 2020
UID
ibm16335125