Troubleshooting
Problem
When the local region is set in the protocol parameters and 'Assume IAM role' is selected in the log source configuration (the event collector is an EC2 instance), the protocol does not honor the regional VPC STS endpoint.
Symptom
The protocol connects to the global sts.amazonaws.com endpoint instead of the regional STS endpoint. This default behavior resolves to a public IP address and cannot be changed in the protocol configuration. In a private, closed environment there is no route to the public sts.amazonaws.com endpoint, so the connection times out.
Cause
Regardless of the protocol parameters in the log source configuration, QRadar contacts the default STS endpoint, which is located in US East. Amazon's documentation (AWS STS Regionalized endpoints) recommends using the regional endpoint rather than the default global one.
Environment
Log Source Type: Amazon AWS CloudTrail
Protocol Type: Amazon Web Services
Diagnosing The Problem
In /var/log/qradar.error, an error related to the AWS Logs query is logged:
com.q1labs.semsources.sources.amazonwebservices.api.threads.AWSCloudWatchThread: [ERROR] [NOT:0000003000][XXX.XXX.XXX.XXX/- -] [-/- -]An error was encounterd while executing AWSLogs query for [CloudWatch Logs - <region name>] and Log group: [ XXXXX ]
In the log source configuration, the protocol test output in the UI shows a connection timeout:
Testing access to Cloudwatch Log Group [XXXXX] :: Region [<region name>] - Failed
- Error: Error performing test :: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/XXX.XXX.XXX.XXX] failed: connect timed out
- Debug: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/XXX.XXX.XXX.XXX] failed: connect timed out
Resolving The Problem
- Verify that no AWS configuration already exists:
  ls -l /root/.aws/config
  Note: If the configuration exists, back it up first:
  cp -p /root/.aws/config /store/aws_config.backup
- Enable regional STS endpoints:
  mkdir -p /root/.aws/ && echo -e "[default]\nsts_regional_endpoints = regional" > /root/.aws/config
- During a maintenance window, restart event collection:
  systemctl restart ecs-ec-ingress
  Warning: Restarting ingress interrupts event collection for the duration of the restart.
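The following script is an added example, not part of the IBM technote or of QRadar itself. It ties the diagnosis and the fix above together in POSIX sh: one function counts the "Connect to sts.amazonaws.com:443 ... connect timed out" lines in a QRadar error log, and another writes sts_regional_endpoints = regional into the [default] profile of an AWS config file, backing up any existing file first and leaving other profiles and settings untouched, so it can be re-run safely. The config and backup paths are parameters (the real ones are /root/.aws/config and /store/aws_config.backup); the log sample it writes is constructed for the demo and only mimics the lines shown above.

```shell
#!/bin/sh
# Added example (not QRadar code): detect the global-STS timeout symptom and
# set the regional STS endpoint in an AWS config file, idempotently.
set -eu

# Diagnosis: count log lines where the AWS SDK timed out reaching the global
# STS endpoint. $1 is the log file (on a collector: /var/log/qradar.error).
count_global_sts_timeouts() {
    grep -c 'Connect to sts\.amazonaws\.com:443 .*connect timed out' "$1" || true
}

# Write a constructed sample of qradar.error lines (not a real capture) to $1,
# modelled on the technote's output: two matching lines, one unrelated line.
write_sample_log() {
    printf '%s\n' \
      '[ERROR] AWSCloudWatchThread: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/XXX.XXX.XXX.XXX] failed: connect timed out' \
      '[INFO] AWSCloudWatchThread: Polling log group [XXXXX] in region [<region name>]' \
      '[ERROR] AWSCloudWatchThread: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/XXX.XXX.XXX.XXX] failed: connect timed out' \
      > "$1"
}

# Remediation: ensure "sts_regional_endpoints = regional" is set in the
# [default] profile of config file $1. An existing file is copied to $2 first
# (cp -p keeps mode and timestamps), then rewritten in place so that other
# profiles and other [default] keys are preserved. Re-running is harmless.
set_sts_regional() {
    cfg="$1"; bak="$2"
    if [ ! -f "$cfg" ]; then
        # No config yet: create it, as the technote's mkdir/echo step does.
        mkdir -p "$(dirname "$cfg")"
        printf '[default]\nsts_regional_endpoints = regional\n' > "$cfg"
        return 0
    fi
    cp -p "$cfg" "$bak"
    awk '
        /^\[/ { indefault = ($0 == "[default]") }               # track section
        indefault && /^sts_regional_endpoints[[:space:]]*=/ { next }  # drop stale value
        { print }
        /^\[default\]/ { print "sts_regional_endpoints = regional"; found = 1 }
        END { if (!found) print "[default]\nsts_regional_endpoints = regional" }
    ' "$cfg" > "$cfg.tmp"
    cat "$cfg.tmp" > "$cfg"   # cat > keeps the original file mode (e.g. 0600)
    rm -f "$cfg.tmp"
}

# Verification: print the sts_regional_endpoints value from the [default]
# profile of $1 (empty output if it is not set there).
sts_setting_in_default() {
    awk '
        /^\[/ { indefault = ($0 == "[default]") }
        indefault && /^sts_regional_endpoints[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# Demo in a temporary directory; run with:  sh this_script.sh demo
# Nothing under /root is touched. Restarting ecs-ec-ingress is left to the
# operator's maintenance window, as the technote says.
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp -d)"
    write_sample_log "$tmp/qradar.error.sample"
    echo "global STS timeouts seen: $(count_global_sts_timeouts "$tmp/qradar.error.sample")"
    set_sts_regional "$tmp/aws/config" "$tmp/aws_config.backup"
    echo "sts_regional_endpoints in [default]: $(sts_setting_in_default "$tmp/aws/config")"
    rm -rf "$tmp"
fi
```

A non-zero count from count_global_sts_timeouts on a collector that sits in a VPC without a public egress path is the signature described in this technote; after the config is written, the same count should stop growing once event collection is restarted.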
Document Location
Worldwide
Document Information
Modified date: 16 January 2024
UID: ibm17107257