diff --git a/splunk-aws-automation/lambda_code/config_snapshot_logger_v0.2/index.js b/splunk-aws-automation/lambda_code/config_snapshot_logger_v0.2/index.js
index a37537d..de31038 100755
--- a/splunk-aws-automation/lambda_code/config_snapshot_logger_v0.2/index.js
+++ b/splunk-aws-automation/lambda_code/config_snapshot_logger_v0.2/index.js
@@ -127,7 +127,8 @@ const configureLogger = (context, callback) => {
 // Set common error handler for logger.send() and logger.flush()
 logger.error = (error, payload) => {
- console.log('error', error, 'context', payload);
+ // console.log('error', error, 'context', payload);
+ console.log('SplunkHECError', error, 'URL', loggerConfig.url, 'Token', loggerConfig.token, 'context', payload);
 callback(error);
 };
 };
\ No newline at end of file
diff --git a/splunk-aws-automation/lambda_code/splunk_cwe_firehose_processor_v0.2/lambda_function.py b/splunk-aws-automation/lambda_code/splunk_cwe_firehose_processor_v0.2/lambda_function.py
index 8fe06b6..de82474 100755
--- a/splunk-aws-automation/lambda_code/splunk_cwe_firehose_processor_v0.2/lambda_function.py
+++ b/splunk-aws-automation/lambda_code/splunk_cwe_firehose_processor_v0.2/lambda_function.py
@@ -48,7 +48,8 @@ import base64
 import json
 import gzip
-import StringIO
+import io
+from io import StringIO
 import boto3
@@ -86,7 +87,7 @@ def processRecords(records):
 return_event['sourcetype'] = st
 return_event['event'] = data['detail']
- data = base64.b64encode(json.dumps(return_event))
+ data = base64.b64encode(json.dumps(return_event).encode('utf-8')).decode('utf-8')
 yield {
 'data': data,
 'result': 'Ok',
diff --git a/splunk-aws-automation/trumpet_full_v0.2.json b/splunk-aws-automation/trumpet_full_v0.2.json
index aaa0ae8..51531c9 100644
--- a/splunk-aws-automation/trumpet_full_v0.2.json
+++ b/splunk-aws-automation/trumpet_full_v0.2.json
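Review bot: The new `console.log` line in the index.js hunk writes `loggerConfig.token` — the Splunk HEC credential — into the Lambda's CloudWatch log stream on every delivery error, and the same `SplunkHECError` marker is what the metric filter added in trumpet_full_v0.2.json keys on, so the secret is persisted in a log group readable by anyone with log-read access for as long as the group's retention runs. Log the URL and the error, not the token: `console.log('SplunkHECError', error, 'URL', loggerConfig.url, 'context', payload);`. The commented-out previous line should be deleted rather than kept above it. The body of `configureLogger` and the definition of `loggerConfig` extend outside the hunk.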
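Review bot: The `@@ -48` hunk of lambda_function.py adds both `import io` and `from io import StringIO`, but the removed `import StringIO` implies call sites of the form `StringIO.StringIO(...)` later in the file, which would now be an attribute lookup on the class and raise `AttributeError`; those call sites are outside the hunk, so this is inferred. If that buffer wraps the base64-decoded bytes for `gzip`, Python 3 needs `io.BytesIO` rather than `StringIO`, in which case only `import io` is required and the second import can go. The `@@ -86` hunk's `.encode('utf-8')`/`.decode('utf-8')` round-trip is correct for Python 3 and needs no change.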
@@ -1560,6 +1560,136 @@
 ]
 }
 }
+ },
+ "SplunkConfigNotificationDeliveryCloudWatchAlarm": {
+ "Type": "AWS::CloudWatch::Alarm",
+ "Properties": {
+ "AlarmName": "splunk-config-notification-delivery-fail",
+ "AlarmDescription": "Config notification failing to deliver to Splunk",
+ "Namespace": "AWS/Firehose",
+ "MetricName": "DeliveryToSplunk.Success",
+ "Dimensions": [
+ {
+ "Name": "DeliveryStreamName",
+ "Value": "splunk-confignotify-cwe-monitoring"
+ }
+ ],
+ "Statistic": "Average",
+ "Period": 3600,
+ "EvaluationPeriods": 1,
+ "Threshold": 1,
+ "ComparisonOperator": "LessThanThreshold",
+ "TreatMissingData": "notBreaching",
+ "AlarmActions": [
+ {
+ "Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:splunk-cloudwatch-alarms"
+ }
+ ]
+ }
+ },
+ "SplunkConfigSnapshotDeliveryCloudWatchAlarm": {
+ "Type": "AWS::CloudWatch::Alarm",
+ "Properties": {
+ "AlarmName": "splunk-config-snapshot-delivery-fail",
+ "AlarmDescription": "Config snapshot failing to deliver to Splunk",
+ "Namespace": "SplunkHECStream",
+ "MetricName": "DepliveryError",
+ "Statistic": "Average",
+ "Period": 900,
+ "EvaluationPeriods": 1,
+ "Threshold": 5,
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
+ "TreatMissingData": "notBreaching",
+ "AlarmActions": [
+ {
+ "Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:splunk-cloudwatch-alarms"
+ }
+ ]
+ }
+ },
+ "ConfigSnapshotStreamStatusFilter": {
+ "Type": "AWS::Logs::MetricFilter",
+ "Properties": {
+ "LogGroupName": {
+ "Fn::Join": [
+ "/",
+ [
+ "/aws/lambda",
+ {
+ "Ref": "BackingLambdaConfigLogProcessor"
+ }
+ ]
+ ]
+ },
+ "FilterPattern": "SplunkHECError",
+ "MetricTransformations": [
+ {
+ "MetricValue": "1",
+ "MetricNamespace": "SplunkHECStream",
+ "MetricName": "DepliveryError"
+ }
+ ]
+ }
+ },
+ "SplunkCWAlarmTopic": {
+ "Type": "AWS::SNS::Topic",
+ "Properties": {
+ "TopicName": "splunk-cloudwatch-alarms"
+ }
+ },
+ "SplunkCWAlarmTopicPolicy": {
+ "Type": "AWS::SNS::TopicPolicy",
+ "Properties": {
+ "Topics": [
+ {
"Ref": "SplunkCWAlarmTopic"
+ }
+ ],
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "__default_statement_ID",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "*"
+ },
+ "Action": [
+ "SNS:GetTopicAttributes",
+ "SNS:SetTopicAttributes",
+ "SNS:AddPermission",
+ "SNS:RemovePermission",
+ "SNS:DeleteTopic",
+ "SNS:Subscribe",
+ "SNS:ListSubscriptionsByTopic",
+ "SNS:Publish",
+ "SNS:Receive"
+ ],
+ "Resource": {
+ "Ref": "SplunkCWAlarmTopic"
+ },
+ "Condition": {
+ "StringEquals": {
+ "AWS:SourceOwner": {
+ "Fn::Sub": "${AWS::AccountId}"
+ }
+ }
+ }
+ },
+ {
+ "Sid": "AllowCloudWatchEvents",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "events.amazonaws.com"
+ },
+ "Action": "sns:Publish",
+ "Resource": {
+ "Ref": "SplunkCWAlarmTopic"
+ }
+ }
+ ]
+ }
+ }
 }
 }
 }
\ No newline at end of file
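Review bot: The `__default_statement_ID` statement in `SplunkCWAlarmTopicPolicy` grants nine SNS actions, among them `SNS:Subscribe`, `SNS:SetTopicAttributes`, `SNS:AddPermission` and `SNS:DeleteTopic`, to `"AWS": "*"` with only the `AWS:SourceOwner` condition as a guard, which as far as this hunk shows lets any IAM principal in the account attach its own endpoint to the alarm topic or alter its policy; nothing here needs more than publishing, so narrow the principal to the identities that administer the topic and keep publish rights for the service principals only. The two alarms point at the topic through a `Fn::Sub` ARN string instead of `{"Ref": "SplunkCWAlarmTopic"}`, which drops the implicit dependency CloudFormation would derive from a `Ref`, so the alarms may be created before the topic exists; `"AlarmActions": [{ "Ref": "SplunkCWAlarmTopic" }]` in both alarms restores it. `DepliveryError` is spelled the same in the alarm and in the metric filter so the pair works, but the typo will follow the metric into dashboards — `DeliveryError`. If no EventBridge rule targets this topic, the `AllowCloudWatchEvents` statement is unused and can be dropped; whether one exists is not visible in this hunk.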