The Amazon Web Services S3 connector allows you to ingest AWS service logs, collected in AWS S3 buckets, to Microsoft Sentinel. The types we currently support are AWS CloudTrail, VPC Flow Logs, and AWS GuardDuty. This article describes common methods for verifying and troubleshooting an Amazon Web Services S3 connector for Microsoft Sentinel. Learn how to connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data.
Issue: Microsoft Sentinel doesn’t receive data from the Amazon Web Services S3 connector or one of its data types
The logs for the AWS S3 connector (or one of its data types) aren’t visible in the Microsoft Sentinel workspace for more than 30 minutes after the connector was connected.
Notes
Possible Causes
In this section, we cover these causes:
Troubleshoot
Review the next sections to identify and solve common issues.
Check that the AWS S3 connector permissions policies are set properly
This issue is mainly caused by incorrect permissions in the AWS environment. You need permissions policies to deploy the AWS S3 data connector. Learn about required permissions. - Azure-Sentinel/AwsRequiredPolicies.md at master · Azure/Azure-Sentinel (github.com)
Check that the relevant data exists in the S3 bucket
In AWS, open the S3 bucket, search for the relevant folder according to the required logs, and check if there are any logs inside the folder:
If the data does not exist, there’s an issue with the AWS configuration. Configure an AWS service to export logs to an S3 bucket.
Verify that the data arrived from S3 to the SQS:
In AWS, open the relevant SQS.
In the Monitoring tab, you should see traffic in the Number Of Messages Sent widget.
If there is no traffic in the SQS, there is an AWS configuration problem:
Verify that data is read from the SQS
In the Monitoring tab, you should see traffic in the Number Of Messages Deleted and Number Of Messages Received widgets.
Note that one spike of data is not enough, as shown in the screenshot below. Wait until there is enough data, as shown in the screenshot above, and then check for issues.
2. If at least one of the widgets is empty, check the health logs by running this query:
SentinelHealth
| where TimeGenerated > ago(1d)
| where SentinelResourceKind in ('AmazonWebServicesCloudTrail', 'AmazonWebServicesS3')
| where OperationName == 'Data fetch failure summary'
| mv-expand TypeOfFailureDuringHour = ExtendedProperties["FailureSummary"]
| extend StatusCode = TypeOfFailureDuringHour["StatusCode"]
| extend StatusMessage = TypeOfFailureDuringHour["StatusMessage"]
| project SentinelResourceKind, SentinelResourceName, StatusCode, StatusMessage, SentinelResourceId, TypeOfFailureDuringHour, ExtendedProperties
3. Make sure that the health feature is enabled:
SentinelHealth
| take 20
4. If the health feature isn’t enabled, enable it
Issue: Data from the AWS S3 connector (or one of its data types) is seen in Microsoft Sentinel with a delay of more than 30 minutes
Possible Causes
This issue usually happens because Microsoft can’t read files in the S3 folder, either because the files are encrypted, or the files are in the wrong format. In these cases, many retries eventually cause ingestion delay.
Troubleshoot
For example:
3. Verify that there are no errors in the health logs by running this query:
SentinelHealth
| where TimeGenerated between (ago(startTime)..ago(endTime))
| where SentinelResourceKind == "AmazonWebServicesS3"
| where Status != "Success"
| distinct TimeGenerated, OperationName, SentinelResourceName, Status, Description
4. Make sure that the health feature is enabled:
SentinelHealth
| take 20
5. If the health feature isn’t enabled, enable it.
Note: thank you Danielle Ohfeld Zats and Sara Gamzu for co-writing this blog
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.