Log Collection AWS: Troubleshoot AWS (CloudTrail) Collection

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1
 

This topic highlights possible problems that you may encounter with AWS (CloudTrail) Collection and suggested solutions to these problems.

In general, you receive more robust log messages by disabling SSL.

                       
Log Message/Problem:
No bucket key found under 'arn:aws:s3:::bucket-name/AWSLogs/account-id/CloudTrail/region/'. Determine if the 'S3 Bucket Name' for CloudTrail is configured and that 'Account Id' and 'Region' are correct. Also determine if the CloudTrail account is configured with a 'Log File Prefix' and if so, it is also defined correctly for this event source.

Possible Cause:
The S3 Bucket Name parameter and its associated parameters are not configured correctly.

Solution:
For the event source that returned this message:
  1. Make sure that you specified an S3 Bucket Name.
  2. Make sure that you specified the correct Account Id and correct Region.
  3. If the CloudTrail account has a Log File Prefix, make sure that you specified it correctly. For example:
    [Screenshot: AWSTS1.PNG]
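The three checks above can be run against a listing of the bucket's object keys to see which parameter does not match. The following is an added example, not part of the original RSA document or product; the function names, the account ID 123456789012, the prefix prod-trail and the sample keys are constructed assumptions.

```python
import re

# CloudTrail writes objects as:
#   [<log-file-prefix>/]AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+)/)?AWSLogs/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/\d{4}/\d{2}/\d{2}/"
)

# Constructed sample listing (hypothetical account, prefix and file names).
SAMPLE_KEYS = [
    "prod-trail/AWSLogs/123456789012/CloudTrail/us-east-1/2016/07/29/"
    "123456789012_CloudTrail_us-east-1_20160729T0000Z_abcdEXAMPLE.json.gz",
    "prod-trail/AWSLogs/123456789012/CloudTrail/us-west-2/2016/07/29/"
    "123456789012_CloudTrail_us-west-2_20160729T0005Z_efghEXAMPLE.json.gz",
]

def expected_prefix(account_id, region, log_file_prefix=""):
    """Key prefix that must exist for the configured event source values."""
    head = log_file_prefix.strip("/")
    return f"{head + '/' if head else ''}AWSLogs/{account_id}/CloudTrail/{region}/"

def diagnose(keys, account_id, region, log_file_prefix=""):
    """Return [] if keys exist under the expected prefix, else hints naming the wrong field."""
    if any(k.startswith(expected_prefix(account_id, region, log_file_prefix)) for k in keys):
        return []
    found = [m.groupdict() for m in map(KEY_RE.match, keys) if m]
    if not found:
        return ["S3 Bucket Name: listing has no CloudTrail keys at all"]
    configured = {"prefix": log_file_prefix.strip("/"), "account": account_id, "region": region}
    labels = {"prefix": "Log File Prefix", "account": "Account Id", "region": "Region"}
    hints = []
    for field, label in labels.items():
        # Values actually present in the bucket for this path component.
        seen = sorted({f[field] or "" for f in found})
        if configured[field] not in seen:
            hints.append(f"{label}: configured {configured[field]!r}, bucket has {seen}")
    return hints or ["each value exists in the bucket, but not in this combination"]

if __name__ == "__main__":
    # Event source configured without the Log File Prefix that the trail uses.
    for hint in diagnose(SAMPLE_KEYS, "123456789012", "us-east-1"):
        print(hint)
```
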
 
Log Message/Problem:
When you try to create a Plugins event source, you receive the following error message:

Parameter start_date: Invalid dateTime 2015-03-16T23:36:52.000Z : Time must be specified in the past. Check that your appliances are time synched, or specify a time in the past.

Possible Cause:
You selected an invalid Start Date, a date that Security Analytics determined was not in the past. For example:
[Screenshot: AWS-TS2.png]

There are two reasons why this occurred:
  • You selected a Start date that was in the future.
  • Your hosts are not time-synchronized.

Solution:
Make sure that your hosts are time synced. Select a date in the past for the Start Date.