
Troubleshooting Amazon AWS S3 REST API Log Source Integrations


You configured a log source in JSA to collect Amazon AWS logs, but the log source status is Warn and events are not generated as expected.

Symptom:

Error that is shown in /var/log/qradar.error:

Cause:

This error was probably caused by exporting the Amazon SSL certificate from the incorrect URL or by not using the Automatically Acquire Server Certificate(s) option when you configured the log source.

Environment:

All JSA versions.

Diagnosing the problem:

Verify that the certificate on the whitelist corresponds to the server certificate that is presented on the connection. The server certificate that is sent by Amazon covers the *.s3.amazonaws.com domain. You must export the certificate for the following URL:

The stack trace in JSA indicates the issue with the Amazon AWS S3 REST API Protocol. In the following example, JSA is rejecting an unrecognized certificate. The most common cause is that the certificate is not in the correct format or is not placed in the correct directory on the correct JSA appliance.

Resolving the problem:

If you downloaded the certificate automatically when you created the log source, verify the following steps:

  1. You configured the correct Amazon S3 endpoint URL and the correct bucket name.

  2. You selected the Yes option for Automatically Acquire Server Certificate(s).

  3. You saved the log source.

Note

The log source automatically downloads the .DER certificate file to the /opt/qradar/conf/trusted_certificates directory. To verify that the correct certificate is downloaded and working, complete the following steps:

  1. From the Navigation menu, click Enable/Disable to disable the log source.

  2. Enable the Amazon AWS CloudTrail log source.

If you manually downloaded the certificate, you must move the .DER certificate file to the correct JSA appliance. The correct JSA appliance is the one assigned in the Target Event Collector field of the Amazon AWS CloudTrail log source.

Note

The certificate must have a .DER extension. The .DER extension is case-sensitive and must be in uppercase. If the certificate is exported in lowercase, then the log source might experience event collection issues.

  1. Access your AWS CloudTrail S3 bucket at https://<bucketname>.s3.amazonaws.com

  2. Use Firefox to export the SSL certificate from AWS as a DER certificate file.

  3. Copy the DER certificate file to the /opt/qradar/conf/trusted_certificates directory on the JSA appliance that manages the Amazon AWS CloudTrail log source.

    Note

    The JSA appliance that manages the log source is identified by the Target Event Collector field in the Amazon AWS CloudTrail log source. That JSA appliance must hold a copy of the DER certificate file in the /opt/qradar/conf/trusted_certificates folder.

  4. Log in to JSA as an administrator.

  5. Click the Admin tab.

  6. Click the Log Sources icon.

  7. Select the Amazon AWS CloudTrail log source.

  8. From the navigation menu, click Enable/Disable to disable, then re-enable the Amazon AWS CloudTrail log source.

    Note

    Forcing the log source from disabled to enabled connects the protocol to the Amazon AWS bucket as defined in the log source. A certificate check takes place as part of the first communication.

  9. If you continue to have issues, verify that the Amazon AWS bucket name in the Log Source Identifier field is correct. Ensure that the Remote Directory path is correct in the log source configuration.
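The manual export and the "does the whitelisted certificate match the server" check above can be scripted from the JSA appliance shell. The following is an added example, not part of the JSA documentation or product: it fetches the certificate an S3 endpoint presents (with SNI, so the *.s3.amazonaws.com certificate is returned), stores it under an uppercase .DER name, compares SHA-256 fingerprints, and flags files in the trust directory whose extension is not uppercase. Function names, the TRUST_DIR variable and the bucket host are assumptions.

```shell
#!/bin/sh
# Added example (not JSA product code). Requires openssl and a POSIX shell.
set -eu

# JSA trusted certificate directory named in the procedure above.
TRUST_DIR="${TRUST_DIR:-/opt/qradar/conf/trusted_certificates}"

# Fetch the leaf certificate presented for a host and write it as PEM.
# -servername sends SNI so the *.s3.amazonaws.com certificate is returned.
fetch_server_cert() {
    host="$1"; out="$2"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Convert a PEM certificate to DER. JSA requires the uppercase .DER extension,
# so refuse any other name instead of silently writing a file JSA will ignore.
pem_to_der() {
    pem="$1"; der="$2"
    case "$der" in
        *.DER) ;;
        *) echo "refusing: $der does not end in uppercase .DER" >&2; return 1 ;;
    esac
    openssl x509 -in "$pem" -inform PEM -outform DER -out "$der"
}

# SHA-256 fingerprint of a certificate file in the given encoding (PEM or DER).
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only when the whitelisted DER file is the certificate the server
# actually presents (the check described under "Diagnosing the problem").
cert_matches() {
    der="$1"; pem="$2"
    [ "$(fingerprint "$der" DER)" = "$(fingerprint "$pem" PEM)" ]
}

# List certificate files in a trust directory whose extension is .der in any
# case other than uppercase .DER, a common cause of collection failures.
find_misnamed_certs() {
    find "$1" -maxdepth 1 -type f -iname '*.der' ! -name '*.DER'
}

# Typical use on the appliance (bucket host is a placeholder):
#   fetch_server_cert mybucket.s3.amazonaws.com /tmp/s3.pem
#   pem_to_der /tmp/s3.pem "$TRUST_DIR/s3.DER"
#   cert_matches "$TRUST_DIR/s3.DER" /tmp/s3.pem && echo "certificate matches"
```

Run the fetch and conversion on the appliance named in the Target Event Collector field, then disable and re-enable the log source so the protocol performs its certificate check against the new file.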