Setup Walkthroughs Overview
Introduction
Once the prerequisites and the installation of the Splunk TA for SAP LogServ have been completed, use the provided setup walkthroughs to complete the setup based on the cloud provider your SAP ECS environment is running in and your preferred deployment scenario.
Note
Starting with version 0.0.3, the TA includes built-in index-time filtering that works with all deployment scenarios below. After completing the AWS setup, see Configuring Filters to control which log types are indexed and drop stale data directly from Splunk Web — no Lambda-based filtering required.
Amazon Web Services (AWS)
All AWS deployment scenarios achieve the end goal of ingesting LogServ logs into Splunk. However, there are some differences in functionality. All AWS deployment scenarios involve two distinct AWS accounts.
All deployment scenarios for AWS require an AWS Secondary account (a different AWS account than the one SAP ECS is running in), because SAP requires a cross-account IAM Role to access the AWS SAP ECS account where the LogServ logs reside. See the diagram below for reference.
For brevity and clarity, the AWS account at the top of the diagram will be referred to as the SAP ECS account and the second AWS account at the bottom of the diagram will be referred to as the Secondary account from this point onward.

The table below lists the AWS Resources required for each deployment scenario:
| AWS Resources | AWS Remote S3 Connect Setup | AWS Remote S3 Filter Setup | AWS Remote S3 Copy Setup |
|---|---|---|---|
| S3 Bucket (SAP ECS account) | ✅ Required | ✅ Required | ✅ Required |
| SQS Queue (SAP ECS account) | ✅ Required | ✅ Required | ✅ Required |
| S3 Bucket (Secondary account) | ❌ Not Required | ❌ Not Required | ✅ Required |
| SQS Queue (Secondary account) | ❌ Not Required | ✅ Required | ✅ Required |
| SQS Queue DLQ (Secondary account) | ❌ Not Required | ✅ Required | ✅ Required |
| IAM Policy (Secondary account) | ✅ Required | ✅ Required | ✅ Required |
| IAM Role (Secondary account) | ✅ Required | ✅ Required | ✅ Required |
| IAM User (Secondary account) | ✅ Required | ✅ Required | ✅ Required |
| Lambda Function (Secondary account) | ❌ Not Required | ✅ Required | ✅ Required |
| Lambda Log Group (Secondary account) | ❌ Not Required | ✅ Required | ✅ Required |
If you want to have a secondary copy of the logs from the S3 bucket in the SAP ECS account, the AWS Remote S3 Copy Setup is the recommended approach. Utilizing that approach ensures you have your own copy of all the logs from the S3 bucket in the SAP ECS account, in a second S3 bucket in your secondary AWS account.
The table below lists the different features supported by each deployment scenario:
| Feature | AWS Remote S3 Connect Setup | AWS Remote S3 Filter Setup | AWS Remote S3 Copy Setup |
|---|---|---|---|
| Secondary Copy of Logs | ❌ Not Supported | ❌ Not Supported | ✅ Supported |
| AWS Lambda-based Filtering | ❌ Not Supported | ✅ Supported | ❌ Not yet, coming soon |
| Native TA Index-Time Filtering | ✅ Supported | ✅ Supported | ✅ Supported |
Native TA Filtering vs. AWS Lambda-based Filtering
Starting with version 0.0.3, the TA provides native index-time filtering that works with all deployment scenarios. This filtering happens inside Splunk at index time and is configured entirely through the Splunk Web UI.
The AWS Lambda-based filtering (available in the S3 Filter Setup) filters S3 event notifications before they reach Splunk, reducing the number of SQS messages processed. Both approaches can be used independently or together for defense-in-depth filtering.
See Configuring Filters for details on the native TA filtering.
AWS Remote S3 Connect Setup Walkthrough
Note
This deployment scenario uses an IAM User with a configured Access Key and a cross-account IAM Role to directly access LogServ resources in the AWS SAP ECS account where the LogServ logs reside without the need to copy logs to a secondary S3 bucket.
- No secondary S3 Bucket needed
- No secondary SQS Queue needed
- CloudFormation Template provided

AWS Remote S3 Filter Setup Walkthrough
Note
This deployment scenario uses an IAM User with a configured Access Key and a cross-account IAM Role to directly access LogServ resources in the AWS SAP ECS account where the LogServ logs reside without the need to copy logs to a secondary S3 bucket. It also provides a mechanism to filter logs by timestamp and log type via parameters on the Lambda function.
- No secondary S3 Bucket needed
- Secondary SQS Queue needed
- Log filtering options supported
- CloudFormation Template provided
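
The filtering described for this scenario and in the note on Lambda-based filtering above (dropping S3 event notifications by log type and timestamp before they reach Splunk), shown as an added example; it is not the Lambda function shipped with the CloudFormation template. The parameter names, the `<prefix>/<log_type>/...` key layout and the sample bucket, keys and log-type names are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone
from urllib.parse import unquote_plus

TYPE_SEGMENT = 1  # assumption: object keys look like <prefix>/<log_type>/...


def filter_notification(body, allowed_types, not_before):
    """Split the S3 records in one SQS message body into (kept, dropped).

    allowed_types (set) and not_before (aware datetime) are hypothetical names.
    """
    kept, dropped = [], []
    try:
        records = json.loads(body).get("Records") or []
    except (ValueError, AttributeError):
        return kept, dropped  # malformed body: no S3 records to forward
    for rec in records:
        try:
            # S3 URL-encodes object keys inside event notifications.
            key = unquote_plus(rec["s3"]["object"]["key"])
            when = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
            ok = key.split("/")[TYPE_SEGMENT] in allowed_types and when >= not_before
        except (KeyError, IndexError, TypeError, ValueError, AttributeError):
            ok = False  # unparsable record: drop it, but hand it back for logging
        (kept if ok else dropped).append(rec)
    return kept, dropped


def make_record(key, event_time):
    return {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
            "eventTime": event_time,
            "s3": {"bucket": {"name": "example-bucket"}, "object": {"key": key}}}


# Constructed sample data; the bucket, keys and log-type names are made up.
SAMPLE_BODY = json.dumps({"Records": [
    make_record("logserv/os/2024/05/01/host%3Da.json.gz", "2024-05-01T10:15:00.000Z"),
    make_record("logserv/db/2024/05/01/audit.json.gz", "2024-05-01T10:16:00.000Z"),
    make_record("logserv/os/2023/01/01/old.json.gz", "2023-01-01T00:00:00.000Z"),
    {"eventSource": "aws:s3", "eventTime": "2024-05-01T10:17:00.000Z"},  # no s3 block
]})
# S3 sends a test event when notifications are first configured; it has no Records.
TEST_EVENT_BODY = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent"})
CUTOFF = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    kept, dropped = filter_notification(SAMPLE_BODY, {"os"}, CUTOFF)
    print(len(kept), "kept,", len(dropped), "dropped")
```

Returning the dropped records lets the caller count or log them, so the filter does not become a silent gap in log coverage.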

AWS Remote S3 Copy Setup Walkthrough
Note
This deployment scenario uses an IAM User with a configured Access Key and a cross-account IAM Role along with a secondary S3 bucket and SQS queue. Use this deployment scenario if you want a copy of all the LogServ logs in your own S3 Bucket.
- Greater control of data + retention
- Requires secondary S3 Bucket
- Requires secondary SQS Queue
- CloudFormation Template provided
