Why has AWS Data stopped coming into Splunk suddenly with error "ERRORClient is not authenticated"?

brent_weaver
Builder

We were getting cloud trail and config until 10am yesterday. I looked at events around this time in Splunk and do not see anything. We are getting the following errors.

06-12-2017 19:59:09.083 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_aws/bin/aws_config.py" ERRORClient is not authenticated

and

06-12-2017 19:59:08.920 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_aws/bin/aws_cloudtrail.py" ERRORFail to load AWS Accounts - {"messages":[{"type":"WARN","text":"call not properly authenticated"}]}

Does anyone have any thoughts? Where do we even begin? I am told the cloud team made no changes, but that does not mean that they didn't.

Thanks!

0 Karma

lguinn2
Legend

  1. Was this message generated from within the script aws_cloudtrail.py? If so, where and why would the script issue this message?
  2. Did a password change? (if passAuth is set in inputs.conf, then did the password for that user change - or expire?)
  3. Did an AWS password change?
  4. Did a firewall rule change?
  5. Was there an update to the OS or AWS or any other piece of software?

Go to Settings -> General Settings and change the log level for the exec processor to DEBUG (I assume that it is set to INFO or WARN now). Let it run for a bit and then see what you can find in the splunkd.log. (Note that this setting will revert if you restart Splunk...)

That's where I would start...

0 Karma
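
To match the failure against a credential change or expiry, it helps to know exactly when each input first reported an authentication error. The following is an added example, not part of the original thread or of the Splunk add-on: it groups ExecProcessor lines per script and reports the onset. The sample log is constructed in the format quoted in the question; its timestamps and the INFO message text are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the splunkd.log format quoted in the question.
# Timestamps and the INFO message text are made up for illustration.
SAMPLE_LOG = """\
06-11-2017 09:58:02.101 +0000 INFO  ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_aws/bin/aws_config.py" collected 12 events
06-11-2017 10:01:06.950 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_aws/bin/aws_cloudtrail.py" ERRORFail to load AWS Accounts - {"messages":[{"type":"WARN","text":"call not properly authenticated"}]}
06-11-2017 10:01:07.412 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_aws/bin/aws_config.py" ERRORClient is not authenticated
06-12-2017 19:59:08.920 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_aws/bin/aws_cloudtrail.py" ERRORFail to load AWS Accounts - {"messages":[{"type":"WARN","text":"call not properly authenticated"}]}
06-12-2017 19:59:09.083 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_aws/bin/aws_config.py" ERRORClient is not authenticated
"""

TS_FMT = "%m-%d-%Y %H:%M:%S.%f %z"
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+'
    r'(?P<level>[A-Z]+)\s+ExecProcessor - message from "(?P<cmd>[^"]+)"\s+(?P<msg>.*)$'
)
AUTH_RE = re.compile(r"not (properly )?authenticated", re.IGNORECASE)


def auth_failure_onset(log_text):
    """Per script: first/last auth failure, failure count, and the last
    non-error message seen before the first failure (None if there is none)."""
    stats, last_ok = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ExecProcessor script message
        ts = datetime.strptime(m["ts"], TS_FMT)
        script = m["cmd"].split("/")[-1]
        if m["level"] == "ERROR" and AUTH_RE.search(m["msg"]):
            s = stats.setdefault(script, {"first": ts, "last": ts, "count": 0,
                                          "last_ok": last_ok.get(script)})
            s["last"] = ts
            s["count"] += 1
        elif m["level"] != "ERROR" and script not in stats:
            last_ok[script] = ts  # still healthy at this point
    return stats


if __name__ == "__main__":
    for script, s in auth_failure_onset(SAMPLE_LOG).items():
        print(f"{script}: first failure {s['first'].isoformat()}, "
              f"{s['count']} failures, last OK {s['last_ok']}")
```

If every AWS input starts failing within the same second, a shared cause (the credential or the call to splunkd to load accounts) is more likely than a problem with one input.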