Haven't looked into this too much, but I'm guessing it is related to the updates in version 5.2.1: https://docs.splunk.com/Documentation/AddOns/released/AWS/Releasenotes

"""
Version 5.2.1 of the Splunk Add-on for AWS version contains the following new and changed features:

Added validation of the signature of the SNS message being sent from SQS queue to Splunk. The source of the logs is validated by matching the signature of the SNS message with the signature field.
"""

The setup docs for the CloudTrail input state S3->SNS->SQS now. I don't think this was the case before, but I don't have a copy of the old docs to check.

It looks like it is using this plugin to validate: https://pypi.org/project/validate-aws-sns-message/

Note, it "Requires message be no older than one hour, the maximum lifetime of an SNS message."

Splunk, it would be much better if this was an optional feature, as it breaks our infrastructure, especially bad since this is a PATCH update, not MAJOR.
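Added example, not part of the original post and not code from the add-on or from validate-aws-sns-message: a pre-flight check over SQS message bodies for the two preconditions the post points at, an SNS envelope and a Timestamp under one hour old. The field order follows AWS's documented signing procedure for Notification messages; the cryptographic verification itself is left out, and all sample bodies, names and ARNs are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Signed fields of an SNS Notification, in the order AWS documents for signing.
SIGNED_FIELDS = ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type")
REQUIRED = ("Message", "MessageId", "Timestamp", "TopicArn", "Type",
            "Signature", "SignatureVersion", "SigningCertURL")
MAX_AGE = timedelta(hours=1)  # the age limit quoted in the post

def string_to_sign(msg):
    """Canonical text the Signature covers: 'Name\\nValue\\n' per field, Subject only if present."""
    return "".join(f"{k}\n{msg[k]}\n" for k in SIGNED_FIELDS if k in msg)

def preflight(sqs_body, now):
    """Return reasons an SQS body cannot pass SNS validation; an empty list means it can be checked."""
    try:
        msg = json.loads(sqs_body)
    except ValueError:
        return ["not JSON"]
    if not isinstance(msg, dict) or msg.get("Type") != "Notification":
        return ["no SNS envelope"]  # e.g. S3 -> SQS directly, or raw message delivery
    missing = [k for k in REQUIRED if k not in msg]
    if missing:
        return ["missing fields: " + ", ".join(missing)]
    sent = datetime.strptime(msg["Timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    if now - sent.replace(tzinfo=timezone.utc) > MAX_AGE:
        return ["older than one hour"]
    return []

# Constructed sample bodies (not real traffic); every identifier is a placeholder.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
S3_EVENT = json.dumps({"Records": [{"eventSource": "aws:s3"}]})

def sns_wrap(timestamp):
    """Wrap the constructed S3 event in a constructed SNS Notification envelope."""
    return {"Type": "Notification", "MessageId": "example-id", "Message": S3_EVENT,
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:example-topic",
            "Timestamp": timestamp, "SignatureVersion": "1", "Signature": "PLACEHOLDER",
            "SigningCertURL": "https://sns.us-east-1.amazonaws.com/placeholder.pem"}

DIRECT = S3_EVENT                                          # S3 -> SQS, no SNS in between
FRESH = json.dumps(sns_wrap("2024-01-01T11:30:00.000Z"))   # 30 minutes old
STALE = json.dumps(sns_wrap("2024-01-01T09:00:00.000Z"))   # 3 hours old

if __name__ == "__main__":
    for name, body in (("direct", DIRECT), ("fresh", FRESH), ("stale", STALE)):
        print(name, preflight(body, NOW) or "ok to verify signature")
```

Run against a sample of bodies pulled from the queue, this separates messages that lack the SNS wrapper from messages that sat in the queue past the age limit.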