Collecting Data From Amazon SQS

Jamf Protect Documentation


macOS Security data that you forward to Amazon S3 can also trigger an object-created notification to an Amazon SQS queue, so that a consumer learns about new objects without polling the bucket.

When configured, the flow is: Jamf Protect writes the data to Amazon S3; S3 publishes a new-object notification to Amazon SQS; the Elastic Agent receives the notification from SQS and then reads the referenced S3 object. Because each notification is consumed from a queue, multiple Elastic Agents can share this configuration without reading the same object twice.

Keep the following in mind:

  • Each data type needs its own Amazon SQS queue and its own S3 event notification. For a given data type, collect either directly from the S3 bucket or via SQS notifications, not both; the two collection modes are mutually exclusive.
  • Permissions for the AWS S3 bucket and SQS queues should be configured according to the Filebeat S3 input documentation in the Elastic Filebeat Reference.
  • Credentials for the AWS S3 and SQS input types should be configured using the AWS Credential Configuration for Elastic in the Elastic Filebeat Reference.
Requirements

You must set up data forwarding using Amazon S3. For more information, see Forwarding macOS Security Data to Amazon S3.

  1. Create an Amazon SQS queue.

    When you create the queue, use the ARN of the Amazon S3 bucket you created for your macOS Security data in the queue's access policy, so that only that bucket is allowed to send messages (sqs:SendMessage) to the queue.

    For more information, see Create an Amazon SQS queue in the Amazon Simple Storage Service user guide.

  2. Set up an event notification on the AWS S3 bucket with the following settings.
    • Event type: All object create events (s3:ObjectCreated:*)
    • Destination: SQS Queue
    • Prefix (filter): The prefix for this data type (e.g., protect-/alerts/)
    • Queue selection: Select the SQS queue that you created.

    For more information, see Enabling and configuring event notifications using the Amazon S3 console in the Amazon Simple Storage Service user guide.
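The following is an added example, not code from the Jamf Protect or Elastic documentation, that assembles the two artifacts the steps above describe and shows what the Elastic Agent then pulls off the queue: the SQS access policy that restricts sqs:SendMessage to the one S3 bucket (via aws:SourceArn and aws:SourceAccount conditions), the bucket notification configuration for all s3:ObjectCreated:* events under a prefix, and a parser for the messages S3 delivers, including the s3:TestEvent message that S3 sends once when a notification is saved and that a consumer must skip rather than treat as an object. The account ID, region, bucket name and queue name are placeholders; the sample messages are constructed for the example, not captured from a live queue. Nothing is sent to AWS; the generated JSON is what you would pass to the SQS and S3 console or API.

```python
"""Build the SQS queue policy and S3 notification configuration for the
Jamf Protect -> S3 -> SQS -> Elastic Agent flow, and parse queue messages.
Standard library only; all identifiers are placeholders (assumptions)."""
import json
from urllib.parse import unquote_plus

# Placeholder identifiers for this example (not values from the page).
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
BUCKET = "example-jamf-protect-bucket"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
QUEUE_NAME = "jamf-protect-alerts"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:{QUEUE_NAME}"
PREFIX = "protect-/alerts/"  # prefix for the alerts data type, as in step 2


def sqs_access_policy(queue_arn: str, bucket_arn: str, account_id: str) -> dict:
    """Queue access policy that lets only this S3 bucket enqueue notifications.

    The principal is the S3 service, so the SourceArn/SourceAccount conditions
    are what stop any other bucket (including one in another account) from
    writing into the queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3ObjectCreatedNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnEquals": {"aws:SourceArn": bucket_arn},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def s3_notification_config(queue_arn: str, prefix: str,
                           config_id: str = "jamf-protect-object-created") -> dict:
    """Bucket notification configuration: every object-create event whose key
    starts with `prefix` is sent to the queue (one entry per data type)."""
    return {
        "QueueConfigurations": [{
            "Id": config_id,
            "QueueArn": queue_arn,
            "Events": ["s3:ObjectCreated:*"],
            "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}},
        }]
    }


def policy_is_scoped(policy: dict) -> bool:
    """Return False if any Allow statement for SendMessage lacks both source
    conditions or uses a wildcard principal (the queue would accept messages
    from any bucket or account)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a.lower() in ("sqs:sendmessage", "sqs:*") for a in actions):
            continue
        cond = stmt.get("Condition", {})
        src_arn = (cond.get("ArnEquals", {}).get("aws:SourceArn")
                   or cond.get("ArnLike", {}).get("aws:SourceArn"))
        src_acct = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if stmt.get("Principal") == "*" or not src_arn or not src_acct:
            return False
    return True


def objects_from_message(body: str, prefix: str) -> list:
    """Return (bucket, key) pairs for created objects named in one SQS message.

    The s3:TestEvent message carries no Records and is skipped. Object keys in
    S3 events are URL-encoded (spaces arrive as '+'), so decode before use."""
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":
        return []
    found = []
    for rec in msg.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        key = unquote_plus(rec["s3"]["object"]["key"])
        if key.startswith(prefix):
            found.append((rec["s3"]["bucket"]["name"], key))
    return found


# Constructed sample messages (not captured from a real queue).
TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                         "Time": "2024-01-01T00:00:00.000Z", "Bucket": BUCKET})
PUT_EVENT = json.dumps({"Records": [{
    "eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": BUCKET, "arn": BUCKET_ARN},
           "object": {"key": "protect-/alerts/2024/01/01/alert+batch.json", "size": 1024}},
}]})

if __name__ == "__main__":
    print(json.dumps(sqs_access_policy(QUEUE_ARN, BUCKET_ARN, ACCOUNT_ID), indent=2))
    print(json.dumps(s3_notification_config(QUEUE_ARN, PREFIX), indent=2))
    print(objects_from_message(TEST_EVENT, PREFIX), objects_from_message(PUT_EVENT, PREFIX))
```

Run the module to print the two JSON documents; the policy goes on the queue (SQS access policy), the notification configuration on the bucket. The policy check is worth keeping in a deployment pipeline: a queue policy with a `*` principal and no source conditions lets anyone who learns the queue URL inject fake object notifications, which the Elastic Agent would then try to fetch.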