Guides
Start typing to search…
  1. Guides

Integration Troubleshooting

If you followed configure integration steps steps and have confirmed you have run each integration, but you are still experiencing issues with your integration, here are a few common troubleshooting steps to help resolve the problem.

Kubernetes Common Issues

  1. Ensure you copy Catio configuration fields exactly: Ensure that you have copied the Catio configuration fields exactly as provided in the Catio integration setup instructions. Even a small typo can cause the integration to fail.
  2. Ensuring you have kubectl installed and configured correctly: Make sure that you have kubectl installed on your machine and that it is configured to connect to the correct Kubernetes cluster. For more information, refer to the kubectl documentation.
  3. Unauthorized or access denied (kubectl): If you encounter unauthorized or access denied errors when running kubectl commands, ensure you have the proper permissions to access the Kubernetes cluster.
  4. For other issues, please reach out to your Catio representative or contact Support.

VPC Flow Logs Common Issues

  1. Ensure you have VPC Flow Logs enabled: Make sure that VPC Flow Logs are enabled for the VPCs you want to monitor. Flow Logs must be explicitly enabled per VPC. Check VPC Console → Your VPC → Flow Logs tab. Enable if missing.

  2. S3 path prefix not accounted for: No logs found despite logs existing. If Flow Logs are delivered to, for example: s3://bucket/vpc-logs/AWSLogs/... rather than the bucket root, the extractor needs to know the prefix structure. Verify the actual S3 path where logs land.

  3. Region mismatch: Empty results or access errors. The "Log Source Region" selected doesn't match where the CloudWatch Log Group or S3 bucket actually exists. CloudWatch Log Groups are regional.

    From Catio Setup: For S3 authentication, the bucket's hosting region will be auto-detected or fallback to us-west-2.

AWS Common Issues

  1. Ensure IAM role named exactly CatioConsoleAccessRole: Catio constructs the IAM role ARN using the account ID and hardcoded role name. If you name the role anything other than exactly CatioConsoleAccessRole (case-sensitive), Catio will fail to assume the role with an AccessDenied or role not found error. Verify the role is named exactly as specified.

  2. Follow every step fully: The CLI setup requires multiple steps that must all be completed:

    • aws iam create-role - creates the role
    • aws iam attach-role-policy - attaches ReadOnlyAccess
    • aws iam put-role-policy - adds the deny policy

    If you complete only the role creation step, the role exists but has no permissions. Catio will connect successfully but return empty results for everything. Ensure all three CLI commands are executed in order.

  3. Ensure you the opt-in regions are enabled in your AWS Account Settings before selecting them: Some regions require explicit opt-in in your AWS Account Settings. EMEA includes af-south-1, eu-south-1, eu-south-2, me-south-1, and me-central-1. Asia Pacific includes ap-south-2, ap-southeast-3, ap-southeast-4, and ap-east-1. If you select these regions in Catio without enabling them in your AWS account first, Catio will encounter UnauthorizedOperation or AuthFailure errors. Enable opt-in regions in AWS Account Settings before selecting them in Catio.

Updated 12 days ago