Listen to SNS Topics


Ashish B

Feb 23, 2021, 10:01:59 AM
to Wazuh mailing list
Hello,

Is there a way to get SNS messages directly to Wazuh?

Regards
Ash

Ezequiel Velez

Feb 23, 2021, 1:12:35 PM
to Wazuh mailing list
Hello Ashish,

If you want to receive the messages from Wazuh, this post could help:

In case you want to send SNS messages to Wazuh, you can probably configure your publisher to log the messages into a file, if you have a Wazuh Agent or Wazuh Manager running on the host.
Then use the following tutorial to add the localfile to ossec.conf (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html).
So, the SNS messages published to the Topic and logged into the file will be sent to Wazuh to be analyzed.
Take into account that to analyze the messages and generate alerts, you need to define decoders and rules.

Best Regards,
Ezequiel

Ashish B

Feb 23, 2021, 1:20:07 PM
to Wazuh mailing list
Hi Ezequiel,

Thanks a ton for your reply. I want to send SNS messages to Wazuh.

So, I will look at your second suggestion to make this work. Is there documentation that I can refer to for setting up the file logging?

Regards
Ashish Bansal

Ezequiel Velez

Feb 23, 2021, 2:20:37 PM
to Wazuh mailing list
On the second suggestion, it depends on the use case and how your publisher works. The basic idea is to configure your publisher to log into a local file and set the Wazuh agent/manager to collect the logs from that file.

There is another alternative: use an endpoint with Wazuh Manager as a webhook listener to redirect the events into Wazuh, and create an SNS subscription for the web listener.
The attached image shows an example of the subscription.

Regards,
Ezequiel
SNS_wazuh.png
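
The two suggestions above can be combined: an HTTP(S) endpoint subscribed to the topic writes each notification to a file that a `localfile` entry collects. The following is an added example, not code from the thread or from Wazuh; the topic ARN, log path and function names are assumptions, the HTTP server wiring is left out, and verification of the SNS `Signature` / `SigningCertURL` fields is not implemented here.

```python
import json
from urllib.parse import urlparse

# Assumed values for this sketch: replace with your own topic and log path.
ALLOWED_TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:example-topic"  # constructed
LOG_PATH = "/var/log/sns/sns.json"

def is_sns_host(url):
    """True only for https URLs on an sns.<region>.amazonaws.com host."""
    u = urlparse(url or "")
    host = u.hostname or ""
    return u.scheme == "https" and host.startswith("sns.") and host.endswith(".amazonaws.com")

def handle_sns(body, log_path=LOG_PATH, allowed_arn=ALLOWED_TOPIC_ARN):
    """Process one SNS HTTP(S) POST body. Returns (action, detail)."""
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return ("reject", "body is not JSON")
    # Drop anything that does not come from the one topic we subscribed to.
    if not isinstance(msg, dict) or msg.get("TopicArn") != allowed_arn:
        return ("reject", "unexpected topic")
    kind = msg.get("Type")
    if kind == "SubscriptionConfirmation":
        url = msg.get("SubscribeURL")
        # The caller confirms by fetching this URL; only hand back AWS-hosted ones.
        return ("confirm", url) if is_sns_host(url) else ("reject", "bad SubscribeURL")
    if kind != "Notification":
        return ("ignore", str(kind))
    payload = msg.get("Message", "")
    try:
        payload = json.loads(payload)  # publishers often put JSON inside Message
    except (ValueError, TypeError):
        pass  # keep plain-text messages as they are
    event = {"sns": {"message_id": msg.get("MessageId"), "topic_arn": msg["TopicArn"],
                     "timestamp": msg.get("Timestamp"), "subject": msg.get("Subject"),
                     "message": payload}}
    # One JSON object per line, so the file can be collected with log_format json.
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event, separators=(",", ":")) + "\n")
    return ("logged", msg.get("MessageId"))
```

On the Wazuh side, a `<localfile>` block in ossec.conf with `<log_format>json</log_format>` and `<location>` set to the same path picks up these lines; rules can then match on the `sns.*` fields.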

Ashish B

Feb 23, 2021, 3:19:48 PM
to Ezequiel Velez, Wazuh mailing list
Hi Ezequiel,

Thanks a lot for your help, really appreciate it.

I think using Wazuh Manager as a webhook listener would be the better option. So, I will try setting it up and will let you know in case of any issue.

Regards
Ashish

