Exit code 12 for AWS cloudwatch logs


Jonathan Frappier

Jun 21, 2021, 11:59:13 AM
to Wazuh mailing list
Hello,

I am trying to set up ingestion of cloudwatch logs but get the following message in the logs:

Jun 21, 2021 @ 11:37:32.000 wazuh-modulesd:aws-s3 WARNING Service: cloudwatchlogs - Returned exit code 12 
Jun 21, 2021 @ 11:37:32.000 wazuh-modulesd:aws-s3 WARNING Service: cloudwatchlogs - The config profile (default) could not be found 
Jun 21, 2021 @ 11:37:32.000 wazuh-modulesd:aws-s3 INFO Fetching logs finished. 
Jun 21, 2021 @ 11:37:31.000 wazuh-modulesd:aws-s3 INFO Starting fetching of logs.
Jun 21, 2021 @ 11:37:31.000 wazuh-modulesd:aws-s3 INFO Executing Service Analysis: (Service: cloudwatchlogs, Profile: default)


I made the assumption (and maybe incorrectly) that the "aws_profile" corresponded to the aws cli config which has access/secret key set in the default profile (side question - will roles ever be supported as well?) 

My ossec.conf config
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <service type="cloudwatchlogs">
      <aws_profile>default</aws_profile>
      <aws_log_groups>vpcFlowLogs</aws_log_groups>
      <regions>us-west-2</regions>
    </service>
  </wodle>





Jonathan Frappier

Jun 21, 2021, 1:34:45 PM
to Wazuh mailing list
I did also try with aws_profile removed, to see if it would fall back to the role assigned to the instance, no errors, but also not seeing anything show up.

Jesus Linares

Jun 21, 2021, 1:44:57 PM
to Wazuh mailing list
Hi,

It looks like the module doesn't find the profile. The profile is read from the ~/.aws/credentials file.

Could you verify that the following file exists on the server where you are running the Wazuh S3 module?
$ cat ~/.aws/credentials 
[default]
aws_access_key_id = redacted 
aws_secret_access_key = redacted

Also, you can manually test the access key by using the AWS CLI on that server with the default profile.

> will roles ever be supported as well?

On the other hand, you can enable the debug mode for wazuh-modulesd (wazuh_modules.debug - https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#wazuh-modules) in order to see if there are some logs with more information.

I hope it helps.

Jonathan Frappier

Jun 21, 2021, 2:25:09 PM
to Jesus Linares, Wazuh mailing list
Hi,

Thank you for the reply. Yes the aws credentials file is there

And the credentials can query cloudwatch logs


Jonathan Frappier

Jun 21, 2021, 4:33:37 PM
to Wazuh mailing list
RE: On the other hand, you can enable the debug mode for wazuh-modulesd (wazuh_modules.debug - https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#wazuh-modules) in order to see if there are some logs with more information.

It is not clear to me from that link where I would change the debug value. I searched ossec.conf and local_internal_options.conf to see if there was an existing debug parameter already set to 0 but I am not seeing anything.

Jesus Linares

Jun 22, 2021, 4:26:58 AM
to Wazuh mailing list
Hi,

In order to enable the debug mode for the Wazuh modules, follow these steps:
  1. Go to /var/ossec/etc/local_internal_options.conf file
  2. Add the setting: wazuh_modules.debug=2
  3. Restart Wazuh
Then, review the ossec.log file filtering by the AWS module.

Regarding your issue, I think the module is looking at the AWS credentials file in the root path (/root/.aws/credentials). Does this file exist? Your AWS CLI is working because you are logged in as the user ec2-user (using the file /home/ec2-user/.aws/credentials). Just copy the file to the root directory to know if this is the problem.

I hope it helps.


Jonathan Frappier

Jun 22, 2021, 7:44:14 AM
to Wazuh mailing list
Thanks - think the credentials file being set up for root was the issue. And thank you for the clarification on enabling debug.
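
Added example, not part of the original thread and not Wazuh's own code: a Python check of the diagnosis reached above, that a profile defined for ec2-user is not visible to a module running as root. It assumes the standard AWS shared-file layout (.aws/credentials and .aws/config under the process's home directory) and does not model environment-variable overrides; profile_names and check_profile are hypothetical helper names.

```python
import configparser
import os
import stat


def profile_names(path):
    """Profile names defined in an AWS shared credentials or config file."""
    parser = configparser.RawConfigParser()
    try:
        parser.read(path)  # missing or unreadable files are silently skipped
    except configparser.Error:
        return set()       # malformed file: treat as defining no profiles
    # ~/.aws/config writes non-default profiles as "[profile NAME]"
    return {s[len("profile "):].strip() if s.startswith("profile ") else s
            for s in parser.sections()}


def check_profile(home, profile="default"):
    """Return (found, notes) for a process whose home directory is `home`."""
    found, notes = False, []
    for name in ("credentials", "config"):
        path = os.path.join(home, ".aws", name)
        if not os.path.isfile(path):
            notes.append(f"{path}: not found")
            continue
        if profile in profile_names(path):
            found = True
            notes.append(f"{path}: defines profile '{profile}'")
        else:
            notes.append(f"{path}: no profile '{profile}'")
        # A copied secret key should stay private to the account that owns it.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name == "credentials" and mode & 0o077:
            notes.append(f"{path}: mode {mode:o} exposes keys to other users; chmod 600")
    return found, notes


if __name__ == "__main__":
    # Home directories taken from the thread: the module looked under /root,
    # while the working AWS CLI session belonged to ec2-user.
    for home in ("/root", "/home/ec2-user"):
        found, notes = check_profile(home)
        print(f"{home}: profile {'found' if found else 'NOT found'}")
        for note in notes:
            print("   ", note)
```

Run it as root so that /root/.aws is readable; a "NOT found" result for /root alongside "found" for /home/ec2-user reproduces the situation in this thread.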