AWS VPC Flow Logs & AWS nlb logs are not coming in WAZUH UI


Suvadip Ghosh

Mar 4, 2026, 6:13:32 AM
to Wazuh | Mailing List
Dear Team,

While integrating AWS services like AWS NLB & AWS VPC, I am facing some issues with the log parsing.

For AWS VPC there is a parsing error:

2026/03/04 06:18:47 wazuh-modulesd:aws-s3: INFO: Executing Bucket Analysis: (Bucket: ikxxxxx-vpc-flow-log-xxxxf0, Type: vpcflow)
2026/03/04 06:18:49 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Returned exit code 9
2026/03/04 06:18:49 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Failed to parse file AWSLogs/xxxxxxxxxx265/vpcflowlogs/ap-south-1/2026/03/04/xxxxxxxxx265_vpcflowlogs_ap-south-1_fl-0210ecfc6db3503a6_20260304T0000Z_504eb0f8.log.gz: ValueError("invalid literal for int() with base 10: 'type'")

AWS NLB: Everything is working fine for AWS NLB; there is no error on the Wazuh server, but logs are not coming into the UI (kindly check the attached screenshot).

Let me know what changes are required to overcome this issue.

Screenshot 2026-03-04 120730.png

Suvadip Ghosh

Mar 6, 2026, 3:55:53 AM
to Wazuh | Mailing List
Dear Team,

Please help here in this case.

Ezequiel Matías Montero

Mar 11, 2026, 1:49:21 PM
to Suvadip Ghosh, Wazuh | Mailing List

This behavior is related to how Wazuh AWS S3 integrations work by default:
VPC Flow logs: Wazuh expects a supported/standard VPC Flow log structure. If the file includes a header or a non-standard/custom field layout, parsing can fail (as seen in your invalid literal for int() with base 10: 'type' message).
NLB logs: Collection may still be working even if you do not see events in the UI. By default, visibility depends on active rules that generate alert levels shown in Security Events.

What is possible with the tool out of the box:
Ingest AWS logs from S3 (for supported log types/formats).
Decode and normalize events.
Show events in UI when matching rules produce visible alerts.

What is not automatic by default:
Handling every custom VPC Flow log format variation.
Showing all ingested NLB records in UI without matching visible rules/conditions.

Recommended operational checks:
Confirm bucket type/configuration and AWSLogs prefix/region/account path.
Verify IAM permissions for S3 read/list.
Validate the exported VPC Flow format is standard/supported.
Confirm time range, index pattern, and severity filters in the UI.
Check manager logs to confirm ingestion vs. correlation/visibility.


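One way to carry out the "Validate the exported VPC Flow format is standard/supported" check from the reply above, as an added example that is not part of the thread and is not Wazuh's own code. It compares a file's header and rows with the AWS default (version 2) field layout; the function names and the sample lines are constructed for illustration.

```python
import gzip

# AWS default (version 2) field order, as written in the header line of S3-delivered files.
DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                  "protocol packets bytes start end action log-status").split()
# Columns holding integers in the default layout; "-" is valid (NODATA/SKIPDATA records).
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed samples, not taken from the thread.
DEFAULT_SAMPLE = [
    " ".join(DEFAULT_FIELDS),
    "2 123456789012 eni-0abc 10.0.0.5 10.0.1.9 44321 443 6 10 840 1772582400 1772582460 ACCEPT OK",
    "2 123456789012 eni-0abc - - - - - - - 1772582400 1772582460 - NODATA",
]
CUSTOM_SAMPLE = [
    "account-id interface-id srcaddr dstaddr srcport dstport protocol type packets bytes start end action log-status",
    "123456789012 eni-0abc 10.0.0.5 10.0.1.9 44321 443 6 IPv4 10 840 1772582400 1772582460 ACCEPT OK",
]


def check_vpcflow(lines):
    """Return findings for one flow log file; an empty list means the default layout."""
    rows = [ln.split() for ln in lines if ln.strip()]
    if not rows:
        return ["file is empty"]
    findings = []
    # Heuristic: a header row has no purely numeric token, a data row almost always does.
    header = rows[0] if not any(tok.isdigit() for tok in rows[0]) else None
    if header is not None and header != DEFAULT_FIELDS:
        extra = [f for f in header if f not in DEFAULT_FIELDS]
        missing = [f for f in DEFAULT_FIELDS if f not in header]
        findings.append(f"header differs from default: extra={extra} missing={missing}")
    data = rows[1:] if header else rows
    for n, row in enumerate(data, start=2 if header else 1):
        if len(row) != len(DEFAULT_FIELDS):
            findings.append(f"row {n}: {len(row)} fields, default has {len(DEFAULT_FIELDS)}")
            continue
        # Read the row by position, as a parser fixed to the default layout would.
        bad = [name for name, val in zip(DEFAULT_FIELDS, row)
               if name in INT_FIELDS and val != "-" and not val.isdigit()]
        if bad:
            findings.append(f"row {n}: non-integer value under default column(s) {bad}")
    return findings


def check_gz(path):
    """Run the same check on a .log.gz object downloaded from the bucket."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return check_vpcflow(fh)
```

Calling `check_gz()` on the object named in the "Failed to parse file" warning shows whether that file's header or column order departs from the default layout.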