AWS-S3 Wodle (CloudWatch)


عبدالعزيز بن حلوان

Oct 18, 2023, 1:08:23 PM
to Wazuh | Mailing List
Hello Wazuh Team,

Hope you are all doing well,

I'm facing an issue with the aws-s3 integration, specifically the CloudWatch service.
I can find the logs in archives.log; however, they are not being decoded, therefore I created custom decoders and it worked!! But only in the testing tools for decoders and rules.


In archives.log all CloudWatch logs start with 2023 Oct 18 01:06:55 wazuh->Wazuh-AWS
and after it is JSON data.

I just want to know if I should create decoders based on wazuh->Wazuh-AWS, or if that part is ignored by the SIEM rules engine and I should use JSON.


Thanks
Abdulaziz

Eduardo Leon Aldazoro

Oct 18, 2023, 2:15:12 PM
to Wazuh | Mailing List
Hi,

Since the CloudWatch service works as a transport method for other services, there are no specific decoders for CloudWatch itself, only for the services integrated through it.

The approach was correct: create custom decoders specifically for your logs and test them using wazuh-logtest. However, take into consideration that to trigger an alert it needs to match a rule as well, and finally, for it to be seen in the dashboard, the level of the alert needs to be higher than the alert threshold set in the alerts configuration of ossec.conf.

Will leave a link to an older ticket with the same issue for you to check out.

Best.

عبدالعزيز بن حلوان

Oct 18, 2023, 7:41:54 PM
to Eduardo Leon Aldazoro, Wazuh | Mailing List
Hello

The issue is that the custom decoders and rules work in the testing tools using a log sample; however, when a log is
collected in archives.log it doesn't trigger an alert.

The log message for aws-s3 starts with:

2023 Oct 18 01:06:55 wazuh->Wazuh-AWS {json data}

Then after it comes the JSON data. Currently I'm confused about how to create decoders for it: should I take the first part of the log (generated by Wazuh) into consideration, which I have already done but for some reason doesn't trigger an alert, or is it ignored by the SIEM engine and treated as JSON?

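As an added example (not part of this thread and not Wazuh's own code): the `2023 Oct 18 01:06:55 wazuh->Wazuh-AWS` prefix is the header that analysisd writes in front of every entry in the plain-text archives.log (timestamp, hostname and location); it is not part of the event that the decoders receive. The script below splits constructed archives.log lines into that header and the original event, and checks whether the event is a JSON document, which is the text you would paste into wazuh-logtest and write decoders against. The sample lines, hostnames, log group names and the JSON field names (`integration`, `aws.source`) are constructed for the example and are assumptions, not an exact copy of the aws-s3 module's output.

```python
import json
import re

# Header that analysisd prepends to each archived event in plain-text archives.log:
#   "<YYYY Mon DD HH:MM:SS> <hostname>-><location> <original event>"
# The header is written at archive time and is not seen by decoders or rules.
ARCHIVE_HEADER = re.compile(
    r"^(?P<timestamp>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>[^\s>]+)->(?P<location>\S+) (?P<event>.*)$"
)

# Constructed sample lines (not real data): one CloudWatch event from the aws-s3
# module at location "Wazuh-AWS", and one syslog event to show the split is generic.
SAMPLE_ARCHIVE_LINES = [
    '2023 Oct 18 01:06:55 wazuh->Wazuh-AWS {"integration": "aws", "aws": '
    '{"source": "cloudwatchlogs", "log_group": "/example/app", '
    '"log_stream": "example-stream", "message": "ERROR example payload"}}',
    "2023 Oct 18 01:07:10 wazuh->/var/log/auth.log Oct 18 01:07:10 host "
    "sshd[123]: Failed password for invalid user test from 192.0.2.10 port 4242 ssh2",
]


def split_archive_line(line):
    """Separate the archives.log header fields from the original event text."""
    m = ARCHIVE_HEADER.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a plain-format archives.log line")
    return m.groupdict()


def event_for_logtest(line):
    """Return only the part of the line that wazuh-logtest and the decoders should see."""
    return split_archive_line(line)["event"]


def parse_json_event(event):
    """Return the parsed object if the event is a JSON document, otherwise None."""
    if not event.startswith("{"):
        return None
    try:
        return json.loads(event)
    except json.JSONDecodeError:
        return None


def describe(line):
    """Summarise where an archived event came from and whether it is JSON."""
    parts = split_archive_line(line)
    obj = parse_json_event(parts["event"])
    return {
        "location": parts["location"],
        "is_json": obj is not None,
        # Field names below are assumed for the example, not guaranteed module output.
        "integration": obj.get("integration") if obj else None,
        "aws_source": (obj.get("aws") or {}).get("source") if obj else None,
    }


if __name__ == "__main__":
    for sample in SAMPLE_ARCHIVE_LINES:
        print(describe(sample))
        print("  logtest input:", event_for_logtest(sample))
```

The practical use is to feed `event_for_logtest(line)` rather than the whole archives.log line into wazuh-logtest: if a decoder's prematch includes the timestamp or `wazuh->Wazuh-AWS`, it can only ever match in a test where that header was pasted in, never in production, which is one way to get the "works in logtest but never alerts" symptom described in the thread.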

Eduardo Leon Aldazoro

Nov 1, 2023, 8:45:31 AM
to Wazuh | Mailing List
Hi,

I'm sorry for the late response.

Regarding decoders: yes, you should be able to decode any message that comes in the log using the appropriate regex, even when it is a JSON-formatted message.

Also, I would like to mention that the log test should mimic a production environment, meaning that triggering an alert by a custom rule should produce the same alert when a real log is used.
Please check if the level of the rule surpasses the alert threshold, and if it does, let me know so we can look into that further.