AWS WAF Logs - Allow events missing


Joe

Aug 9, 2023, 10:14:04 AM8/9/23
to Wazuh mailing list
Hello,

I recently started sending my AWS WAF logs into Wazuh and I am seeing events for all "BLOCK" actions but do not appear to be getting any of my "ALLOW" traffic events. Any ideas for what I should be looking for?

Here is my current setup: 

WAF is logging to CloudWatch log group -> a subscription filter is turned on to have the logs pushed over to Kinesis Firehose in my central logging account -> Kinesis is then pushing the logs into an S3 bucket

Looking at my Wazuh rulesets, I do see there is a rule configured for the "ALLOW" action.

<rule id="80441" level="0">
    <if_sid>80440</if_sid>
    <field name="aws.action">ALLOW</field>
    <options>no_full_log</options>
    <description>AWS WAF - Allowed request.</description>
    <group>aws_waf,aws_waf_allow,</group>
</rule>

Any help is appreciated! 

Carlos Ezequiel Bordon

Aug 9, 2023, 1:45:29 PM8/9/23
to Joe, Wazuh mailing list

Good afternoon. It would be important to have a little more information about the error. For this, it would help to enable logall (at least for a while) so that you have more detail in the logs and can see whether all the events are being received.

In order to configure this you must modify /var/ossec/etc/ossec.conf: in the global section, set logall to yes and restart the manager.

After this, if you find events with ALLOW, extract a log line and test the rule against it using logtest, which is located at /var/ossec/bin/wazuh-logtest.




--
Carlos Bordon
CICD/DevOps
Wazuh

Joe

Aug 9, 2023, 3:27:56 PM8/9/23
to Wazuh mailing list
Thank you, I have adjusted the logall configuration as suggested and restarted the manager. I ran wazuh-logtest against a log entry and it appears to parse and ingest as I would hope, but I still do not see the information in Wazuh - Discover.

Something else that I am running into is that the logs are not automatically ingesting. I've included my output below from testing the wodle configuration. It seems that the marker continues to get mismatched? I'm not certain what is causing this either. I connect to the db under /var/ossec/wodles/aws/ using sqlite and do a delete from waf; and then I notice all of the logs ingest for that time, until the marker mismatches and it gets stuck again. Any ideas for this?

XXXXXXXXXXXX:/var/ossec/wodles/aws# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.5
Type one log per line

{"integration": "aws", "aws": {"log_info": {"aws_account_alias": "", "log_file": "XXXXXXXXXXXX/2023/08/09/05/XXXXXXXXXXXX", "s3bucket": "XXXXXXXXXXXX"}, "timestamp": 1691557919124, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:XXXXXXXXXXXX:regional/webacl/XXXXXXXXXXXX/XXXXXXXXXXXX", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW", "terminatingRuleMatchDetails": [], "httpSourceName": "ALB", "httpSourceId": "XXXXXXXXXXXX-app/XXXXXXXXXXXX/XXXXXXXXXXXX", "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesAmazonIpReputationList", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null}, {"ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null}, {"ruleGroupId": "AWS#AWSManagedRulesLinuxRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null}, {"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null}], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [], "httpRequest": {"clientIp": "XXXXXXXXXXXX", "country": "US", "headers": {"host": "XXXXXXXXXXXX", "user-agent": "Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)", "accept": "*/*", "accept-encoding": "gzip"}, "uri": "/assets/img/favicon-32x32.png", "args": "", "httpVersion": "HTTP/2.0", "httpMethod": "GET", "requestId": "XXXXXXXXXXXX"}, "labels": [{"name": "awswaf:clientip:geo:region:US-NJ"}, {"name": "awswaf:clientip:geo:country:US"}], "source": "waf"}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
        name: 'json'
        aws.action: 'ALLOW'
        aws.formatVersion: '1'
        aws.httpRequest.clientIp: 'XXXXXXXXXXXX'
        aws.httpRequest.country: 'US'
        aws.httpRequest.headers.accept: '*/*'
        aws.httpRequest.headers.accept-encoding: 'gzip'
        aws.httpRequest.headers.host: 'XXXXXXXXXXXX'
        aws.httpRequest.headers.user-agent: 'Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)'
        aws.httpRequest.httpMethod: 'GET'
        aws.httpRequest.httpVersion: 'HTTP/2.0'
        aws.httpRequest.requestId: 'XXXXXXXXXXXX'
        aws.httpRequest.uri: '/assets/img/favicon-32x32.png'
        aws.httpSourceId: 'XXXXXXXXXXXX-app/XXXXXXXXXXXX/XXXXXXXXXXXX'
        aws.httpSourceName: 'ALB'
        aws.labels: '[{'name': 'awswaf:clientip:geo:region:US-NJ'}, {'name': 'awswaf:clientip:geo:country:US'}]'
        aws.log_info.log_file: 'XXXXXXXXXXXX/2023/08/09/05/XXXXXXXXXXXX'
        aws.log_info.s3bucket: 'XXXXXXXXXXXX'
        aws.nonTerminatingMatchingRules: '[]'
        aws.rateBasedRuleList: '[]'
        aws.ruleGroupList: '[{'ruleGroupId': 'AWS#AWSManagedRulesAmazonIpReputationList', 'terminatingRule': None, 'nonTerminatingMatchingRules': [], 'excludedRules': None, 'customerConfig': None}, {'ruleGroupId': 'AWS#AWSManagedRulesKnownBadInputsRuleSet', 'terminatingRule': None, 'nonTerminatingMatchingRules': [], 'excludedRules': None, 'customerConfig': None}, {'ruleGroupId': 'AWS#AWSManagedRulesLinuxRuleSet', 'terminatingRule': None, 'nonTerminatingMatchingRules': [], 'excludedRules': None, 'customerConfig': None}, {'ruleGroupId': 'AWS#AWSManagedRulesSQLiRuleSet', 'terminatingRule': None, 'nonTerminatingMatchingRules': [], 'excludedRules': None, 'customerConfig': None}]'
        aws.source: 'waf'
        aws.terminatingRuleId: 'Default_Action'
        aws.terminatingRuleMatchDetails: '[]'
        aws.terminatingRuleType: 'REGULAR'
        aws.timestamp: '1691557919124.000000'
        aws.webaclId: 'arn:aws:wafv2:us-east-1:XXXXXXXXXXXX:regional/webacl/XXXXXXXXXXXX/XXXXXXXXXXXX'
        integration: 'aws'

**Phase 3: Completed filtering (rules).
        id: '80441'
        level: '0'
        description: 'AWS WAF - Allowed request.'
        groups: '['amazon', 'aws', 'aws_waf', 'aws_waf_allow']'
        firedtimes: '1'
        mail: 'False'




XXXXXXXXXXXX:# /var/ossec/wodles/aws/aws-s3 --bucket XXXXXXXXXXXX --type waf --aws_profile XXXXXXXXXXXX --regions us-east-1  --trail_prefix XXXXXXXXXXXX --debug 3

DEBUG: +++ Debug mode on - Level: 3

DEBUG: Generating default configuration for retries: mode standard - max_attempts 10

DEBUG: +++ Marker: XXXXXXXXXXXX/2023/08/09/12/XXXXXXXXXXXX

DEBUG: +++ No logs to process in bucket: None/None

DEBUG: +++ DB Maintenance
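The logtest output above ends with rule 80441 matching at level 0. In Wazuh a level 0 rule is "ignored": it matches but never generates an alert, so nothing is written to /var/ossec/logs/alerts/alerts.json, which is the file Filebeat ships to the wazuh-alerts-* index that Discover searches. Turning on <logall> does not change that either: it writes archives.log, whereas Filebeat reads archives.json, which requires <logall_json>yes</logall_json> plus the archives input enabled in /etc/filebeat/filebeat.yml, and even then the events land under wazuh-archives-*, not wazuh-alerts-*. The other route is to raise the rule's level in /var/ossec/etc/rules/local_rules.xml. The following is an added example, not code from the thread or from the Wazuh ruleset; level 3 is an assumption (it is the default <log_alert_level>, the lowest level written to alerts.json), and the enclosing group name is taken from the groups printed in Phase 3 above:

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example; not part of the original thread) -->
<group name="amazon,aws,">
  <!-- Same id as the stock rule; overwrite="yes" replaces it instead of
       adding a duplicate. Level 3 is an assumption: the default
       <log_alert_level>, i.e. the lowest level that reaches alerts.json. -->
  <rule id="80441" level="3" overwrite="yes">
    <if_sid>80440</if_sid>
    <field name="aws.action">ALLOW</field>
    <options>no_full_log</options>
    <description>AWS WAF - Allowed request.</description>
    <group>aws_waf,aws_waf_allow,</group>
  </rule>
</group>
```

After restarting the manager, paste the same JSON line into /var/ossec/bin/wazuh-logtest: Phase 3 should now report level '3', and a real ALLOW event from the bucket should show up in alerts.json and then in Discover. One caveat before doing this in production: ALLOW is normally the overwhelming majority of WAF traffic, so alerting on every allowed request multiplies index volume. If the goal is only to have the data searchable, the archives index is the cheaper choice; if only some allowed requests matter, narrow the overridden rule with extra <field> conditions (for example on aws.httpRequest.uri or aws.httpRequest.country) so that the alerted subset stays small.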

Carlos Ezequiel Bordon

Aug 16, 2023, 2:06:46 PM8/16/23
to Wazuh mailing list
Joe, I need you to create an issue for us in this repository, https://github.com/wazuh/wazuh/issues, detailing the problem you are running into. If you can, share the ossec.conf configuration and the steps you followed to configure the wodle.

Shrish Pandey

Jun 16, 2025, 1:23:29 AM6/16/25
to Wazuh | Mailing List
Did you get a solution for this? If you did, can you please help me, because I am facing the same issue.