AWS GuardDuty and CloudTrail integration with Wazuh not working


S SAN

Sep 18, 2023, 9:55:50 AM
to Wazuh | Mailing List

Hi,

I am having an issue with the integration of Wazuh with AWS GuardDuty and AWS CloudTrail. The integration is configured correctly, all logs were enabled, but no events are being logged in Wazuh:

  <logall>yes</logall>
  <logall_json>yes</logall_json>

ossec.conf logs:

2023-09-18 10:43:16 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2023-09-18 10:43:16 wazuh-modulesd:aws-s3: INFO: Executing Bucket Analysis: (Bucket: test-guardduty, Type: guardduty)
2023-09-18 10:43:17 wazuh-modulesd:aws-s3: INFO: Executing Bucket Analysis: (Bucket: test-cloudtrail, Type: cloudtrail)
2023-09-18 10:43:17 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.

I have tried the following solutions, but none of them have resolved the issue:

  • Restarting Wazuh
  • Restarting AWS GuardDuty and AWS CloudTrail
  • Reconfiguring the integration of Wazuh with AWS GuardDuty and AWS CloudTrail

Additional information:

  • I am using the s3-aws wodle to collect logs from AWS GuardDuty and AWS CloudTrail.
  • GuardDuty logs are being stored in the S3 bucket as jsonl.gz
  • CloudTrail logs are being stored in the S3 bucket as json.gz

I am open to any suggestions that could help me resolve this issue.

Thank you in advance.

Carlos Vendrell

Sep 18, 2023, 2:52:10 PM
to Wazuh | Mailing List
Hello,

Thanks for using Wazuh.

After enabling the 'logall' option within the manager's ossec.conf file, as you mentioned and as is outlined in our Documentation:
You should be able to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. This way you should be able to observe the incoming alerts generated by your AWS integration.
After setting this option, restart the manager and check the archives.log file.

Note: Don't forget to disable the logall_json parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.
This way you will be able to verify if the integration is working as expected and if the information is actually reaching your manager.


You can also check the Wazuh API logs, which can provide valuable information about the integration process:

# tail -f /var/ossec/logs/api.log

Using tail -f, you can monitor the results of your settings as you make changes.
Basically, those two logs are the Wazuh manager's main logs and keep all the information; if you cannot find information related to the integration, you will need to double-check the integration settings.


Hope it helps,
Carlos

S SAN

Sep 18, 2023, 9:51:49 PM
to Carlos Vendrell, Wazuh | Mailing List
Unfortunately I couldn't find anything related to AWS in the API logs. I was wondering if it was a matter of permissions, but I was able to retrieve the logs using a Python script with the Wazuh permissions for the S3 buckets.

Is there an example of how the ossec.conf should be configured in the case of multiple cloud accounts to be monitored by CloudTrail and GuardDuty?

Best regards



Carlos Vendrell

Sep 19, 2023, 9:29:27 AM
to Wazuh | Mailing List
Hello,

You should define the different buckets inside the wodle:

Example:

  <bucket type="cloudtrail">
    <name>wazuh-cloudtrail</name>
    <aws_profile>default</aws_profile>
  </bucket>

  <bucket type="cloudtrail">
    <name>wazuh-cloudtrail-other-account</name>
    <aws_profile>default-other-account</aws_profile>
  </bucket>

Please take a look at the documentation below; there you will find a full example:
Remember that you need to restart the manager to apply the configuration.

Hope it helps,
Carlos
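A fuller layout of the wodle described in the reply above, as an added example that is not part of this thread or of the Wazuh documentation: one aws-s3 wodle carrying both bucket types (cloudtrail and guardduty, the two types named in the question) for two accounts. Bucket names and profile names are placeholders; each <aws_profile> is assumed to match a named profile in the AWS credentials file read by the user that runs wazuh-modulesd on the manager.

```xml
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <!-- keep going with the remaining buckets if one bucket fails -->
  <skip_on_error>yes</skip_on_error>

  <!-- Account A: placeholder bucket names, profile "account-a" -->
  <bucket type="cloudtrail">
    <name>account-a-cloudtrail</name>
    <aws_profile>account-a</aws_profile>
  </bucket>
  <bucket type="guardduty">
    <name>account-a-guardduty</name>
    <aws_profile>account-a</aws_profile>
  </bucket>

  <!-- Account B: placeholder bucket names, profile "account-b" -->
  <bucket type="cloudtrail">
    <name>account-b-cloudtrail</name>
    <aws_profile>account-b</aws_profile>
  </bucket>
  <bucket type="guardduty">
    <name>account-b-guardduty</name>
    <aws_profile>account-b</aws_profile>
  </bucket>
</wodle>
```

After editing ossec.conf, restart the manager and watch /var/ossec/logs/ossec.log for one "Executing Bucket Analysis" line per bucket, which confirms that every bucket block was read.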