Security Hub Logs Not Appearing in Wazuh Dashboard


Chandra pal singh Chauhan

Mar 4, 2026, 6:13:32 AM
to Wazuh | Mailing List

Dear Team,

I hope you are doing well.

We previously integrated AWS Security Hub with Wazuh, and at the time of integration the logs were successfully appearing on the Wazuh dashboard. However, currently we are not seeing any Security Hub logs on the dashboard.

Upon checking, we observed that logs are still being generated and stored in the S3 bucket. We also reviewed the ossec.log file and did not find any errors related to this log source. The relevant log entries are shown below:

Screenshot 2026-03-04 105334.png

2026/03/04 10:46:20 wazuh-modulesd:aws-s3: INFO: Executing Subscriber fetch: (Type and SQS: security_hub Toucan-Prod-SQS-SecurityHub)
2026/03/04 10:46:41 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.

Since the module appears to be running without errors but the logs are not visible on the Wazuh dashboard, could you please help us identify what additional checks or troubleshooting steps we should perform?

Your guidance on resolving this issue would be greatly appreciated.

Thank you for your support.

Regards,

Chandra

Gustavo Choquevilca

Mar 4, 2026, 2:05:32 PM
to Wazuh | Mailing List
Hi Chandra,

Thank you for the detailed report. The log shows the module is running and completing the fetch cycle without errors, which suggests the issue may not be in the AWS connectivity layer but further down the pipeline.

To help narrow down the root cause, could you please share the following?

1. Enable debug mode for the AWS module and share the output:

Add the following to `/var/ossec/etc/local_internal_options.conf`:

wazuh_modules.debug=2

Then restart the Wazuh manager:

systemctl restart wazuh-manager

After that, wait for the next execution cycle and share the relevant section of /var/ossec/logs/ossec.log (look for lines containing aws-s3).

2. Check if events are reaching the analysis engine:

Run the following to see if any Security Hub alerts are being generated:

grep 'aws' /var/ossec/logs/alerts/alerts.json | tail -20

You can also enable event archiving and verify whether AWS events are reaching Wazuh at all. Here is the official documentation on how to enable it:
https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving

3. Additional question:

Have you made any recent changes that could have affected this integration? For example, changes to the ossec.conf, IAM permissions, SQS/S3 configurations, or a Wazuh version upgrade?

Chandra pal singh Chauhan

Mar 5, 2026, 12:50:12 AM
to Wazuh | Mailing List

Hello Gustavo,

Thank you for your response.

I have performed the steps you mentioned. I can see that the Security Hub events are being received in the alert.json file; however, they are not appearing on the dashboard.

For your reference, I have also attached the events file.

Could you please review it and let me know if any additional configuration or troubleshooting steps are required?


2. Have you made any recent changes that could have affected this integration?

Ans: No

Regards,

Chandra

securityhub.json

Chandra pal singh Chauhan

Mar 5, 2026, 12:50:16 AM
to Wazuh | Mailing List
Also, I have written the ossec.conf output for Security Hub:


2026/03/05 10:43:59 wazuh-modulesd:aws-s3[1255773] wm_aws.c:196 at wm_aws_main(): INFO: Executing Subscriber fetch: (Type and SQS: security_hub Toucan-Prod-SQS-SecurityHub)
2026/03/05 10:43:59 wazuh-modulesd:aws-s3[1255773] wm_aws.c:727 at wm_aws_run_subscriber(): DEBUG: Create argument list
2026/03/05 10:43:59 wazuh-modulesd:aws-s3[1255773] wm_aws.c:806 at wm_aws_run_subscriber(): DEBUG: Launching S3 Subscriber Command: wodles/aws/aws-s3 --subscriber security_hub --queue Toucan-Prod-SQS-SecurityHub --aws_profile toucanprod --debug 2 --skip_on_error
2026/03/05 10:44:20 wazuh-modulesd:aws-s3[1255773] wm_aws.c:847 at wm_aws_run_subscriber(): DEBUG: Subscriber: security_hub Toucan-Prod-SQS-SecurityHub  -  OUTPUT: DEBUG: +++ Debug mode on - Level: 2
DEBUG: No retries configuration found in profile config. Generating default configuration for retries: mode: standard - max_attempts: 10
DEBUG: Created Config object using profile: 'profile toucanprod' configuration
DEBUG: The SQS queue is: https://sqs.ap-south-1.amazonaws.com/197732933843/Toucan-Prod-SQS-SecurityHub
DEBUG: No retries configuration found in profile config. Generating default configuration for retries: mode: standard - max_attempts: 10
DEBUG: Created Config object using profile: 'profile toucanprod' configuration
DEBUG: Retrieving messages from: Toucan-Prod-SQS-SecurityHub



Chandra pal singh Chauhan

Mar 5, 2026, 1:09:27 AM
to Wazuh | Mailing List
I also find that events come into Discover in Wazuh but not into the AWS dashboard, and it also has level 12 events.

Screenshot 2026-03-05 113636.png

Gustavo Choquevilca

Mar 5, 2026, 6:31:27 AM
to Wazuh | Mailing List
Based on everything you've shared, the module is working correctly — events are being received and processed by the Wazuh server without issues.

The reason Security Hub logs are not visible in the AWS dashboard is expected behavior. Security Hub events are tagged with the rule group aws_security_hub, while the AWS dashboard is designed to display only events belonging to the rule.groups: amazon group. This is the default configuration and cannot be changed at the dashboard level.


2026-03-05_08-30.jpg

To resolve the visibility issue, you have two options:

Option 1 – Modify the Security Hub rule
Edit the relevant Wazuh rule to also include the `amazon` group. This way, the events will appear in the existing AWS dashboard without any further changes.

Option 2 – Create a custom dashboard or visualization
Build a custom panel in the Wazuh UI that filters by `rule.groups: aws_security_hub`. This gives you full visibility into Security Hub events in a dedicated view, without modifying any rules.

Both options are valid — Option 1 is quicker, while Option 2 gives you a cleaner and more organized long-term setup.

Chandra pal singh Chauhan

Mar 5, 2026, 12:38:36 PM
to Wazuh | Mailing List
Hello Gustavo,

Thanks for the support. I will try option 1 first, then go for option 2.

Regards,
Chandra

Chandra pal singh Chauhan

Mar 6, 2026, 12:04:27 AM
to Wazuh | Mailing List

Hello Gustavo,

It is working after changing the rule.groups name. Thank you for your time and guidance.

I have attached the screenshot for your reference.

Screenshot 2026-03-06 101556.png


Suvadip Ghosh

Mar 6, 2026, 3:55:38 AM
to Wazuh | Mailing List
Hello Gustavo,

While integrating AWS NLB, I am not getting the logs in the UI.

AWS NLB: Everything is working fine for AWS NLB, there is no error in the Wazuh server, but logs are not coming into the UI (kindly check the attached screenshot).
Screenshot 2026-03-04 120730.png

Gustavo Choquevilca

Mar 6, 2026, 9:03:41 AM
to Wazuh | Mailing List
Hello,

When you mention that the logs are not appearing in the graphical interface, which interface are you referring to exactly?

  • Discover: If the logs appear there, could you check what value is set for rule.groups?

  • The AWS module interface

Based on the logs you shared, there don’t appear to be any errors related to this integration, and it seems to be working correctly.

Gustavo Choquevilca

Mar 6, 2026, 9:06:58 AM
to Wazuh | Mailing List
As a recommendation, if the logs are not appearing anywhere, you could enable debug mode and also archives, as I mentioned earlier in this thread. This will allow us to better understand what might be happening: https://groups.google.com/g/wazuh/c/drggiJLgeeU/m/330qEn8TBgAJ

Suvadip Ghosh

Mar 6, 2026, 9:27:18 AM
to Gustavo Choquevilca, Wazuh | Mailing List
Dear Gustavo,

Correct, in the screenshot there is no error showing.
And I am searching inside Discover as well as inside the AWS module.

I also checked on the server side inside the alerts.json file.

No logs are coming.

While checking the archives.log, logs are there inside this file.


Gustavo Choquevilca

Mar 6, 2026, 1:13:46 PM
to Wazuh | Mailing List

It seems that the events are reaching the Wazuh server, but they are not being fully processed since they cannot be seen in the indexer (Discover / AWS module).

What might be happening here is that there are no rules or decoders defined for these events. To verify this, you can use wazuh-logtest. This will help us determine whether rules are missing for these events.

You can refer to the following documentation to learn how to use wazuh-logtest: https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html



Suvadip Ghosh

Mar 7, 2026, 1:59:39 AM
to Wazuh | Mailing List
Hello Gustavo,

I am sharing the logtest result. Please review and guide me to get the logs in UI.

After the logtest, I also tried to fetch results for "nlb" from alerts.json and alerts.log, but got no result.
wazuh-logtest v4.12.0.txt

Gustavo Choquevilca

Mar 9, 2026, 7:25:45 AM
to Wazuh | Mailing List

Hello Suvadip Ghosh,

Based on the information you shared, here are some conclusions:

  • The AWS NLB logs are reaching the Wazuh server and are being processed correctly by the manager.

  • There are decoders and rules available to process this type of event. In your case, the event is matching rule ID 130101.

    From your wazuh-logtest output:

    **Phase 3: Completed filtering (rules).
        id: '130101'
        level: '7'
        description: 'AWS Network Load Balancer traffic detected'
        groups: '['aws', 'nlbaws', 'nlb', 'network']'
        firedtimes: '1'
        mail: 'False'

  • This indicates that the events should appear in alerts.json. It is important to verify this file, because only events that generate alerts are indexed and later visible in the Wazuh dashboard. If the logs are not present in alerts.json, then the issue may be related to a different stage of the pipeline. Another approach is to search for the events in Discover using a broader filter, for example:

    rule.groups: aws or data.aws.source: nlb

    This will help confirm whether the events are being indexed correctly. On the other hand, the AWS dashboard in Wazuh applies a default filter: rule.groups: amazon
    However, the event you shared contains the following groups: ['aws', 'nlbaws', 'nlb', 'network']. Because of this, the event will not appear in the AWS dashboard, since it does not belong to the amazon rule group. Additionally, the amazon filter is part of the default dashboard configuration and cannot be modified directly from the UI. At this point, I suggest the approach discussed here: https://groups.google.com/g/wazuh/c/drggiJLgeeU/m/vVFSOExJBgAJ
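
Added example (not part of the thread and not Wazuh project code): a check for the situation described in both explanations above, where alerts are indexed but their rule lacks the `amazon` group the AWS dashboard filters on. It assumes alerts.json holds one JSON object per line with `rule.id`, `rule.groups` and `data.aws.source`; the function names are hypothetical and the sample lines are constructed, with only rule 130101 and its groups taken from the thread.

```python
import json
import sys

DASHBOARD_GROUP = "amazon"  # default AWS dashboard filter, per the thread

# Constructed sample in the assumed alerts.json layout (one JSON object per line).
# Rule 130101 and its groups come from the thread; every other rule ID and
# data.aws.source value here is made up for illustration.
SAMPLE_ALERTS = [
    '{"rule":{"id":"130101","level":7,"groups":["aws","nlbaws","nlb","network"]},"data":{"aws":{"source":"nlb"}}}',
    '{"rule":{"id":"100001","level":12,"groups":["aws_security_hub"]},"data":{"aws":{"source":"security_hub"}}}',
    '{"rule":{"id":"100001","level":12,"groups":["aws_security_hub"]},"data":{"aws":{"source":"security_hub"}}}',
    '{"rule":{"id":"100002","level":3,"groups":["amazon","aws"]},"data":{"aws":{"source":"cloudtrail"}}}',
    '{"rule":{"id":"100003","level":3,"groups":["syslog"]},"data":{"srcip":"192.0.2.10"}}',
    '{"rule":{"id":"100001","level":12,"grou',  # truncated: file still being written
]


def audit_aws_rule_groups(lines, dashboard_group=DASHBOARD_GROUP):
    """Summarise AWS alerts per rule ID and flag rules the dashboard filter hides."""
    report = {}
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or partially written lines
        data = alert.get("data") if isinstance(alert, dict) else None
        if not isinstance(data, dict) or not isinstance(data.get("aws"), dict):
            continue  # alert did not come from the AWS module
        rule = alert.get("rule", {})
        entry = report.setdefault(
            str(rule.get("id")), {"count": 0, "groups": set(), "sources": set()})
        entry["count"] += 1
        entry["groups"].update(rule.get("groups", []))
        entry["sources"].add(data["aws"].get("source", "unknown"))
    for entry in report.values():
        entry["in_aws_dashboard"] = dashboard_group in entry["groups"]
    return report


def hidden_rule_ids(report):
    """Rule IDs whose alerts are indexed but filtered out of the AWS dashboard."""
    return sorted(rid for rid, e in report.items() if not e["in_aws_dashboard"])


if __name__ == "__main__":
    # Pass the alerts file path as the first argument, or run on the sample.
    src = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_ALERTS
    result = audit_aws_rule_groups(src)
    for rid in hidden_rule_ids(result):
        print(rid, result[rid]["count"], sorted(result[rid]["groups"]))
```

Each rule ID printed is a candidate for either fix named in the thread: adding the `amazon` group to the rule, or a custom visualization filtered on the groups shown.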
