AWS Cloud Watch Logs


Usman Ali

Jun 20, 2022, 4:15:35 AM
to Wazuh mailing list
Hi friends,
I have configured CloudWatch in the OSSEC file, but I am not getting logs on the dashboard.
While running the wodle I saw the logs are being fetched without any error. Snapshot attached.


cloudwatch.png

Luis González Romero

Jun 20, 2022, 9:08:10 AM
to Wazuh mailing list

Hello @usmanaa10, hope you’re doing great.

After setting the AWS configuration within ossec.conf, I could see the logs you attached in your message. That’s expected but no alert is triggered. Also, there are logs like:

  • 2022 Jun 20 12:12:49 afo->aws-s3 DEBUG: Found "ecs/report-generator/<ID>" log stream in /ecs/report-generator
  • 2022 Jun 20 12:12:50 afo->aws-s3 DEBUG: committing changes and closing the DB.

I have done the following steps to get alerts through the dashboard (I thought that was what you would like), because these logs do not register any alert by default:

  1. Enable archives.log log files by setting the logall to yes
    Now, you can see all the logs within your archives.log file.

  2. Create a custom decoder and rule so we can see events in the dashboard
    As there are no default rules to be triggered when these logs appear, we need to create them. Here you have a simple decoder and rule to check these events:

    <decoder name="custom-aws">
      <prematch>/ecs/report-generator</prematch>
      <regex>Found (\S+) log stream in</regex>
      <order>report_id</order>
    </decoder>

    <group name="amazon,">
      <rule id="7979" level="8">
        <decoded_as>custom-aws</decoded_as>
        <description>AWS Log stream found</description>
      </rule>
    </group>

  3. Restart the manager and we can check that events appear in the dashboard with the amazon group (filtering by rule.groups:amazon)

Screenshot from 2022-06-20 14-56-19.png

Finally, if you want to create your own decoders and rules, you can use the wazuh-logtest tool. You can paste a full log and see the output you should have without the need of restarting after each change. When you have your final decoders/rules, you should restart and then you can see the events in your dashboard (do not forget that these events belong to the amazon group; you can filter by rule.groups:amazon).

If you need help creating decoders/rules, or something else, do not hesitate to ask us.

Hope this helps you,
Luis.
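As an added illustration (not part of Luis's reply and not Wazuh's own code), the following Python script models what the decoder and rule above do to a log line: the prematch acts as a gate, the regex capture is bound to the field named in order, and a rule whose decoded_as matches the decoder fires with its level and groups. The sample lines are constructed from the ones quoted in the thread; Python's re module only approximates Wazuh's OS_Regex dialect, so the real check remains wazuh-logtest.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the archives.log lines quoted in the thread.
SAMPLE_LINES = [
    '2022 Jun 20 12:12:49 afo->aws-s3 DEBUG: Found "ecs/report-generator/<ID>" log stream in /ecs/report-generator',
    '2022 Jun 20 12:12:50 afo->aws-s3 DEBUG: committing changes and closing the DB.',
    '2022 Jun 20 12:12:51 afo->aws-s3 DEBUG: Found "ecs/other-service/abc123" log stream in /ecs/other-service',
]


@dataclass
class Decoder:
    name: str
    prematch: str      # line must contain this before the regex is tried
    regex: str         # capture groups are assigned to the names in `order`
    order: list


@dataclass
class Rule:
    id: int
    level: int
    decoded_as: str    # fires when the line was decoded by this decoder
    description: str
    groups: list


# Mirrors the custom-aws decoder and rule 7979 posted in the thread.
# Python's re is an approximation of Wazuh's OS_Regex; \S+ behaves the same here.
CUSTOM_AWS = Decoder("custom-aws", r"/ecs/report-generator",
                     r"Found (\S+) log stream in", ["report_id"])
RULE_7979 = Rule(7979, 8, "custom-aws", "AWS Log stream found", ["amazon"])


def decode(line, decoder=CUSTOM_AWS):
    """Return the decoder name and captured fields, or None when prematch fails."""
    if re.search(decoder.prematch, line) is None:
        return None
    m = re.search(decoder.regex, line)
    fields = dict(zip(decoder.order, m.groups())) if m else {}
    return {"decoder": decoder.name, "fields": fields}


def evaluate(line, rules=(RULE_7979,)):
    """Return the alert summary a matching rule would produce, or None."""
    decoded = decode(line)
    if decoded is None:
        return None
    for rule in rules:
        if rule.decoded_as == decoded["decoder"]:
            return {
                "rule.id": rule.id,
                "rule.level": rule.level,
                "rule.groups": rule.groups,
                "rule.description": rule.description,
                "data": decoded["fields"],
            }
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(evaluate(line))
```

Running it shows that only lines mentioning /ecs/report-generator ever reach the rule: the second and third sample lines return None, which is the behaviour to expect in the dashboard, since the prematch limits alerts to that one log group. Note that the captured report_id keeps the surrounding double quotes, because \S+ does not stop at them.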

Usman Ali

Jun 20, 2022, 10:06:38 AM
to Luis González Romero, Wazuh mailing list
Hi Luis,
Thanks for the quick response. Can you let me know the exact location where I can set logall to yes?
Will it affect my storage?


Luis González Romero

Jun 20, 2022, 10:28:53 AM
to Wazuh mailing list

Yes, of course. You can set this within your ossec.conf global section, here you have the doc ref.

About the storage, you can disable logall after checking that the logs are received as expected. When you enable logall it stores all the logs there, even when they do not trigger an alert, so this can increase disk usage a lot. This was used to check that logs are received with no issues. Sorry if I have confused you.

Just place your custom decoders/rules and you should be able to see the events within the dashboard.
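As an added example (not part of Luis's reply and not Wazuh's own tooling), this Python script performs the two checks the thread is about: whether logall is set to yes in a global section of ossec.conf, and whether archives.log actually contains events from the aws-s3 location once archiving is on. Both the ossec.conf excerpt and the archives.log lines are constructed here; a real ossec.conf holds several top-level ossec_config blocks, which is why the text is wrapped in a synthetic root before parsing.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed ossec.conf excerpt: two top-level <ossec_config> blocks, as in a real file.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>
<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
  </wodle>
</ossec_config>
"""

# Constructed archives.log excerpt in the "<timestamp> <host>-><location> <message>"
# layout seen in the lines quoted in the thread.
SAMPLE_ARCHIVES = """\
2022 Jun 20 12:12:49 afo->aws-s3 DEBUG: Found "ecs/report-generator/<ID>" log stream in /ecs/report-generator
2022 Jun 20 12:12:50 afo->aws-s3 DEBUG: committing changes and closing the DB.
2022 Jun 20 12:12:51 afo->/var/log/auth.log Jun 20 12:12:51 afo sshd[1234]: Accepted publickey for admin
"""

ARCHIVE_LINE = re.compile(
    r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+?)->(\S+) (.*)$")


def logall_enabled(conf_text):
    """True when any <global> section sets <logall> to yes (case-insensitive)."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return any((el.text or "").strip().lower() == "yes"
               for g in root.iter("global")
               for el in g.findall("logall"))


def parse_archive_line(line):
    """Split one archives.log line into its timestamp, host, location and message."""
    m = ARCHIVE_LINE.match(line)
    if not m:
        return None
    ts, host, location, message = m.groups()
    return {"timestamp": ts, "host": host, "location": location, "message": message}


def events_by_location(archives_text):
    """Count archived events per location, e.g. {'aws-s3': 2, '/var/log/auth.log': 1}."""
    counts = Counter()
    for line in archives_text.splitlines():
        rec = parse_archive_line(line)
        if rec:
            counts[rec["location"]] += 1
    return dict(counts)


def aws_events_present(archives_text):
    """True when at least one archived event came from the aws-s3 wodle."""
    return events_by_location(archives_text).get("aws-s3", 0) > 0


if __name__ == "__main__":
    print("logall enabled:", logall_enabled(SAMPLE_OSSEC_CONF))
    print("events by location:", events_by_location(SAMPLE_ARCHIVES))
    print("aws-s3 events present:", aws_events_present(SAMPLE_ARCHIVES))
```

Pointing logall_enabled at the real /var/ossec/etc/ossec.conf and events_by_location at /var/ossec/logs/archives/archives.log separates the two failure modes: if logall is off nothing is archived at all, and if it is on but the aws-s3 count stays at zero the wodle output never reached the analysis engine, which is a different problem from the missing decoder and rule.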

Usman Ali

Jun 22, 2022, 6:01:36 AM
to Luis González Romero, Wazuh mailing list
Hi Luis,
Thanks for the quick response. I have enabled all logs and tailed them with tail -f /var/ossec/logs/archives/archives.log | grep aws
but I got
image.png

While running the wodle manually I got no error, using the following command:
image.png

The results are:
image.png
image.png

What should I do?
