How to make Wazuh read the logs of unsupported AWS services that store their logs in AWS S3


sang thanh

Feb 22, 2023, 2:19:26 AM
to Wazuh mailing list
Hello all,

I'm using Wazuh 4.3.8 and everything is working well. My Wazuh is already integrated with AWS to read AWS service logs such as CloudTrail, Config, S3 server error access, ...

I'm just wondering how I can make Wazuh read the logs of unsupported AWS services that are already stored in an AWS S3 bucket. I'm done with the decoders and ruleset for them, the permissions are also good, and the Wazuh modules log (debug mode enabled) shows nothing related to my issue.

My service logs are stored in an AWS S3 bucket with this structure:
s3://ses-st******s/2023/02/20/01/
s3://rds-st******s/2023/02/20/01/

And below is my Wazuh integration config for the supported AWS services:
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>
    <bucket type="config">
      <name>ses-st******s</name>
      <aws_account_id>63********03</aws_account_id>
      <access_key>AKIA*************SNV</access_key>
      <secret_key>yN7ib***************************************Gv3U</secret_key>
    </bucket>
    <bucket type="server_access">
      <name>cyb***************gs</name>
      <aws_account_id>13**********21</aws_account_id>
      <access_key>AK****************TU</access_key>
      <secret_key>Zr+********************************VgB</secret_key>
    </bucket>
  </wodle>

Can you please tell me how to make Wazuh read the logs of unsupported AWS services that are already stored in AWS S3?

Thanks a lot.

Daniel Folch

Feb 22, 2023, 7:25:59 AM
to Wazuh mailing list
Hello,

You can use <bucket type="custom"> and set the name and path of the bucket your logs are stored in. Check the different configuration options here:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-s3.html#bucket-type
Also, here is an example of usage:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-s3.html#example-of-configuration
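As an added example for the bucket layout described in the question (not from this thread, and not Wazuh's own documentation), a custom-bucket configuration that leaves the long-lived access keys out of ossec.conf and takes credentials from a named profile or an IAM role instead. It assumes the YYYY/MM/DD/HH folders sit directly at the bucket root, so no `<path>` prefix is set; the bucket names, profile name and role ARN are placeholders.

```xml
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <!-- Placeholder bucket holding the SES logs. No <path> is given because
       the date folders (2023/02/20/01/...) are assumed to start at the
       bucket root; <path> is a fixed prefix, not a date. -->
  <bucket type="custom">
    <name>EXAMPLE-ses-logs-bucket</name>
    <!-- Credentials come from the named profile in the AWS credentials file
         of the user that runs wazuh-modulesd; no access_key/secret_key here. -->
    <aws_profile>EXAMPLE-wazuh-s3-reader</aws_profile>
    <!-- Start at a known date (YYYY-MMM-DD) instead of the bucket's whole history. -->
    <only_logs_after>2023-FEB-20</only_logs_after>
  </bucket>

  <!-- Placeholder bucket holding the RDS logs, read by assuming an IAM role
       (placeholder ARN) rather than with static keys. -->
  <bucket type="custom">
    <name>EXAMPLE-rds-logs-bucket</name>
    <iam_role_arn>arn:aws:iam::000000000000:role/EXAMPLE-WazuhS3Reader</iam_role_arn>
    <only_logs_after>2023-FEB-20</only_logs_after>
  </bucket>
</wodle>
```

The profile or role only needs list and get permissions on the log bucket, which is also the first thing to confirm when the module processes nothing.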

sang thanh

Feb 23, 2023, 3:30:31 AM
to Wazuh mailing list
Hi Daniel Folch,

Thanks for your kind reply. I followed your instruction link and have a configuration like below:
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>
    <bucket type="custom">
      <name>back***********gss</name>
      <aws_account_id>63*********3</aws_account_id>
      <access_key>AK******************NV</access_key>
      <secret_key>yN7ib************************************v3U</secret_key>
    </bucket>
    <bucket type="custom">
      <name>se***********es</name>
      <aws_account_id>63*********3</aws_account_id>
      <access_key>AK******************NV</access_key>
      <secret_key>yN7ib************************************v3U</secret_key>
    </bucket>
  </wodle>

I enabled wazuh-modulesd debug mode at level 2 and saw the log shown in the attached file.

I also tried to use the <path>2023/02/20/01/</path> and <path_suffix>2023/02/20/01/</path_suffix> options, but none of them work.

I saw in this link, at part number 4, that Wazuh defines the GuardDuty log path exactly the same as my log structure. I also tried to use guardduty as the bucket type instead of custom, but it still doesn't work.

Can you please tell me where I am going wrong?

P.S.: my service logs are stored in an AWS S3 bucket with this folder structure:
s3://ses-st******s/2023/02/20/01/
s3://rds-st******s/2023/02/20/01/

On Wednesday, February 22, 2023 at 19:25:59 UTC+7, Daniel Folch wrote:

sang thanh

Mar 3, 2023, 9:45:32 AM
to Wazuh mailing list
Hi Daniel,

Can you please help me with this?

I've really been stuck on that for a long time without making any progress.
