Wazuh 4.6 - AWS Profile Not found


Charles Rawls

Nov 13, 2023, 10:10:13 AM
to Wazuh | Mailing List
Greetings and Happy Monday ..

I am just turning up wazuh 4.6 on an aws ec2 instance.  The instance has an instance profile attached that has proper permissions; such that the command aws ec2 describe-regions will return a proper list.

My ossec.conf file lists my cloudtrails bucket as 
<wodle name="aws-s3">
    <disabled>no</disabled>
    <remove_from_bucket>no</remove_from_bucket>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>no</skip_on_error>
    <bucket type="cloudtrail">
      <name>XXXX-org-trail-bucket</name>
      <aws_organization_id>o-XXXXXXXXX</aws_organization_id>
    </bucket>
</wodle>

Examining the ossec.log I find the following error

2023/11/13 15:06:19 wazuh-modulesd:aws-s3: INFO: Executing Bucket Analysis: (Bucket: XXXX-org-trail-bucket, Type: cloudtrail, Organization ID: o-XXXXXXXXX)
2023/11/13 15:06:19 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Returned exit code 23
2023/11/13 15:06:19 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  No profile named: 'default' was found in the user config file

This config is in fact functional under wazuh 4.5.3.

As per the wazuh documentation if an EC2 instance has a role defined, a profile is not required.

Wondering what I am missing here.

Thank you in advance

Carlos Ezequiel Bordon

Nov 13, 2023, 1:58:44 PM
to Wazuh | Mailing List
Hello, possibly the error is due to the profile name you have configured in ~/.aws/config being the same as the one you configure in ossec.conf, since if it is not specified Wazuh tries to use the profile called default. This is to prevent the case of having more than one profile in the ~/.aws/config file

cra...@kinetik.care

Nov 13, 2023, 2:26:03 PM
to Carlos Ezequiel Bordon, Wazuh | Mailing List

There are no profiles configured in the /root/.aws/credentials file.   I use the ec2 instance role.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/2nuzxd1JaBc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f8de0321-353d-4997-9d4d-85891efd686bn%40googlegroups.com.



cra...@kinetik.care

Nov 13, 2023, 3:37:27 PM
to Carlos Ezequiel Bordon, Wazuh | Mailing List

More and more curious:

I took a snapshot of my running 4.5.3 wazuh instance, and created a new server from it.

After letting it boot up and settle out, (it was retrieving logs from my buckets), I upgraded Wazuh via apt-get update; apt-get upgrade to Wazuh 4.6.0

I get a similar issue:

I then created a wazuh user in aws and added the user to the aws config as here:

[wazuh]
aws_access_key_id = AKIAXXXXXXXXXXXX
aws_secret_access_key = jWY6s8UXXXXXXXXXXXXXXXX
region = us-east-1

And changed my ossec.conf file as here:

<wodle name="aws-s3">
    <disabled>no</disabled>
    <remove_from_bucket>no</remove_from_bucket>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>no</skip_on_error>
    <bucket type="cloudtrail">
      <name>XXXX-org-trail-bucket</name>
      <aws_profile>wazuh</aws_profile>
      <aws_organization_id>o-XXXXXXXXXX</aws_organization_id>
    </bucket>
</wodle>

In the ossec.log file I find the following entries.

In the first line Wazuh identifies the bucket and the profile

Wazuh tells me that it found no profile name; but that the profile Wazuh was found in the user config file.

2023/11/13 20:28:27 wazuh-modulesd:aws-s3: INFO: Executing Bucket Analysis: (Bucket: XXXX=org-trail-bucket, Type: cloudtrail, Organization ID: o-XXXXXXXX, Profile: wazuh)
2023/11/13 20:28:28 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Returned exit code 23
2023/11/13 20:28:28 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  No profile named: 'wazuh' was found in the user config file
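
A check that is useful when chasing a "No profile named ... was found" warning like the one above, added here as an example (it is not part of the original thread and not Wazuh's code): the AWS shared files name profiles differently, `[name]` in `~/.aws/credentials` but `[profile name]` (or `[default]`) in `~/.aws/config`, so this lists where a profile is actually defined. The function names and the sample file text are constructed for illustration, and only unquoted profile names are handled.

```python
import configparser
import os

# Constructed sample: a bare [wazuh] header with placeholder values.
SAMPLE = """[wazuh]
aws_access_key_id = CONSTRUCTED_KEY_ID
aws_secret_access_key = CONSTRUCTED_SECRET
region = us-east-1
"""

def _sections(text):
    """Section headers of an INI-style AWS shared file passed as text."""
    parser = configparser.RawConfigParser()  # Raw: no '%' interpolation
    parser.read_string(text)
    return parser.sections()

def profiles_in_credentials(text):
    # In the credentials file every section header is a profile name.
    return set(_sections(text))

def profiles_in_config(text):
    # In the config file only [default] and [profile NAME] define profiles;
    # a bare [NAME] header is not read as a profile.
    names = set()
    for section in _sections(text):
        if section == "default":
            names.add(section)
        elif section.startswith("profile "):
            names.add(section[len("profile "):].strip())
    return names

def explain(profile, credentials_text="", config_text=""):
    """Report which file defines `profile` and flag a bare header in config."""
    found = []
    if profile in profiles_in_credentials(credentials_text):
        found.append("credentials")
    if profile in profiles_in_config(config_text):
        found.append("config")
    bare = profile != "default" and profile in _sections(config_text)
    return {"profile": profile, "found_in": found, "bare_header_in_config": bare}

if __name__ == "__main__":
    # Reads the shared files of whichever user runs this script.
    texts = []
    for name in ("credentials", "config"):
        path = os.path.expanduser(os.path.join("~", ".aws", name))
        texts.append(open(path).read() if os.path.exists(path) else "")
    print(explain("wazuh", *texts))
```

Run it as the same user whose home directory the consuming process reads, since `~/.aws` is resolved per user.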

 

 


cra...@kinetik.care

Nov 14, 2023, 8:34:23 AM
to Carlos Ezequiel Bordon, Wazuh | Mailing List

Update:  Resolved.

Issue was I attached an AWS instance profile to the instance.   After several reconfigures, I terminated the instance and built from scratch, not applying the instance profile and configuring the aws cli without a profile name.

Testing / development continues, but this specific issue was PEBKAC related.

 
