Integrating Security Hub to Wazuh - Exit Code 12


Gilson Junio

Mar 17, 2025, 2:34:27 PM
to Wazuh | Mailing List
Hello everyone.
Recently I tried to integrate AWS Security Hub with Wazuh and got the warning below:

2025/03/17 14:14:45 wazuh-modulesd:aws-s3:WARNING: Subscriber: security_hub SQS-NAME  -  Returned exit code 12
2025/03/17 14:14:45 wazuh-modulesd:aws-s3: WARNING: Subscriber: security_hub SQS-NAME  -  An error occurred (NoSuchKey) when calling the GetObject operation: The specified key does not exist.

To begin, I followed all the instructions at https://documentation.wazuh.com/current/cloud-security/amazon/services/supported-services/security-hub.html

First I created an S3 bucket to store all the data that Firehose will put there, enabled AWS Security Hub, created a Firehose stream with that bucket as its destination, created a new rule in EventBridge to target that stream, created a new SQS queue (setting the policy accordingly) and configured notifications on that bucket to send them all to the queue.

After all of this I got the warning above.

What does this code 12 mean, and what could the key this warning mentions be? From what I know, S3 keys are the objects stored in the buckets themselves.

I would really appreciate some answers.

Best regards,
Gilson Junio

Olamilekan Abdullateef Ajani

Mar 17, 2025, 3:55:37 PM
to Wazuh | Mailing List
Hello Gilson,

The error you encountered above simply means that no authentication method was provided within the configuration of the Wazuh module for AWS. You can review the documentation here, which explains the different options available regarding credentials and how to configure them. This involves IAM roles, profiles, and environmental variables.

Beyond the above, you could also review the troubleshooting documentation guide here, which explains the details about exit codes for reference.



Gilson Junio

Mar 18, 2025, 9:33:35 AM
to Wazuh | Mailing List
Hello again. Thank you for your response. 

In my Wazuh environment I have the credentials all set up; I was even able to integrate Guard Duty.
So, I restarted everything from the beginning and got rid of that key error, but it has changed to a bucket error.

I activated wazuh_debug=1 and got the output below:

2025/03/18 12:38:49 wazuh-modulesd:aws-s3[24414] wm_aws.c:201 at wm_aws_main(): INFO: Fetching logs finished.
2025/03/18 12:38:49 wazuh-modulesd:aws-s3[24414] wm_aws.c:84 at wm_aws_main(): INFO: Starting fetching of logs.
2025/03/18 12:38:49 wazuh-modulesd:aws-s3[24414] wm_aws.c:196 at wm_aws_main(): INFO: Executing Subscriber fetch: (Type and SQS: security_hub kensei-wazuh-sqs_kensei-wazuh-s3-sqs)
2025/03/18 12:38:49 wazuh-modulesd:aws-s3[24414] wm_aws.c:806 at wm_aws_run_subscriber(): DEBUG: Launching S3 Subscriber Command: wodles/aws/aws-s3 --subscriber security_hub --queue kensei-wazuh-sqs_kensei-wazuh-s3-sqs --aws_profile Kensei-Wazuh-S3-IAM --debug 1
2025/03/18 12:39:01 wazuh-modulesd:aws-s3[24414] wm_aws.c:821 at wm_aws_run_subscriber(): WARNING: Subscriber: security_hub kensei-wazuh-sqs_kensei-wazuh-s3-sqs  -  Returned exit code 1
2025/03/18 12:39:01 wazuh-modulesd:aws-s3[24414] wm_aws.c:827 at wm_aws_run_subscriber(): WARNING: Subscriber: security_hub kensei-wazuh-sqs_kensei-wazuh-s3-sqs  -  Unknown error: An error occurred (NoSuchBucket) when calling the GetObject operation: The specified bucket does not exist
Traceback (most recent call last):
  File "/var/ossec/wodles/aws/aws-s3", line 207, in <module>
    main(sys.argv[1:])
  File "/var/ossec/wodles/aws/aws-s3", line 194, in main
    subscriber_queue.sync_events()
  File "/var/ossec/wodles/aws/subscribers/sqs_queue.py", line 140, in sync_events
    self.bucket_handler.process_file(message["route"])
  File "/var/ossec/wodles/aws/subscribers/s3_log_handler.py", line 381, in process_file
    formatted_logs = self.obtain_logs(bucket=bucket_path, log_path=log_path)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/ossec/wodles/aws/subscribers/s3_log_handler.py", line 355, in obtain_logs
    with self.decompress_file(bucket, log_key=log_path) as f:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/ossec/wodles/aws/wazuh_integration.py", line 372, in decompress_file
    raw_object = io.BytesIO(self.client.get_object(Bucket=bucket, Key=log_key)['Body'].read())
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/client.py", line 565, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/client.py", line 1017, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NoSuchBucket: An error occurred (NoSuchBucket) when calling the GetObject operation: The specified bucket does not exist

2025/03/18 12:39:01 wazuh-modulesd:aws-s3[24414] wm_aws.c:845 at wm_aws_run_subscriber(): DEBUG: Subscriber: security_hub kensei-wazuh-sqs_kensei-wazuh-s3-sqs  -  OUTPUT: DEBUG: +++ Debug mode on - Level: 1
ERROR: Unknown error: An error occurred (NoSuchBucket) when calling the GetObject operation: The specified bucket does not exist
Traceback (most recent call last):
  File "/var/ossec/wodles/aws/aws-s3", line 207, in <module>
    main(sys.argv[1:])
  File "/var/ossec/wodles/aws/aws-s3", line 194, in main
    subscriber_queue.sync_events()
  File "/var/ossec/wodles/aws/subscribers/sqs_queue.py", line 140, in sync_events
    self.bucket_handler.process_file(message["route"])
  File "/var/ossec/wodles/aws/subscribers/s3_log_handler.py", line 381, in process_file
    formatted_logs = self.obtain_logs(bucket=bucket_path, log_path=log_path)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/ossec/wodles/aws/subscribers/s3_log_handler.py", line 355, in obtain_logs
    with self.decompress_file(bucket, log_key=log_path) as f:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/ossec/wodles/aws/wazuh_integration.py", line 372, in decompress_file
    raw_object = io.BytesIO(self.client.get_object(Bucket=bucket, Key=log_key)['Body'].read())
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/client.py", line 565, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/client.py", line 1017, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NoSuchBucket: An error occurred (NoSuchBucket) when calling the GetObject operation: The specified bucket does not exist

The configuration for the subscriber does not require specifying a bucket in ossec.conf, so why does it return this error?

Thanks in advance for your response.

Best regards,
Gilson Junio

Olamilekan Abdullateef Ajani

Mar 19, 2025, 1:41:55 PM
to Wazuh | Mailing List
Hello Gilson,

The error you encountered is more of a programming error, especially with the exit code received, and yes, you are correct: if you specify the subscriber option, you do not require a bucket except for the S3 bucket with the event notification which forwards to your SQS queue when configured.

Could you share your aws wodle configuration in the /var/ossec/etc/ossec.conf file for further analysis?

And also turn on debug level 2, you can make use of the query below also and share the output:   wodles/aws/aws-s3 --subscriber security_hub --queue sqs-queue-here --debug 2

Gilson Junio

Mar 19, 2025, 3:38:36 PM
to Wazuh | Mailing List
Hello again.

Here's my configuration at /var/ossec/etc/ossec.conf
 
  <wodle name="aws-s3">
    <subscriber type="security_hub">
      <sqs_name>SQS-NAME-ON-MY-SETUP</sqs_name>
      <aws_profile>IAM-NAME</aws_profile>
    </subscriber>
  </wodle>

And here's the output for that query:

root@ip-xxxx-xxx-xxx-xxx:/var/ossec# wodles/aws/aws-s3 --subscriber security_hub --queue MY-QUEUE-NAME-HERE --debug 2
DEBUG: +++ Debug mode on - Level: 2
DEBUG: Generating default configuration for retries: mode standard - max_attempts 10
DEBUG: +++ Error: You must specify a region.
ERROR: Unknown error: You must specify a region.

Traceback (most recent call last):
  File "/var/ossec/wodles/aws/aws-s3", line 207, in <module>
    main(sys.argv[1:])
  File "/var/ossec/wodles/aws/aws-s3", line 181, in main
    subscriber_queue = subscribers.sqs_queue.AWSSQSQueue(
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/ossec/wodles/aws/subscribers/sqs_queue.py", line 49, in __init__
    wazuh_integration.WazuhIntegration.__init__(self, access_key=None, secret_key=None,
  File "/var/ossec/wodles/aws/wazuh_integration.py", line 66, in __init__
    self.client = self.get_client(access_key=access_key,
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/ossec/wodles/aws/wazuh_integration.py", line 234, in get_client
    client = boto_session.client(service_name=service_name, endpoint_url=service_endpoint,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/boto3/session.py", line 297, in client
    return self._session.create_client(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/session.py", line 997, in create_client
    client = client_creator.create_client(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/client.py", line 161, in create_client
    client_args = self._get_client_args(
                  ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/client.py", line 520, in _get_client_args
    return args_creator.get_client_args(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/args.py", line 101, in get_client_args
    final_args = self.compute_client_args(
                 ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/args.py", line 220, in compute_client_args
    endpoint_config = self._compute_endpoint_config(
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/args.py", line 370, in _compute_endpoint_config
    return self._resolve_endpoint(**resolve_endpoint_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/args.py", line 475, in _resolve_endpoint
    return endpoint_bridge.resolve(
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/client.py", line 625, in resolve
    resolved = self.endpoint_resolver.construct_endpoint(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/regions.py", line 230, in construct_endpoint
    result = self._endpoint_for_partition(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/dist-packages/botocore/regions.py", line 278, in _endpoint_for_partition
    raise NoRegionError()
botocore.exceptions.NoRegionError: You must specify a region.

I see that it outputs a region error, but here's the deal. I'm authenticating from a profile for an IAM role on /root/.aws/credentials

[profile-name]
aws_access_key_id = ***********************
aws_aws_secret_access_key = ***********************
region = us-east-1


Oh, and I also found something weird: even though this error happens, in the dashboard Discover section there are events regarding Security Hub. It shows information about public S3 buckets, which means it's working. I even created another public bucket, and a new event regarding this new bucket was also created. However, if I check the Amazon Web Services section, there is nothing over there.

I really appreciate your support, thanks for sparing time to help me. Anxiously waiting for your reply.

Best regards,
Gilson Junio
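
Added example, not part of the original thread and not Wazuh's code: a preflight check for the profile named in `<aws_profile>`, run over a constructed credentials file shaped like the one posted above. `check_profile`, the sample contents and the acceptance of `region` from either file are assumptions of this sketch; it covers static-key profiles only.

```python
import configparser

# Keys read for static credentials in a profile section.
REQUIRED = {"aws_access_key_id", "aws_secret_access_key"}
# Assumption of this sketch: region may sit in either shared file.
KNOWN = REQUIRED | {"aws_session_token", "region"}

# Constructed sample mirroring the shape of the file posted above;
# every value is a placeholder.
SAMPLE_CREDENTIALS = """\
[profile-name]
aws_access_key_id = EXAMPLEKEYID
aws_aws_secret_access_key = placeholder
region = us-east-1
"""


def _section(text, name):
    """Return the named INI section as a dict, or None if it is absent."""
    parser = configparser.RawConfigParser()  # no '%' interpolation in secrets
    parser.read_string(text)
    return dict(parser[name]) if parser.has_section(name) else None


def check_profile(profile, credentials_text, config_text=""):
    """List problems that would stop a client being built for `profile`."""
    creds = _section(credentials_text, profile)
    if creds is None:
        return [f"profile '{profile}' not found in credentials file"]
    # In ~/.aws/config, non-default profiles are headed "[profile NAME]".
    cfg_name = "default" if profile == "default" else f"profile {profile}"
    cfg = _section(config_text, cfg_name) or {}
    problems = [f"missing key: {k}" for k in sorted(REQUIRED - set(creds))]
    problems += [f"unexpected key: {k}" for k in sorted(set(creds) - KNOWN)]
    if not (creds.get("region") or cfg.get("region")):
        problems.append("no region set for this profile")
    return problems


if __name__ == "__main__":
    # The profile named in ossec.conf, then the fallback used when no
    # profile is passed on the command line.
    for name in ("profile-name", "default"):
        print(name, "->", check_profile(name, SAMPLE_CREDENTIALS) or "ok")
```

On a real host, pass the contents of `/root/.aws/credentials` and `/root/.aws/config` as the two text arguments, and check both the configured profile and `default`, since a manual run without `--aws_profile` does not select the named profile.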

Olamilekan Abdullateef Ajani

Mar 24, 2025, 12:42:49 PM
to Wazuh | Mailing List
Hello Gilson,

From your response, you are able to see the events from this integration, but the issue is you still experience the logs. I also found a similar reference opened as a GitHub issue which is worth taking a look at. From all indications, your configuration looks good, which is why you are able to see the events on your dashboard. Kindly open a GitHub issue here so our back-end engineers can also have a look, as this is a programming issue.
