Monitoring AWS CloudTrail with Wazuh failed


Ujunwa Odette

Apr 15, 2024, 5:30:12 AM
to wa...@googlegroups.com
Hi, I recently integrated AWS CloudTrail with Wazuh. I followed all the instructions in the documentation, but no logs came in. When I checked the logs, the following error kept repeating. Please, what can I do to fix this?

2024/04/12 15:31:27 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/04/12 15:31:29 wazuh-modulesd:aws-s3: WARNING: Bucket: - Returned exit code 1
2024/04/12 15:31:29 wazuh-modulesd:aws-s3: WARNING: Bucket: - Unknown error.
2024/04/12 15:31:29 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
2024/04/12 15:31:29 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/04/12 15:31:29 wazuh-syscheckd: INFO: FIM sync module started.

After trying to debug, I got the following logs

2024/04/12 15:54:13 wazuh-modulesd:aws-s3[8439] wm_aws.c:201 at wm_aws_main(): INFO: Fetching logs finished.
2024/04/12 15:54:40 wazuh-modulesd:agent-upgrade[8439] wm_agent_upgrade_tasks.c:211 at wm_agent_send_task_information_master(): DEBUG: (8157): Sending message to task_manager module: '{"origin":{"name":"node01","module":"upgrade_module"},"command":"upgrade_cancel_tasks","parameters":{}}'
2024/04/12 15:54:40 wazuh-modulesd:task-manager[8439] wm_task_manager.c:59 at wm_task_manager_dispatch(): DEBUG: (8204): Incomming message: '{"origin":{"name":"node01","module":"upgrade_module"},"command":"upgrade_cancel_tasks","parameters":{}}' 
2024/04/12 15:54:40 wazuh-modulesd:task-manager[8439] wm_task_manager.c:101 at wm_task_manager_dispatch(): DEBUG: (8205): Response to message: '{"error":0,"data":[{"error":0,"message":"Success"}],"message":"Success"}' 
2024/04/12 15:54:40 wazuh-modulesd:agent-upgrade[8439] wm_agent_upgrade_tasks.c:229 at wm_agent_send_task_information_master(): DEBUG: (8158): Receiving message from task_manager module: '{"error":0,"data":[{"error":0,"message":"Success"}],"message":"Success"}' 
2024/04/12 15:55:10 wazuh-modulesd:aws-s3[8439] wm_aws.c:84 at wm_aws_main(): INFO: Starting fetching of logs. 
2024/04/12 15:55:10 wazuh-modulesd:aws-s3[8439] wm_aws.c:136 at wm_aws_main(): INFO: Executing Bucket Analysis: (Bucket: aws-cloudtrail-logs-xxxxx-xxxx-xx, Type: cloudtrail, Profile: default) 
2024/04/12 15:55:10 wazuh-modulesd:aws-s3[8439] wm_aws.c:494 at wm_aws_run_s3(): DEBUG: Launching S3 Command: wodles/aws/aws-s3 --bucket aws-cloudtrail-logs-xxx-xxxx-xxxx --aws_profile default --type cloudtrail --debug 1 --skip_on_error 
2024/04/12 15:55:12 wazuh-modulesd:aws-s3[8439] wm_aws.c:508 at wm_aws_run_s3(): WARNING: Bucket: - Returned exit code 1 
2024/04/12 15:55:12 wazuh-modulesd:aws-s3[8439] wm_aws.c:512 at wm_aws_run_s3(): WARNING: Bucket: - Unknown error. 
2024/04/12 15:55:12 wazuh-modulesd:aws-s3[8439] wm_aws.c:532 at wm_aws_run_s3(): DEBUG: Bucket: - OUTPUT: DEBUG: +++ Debug mode on - Level: 1 ERROR: Unknown

Matías David Mercado Aragonés

Apr 16, 2024, 2:41:08 PM
to Wazuh | Mailing List
Hi Ujunwa,

Thanks for using Wazuh!

To integrate Wazuh with Amazon CloudTrail you can follow this tutorial detailed in the Wazuh documentation. Remember that you need to configure a new trail for an S3 bucket, and then configure the policy for the Wazuh user, following the AWS documentation. After that, you need to add CloudTrail to your Wazuh configuration file (/var/ossec/etc/ossec.conf) to enable the integration.

Following your debug error, I found a previous issue that is similar to the error "Returned exit code 1" you're receiving. In that previous case, the exit code 1 meant either that the "bucket" parameter was missing in the wodle config, or that the wodle was unable to access the Wazuh socket to pipe log entries to. You can try killing the wazuh-modulesd process, then running it manually in the foreground with debug enabled:

# pkill wazuh-modulesd
# /var/ossec/bin/wazuh-modulesd -fd

You can also get more information about the error using the aws.py script included in your installation, test with the following command from your Wazuh manager:

# /var/ossec/wodles/aws/aws.py -b <bucket_name> --debug

If you are using an access key and secret key, run it like:

# /var/ossec/wodles/aws/aws.py -b <bucket_name> --access_key XXXXXX --secret_key XXXXXX --debug

Regards,
Matías.
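The reply above names two causes of "Returned exit code 1" (a bucket block with no name in the aws-s3 wodle config, and a wodle that cannot reach the Wazuh queue socket) and the question shows what the failure looks like in ossec.log. The script below is an added example for this thread, not Wazuh project code: it parses a constructed ossec.conf fragment in the documented `<wodle name="aws-s3">` layout and reports buckets without a `<name>` or `type`, tests whether a queue socket path exists and is writable (the default path `/var/ossec/queue/sockets/queue` is an assumption for a Wazuh 4.x manager), and extracts the aws-s3 WARNING lines from a constructed ossec.log excerpt in both the plain and the `-d` debug formats seen in the question.

```python
"""Pre-flight checks for the Wazuh aws-s3 wodle (CloudTrail bucket integration).

Added example for this mailing-list thread, not Wazuh project code. All sample
input below is constructed; paths and log formats follow what the thread shows.
"""
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: bucket 1 is complete, bucket 2 has no <name>
# (the wodle would be launched with an empty --bucket), bucket 3 has no type.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>
    <bucket type="cloudtrail">
      <name>aws-cloudtrail-logs-example</name>
      <aws_profile>default</aws_profile>
    </bucket>
    <bucket type="cloudtrail">
      <aws_profile>default</aws_profile>
    </bucket>
    <bucket>
      <name>bucket-without-type</name>
    </bucket>
  </wodle>
</ossec_config>
"""

# Constructed ossec.log excerpt mixing the plain and the debug (-d) line formats.
SAMPLE_OSSEC_LOG = """2024/04/12 15:31:27 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/04/12 15:31:29 wazuh-modulesd:aws-s3: WARNING: Bucket: - Returned exit code 1
2024/04/12 15:31:29 wazuh-modulesd:aws-s3: WARNING: Bucket: - Unknown error.
2024/04/12 15:31:29 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
2024/04/12 15:55:12 wazuh-modulesd:aws-s3[8439] wm_aws.c:508 at wm_aws_run_s3(): WARNING: Bucket: - Returned exit code 1
"""

# Assumed default path of the analysisd queue socket on a Wazuh 4.x manager.
DEFAULT_QUEUE_SOCKET = "/var/ossec/queue/sockets/queue"

# Matches both "wazuh-modulesd:aws-s3: WARNING: ..." and the debug form
# "wazuh-modulesd:aws-s3[pid] file.c:NNN at func(): WARNING: ...".
AWS_S3_WARNING = re.compile(
    r"^(?P<ts>\S+ \S+) wazuh-modulesd:aws-s3.*?: WARNING: (?P<msg>.*)$"
)


def check_aws_s3_wodle(conf_xml: str) -> list[str]:
    """Return one finding per problem found in the aws-s3 wodle configuration."""
    findings = []
    root = ET.fromstring(conf_xml)
    wodles = root.findall("./wodle[@name='aws-s3']")
    if not wodles:
        return ['no <wodle name="aws-s3"> block found']
    for wodle in wodles:
        if (wodle.findtext("disabled") or "no").strip().lower() == "yes":
            findings.append("aws-s3 wodle is disabled")
        buckets = wodle.findall("bucket")
        if not buckets:
            findings.append("aws-s3 wodle has no <bucket> entries")
        for i, bucket in enumerate(buckets, 1):
            name = (bucket.findtext("name") or "").strip()
            btype = bucket.get("type")
            if not name:
                findings.append(f"bucket #{i}: missing <name> (wodle would run with an empty --bucket)")
            if not btype:
                findings.append(f"bucket #{i} ({name or '?'}): missing type attribute")
    return findings


def queue_socket_usable(path: str = DEFAULT_QUEUE_SOCKET) -> bool:
    """True if the queue socket exists, is a UNIX socket, and is writable by this user."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISSOCK(st.st_mode) and os.access(path, os.W_OK)


def aws_s3_warnings(log_text: str) -> list[tuple[str, str]]:
    """Extract (timestamp, message) for every aws-s3 WARNING line in ossec.log text."""
    hits = []
    for line in log_text.splitlines():
        m = AWS_S3_WARNING.match(line.strip())
        if m:
            hits.append((m.group("ts"), m.group("msg")))
    return hits


if __name__ == "__main__":
    for finding in check_aws_s3_wodle(SAMPLE_OSSEC_CONF):
        print("config:", finding)
    print("queue socket usable:", queue_socket_usable())
    for ts, msg in aws_s3_warnings(SAMPLE_OSSEC_LOG):
        print("log:", ts, msg)
```

Run it on a manager as the user that owns wazuh-modulesd (normally root), pointing `check_aws_s3_wodle` at the real `/var/ossec/etc/ossec.conf` contents; if the config findings are empty and the socket check passes, the remaining suspects are the AWS credentials and bucket policy, which the `aws.py --debug` run from the reply exercises directly.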