Problem - Wazuh aws waf v2 logs decoder


Calix Singh

Jul 6, 2021, 4:19:26 AM
to Wazuh mailing list

Hello there,

I hope all is well. I have explained an issue in detail here: https://github.com/wazuh/wazuh/issues/9101.
I have been waiting for 12 days now; can somebody please have a look and guide me? This is really urgent for me. I have done quite a lot of Googling about it but could not find any documentation that helps me with the problem.

We request that someone help or share some direction so that we can get the logs showing up in the Wazuh Dashboard.

Yana Zaeva

Jul 6, 2021, 6:14:49 AM
to Wazuh mailing list
Hi,

Take into account that only the alerts whose level is above 3 will appear in the Kibana UI. You can modify this option in the /var/ossec/etc/ossec.conf file, in this section:
<log_alert_level>3</log_alert_level>

The rule that is being triggered has level 0. After performing the change, do not forget to restart the manager to apply the changes. In order to see how the events are arriving at the console, we can enable the archives.json file. To do so, once again in the /var/ossec/etc/ossec.conf file, enable this option:
<logall_json>yes</logall_json>

By default, it is set to no. Do not forget to restart the manager afterwards. Then, you should be able to see the /var/ossec/logs/archives/archives.json file growing. Find one of these AWS WAF logs and check the full_log field. This is how the manager is receiving these logs, so this is how you should test them in the wazuh-logtest tool.

I would appreciate it if you could send me a couple of these full_log fields, in order to check how they are working. Also, let me know if after modifying the log_alert_level you started to receive the events.

Waiting for your reply,
Yana.
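
As an added example (not from this thread and not Wazuh code), a small Python script that does the triage Yana describes on an archives.json file: it counts which decoder each event matched, pulls out the full_log of any AWS WAF events so they can be pasted into wazuh-logtest, and flags WAF events whose rule level sits under log_alert_level. The sample lines are constructed, and the WAF record layout (integration/aws/source fields, Wazuh-AWS location) is an assumption.

```python
import json

# Constructed archives.json sample (not the poster's file): a syscollector process event
# like the one quoted in the thread, plus an AWS WAF event at rule level 0 in the layout the
# aws-s3 wodle delivers (the integration/aws/source fields and location are assumed).
SAMPLE_ARCHIVES = r'''
{"timestamp":"2021-07-08T14:46:58.963+0000","agent":{"id":"000","name":"wazuh-manager-master-0"},"full_log":"{\"type\":\"process\",\"process\":{\"pid\":875,\"name\":\"aws-s3\"}}","decoder":{"name":"syscollector"},"location":"syscollector"}
{"timestamp":"2021-07-08T14:47:03.101+0000","agent":{"id":"000","name":"wazuh-manager-master-0"},"rule":{"level":0},"full_log":"{\"integration\":\"aws\",\"aws\":{\"source\":\"waf\",\"action\":\"BLOCK\",\"httpRequest\":{\"clientIp\":\"198.51.100.7\",\"uri\":\"/login\"}}}","decoder":{"name":"json"},"location":"Wazuh-AWS"}
'''

LOG_ALERT_LEVEL = 3  # the <log_alert_level> value discussed in the thread

def parse_archives(text):
    """Yield one event per non-blank line, skipping lines that are not JSON."""
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def is_aws_waf_event(event):
    """True when full_log is a record from the aws-s3 wodle whose source is waf."""
    try:
        inner = json.loads(event.get("full_log", ""))
    except (json.JSONDecodeError, TypeError):
        return False
    if not isinstance(inner, dict) or inner.get("integration") != "aws":
        return False
    aws = inner.get("aws")
    return isinstance(aws, dict) and aws.get("source") == "waf"

def waf_full_logs(text):
    """full_log strings of the WAF events, ready to paste into wazuh-logtest."""
    return [ev["full_log"] for ev in parse_archives(text) if is_aws_waf_event(ev)]

def triage(text, log_alert_level=LOG_ALERT_LEVEL):
    """Count events per decoder and the WAF events that cannot reach alerts.json."""
    report = {"total": 0, "by_decoder": {}, "aws_waf": 0, "waf_below_threshold": 0}
    for ev in parse_archives(text):
        report["total"] += 1
        dec = ev.get("decoder", {}).get("name", "<none>")
        report["by_decoder"][dec] = report["by_decoder"].get(dec, 0) + 1
        if is_aws_waf_event(ev):
            report["aws_waf"] += 1
            level = ev.get("rule", {}).get("level")
            # No matching rule, or a level under the threshold, means no alert in Kibana.
            if level is None or level < log_alert_level:
                report["waf_below_threshold"] += 1
    return report

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ARCHIVES), indent=2))
```

Run it against a real file with `triage(open("/var/ossec/logs/archives/archives.json").read())`; a non-zero waf_below_threshold with an empty Kibana view points at the alert level rather than the decoder.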

Calix Singh

Jul 6, 2021, 7:32:54 AM
to Wazuh mailing list
Hi @Yana,

First of all, thank you very much for your response. I am really glad I could hear from somebody. I did the modifications as per your suggestions and reapplied kubectl. Configs inside new pods:
> /var/ossec/etc/ossec.conf  (Attached, PFA)
> /var/ossec/logs/archives/archives.json  (Attached, PFA)

Also, modifying log_alert_level did not help; I still cannot see events. Please check this screenshot:

[Screenshot attached: Screenshot 2021-07-06 at 1.25.13 PM.png]

Also, for your analysis, I have attached the ossec.log file.
Please let me know if you need any further information.

Attachments: archives.json, ossec.log, ossec.conf

Yana Zaeva

Jul 7, 2021, 10:52:03 AM
to Wazuh mailing list
Hi,

Hm, I cannot see any AWS logs in archives, but no erroneous logs either in the ossec.log file. Let me investigate this a little bit and I will get back to you as soon as possible.

Regards,
Yana.

Yana Zaeva

Jul 8, 2021, 8:27:20 AM
to Wazuh mailing list
Hi,

I have seen that you also have a configuration for CloudWatch. Are you receiving these logs? Due to the fact that you do not have any AWS related logs in the archives.json, it seems that there is something wrong with the configuration. Also, in the ossec.conf file, I can see that you have specified an aws_account_id and aws_account_alias. Can you try deleting these two options and see if the logs come through with only the secret_key and access_key ones? It seems that at least the aws_account_id option is only valid for CloudTrail. Once you have modified this, do not forget to restart the Wazuh manager. You can check it here.

If you still do not receive any logs, please check once again the ossec.log configuration and send it to me so we can check if there are any erroneous logs. If there aren't any, we should proceed with the debugging. To do so, first of all, we will stop modulesd with this command: 

pkill wazuh-modulesd

Then, we will start wazuh-modulesd in the foreground in debug mode:

/var/ossec/bin/wazuh-modulesd -fd

You can start a basic debug (-fd), a verbose debug (-fdd) or an extremely verbose debug (-fddd). This will print debug data to the console and log. You can check more information about it here.

Let me know how it went when possible.

Regards,
Yana.
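
An added Python helper (not from this thread and not Wazuh's own tooling) that checks an ossec.conf for the aws-s3 WAF bucket options Yana suggests removing and writes the cleaned configuration back out. The embedded ossec.conf fragment is constructed: bucket name, prefix, region and date match the aws-s3 argv quoted later in the thread, while the account id and alias are placeholders.

```python
import xml.etree.ElementTree as ET

# Options Yana asked to remove from the WAF bucket; the thread reports logs flowing once gone.
OPTIONS_TO_DROP = ("aws_account_id", "aws_account_alias")

# Constructed ossec.conf fragment (not the poster's real file). Bucket name, prefix,
# region and date match the aws-s3 argv quoted later in the thread; the account values are made up.
SAMPLE_CONF = """
<ossec_config>
  <wodle name="aws-s3">
    <bucket type="waf">
      <name>wazuh-jmuoaint</name>
      <path>firehose2021</path>
      <access_key>xxxxxxx</access_key>
      <secret_key>xxxxxx</secret_key>
      <regions>eu-central-1</regions>
      <only_logs_after>2020-JUN-01</only_logs_after>
      <aws_account_id>123456789012</aws_account_id>
      <aws_account_alias>example-alias</aws_account_alias>
    </bucket>
  </wodle>
</ossec_config>
"""

def _parse(conf_text):
    # A real ossec.conf may hold several <ossec_config> roots, so wrap it before parsing.
    return ET.fromstring("<root>" + conf_text + "</root>")

def _buckets(root, bucket_type):
    """Yield aws-s3 <bucket> elements of the given type."""
    for wodle in root.iter("wodle"):
        if wodle.get("name") == "aws-s3":
            for bucket in wodle.findall("bucket"):
                if bucket.get("type") == bucket_type:
                    yield bucket

def find_offending_options(conf_text, bucket_type="waf"):
    """List (bucket name, option) pairs for buckets that still carry the options."""
    hits = []
    for bucket in _buckets(_parse(conf_text), bucket_type):
        name = bucket.findtext("name", "<unnamed>")
        hits += [(name, opt) for opt in OPTIONS_TO_DROP if bucket.find(opt) is not None]
    return hits

def strip_offending_options(conf_text, bucket_type="waf"):
    """Return the configuration with those options removed from matching buckets."""
    root = _parse(conf_text)
    for bucket in _buckets(root, bucket_type):
        for opt in OPTIONS_TO_DROP:
            for el in bucket.findall(opt):
                bucket.remove(el)
    return "".join(ET.tostring(child, encoding="unicode") for child in root)
```

Feed it the real file with `find_offending_options(open("/var/ossec/etc/ossec.conf").read())`; the manager still has to be restarted after the edit, as Yana notes.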

Calix Singh

Jul 8, 2021, 11:27:52 AM
to Wazuh mailing list
Hi,

Thank you for looking into this. After removing aws_account_alias and aws_account_id, I can see some logs have started appearing in archives.json:

{"timestamp":"2021-07-08T14:46:58.963+0000","agent":{"id":"000","name":"wazuh-manager-master-0"},"manager":{"name":"wazuh-manager-master-0"},"id":"1625755618.3563","cluster":{"name":"wazuh","node":"wazuh-manager-master"},"full_log":"{\"type\":\"process\",\"ID\":457708728,\"timestamp\":\"2021/07/08 14:46:58\",\"process\":{\"pid\":875,\"name\":\"aws-s3\",\"state\":\"S\",\"ppid\":861,\"utime\":0,\"stime\":0,\"cmd\":\"/bin/sh\",\"argvs\":[\"/var/ossec/wodles/aws/aws-s3\",\"--bucket\",\"wazuh-jmuoaint\",\"--access_key\",\"xxxxxxx\",\"--secret_key\",\"xxxxxx\",\"--trail_prefix\",\"firehose2021\",\"--only_logs_after\",\"2020-JUN-01\",\"--regions\",\"eu-central-1\",\"--type\",\"waf\"],\"euser\":\"root\",\"ruser\":\"root\",\"suser\":\"root\",\"egroup\":\"ossec\",\"rgroup\":\"ossec\",\"sgroup\":\"ossec\",\"fgroup\":\"ossec\",\"priority\":30,\"nice\":10,\"size\":2925,\"vm_size\":11700,\"resident\":638,\"share\":581,\"start_time\":798544462,\"pgrp\":875,\"session\":875,\"nlwp\":1,\"tgid\":875,\"tty\":0,\"processor\":1}}","decoder":{"name":"syscollector"},"data":{"type":"process","process":{"pid":"875","name":"aws-s3","state":"S","ppid":"861","utime":"0","stime":"0","cmd":"/bin/sh","args":["/var/ossec/wodles/aws/aws-s3","--bucket","wazuh-jmuoaint","--access_key","xxxxxxx","--secret_key","xxxxxx","--trail_prefix","firehose2021","--only_logs_after","2020-JUN-01","--regions","eu-central-1","--type","waf"],"euser":"root","ruser":"root","suser":"root","egroup":"ossec","rgroup":"ossec","sgroup":"ossec","fgroup":"ossec","priority":"30","nice":"10","size":"2925","vm_size":"11700","resident":"638","share":"581","start_time":"798544462","pgrp":"875","session":"875","nlwp":"1","tgid":"875","tty":"0","processor":"1"}},"location":"syscollector"}

But these still do not seem to be the correct logs. I've attached the ossec.log file. I am glad some of the logs started showing up, but still, something is terribly wrong in the config. I have removed the CloudWatch service for now, because CloudWatch logs were also not appearing.
Attachment: ossec.log

Calix Singh

Aug 11, 2021, 9:50:49 AM
to Wazuh mailing list
Hello there,

We have moved ourselves to Splunk and that's working perfectly, unlike wazuh. Thank you very much.