AWS RDS Oracle logs


Venkatesan A

Aug 10, 2023, 12:54:21 AM
to Wazuh mailing list
Hi,
How do I set up AWS RDS Oracle logs (e.g. DML, DDL commands used in execution) in the Wazuh server? Please provide a document or step-by-step instructions.

Stuti Gupta

Aug 10, 2023, 1:47:35 AM
to Wazuh mailing list
Hi Venkatesan,
Hope you are doing well today, and thank you for using Wazuh.

AWS CloudWatch Logs is a service that allows users to centralize the logs from all their systems, applications, and AWS services in a single place. To know more about AWS logs, please refer to https://documentation.wazuh.com/current/cloud-security/amazon/index.html. To know more about how to collect RDS logs, you can also refer to https://www.infopercept.com/monitoring-aws-rds-logs-with-wazuh/
To get the logs from RDS for the user actions and errors, you can add decoders in the /var/ossec/etc/decoders/local_decoders.xml file. For the decoder of RDS logs, please refer to https://github.com/wazuh/wazuh/issues/7991
To get the alerts, you have to create rules based on the decoders and logs if there are no default rules for RDS; for that, you can refer to https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Hope this will be helpful. Please feel free to contact us for any information/issue

Regards,
Stuti Gupta

Venkatesan A

Aug 11, 2023, 1:17:40 AM
to Stuti Gupta, Wazuh mailing list
Hi Stuti,

Thanks for the update, but I need detailed steps from the AWS RDS and Wazuh side. We are expecting RDS logs like insert, update, drop, truncate, delete and permission grant commands used.



Stuti Gupta

Aug 11, 2023, 5:14:35 AM
to Venkatesan A, Wazuh mailing list

Amazon RDS API calls made by or on behalf of an AWS account are logged by AWS CloudWatch. After that, the data is saved in an Amazon S3 bucket. Monitoring is a crucial component of keeping Amazon RDS and your AWS solutions reliable, available, and efficient. If a multi-point failure occurs, you should collect monitoring data from all aspects of your AWS solution so that you can more effectively debug it. The activity of Amazon RDS DB instances can be monitored by Wazuh using the custom rules and decoders. Wazuh will collect the RDS logs from Amazon CloudWatch Logs. To do so, please follow these steps:

1. Configuring AWS credentials:  In order to make the Wazuh AWS module pull log data from the different services, it's necessary to provide access credentials to connect to them. For this step please refer to https://documentation.wazuh.com/current/cloud-security/amazon/services/prerequisites/credentials.html#configuring-aws-credentials

2. AWS RDS configuration: The logs for the RDS should be exported via the following options so that they can be pushed to Amazon CloudWatch Logs.

[image: monitoring-image]

3. Wazuh configuration for AWS RDS: The CloudWatch service needs to be configured for Wazuh to monitor the logs from it. Add the following configuration block in the /var/ossec/etc/ossec.conf file or configure it via the WUI. For this, please refer to https://www.infopercept.com/monitoring-aws-rds-logs-with-wazuh/?hightlight=AWS%20RDS%20Configuration or https://documentation.wazuh.com/current/cloud-security/amazon/services/prerequisites/considerations.html#configuring-multiple-services

4. To see if those logs are monitored, you need to enable the logall option in the global section of the ossec.conf file and restart the manager. If everything is good, the manager should be running fine. This option allows Wazuh to store every event generated in /var/ossec/logs/archives/archives.log, regardless of whether it generated an alert or not.
Using the events stored there, you will be able to create your own rules and decoders. You can find more information about it here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html or, for the decoder of RDS logs, please refer to https://github.com/wazuh/wazuh/issues/7991 or https://www.infopercept.com/monitoring-aws-rds-logs-with-wazuh
I hope this helps,

Best regards.
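
An ossec.conf example of the CloudWatch Logs collection and logall settings described in the reply above, added here as an illustration and not taken from the thread or the linked pages. The profile name, region, start date and DB instance name (my-oracle-db) are placeholder assumptions, and the log group assumes the RDS Oracle audit log type is being exported to CloudWatch Logs.

```xml
<!-- /var/ossec/etc/ossec.conf on the Wazuh manager (added example) -->
<ossec_config>

  <!-- Set logall inside the existing global section; every received
       event is then written to /var/ossec/logs/archives/archives.log,
       whether or not it raised an alert. -->
  <global>
    <logall>yes</logall>
  </global>

  <!-- Wazuh AWS module pulling RDS logs from CloudWatch Logs -->
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>

    <service type="cloudwatchlogs">
      <!-- Placeholder: profile from the credentials configured in step 1 -->
      <aws_profile>default</aws_profile>
      <!-- Placeholder: log group created by the RDS log export;
           replace my-oracle-db with the DB instance identifier -->
      <aws_log_groups>/aws/rds/instance/my-oracle-db/audit</aws_log_groups>
      <!-- Placeholder: region where the DB instance runs -->
      <regions>us-east-1</regions>
      <!-- Placeholder: ignore events older than this date (YYYY-MMM-DD) -->
      <only_logs_after>2023-AUG-01</only_logs_after>
    </service>
  </wodle>

</ossec_config>
```

Once decoders and rules match the events seen in archives.log, logall can be set back to no to limit disk usage on the manager.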