AWS Cloud Trail Error Code 1

501 views

Syed

Jun 23, 2018, 11:11:15 AM
to Wazuh mailing list
Hi Folks,

I am getting the following error in ossec.log. It was working at one point. I can see logs in the S3 bucket. What does exit code 1 mean? Can't find it anywhere in the Wazuh documentation.

2018/06/23 14:49:10 wazuh-modulesd:aws-cloudtrail: WARNING: Returned exit code 1.
2018/06/23 14:49:10 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs finished.
2018/06/23 14:59:10 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs started
2018/06/23 14:59:10 wazuh-modulesd:aws-cloudtrail: WARNING: Returned exit code 1.
2018/06/23 14:59:10 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs finished.

Thanks,
Syed 




Jeremy Phillips

Jun 23, 2018, 11:41:20 AM
to hass...@gmail.com, wa...@googlegroups.com
Exit code 1 is either the "bucket" parameter is missing in the wodle config or the wodle is unable to access the wazuh socket to pipe log entries to.

Try killing the wazuh-modulesd process, then running manually in foreground with debug enabled:

pkill wazuh-modulesd
/var/ossec/bin/wazuh-modulesd -fd


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3a864e67-14de-4462-8585-bac186637276%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Syed

Jun 23, 2018, 3:21:51 PM
to Wazuh mailing list
Thanks for the quick response, Jeremy. Here is the output. Same problem.

[ro...@ip-X.X.X.X ~]# pkill wazuh-modulesd
[ro...@ip-X.X.X.X ~]# /var/ossec/bin/wazuh-modulesd -fd
2018/06/23 19:17:50 wazuh-modulesd: INFO: Process started.
2018/06/23 19:17:50 wazuh-modulesd:database: INFO: Module started.
2018/06/23 19:17:50 wazuh-modulesd:aws-cloudtrail: INFO: Module AWS-CloudTrail started
2018/06/23 19:17:50 wazuh-modulesd: DEBUG: (unix_domain) Maximum send buffer set to: '212992'.
2018/06/23 19:17:50 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs started
2018/06/23 19:17:50 wazuh-modulesd:oscap: INFO: Module disabled. Exiting...
2018/06/23 19:17:50 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2018/06/23 19:17:50 wazuh-modulesd:vulnerability-detector: DEBUG: Module disabled. Exiting...
2018/06/23 19:17:50 wazuh-modulesd:database: DEBUG: Cleaning directory 'var/db/agents'.
2018/06/23 19:17:50 wazuh-modulesd:database: DEBUG: Synchronizing agents.
2018/06/23 19:17:50 wazuh-modulesd:database: DEBUG: Waiting for event notification...
2018/06/23 19:17:50 wazuh-modulesd:database: DEBUG: Agent sync completed.
2018/06/23 19:17:50 wazuh-modulesd:database: DEBUG: wm_sync_agents(): 6.001 ms (0.000 clock ms).
2018/06/23 19:17:50 wazuh-modulesd:database: DEBUG: Scanning directory '/var/ossec/queue/agent-info'.
2018/06/23 19:17:50 wazuh-modulesd:database: DEBUG: Scanning directory '/var/ossec/queue/rootcheck'.
2018/06/23 19:17:50 wazuh-modulesd:aws-cloudtrail: WARNING: Returned exit code 1.
2018/06/23 19:17:50 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs finished.

I checked. The wodle does have the S3 bucket parameter set.

What else can I check?

Thanks,
Syed

Jeremy Phillips

Jun 23, 2018, 7:34:06 PM
to hass...@gmail.com, wa...@googlegroups.com
With the debug flag set, the script should be printing more debug info... You can try running the script manually:

/var/ossec/wodles/aws/aws.py --bucket <bucket_name> --debug

Include --access_key and --secret_key if you use those.

Jeremy

S.Hasan Rizvi

Jun 24, 2018, 6:55:40 AM
to Jeremy Phillips, wa...@googlegroups.com
Thanks Jeremy!

Here is what the script is reporting in debug mode:

[root@ip-XXXX aws]# ./aws.py -b bucket_name --access_key XXXXXX --secret_key XXXXXX --debug
+++ Debug mode on
+++ Create or connect SQLite DB
+++ Connecting to Amazon S3
++ Found new log: 2018-06-13-16-26-21-C4EA46ECF78C4A9B
Traceback (most recent call last):
  File "./aws.py", line 166, in <module>
    main(sys.argv[1:])
  File "./aws.py", line 139, in main
    j = json.load(data)
  File "/usr/lib64/python2.7/json/__init__.py", line 286, in load
    return loads(fp.read(),
  File "/usr/lib64/python2.7/gzip.py", line 254, in read
    self._read(readsize)
  File "/usr/lib64/python2.7/gzip.py", line 296, in _read
    self._read_gzip_header()
  File "/usr/lib64/python2.7/gzip.py", line 190, in _read_gzip_header
    raise IOError, 'Not a gzipped file'
IOError: Not a gzipped file


It seems we are getting an IOError and it didn't find any gzipped file in the bucket???

Jeremy Phillips

Jun 24, 2018, 9:08:04 AM
to hass...@gmail.com, wa...@googlegroups.com
It's choking because it came across a file that it wasn't able to uncompress. The script as it is today doesn't have the best error handling for malformed/unexpected files. Short of removing that file, and all other non-CloudTrail files, from the bucket, I don't think there is any workaround to get past this error in the current version of the CloudTrail module.

I would suggest opening an issue on github - https://github.com/wazuh/wazuh/issues - and I'll try adding some better error handling in context of some of the other stuff I'm working on in the module...

Jeremy
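The failure mode discussed above (the module aborting on the first object it cannot gunzip, so one stray file in the bucket stops all CloudTrail ingestion), as an added example that is not code from Wazuh's aws.py or from anyone in this thread: a small Python 3 parser that checks each S3 object for the gzip magic bytes, decompresses and JSON-decodes it, and skips anything that is not a CloudTrail log file with a recorded reason instead of raising. It runs over a constructed in-memory listing of (key, bytes) pairs rather than a real bucket; the key names, account ID and event records are made up for the example, and the function names are mine. The thread's traceback is from Python 2.7; this example targets Python 3.

```python
import gzip
import json
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member (RFC 1952)


def parse_cloudtrail_object(data):
    """Decode one S3 object as a gzipped CloudTrail log file.

    Returns (records, None) on success, or (None, reason) when the object
    should be skipped. Nothing here raises on malformed input, which is what
    the 'Not a gzipped file' traceback in the thread was missing.
    """
    if not data.startswith(GZIP_MAGIC):
        return None, "not gzip (leading bytes %r)" % data[:2]
    try:
        raw = gzip.decompress(data)
    except (OSError, EOFError, zlib.error) as exc:  # bad header, truncated, corrupt stream
        return None, "gzip decompression failed: %s" % exc
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return None, "not valid JSON: %s" % exc
    records = doc.get("Records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        # CloudTrail digest files and unrelated JSON carry no top-level Records array
        return None, "no Records array"
    return records, None


def process_bucket_listing(objects):
    """Walk (key, bytes) pairs; return (events, skipped) where skipped is [(key, reason)]."""
    events, skipped = [], []
    for key, data in objects:
        records, reason = parse_cloudtrail_object(data)
        if records is None:
            skipped.append((key, reason))
            continue
        events.extend(records)
    return events, skipped


def _gz(obj):
    """gzip a JSON-serialisable object the way CloudTrail delivers log files."""
    return gzip.compress(json.dumps(obj).encode("utf-8"))


# Constructed sample bucket listing (keys, account ID and events are made up).
GOOD_LOG = _gz({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com"},
]})
SAMPLE_OBJECTS = [
    ("logs/good.json.gz", GOOD_LOG),
    ("notes.txt", b"hand-written notes dropped in the bucket\n"),  # the thread's failure case
    ("logs/truncated.json.gz", GOOD_LOG[:20]),                     # upload cut short
    ("logs/garbage.gz", gzip.compress(b"not json at all")),
    ("digest/digest.json.gz", _gz({"awsAccountId": "123456789012", "logFiles": []})),
]

if __name__ == "__main__":
    events, skipped = process_bucket_listing(SAMPLE_OBJECTS)
    print("ingested %d events" % len(events))
    for key, reason in skipped:
        print("skipped %s: %s" % (key, reason))
```

The point of the skip list is operational: a collector that silently drops objects hides the same problem the crash exposed, so the reasons should go into the module's own log (or an alert) where someone will see that an unexpected file has appeared in a bucket that should only ever receive CloudTrail output.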

Syed

Jun 27, 2018, 2:57:43 PM
to Wazuh mailing list
Thanks Jeremy for pointing me in the right direction. After I deleted all the other non-CloudTrail log files from the bucket, it started working.

I think it will help if the CloudTrail troubleshooting section of the documentation mentions manually running the script in debug mode, like the following.

/aws.py -b bucket_name --access_key YourAccessKey --secret_key YourSecretKey --debug
