Trouble with AWS ControlTower CloudTrail Logs


Joe

Jul 26, 2023, 11:47:21 AM
to Wazuh mailing list
Hello,

I am trying to push my CloudTrail logs into Wazuh but am having some issues. Whenever I manually run the aws-s3 wodle with debug, I get a message saying "No logs to process in bucket"; however, I have confirmed in the S3 bucket that there are files present.

Here is my S3 bucket location for files:

wazuh-cloudtrail/<organization_id>/AWSLogs/<organization_id>/<accountId>/CloudTrail/us-east-1/2023/07/26/

And here is my ossec.conf setup:
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>wazuh-cloudtrail</name>
    <aws_profile><profile_name></aws_profile>
    <regions>us-east-1</regions>
    <aws_account_id><accountId></aws_account_id>
    <aws_account_alias>xx</aws_account_alias>
    <aws_organization_id><organization_id></aws_organization_id>
  </bucket>
</wodle>

I believe my issue might be the first <organization_id> folder before "AWSLogs", but I'm not certain. When I attempt to use "path" to set the prefix to <organization_id> and manually run the wodle, I get an "unrecognized argument" error.

Any help is appreciated!

Leonardo Daniel Sancho

Jul 26, 2023, 4:36:42 PM
to Wazuh mailing list
Hello Joe, thanks for choosing Wazuh!

Let's start right from the beginning: you might have an unnecessary slash at the end of your path. Use slashes when the path to the logs includes more directories, but not at the start or at the end. As for the wodle configuration in your ossec.conf, some fields are unnecessary unless you're ingesting logs from several buckets at the same time. Here's an example configuration:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <remove_from_bucket>no</remove_from_bucket>
  <interval>30m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>no</skip_on_error>
  <bucket type="cloudtrail">
    <name>wazuh-aws-wodle</name>
    <aws_profile>exampleprofile</aws_profile>
    <only_logs_after>2020-MAY-01</only_logs_after>
  </bucket>
</wodle>

For your reference here's some documentation that could help you:

Have a great day!

Joe

Jul 27, 2023, 10:41:45 AM
to Wazuh mailing list
Thank you for the response.

I am indeed setting up multiple buckets but was just starting with the single one for now. I was able to uncover what my issue was: it turns out the S3 bucket had KMS encryption enabled and the IAM profile used did not have permissions to that key. I was not able to see any sort of error, however, until I mapped the bucket location properly in my manual wodle runs. It turns out that while "path" is the prefix value for the ossec.conf, that does not work for the manual wodle run; it instead needs to be "--trail_prefix". Once I added this value, the manual wodle run was able to locate my bucket and files, and it provided the error message about the KMS key permissions.
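The two problems in this thread (a prefix the module never walked, and a KMS key the profile could not use) can both be checked before pointing the wodle at a bucket. The script below is an added example, not Wazuh's code or Joe's: it builds the CloudTrail delivery prefix from the same parameters the wodle takes (path, organization id, account id, region, date), which follows the layout CloudTrail itself writes (`<path>/AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/YYYY/MM/DD/`), filters a constructed object listing by it, and emits the minimal IAM policy the wodle's profile needs, including `kms:Decrypt` on the bucket's key. The organization id, account id, key ARN and object keys are constructed placeholders standing in for the values redacted in the thread.

```python
"""Added example (not Wazuh or AWS code): check the CloudTrail prefix the
aws-s3 wodle will walk and the IAM rights its profile needs for an SSE-KMS bucket."""
import json
from datetime import date

# Constructed sample identifiers; the thread redacted its real ones.
ORG_ID = "o-abc123def4"
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
BUCKET = "wazuh-cloudtrail"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Constructed object listing: two log files under the layout from the thread,
# a digest file, and a file from the previous day that must not be picked up.
SAMPLE_KEYS = [
    f"{ORG_ID}/AWSLogs/{ORG_ID}/{ACCOUNT_ID}/CloudTrail/{REGION}/2023/07/26/"
    f"{ACCOUNT_ID}_CloudTrail_{REGION}_20230726T1140Z_abc.json.gz",
    f"{ORG_ID}/AWSLogs/{ORG_ID}/{ACCOUNT_ID}/CloudTrail/{REGION}/2023/07/26/"
    f"{ACCOUNT_ID}_CloudTrail_{REGION}_20230726T1145Z_def.json.gz",
    f"{ORG_ID}/AWSLogs/{ORG_ID}/{ACCOUNT_ID}/CloudTrail-Digest/{REGION}/2023/07/26/"
    f"{ACCOUNT_ID}_CloudTrail-Digest_{REGION}_20230726T114500Z.json.gz",
    f"{ORG_ID}/AWSLogs/{ORG_ID}/{ACCOUNT_ID}/CloudTrail/{REGION}/2023/07/25/"
    f"{ACCOUNT_ID}_CloudTrail_{REGION}_20230725T2355Z_ghi.json.gz",
]


def cloudtrail_prefix(path, account_id, region, day, organization_id=None):
    """Build the CloudTrail delivery prefix for one day.

    `path` is the value of <path> in ossec.conf (passed as --trail_prefix on a
    manual run, per the thread); it goes before AWSLogs with no leading or
    trailing slash. `day` is a datetime.date or an ISO "YYYY-MM-DD" string.
    """
    if isinstance(day, str):
        day = date.fromisoformat(day)
    parts = [path.strip("/")] if path.strip("/") else []
    parts.append("AWSLogs")
    if organization_id:  # organization trails add the org id after AWSLogs
        parts.append(organization_id)
    parts += [account_id, "CloudTrail", region,
              day.strftime("%Y"), day.strftime("%m"), day.strftime("%d")]
    return "/".join(parts) + "/"


def matching_keys(keys, prefix):
    """Objects the module would see for that day: under the prefix, gzipped JSON.
    Digest files live under CloudTrail-Digest, so they never match."""
    return sorted(k for k in keys if k.startswith(prefix) and k.endswith(".json.gz"))


def wodle_policy(bucket, kms_key_arn=None):
    """Minimal IAM policy for the profile the wodle runs under.

    Listing the bucket works without any KMS right, so a missing kms:Decrypt only
    surfaces on GetObject, once the prefix is correct and there is something to
    fetch. That ordering is the symptom Joe describes.
    """
    statements = [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]
    if kms_key_arn:  # only needed when the bucket uses SSE-KMS with a customer managed key
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"],
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def run_demo():
    """Reproduce the thread's layout: <path> set to the organization id."""
    prefix = cloudtrail_prefix(ORG_ID, ACCOUNT_ID, REGION, date(2023, 7, 26),
                               organization_id=ORG_ID)
    matched = matching_keys(SAMPLE_KEYS, prefix)
    policy = wodle_policy(BUCKET, KMS_KEY_ARN)
    return prefix, matched, policy


if __name__ == "__main__":
    prefix, matched, policy = run_demo()
    print("prefix :", prefix)
    for key in matched:
        print("match  :", key)
    print(json.dumps(policy, indent=2))
```

Compare the printed prefix with the folder path shown in the S3 console: if the first folder before AWSLogs is missing from it, <path> (or --trail_prefix on a manual run) is not set and the module reports no logs. If the prefix matches but objects still fail to download, attach the generated policy (with the bucket's real key ARN) to the wodle's profile and retry.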