AWS S3 API access logs


Slava G

Jan 11, 2021, 11:09:49 AM
to Wazuh mailing list
Hi,
Question - can Wazuh parse S3 API access logs (those logs stored in a dedicated bucket)?
Thanks

Franco Hielpos

Jan 11, 2021, 1:27:00 PM
to Slava G, Wazuh mailing list
Hello Slava,

Yes, Wazuh can monitor AWS S3 logs through the AWS integration. Here you can read more about it:

We recommend using CloudTrail or CloudWatch for this, as we already have rules created for these services. You can configure the S3 integration by adding the following config to the ossec.conf:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>wazuh-cloudtrail</name>
    <access_key>XXXXXXXXXX</access_key>
    <secret_key>XXXXXXXXXX</secret_key>
  </bucket>
</wodle>

You also need to configure some AWS permissions as well as authentication; take a look at this for more information:

I hope this answers your question! 

Regards
Franco





--
Franco Hielpos

Slava G

Jan 11, 2021, 2:06:20 PM
to Franco Hielpos, Wazuh mailing list
Well,
Thanks, but your example is for CloudTrail logs, and I'm not sure that this is the same. I'm already monitoring CloudTrail in Wazuh; here it is S3 access logs.
So, what should the bucket type be?
Thanks

Franco Hielpos

Jan 12, 2021, 3:51:38 PM
to Wazuh mailing list
Hello Slava,

If you are already using Wazuh with AWS CloudTrail, you should be able to monitor S3 access logs, as CloudTrail watches those API calls:

You can check if you are receiving these logs by activating the logall option in ossec.conf:

<global>
  <logall>yes</logall>
</global>

And watch /var/ossec/logs/archives/archives.log for S3 events.

If you are seeing events but you have no alerts, what may be happening is that the CDB list for the AWS ruleset does not have the proper eventName. You can check this by searching for the eventName from the log in: cat /var/ossec/etc/lists/amazon/aws-eventnames

If there is not an entry for that eventName you can add it manually with the following format:
eventName:S3

If you still want to ingest other logs from your buckets, you might be able to use the custom bucket for the S3 integration as a workaround:

<bucket type="custom">
  <name>wazuh-aws-wodle</name>
  <path>prefix</path>
</bucket>

And your bucket structure should be the following:

AWS Custom bucket

<bucket_name>/<prefix>/<year>/<month>/<day>

But bear in mind that this is outside our supported services for AWS:

https://documentation.wazuh.com/4.0/amazon/services/supported-services/index.html

Regards,
Franco Hielpos

Slava G

Jan 13, 2021, 3:32:17 AM
to Franco Hielpos, Wazuh mailing list
Hi Franco,
Thanks for your help. 
AWS S3 API access logs are not CloudTrail logs; they are stored by AWS in the bucket as files not separated by prefix, year, month and date, just files in the bucket, and each file has a timestamp in the name (in the middle of the name).
Those are not CloudTrail logs, but different logs from AWS: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
So, is Wazuh capable of analyzing those logs as CloudTrail logs?
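The thread leaves a gap between the flat layout Slava describes (log objects named with an embedded timestamp) and the <prefix>/<year>/<month>/<day> layout Franco says the custom bucket type expects. The following is an added example, not code from the thread or from Wazuh, showing how the delivery timestamp in an S3 server access log key can be used to compute the partitioned destination key. It assumes the AWS key format `<TargetPrefix>YYYY-MM-DD-hh-mm-ss-<UniqueString>` and assumes the custom bucket wants zero-padded month and day; `partitioned_key`, `plan_copies` and the sample listing are all constructed here.

```python
import re
from datetime import datetime, timezone

# Assumed (not from the thread): S3 server access log objects are named
# <TargetPrefix>YYYY-MM-DD-hh-mm-ss-<UniqueString>; the timestamp is the
# delivery time of that log file.
_TS_RE = re.compile(
    r"(\d{4})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-([0-9A-Fa-f]+)$"
)


def log_timestamp(key: str) -> datetime:
    """Return the UTC delivery timestamp embedded in an access-log object key."""
    m = _TS_RE.search(key)
    if m is None:
        raise ValueError(f"not an S3 server access log key: {key!r}")
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def partitioned_key(key: str, prefix: str) -> str:
    """Map a flat access-log key onto <prefix>/<year>/<month>/<day>/<name>,
    the layout the 'custom' bucket type expects (zero-padded, an assumption)."""
    ts = log_timestamp(key)
    # Keep only the timestamp-plus-unique-string part as the object name,
    # dropping whatever TargetPrefix AWS prepended (it may lack a slash).
    name = _TS_RE.search(key).group(0)
    return f"{prefix}/{ts:%Y}/{ts:%m}/{ts:%d}/{name}"


def plan_copies(keys, prefix):
    """Return (source, destination) pairs; keys that are not log objects are skipped."""
    plan = []
    for k in keys:
        try:
            plan.append((k, partitioned_key(k, prefix)))
        except ValueError:
            continue  # e.g. a README or other non-log object in the bucket
    return plan


# Constructed sample listing, not real bucket contents.
SAMPLE_KEYS = [
    "s3-access/2021-01-11-10-15-32-A1B2C3D4E5F6A7B8",
    "logs2021-01-12-23-59-01-0F0E0D0C0B0A0908",
    "s3-access/README.txt",
]

if __name__ == "__main__":
    for src, dst in plan_copies(SAMPLE_KEYS, "prefix"):
        print(f"{src} -> {dst}")
```

The destination keys match the `<path>prefix</path>` setting in the custom bucket config above; the actual copy (for example with the AWS CLI or an SDK) is left to the operator.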

