Integration of Amazon RDS with Wazuh

Meraz Khan

May 25, 2024, 2:06:16 AM
to Wazuh | Mailing List
Hi Wazuh Team,
I am Meraz and I need step-by-step guidance: I have to integrate Wazuh with RDS and I want RDS logs in my Wazuh dashboard. Can you please guide me step by step so I can make it possible?


Regards,
Meraz

Olusegun Adenrele Oyebo

May 25, 2024, 12:04:31 PM
to Wazuh | Mailing List
Hello Meraz,

The below link is not an official guide, though it could be helpful. Kindly check it out:
I hope it helps. If you have any other query, do not hesitate to ask.

Best regards.

Meraz Khan

May 31, 2024, 3:09:52 AM
to Wazuh | Mailing List
Hi,
I have done the configuration, but the decoders and rules are incorrect. Can you please help me with decoders and rules?

Olusegun Adenrele Oyebo

Jun 2, 2024, 2:21:09 PM
to Wazuh | Mailing List
Hello Meraz,

Sorry for the late response.

Kindly send sample logs to us so as to assist you accordingly.

Will be expecting your feedback.

Best regards.

Olusegun Adenrele Oyebo

Jun 3, 2024, 6:12:17 AM
to Meraz Khan, Wazuh mailing list
Hello Meraz,

Did you try to enable archive logging on the Wazuh server to verify whether the logs are being received? If you haven't done this, enable archive logging on the Wazuh server using the procedure below. Archive logs capture all events, regardless of whether they trigger a rule or not:
  • Go to the file /var/ossec/etc/ossec.conf and enable <logall> and <logall_json> (screenshot attached).
  • Save the changes and restart the Wazuh manager service: systemctl restart wazuh-manager
  • You can then monitor the archive.log file: tail -f /var/ossec/logs/archives/archives.log
After checking the logs, if you see them being received, send us the sample logs so that we can assist you with custom decoders and rules. Do not forget to disable archive logging after getting the sample logs.

If you don't see the logs there, check for error entries in the Wazuh server's ossec.log file by running the command: cat /var/ossec/logs/ossec.log | grep -i -E "error|warn|crit"

Kindly update us with the outcome so as to know the next step to take.

Best regards.

On Sun, Jun 2, 2024 at 10:07 PM Meraz Khan <meraz.8...@gmail.com> wrote:
Hi Olusegun,
We are not getting the logs, but we have followed the step-by-step configuration in the above-mentioned documentation.



Best Regards

archive logging (2).png

Meraz Khan

Jun 5, 2024, 9:28:25 AM
to Olusegun Adenrele Oyebo, Wazuh mailing list
Hi Olusegun,

Yes, I have enabled Logall in the ossec.conf file.

I am getting this log; kindly help me.

Regards,
Meraz

Screenshot 2024-06-05 185719.png

Olusegun Adenrele Oyebo

Jun 6, 2024, 7:07:35 AM
to Wazuh | Mailing List
Hello Meraz,

From the logs, it states that the access_key and secret_key authentication parameters are deprecated and you need to use another authentication instead.

You'll need to recheck your configuration on AWS. Kindly use the below documentation which includes the latest authentication method used:
Once you have confirmed and made adjustments in your configuration, you can verify again from the archive file if you see the RDS logs coming in. If you see the logs, you can send to us some samples for us to assist you with the decoders and rules.

I hope this helps. We remain attentive to your queries.

Best regards.
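
The checks from the replies above (archive logging state, the ossec.log filter, and the access_key/secret_key parameters reported as deprecated) written as a read-only shell helper. This is an added example, not part of the thread and not Wazuh's own tooling; the function names and the constructed sample files are assumptions, and the config parsing is line-based rather than real XML parsing.

```shell
#!/bin/sh
# Added example: read-only checks for the troubleshooting steps in this thread.

# Print the value of the last <TAG>value</TAG> in FILE, or "unset".
# Line-based: assumes one element per line and no commented-out copies.
conf_value() {  # usage: conf_value TAG FILE
    v=$(sed -n "s:.*<$1>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</$1>.*:\1:p" "$2" | tail -n 1)
    echo "${v:-unset}"
}

# Succeeds only when both archive options named in the thread are "yes".
archive_logging_enabled() {  # usage: archive_logging_enabled CONF
    [ "$(conf_value logall "$1")" = yes ] && [ "$(conf_value logall_json "$1")" = yes ]
}

# Succeeds when CONF still holds access_key/secret_key elements. Prints only
# line numbers and tag names, so key values never reach the terminal.
static_keys_present() {  # usage: static_keys_present CONF
    grep -n -o -E '<(access_key|secret_key)>' "$1"
}

# The thread's ossec.log filter, without the extra cat.
manager_problems() {  # usage: manager_problems OSSEC_LOG
    grep -i -E 'error|warn|crit' "$1"
}

triage() {  # usage: triage CONF OSSEC_LOG ARCHIVES_LOG
    if archive_logging_enabled "$1"; then
        echo "archive logging on, $(wc -l < "$3") events archived; disable it after sampling"
    else
        echo "archive logging off: logall=$(conf_value logall "$1") logall_json=$(conf_value logall_json "$1")"
    fi
    if static_keys_present "$1"; then
        echo "static AWS keys configured at the lines above"
    fi
    manager_problems "$2" | tail -n 20
    return 0
}

# Constructed sample files so the script runs offline. On a Wazuh server, call
# triage with the three paths quoted in the thread instead.
d=$(mktemp -d)
printf '<global>\n<logall>yes</logall>\n<logall_json>no</logall_json>\n</global>\n' > "$d/ossec.conf"
printf '<access_key>CONSTRUCTED-PLACEHOLDER</access_key>\n' >> "$d/ossec.conf"
printf 'constructed sample line: WARNING: placeholder text\n' > "$d/ossec.log"
: > "$d/archives.log"
triage "$d/ossec.conf" "$d/ossec.log" "$d/archives.log"
rm -rf "$d"
```

Because static_keys_present prints only tag names and line numbers, its output can be pasted into a list reply without exposing the credentials themselves.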