Collect Amazon SES logs in Wazuh


Sergey Protsenko

Feb 1, 2023, 7:51:24 AM
to Wazuh mailing list
Hello Team,

I need help again. I would like to find an optimal way to collect AWS SES logs in Wazuh.

Our application uses SES, and I configured Amazon CloudWatch to log AWS SES details (bounce, complaint, delivery notifications). Is it possible to configure Wazuh to get SES logs from Amazon CloudWatch log groups?

We would like to have information about emails our app sent to the clients and their statuses (delivered, bounced, etc.). Maybe there is a better way to collect SES logs into Wazuh directly. I will be thankful for the recommendations and help.

Nicolas Stefani

Feb 1, 2023, 8:15:52 AM
to Sergey Protsenko, Wazuh mailing list
Hi Sergey,
Thanks for using Wazuh!

Yes, it is possible to get logs from CloudWatch. You can check this guide to see how to configure Wazuh.
For your use cases, you will need to write custom rules in order to match the desired statuses.

Best regards,

--
Wazuh Nicolás Stefani
Software Engineer

Sergey Protsenko

Feb 1, 2023, 9:57:07 AM
to Wazuh mailing list
Hi Nicolas,

Thank you for the links. I read these articles, but I recently started my experience with Wazuh and it is not easy for me to create my own decoders and rules. Nicolas, could you assist me with decoder and rule creation? I have an example of the event registered in CloudWatch and I am stuck on the decoders and rules.

Nicolas Stefani

Feb 1, 2023, 11:01:04 AM
to Sergey Protsenko, Wazuh mailing list
Yes, please share the log that you have and I will try to guide you with the rule creation process.

Sergey Protsenko

Feb 1, 2023, 12:36:13 PM
to Wazuh mailing list
Thank you for your help, Nicolas!

The example of the event from Amazon SES registered in CloudWatch is below.

{
    "notificationType": "Bounce",
    "bounce": {
        "feedbackId": "010101860d89be0a-ea93e0f8-8612-4af4-a5f6-af05cb09aca8-000000",
        "bounceType": "Permanent",
        "bounceSubType": "General",
        "bouncedRecipients": [
            {
                "emailAddress": "client-...@gmail.com",
                "action": "failed",
                "status": "5.1.1",
                "diagnosticCode": "smtp; 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1  https://support.google.com/mail/?p=NoSuchUser i8-20020a639d08000000b004d812fdce36si18948893pgd.803 - gsmtp"
            }
        ],
        "timestamp": "2023-02-01T15:12:56.000Z",
        "remoteMtaIp": "71.72.73.74",
        "reportingMTA": "dns; a27-30.smtp-out.us-west-2.amazonses.com"
    },
    "mail": {
        "timestamp": "2023-02-01T15:12:55.826Z",
        "source": "in...@clickhelp.com",
        "sourceArn": "arn:aws:ses:us-west-2:342107197733:identity/clickhelp.com",
        "sourceIp": "3.121.39.2",
        "callerIdentity": "ses-smtp-user.20220504-132337",
        "sendingAccountId": "342107197733",
        "messageId": "010101860d89bc12-7ce77242-b9cf-492d-a880-7f5401590119-000000",
        "destination": [
            "client-...@gmail.com"
        ],
        "headersTruncated": false,
        "headers": [
            {
                "name": "Received",
                "value": "from vm-aws-new (ec2-3-121-39-2.us-east-2.compute.amazonaws.com [3.121.39.2]) by email-smtp.amazonaws.com with SMTP (SimpleEmailService-d-6PWY9WRQL) id qu36rOMWz0bNuAYx1Q68 for client-...@gmail.com; Wed, 01 Feb 2023 15:12:55 +0000 (UTC)"
            },
            {
                "name": "MIME-Version",
                "value": "1.0"
            },
            {
                "name": "From",
                "value": "\"ClickHelp Notifications\" <in...@clickhelp.com>"
            },
            {
                "name": "To",
                "value": "client-...@gmail.com"
            },
            {
                "name": "Date",
                "value": "1 Feb 2023 15:12:55 +0000"
            },
            {
                "name": "Subject",
                "value": "Confirm your trial: client-address.try.co"
            },
            {
                "name": "Content-Type",
                "value": "text/html; charset=utf-8"
            },
            {
                "name": "Content-Transfer-Encoding",
                "value": "base64"
            }
        ],
        "commonHeaders": {
            "from": [
                "ClickHelp Notifications <in...@clickhelp.com>"
            ],
            "date": "1 Feb 2023 15:12:55 +0000",
            "to": [
                "client-...@gmail.com"
            ],
            "subject": "Confirm your ClickHelp trial: client-address.try.co"
        }
    }
}

Nicolas Stefani

Feb 2, 2023, 8:56:01 AM
to Sergey Protsenko, Wazuh mailing list
Adding the custom rule to /var/ossec/etc/rules/local_rules.xml.

<group name="aws,cloudwatch">
  <rule id="100003" level="5">
    <field name="notificationType">Bounce</field>
    <options>no_full_log</options>
    <description>AWS SES: $(notificationType).</description>
  </rule>
</group>

It is possible to match the example log:

root@wazuh:/var/ossec# bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

{"notificationType":"Bounce","bounce":{"feedbackId":"010101860d89be0a-ea93e0f8-8612-4af4-a5f6-af05cb09aca8-000000","bounceType":"Permanent","bounceSubType":"General","bouncedRecipients":[{"emailAddress":"client-...@gmail.com","action":"failed","status":"5.1.1","diagnosticCode":"smtp; 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1  https://support.google.com/mail/?p=NoSuchUser i8-20020a639d08000000b004d812fdce36si18948893pgd.803 - gsmtp"}],"timestamp":"2023-02-01T15:12:56.000Z","remoteMtaIp":"71.72.73.74","reportingMTA":"dns; a27-30.smtp-out.us-west-2.amazonses.com"},"mail":{"timestamp":"2023-02-01T15:12:55.826Z","source":"in...@clickhelp.com","sourceArn":"arn:aws:ses:us-west-2:342107197733:identity/clickhelp.com","sourceIp":"3.121.39.2","callerIdentity":"ses-smtp-user.20220504-132337","sendingAccountId":"342107197733","messageId":"010101860d89bc12-7ce77242-b9cf-492d-a880-7f5401590119-000000","destination":["client-...@gmail.com"],"headersTruncated":false,"headers":[{"name":"Received","value":"from vm-aws-new (ec2-3-121-39-2.us-east-2.compute.amazonaws.com [3.121.39.2]) by email-smtp.amazonaws.com with SMTP (SimpleEmailService-d-6PWY9WRQL) id qu36rOMWz0bNuAYx1Q68 for client-...@gmail.com; Wed, 01 Feb 2023 15:12:55 +0000 (UTC)"},{"name":"MIME-Version","value":"1.0"},{"name":"From","value":"\"ClickHelp Notifications\" <in...@clickhelp.com>"},{"name":"To","value":"client-...@gmail.com"},{"name":"Date","value":"1 Feb 2023 15:12:55 +0000"},{"name":"Subject","value":"Confirm your trial: client-address.try.co"},{"name":"Content-Type","value":"text/html; charset=utf-8"},{"name":"Content-Transfer-Encoding","value":"base64"}],"commonHeaders":{"from":["ClickHelp Notifications <in...@clickhelp.com>"],"date":"1 Feb 2023 15:12:55 +0000","to":["client-...@gmail.com"],"subject":"Confirm your ClickHelp trial: client-address.try.co"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
        name: 'json'
        bounce.bounceSubType: 'General'
        bounce.bounceType: 'Permanent'
        bounce.bouncedRecipients: '[{'emailAddress': 'client-...@gmail.com', 'action': 'failed', 'status': '5.1.1', 'diagnosticCode': "smtp; 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1  https://support.google.com/mail/?p=NoSuchUser i8-20020a639d08000000b004d812fdce36si18948893pgd.803 - gsmtp"}]'
        bounce.feedbackId: '010101860d89be0a-ea93e0f8-8612-4af4-a5f6-af05cb09aca8-000000'
        bounce.remoteMtaIp: '71.72.73.74'
        bounce.reportingMTA: 'dns; a27-30.smtp-out.us-west-2.amazonses.com'
        bounce.timestamp: '2023-02-01T15:12:56.000Z'
        mail.callerIdentity: 'ses-smtp-user.20220504-132337'
        mail.commonHeaders.date: '1 Feb 2023 15:12:55 +0000'
        mail.commonHeaders.from: '['ClickHelp Notifications <in...@clickhelp.com>']'
        mail.commonHeaders.subject: 'Confirm your ClickHelp trial: client-address.try.co'
        mail.commonHeaders.to: '['client-...@gmail.com']'
        mail.destination: '['client-...@gmail.com']'
        mail.headers: '[{'name': 'Received', 'value': 'from vm-aws-new (ec2-3-121-39-2.us-east-2.compute.amazonaws.com [3.121.39.2]) by email-smtp.amazonaws.com with SMTP (SimpleEmailService-d-6PWY9WRQL) id qu36rOMWz0bNuAYx1Q68 for client-...@gmail.com; Wed, 01 Feb 2023 15:12:55 +0000 (UTC)'}, {'name': 'MIME-Version', 'value': '1.0'}, {'name': 'From', 'value': '"ClickHelp Notifications" <in...@clickhelp.com>'}, {'name': 'To', 'value': 'client-...@gmail.com'}, {'name': 'Date', 'value': '1 Feb 2023 15:12:55 +0000'}, {'name': 'Subject', 'value': 'Confirm your trial: client-address.try.co'}, {'name': 'Content-Type', 'value': 'text/html; charset=utf-8'}, {'name': 'Content-Transfer-Encoding', 'value': 'base64'}]'
        mail.headersTruncated: 'false'
        mail.messageId: '010101860d89bc12-7ce77242-b9cf-492d-a880-7f5401590119-000000'
        mail.sendingAccountId: '342107197733'
        mail.source: 'in...@clickhelp.com'
        mail.sourceArn: 'arn:aws:ses:us-west-2:342107197733:identity/clickhelp.com'
        mail.sourceIp: '3.121.39.2'
        mail.timestamp: '2023-02-01T15:12:55.826Z'
        notificationType: 'Bounce'

**Phase 3: Completed filtering (rules).
        id: '100003'
        level: '5'
        description: 'AWS SES: Bounce.'
        groups: '['aws', 'cloudwatch']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

Of course, you can add the level of complexity that you need. This is only an example.

Regards,

Sergey Protsenko

Feb 6, 2023, 5:35:08 AM
to Wazuh mailing list
Hi Nicolas,

Thank you!

I configured the AWS credentials, added the custom rule to the local_rules.xml file and restarted Wazuh. Also, I tested the rule using wazuh-logtest.

I see no errors in the ossec.log file:
2023/02/06 06:44:34 wazuh-modulesd:aws-s3: INFO: Module AWS started
2023/02/06 06:44:34 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2023/02/06 06:44:34 wazuh-modulesd:aws-s3: INFO: Executing Service Analysis: (Service: cloudwatchlogs, Profile: default)
2023/02/06 06:45:46 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.

Nicolas, can I view the CloudWatch logs that Wazuh fetched? For example, our support team asks to check if an email exists in the bounced emails log. Can I check it in Wazuh?
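
A worked example, added here and not code from the thread or from Wazuh: it parses SES notification records in the CloudWatch format posted above, maps each record to the rule that would fire on `notificationType` (rule 100003 from Nicolas's reply; the Complaint and Delivery ids are hypothetical), and answers the support question of what happened to mail sent to a given address. The sample records, addresses and message ids are constructed; it works on the raw records, not on Wazuh's alerts.json.

```python
import json

# Constructed sample records in the CloudWatch/SES notification format shown in the
# thread (addresses, message ids and the Complaint/Delivery events are made up).
SAMPLE_EVENTS = [
    '{"notificationType":"Bounce","bounce":{"bounceType":"Permanent","bounceSubType":"General",'
    '"bouncedRecipients":[{"emailAddress":"client-a@example.com","action":"failed","status":"5.1.1"}],'
    '"timestamp":"2023-02-01T15:12:56.000Z"},"mail":{"messageId":"msg-1","source":"info@example.com",'
    '"destination":["client-a@example.com"]}}',
    '{"notificationType":"Complaint","complaint":{"complainedRecipients":[{"emailAddress":"client-b@example.com"}],'
    '"complaintFeedbackType":"abuse","timestamp":"2023-02-02T10:00:00.000Z"},"mail":{"messageId":"msg-2",'
    '"source":"info@example.com","destination":["client-b@example.com"]}}',
    '{"notificationType":"Delivery","delivery":{"recipients":["client-c@example.com"],"smtpResponse":"250 OK",'
    '"timestamp":"2023-02-03T09:00:00.000Z"},"mail":{"messageId":"msg-3","source":"info@example.com",'
    '"destination":["client-c@example.com"]}}',
]

# Rule 100003 / level 5 is the Bounce rule from the thread; the Complaint and Delivery
# ids are hypothetical siblings keyed on the same notificationType field.
RULES = {"Bounce": (100003, 5), "Complaint": (100004, 7), "Delivery": (100005, 3)}


def decode_event(line):
    """Parse one SES notification record and extract the per-recipient outcome."""
    ev = json.loads(line)
    ntype = ev.get("notificationType")
    detail = ev.get(ntype.lower(), {}) if ntype else {}
    if ntype == "Bounce":
        recipients = [r["emailAddress"] for r in detail.get("bouncedRecipients", [])]
        reason = "%s/%s" % (detail.get("bounceType"), detail.get("bounceSubType"))
    elif ntype == "Complaint":
        recipients = [r["emailAddress"] for r in detail.get("complainedRecipients", [])]
        reason = detail.get("complaintFeedbackType", "")
    elif ntype == "Delivery":
        recipients = list(detail.get("recipients", []))
        reason = detail.get("smtpResponse", "")
    else:  # unknown or malformed record: keep it visible instead of dropping it
        recipients, reason = [], ""
    rule_id, level = RULES.get(ntype, (None, 0))
    return {"type": ntype, "message_id": ev.get("mail", {}).get("messageId"),
            "recipients": recipients, "reason": reason,
            "timestamp": detail.get("timestamp"), "rule_id": rule_id, "level": level}


def find_status(lines, address):
    """Answer the support question: what happened to mail sent to this address?"""
    wanted = address.strip().lower()
    return [e for e in map(decode_event, lines)
            if wanted in (r.lower() for r in e["recipients"])]
```

Calling `find_status(SAMPLE_EVENTS, "client-a@example.com")` returns the Bounce record with its `Permanent/General` reason and rule 100003; feed it the lines of an exported CloudWatch log stream instead of the sample to answer a real lookup.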

sang thanh

Feb 19, 2023, 9:33:52 PM
to Wazuh mailing list
Hi Nicolas Stefani,

I have already done the decoder and ruleset for the AWS SES log, but it looks like something is wrong when I connect Wazuh to the AWS S3 bucket that stores my AWS SES logs.

My AWS SES log structure in S3 is like this: s3://ses-st******s/2023/02/20/01/

And here is my Wazuh integration configuration:
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>
    <bucket type="config">
      <name>ses-st******s</name>
      <aws_account_id>63********03</aws_account_id>
      <access_key>AKIA*************SNV</access_key>
      <secret_key>yN7ib***************************************Gv3U</secret_key>
    </bucket>
  </wodle>

Do I need to add the path or change the bucket type to another?

P.S.: the "wazuh-modulesd:aws-s3 INFO" output looks good, without any error.

Thanks a lot.
On Thursday, 2 February 2023 at 20:56:01 UTC+7, Nicolas Stefani wrote: