CloudTrail Log Collection to Central S3 (Log Archive Account) Is Failing


Lucas

Aug 28, 2025, 7:02:52 PM
to Wazuh | Mailing List
Hello

We are collecting CloudTrail logs from multiple AWS accounts (“b”, “c”) into an S3 bucket in the log-archive AWS account “A.”

The S3 bucket structure in the log-archive account is as follows:
<bucket_name>/<organization_id>/AWSLogs/<account_id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file_name>.json.gz

We’ve tried various options in ossec.conf (such as aws_account_id and aws_organization_id, path), but each time we change the settings we encounter different errors, including “Returned exit code 1.”

Best Regards.
Lucas.

Leonardo López

Aug 28, 2025, 7:45:10 PM
to Wazuh | Mailing List

Lucas

Aug 29, 2025, 12:22:20 AM
to Wazuh | Mailing List
Hello Leonardo 

I tried applying all the different options from the page you sent and even changed up the combinations, but I still keep getting errors.
Could the issue be that the bucket name doesn’t really look like a typical bucket name?
(The bucket name is: aws-controltower-logs-<Account ID>-ap-northeast-2)
  
Thanks!

On Friday, August 29, 2025 at 8:45:10 AM UTC+9, Leonardo López wrote:

Leonardo López

Sep 2, 2025, 4:31:36 PM
to Wazuh | Mailing List
Hello Lucas,
I don't think that the issue is the bucket name, but try it if you can.
Can you share the complete wodle configuration, to check if something is not correct?
Thanks!