Analysing AWS load balancer logs with wazuh

[Eric Lexcellent]

Hello

Has anyone managed to analyse AWS load balancer logs with wazuh? With which decoders/rules?

If it was not done before, I will try to work on a decoder and ruleset and share it.

Thanks 

Eric

[Miguelangel Freitas]

Hi Eric,

I think this topic is very similar to the one described here: https://github.com/wazuh/wazuh/issues/657#issuecomment-392550074. We're planning to add this kind of integration to the Wazuh CloudTrail wodle. In any case, we're more than glad to receive any contribution from our community.

Please not hesitate to share with us your development, we really appreciate it. Thanks!

Best Regards,

Miguelangel Freitas.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b5334c6a-fc13-45b5-89cf-3c26db1032c8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Eric Lexcellent]

Hi Miguelangel

So I managed to get this working. 

I have added the following decoder in /var/ossec/etc/decoders/local_decoder.xml

<decoder name="amazon-alb">

    <type>web-log</type>

    <prematch>^\S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ "\S+ \S+ \S+"</prematch>

</decoder>

<decoder name="amazon-alb-domain">

    <type>web-log</type>

    <parent>amazon-alb</parent>

    <regex>^\S+ \S+ \S+ (\S+):\S+ \S+ \S+ \S+ \S+ (\S+) \S+ \S+ \S+ "(\S+) (\S+) \S+"</regex>

    <order>srcip, id, protocol, url</order>

</decoder>

At the moment it is really basic but I already get the same result as with nginx log file. 

Eric