AWS Inspector service integration issue

CJK

Jun 26, 2026, 3:32:37 AM
to Wazuh | Mailing List
Hi Team,

I am having an issue with AWS services integration on Wazuh v4.14.5 (distributed).

I have integrated two AWS services, CloudWatch and Inspector. But the log fetching delay is around 4 hours for CloudWatch and 2 hours for Inspector. And recently Inspector logs have stopped being received, and now we are seeing an error in the ossec log. Can someone help me fix the Inspector issue and fine-tune this delay in fetching?

Below is the conf, and I have attached logs from ossec.log and a SQLite query result from aws_services.db.
FYI, the services are integrated from an agent and all other AWS buckets are on the Wazuh manager.

## wodle conf
<!-- AWS GOV cloud services -->
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>3h</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>

    <service type="inspector">
      <aws_profile>Govcloud</aws_profile>
      <only_logs_after>2026-May-21</only_logs_after>
    </service>

    <service type="cloudwatchlogs">
      <aws_profile>Govcloud</aws_profile>
      <aws_log_groups>/aws/lambda/sns-alert-log-govcloud</aws_log_groups>
      <only_logs_after>2026-May-21</only_logs_after>
    </service>
  </wodle>
AWStroubleshoot.txt

Darío Ortega Leyva

Jun 26, 2026, 4:43:12 AM
to Wazuh | Mailing List

Hi CJK,

I see two issues in your setup, both documented in the official Wazuh docs.

1. Inspector AccessDeniedException

The error "An error occurred (AccessDeniedException) when calling the ListFindings operation" means your Govcloud IAM profile is missing the required permissions. Per the Amazon Inspector integration docs, the IAM policy must include:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "inspector:ListFindings",
        "inspector:DescribeFindings",
        "inspector2:ListFindings"
      ],
      "Resource": "*"
    }
  ]
}

Verify this policy is attached to the IAM entity behind your Govcloud profile.

2. Missing <regions> tag, root cause of the delay and the Interval overtaken warning

The same Inspector documentation states: "You must specify at least a region." Your configuration does not include <regions>, so the module iterates over all AWS regions. Your aws_services.db query confirms this: it shows 19+ regions being queried (af-south-1, ap-east-1, mx-central-1, etc.), each one failing or taking minutes.

This causes the total execution to exceed your 3h interval. As stated in the Troubleshooting section, the Interval overtaken warning means the execution time exceeded the configured interval, and the next run won't start until the current one finishes. Since both services run sequentially within the same wodle block, Inspector's slow region iteration also delays CloudWatch.

Suggested configuration (adjust regions to match your GovCloud deployment):


  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>

    <service type="inspector">
      <aws_profile>Govcloud</aws_profile>
      <regions>us-gov-west-1,us-gov-east-1</regions>
      <only_logs_after>2026-May-21</only_logs_after>
    </service>

    <service type="cloudwatchlogs">
      <aws_profile>Govcloud</aws_profile>
      <aws_log_groups>/aws/lambda/sns-alert-log-govcloud</aws_log_groups>
      <regions>us-gov-west-1</regions>
      <only_logs_after>2026-May-21</only_logs_after>
    </service>
  </wodle>

Note the interval is set to 10m, which matches the official documentation examples. After fixing the IAM policy and adding regions, you can optionally delete /var/ossec/wodles/aws/aws_services.db to clear stale region entries, then restart the agent.

Ref: wodle aws-s3 configuration reference
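
A way to check a configuration for the missing <regions> tag described in the reply above, as an added example that is not part of the original post or Wazuh's own code. The function name audit_aws_wodle and the two trimmed sample configs are assumptions constructed from the blocks quoted in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's original wodle, trimmed to the relevant tags.
BEFORE = """
<wodle name="aws-s3">
  <interval>3h</interval>
  <service type="inspector">
    <aws_profile>Govcloud</aws_profile>
  </service>
  <service type="cloudwatchlogs">
    <aws_profile>Govcloud</aws_profile>
    <aws_log_groups>/aws/lambda/sns-alert-log-govcloud</aws_log_groups>
  </service>
</wodle>
"""
# Constructed sample: same config with <regions> added to every service.
AFTER = BEFORE.replace(
    "</aws_profile>",
    "</aws_profile>\n    <regions>us-gov-west-1,us-gov-east-1</regions>")


def audit_aws_wodle(conf_text):
    """List every <service> in each aws-s3 wodle and flag missing <regions>."""
    # ossec.conf can contain several top-level elements; wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    findings = []
    for wodle in root.iter("wodle"):
        if wodle.get("name") != "aws-s3":
            continue
        interval = (wodle.findtext("interval") or "").strip()
        for svc in wodle.findall("service"):
            raw = svc.findtext("regions") or ""
            regions = [r.strip() for r in raw.split(",") if r.strip()]
            findings.append({
                "service": svc.get("type"),
                "profile": (svc.findtext("aws_profile") or "").strip(),
                "interval": interval,
                "regions": regions,
                "missing_regions": not regions,
            })
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for f in audit_aws_wodle(conf):
            state = "NO <regions>" if f["missing_regions"] else ",".join(f["regions"])
            print(f"{label}: {f['service']} ({f['profile']}, every {f['interval']}): {state}")
```

To audit a real agent, pass the contents of its ossec.conf to audit_aws_wodle; the wrapper root assumes the file has no XML declaration line.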

CJK

Jun 26, 2026, 7:50:52 AM
to Wazuh | Mailing List
Hi Dario,

Thanks for your reply,
I have checked the AWS policy attached and I have added AmazonInspectorFullAccess, AmazonInspector2FullAccess_v2 & AmazonInspector2FullAccess.
And I changed the config to the one below and restarted the service. But now both logs have stopped and I am receiving exit code 22. What is this issue?
FYI, based on the reference from this link https://groups.google.com/g/wazuh/c/lIdmru58oao I have also removed /var/ossec/wodles/aws/*.db-journal.
# updated config
<!-- AWS Buckets -->

  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>5m</interval>

    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>

    <service type="inspector">
      <aws_profile>Govcloud</aws_profile>
      <regions>us-gov-west-1,us-gov-east-1</regions>
      <only_logs_after>2026-May-21</only_logs_after>
    </service>

    <service type="cloudwatchlogs">
      <aws_profile>Govcloud</aws_profile>
      <aws_log_groups>/aws/lambda/sns-alert-log-govcloud</aws_log_groups>
      <regions>us-gov-west-1</regions>
      <only_logs_after>2026-May-21</only_logs_after>
    </service>
  </wodle>

#Ossec.log
tail -100f /var/ossec/logs/ossec.log | grep aws
2026/06/26 11:32:34 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -  Returned exit code 22
2026/06/26 11:32:34 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -
2026/06/26 11:32:34 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
2026/06/26 11:37:33 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2026/06/26 11:37:33 wazuh-modulesd:aws-s3: INFO: Executing Service Analysis: (Service: inspector, Profile: Govcloud)
2026/06/26 11:37:34 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -  Returned exit code 22
2026/06/26 11:37:34 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -
2026/06/26 11:37:34 wazuh-modulesd:aws-s3: INFO: Executing Service Analysis: (Service: cloudwatchlogs, Profile: Govcloud)
2026/06/26 11:37:34 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -  Returned exit code 22
2026/06/26 11:37:34 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -
2026/06/26 11:37:34 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
2026/06/26 11:37:37 wazuh-agentd: INFO: Version detected -> Linux |SIEM-analyze-server |6.17.0-1013-aws |#13~24.04.1-Ubuntu SMP Fri Apr 24 21:50:45 UTC 2026 |x86_64 [Ubuntu|ubuntu: 24.04.4 LTS (Noble Numbat)] - Wazuh v4.14.5
2026/06/26 11:37:40 wazuh-modulesd:aws-s3: INFO: Module AWS started
2026/06/26 11:37:40 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2026/06/26 11:37:40 wazuh-modulesd:aws-s3: INFO: Executing Service Analysis: (Service: inspector, Profile: Govcloud)
2026/06/26 11:37:41 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -  Returned exit code 22
2026/06/26 11:37:41 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -
2026/06/26 11:37:41 wazuh-modulesd:aws-s3: INFO: Executing Service Analysis: (Service: cloudwatchlogs, Profile: Govcloud)
2026/06/26 11:37:41 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -  Returned exit code 22
2026/06/26 11:37:41 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -
2026/06/26 11:37:41 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
2026/06/26 11:42:40 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2026/06/26 11:42:40 wazuh-modulesd:aws-s3: INFO: Executing Service Analysis: (Service: inspector, Profile: Govcloud)
2026/06/26 11:42:40 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -  Returned exit code 22
2026/06/26 11:42:40 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -
2026/06/26 11:42:40 wazuh-modulesd:aws-s3: INFO: Executing Service Analysis: (Service: cloudwatchlogs, Profile: Govcloud)
2026/06/26 11:42:40 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -  Returned exit code 22
2026/06/26 11:42:40 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -
2026/06/26 11:42:40 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.

CJK

12:43 AM
to Wazuh | Mailing List
Hi Dario,

Can you help? Both are not working when I add the region. And access to GOV is fine; I have tested and confirmed it from CLI aws commands with the profile.
