Wazuh Integration with AWS RDS PGSQL


Suvadip Ghosh

Mar 25, 2026, 11:14:58 AM (12 days ago)
to Wazuh | Mailing List
Dear Team,

While integrating a CloudWatch log group (AWS RDS PostgreSQL), I am not getting any logs in the UI.

While checking archives.log, this is what I get:

2026 Mar 25 14:04:58 ip-172-30-8-200->Wazuh-AWS 2026-03-25 14:03:37 UTC:[local]:rdsadmin@user:[31577]:LOG:  connection authenticated: identity="rdsmon" method=peer (/rdsdbdata/config/pg_hba.conf:2)


Can you please help me here.

Nicolas Zapata

Mar 25, 2026, 12:45:18 PM (12 days ago)
to Wazuh | Mailing List

Hi,

From the log you shared, it looks like the events are being collected correctly from CloudWatch and written into archives.log, which means the AWS integration itself is working.

If the logs are not visible in the Wazuh UI, this is usually related to decoding/parsing rather than ingestion.

A couple of things to check:

  • These logs (PostgreSQL/RDS) do not have a default decoder in Wazuh, so they may not be generating alerts or indexed fields.
  • By default, only alerts (not all archive events) are indexed and shown in the UI.

To move forward, could you please confirm:

  • Whether the logs appear in archives.json as well?
  • If there are any related errors in /var/ossec/logs/ossec.log?
  • The Wazuh version being used?

As a next step, a custom decoder/rule may be required to properly parse these PostgreSQL logs and make them visible in the UI.

Let me know those details and we can guide you further.


Related docs:

- https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
- https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

Suvadip Ghosh

Mar 26, 2026, 6:06:59 AM (12 days ago)
to Wazuh | Mailing List
Hello Nicolas,

I am using wazuh version 4.14.

Logs are only appearing in archives.log, not coming in alerts.json/alerts.log.

I am using the custom decoder:
<decoder name="postgresql-rds">
  <prematch type="pcre2">Wazuh-AWS \d+-\d+-\d+ \d+:\d+:\d+ UTC</prematch>
</decoder>

<decoder name="postgresql-rds-child">
  <parent>postgresql-rds</parent>
  <regex type="pcre2">UTC:([\w\d\.\(\)\[\]]+):(\S+)@(\S+):\[\d+\]:(\w+):\s*(.*)</regex>
  <order>srcip, db_user, database, log_level, message</order>
</decoder>

And the logtest result:
Starting wazuh-logtest v4.14.4
Type one log per line

2026 Mar 26 09:48:33 ip-172-30-8-200->Wazuh-AWS 2026-03-26 09:47:35 UTC:172.30.8.194(41929):reward_service@cx_prod:[10098]:LOG:  disconnection: session time: 0:16:34.988 user=reward_service database=cx_prod host=172.30.8.194 port=41929

**Phase 1: Completed pre-decoding.
        full event: '2026 Mar 26 09:48:33 ip-172-30-8-200->Wazuh-AWS 2026-03-26 09:47:35 UTC:172.30.8.194(41929):reward_service@cx_prod:[10098]:LOG:  disconnection: session time: 0:16:34.988 user=reward_service database=lxme_prod host=172.30.8.194 port=41929'
        timestamp: '2026 Mar 26 09:48:33'

**Phase 2: Completed decoding.
        name: 'postgresql-rds'
        database: 'cx_prod'
        db_user: 'reward_service'
        log_level: 'LOG'
        message: 'disconnection: session time: 0:16:34.988 user=reward_service database=cx_prod host=172.30.8.194 port=41929'
        srcip: '172.30.8.194(41929)'

**Phase 3: Completed filtering (rules).
        id: '100501'
        level: '3'
        description: 'RDS PostgreSQL: LOG message received'
        groups: '['amazon', 'postgresql_rds']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


After this, there is no result related to this in alerts.json.

Kindly review and suggest what needs to be done to generate the logs in the UI.
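As an added example (not from the thread or the Wazuh project), the script below applies the two PCRE2 expressions from the posted decoder to constructed lines modelled on the events quoted above, so the extraction can be checked outside wazuh-logtest. It also splits the client port out of srcip, an assumed normalisation the posted decoder does not perform; a value such as 172.30.8.194(41929) would not be accepted by an IP-typed index field.

```python
import re
from typing import Optional

# Expressions copied from the decoder posted above; this PCRE2 subset is also
# valid for Python's re module. PREMATCH is the parent, CHILD is the child regex.
PREMATCH = re.compile(r"Wazuh-AWS \d+-\d+-\d+ \d+:\d+:\d+ UTC")
CHILD = re.compile(r"UTC:([\w\d\.\(\)\[\]]+):(\S+)@(\S+):\[\d+\]:(\w+):\s*(.*)")
ORDER = ["srcip", "db_user", "database", "log_level", "message"]

# RDS appends the client port in parentheses, e.g. "172.30.8.194(41929)".
HOST_PORT = re.compile(r"^(?P<host>[^()]+)\((?P<port>\d+)\)$")


def decode(event: str) -> Optional[dict]:
    """Return the fields the decoder would extract, or None if prematch fails."""
    if not PREMATCH.search(event):
        return None
    match = CHILD.search(event)
    if not match:
        return {"decoder": "postgresql-rds"}  # parent matched, child did not
    fields = dict(zip(ORDER, match.groups()))
    fields["decoder"] = "postgresql-rds"
    # Assumed normalisation, not in the posted decoder: keep a bare address in
    # srcip and move the port to srcport; "[local]" is a Unix-socket connection.
    if fields["srcip"] == "[local]":
        fields["srcip"] = None
    else:
        hp = HOST_PORT.match(fields["srcip"])
        if hp:
            fields["srcip"] = hp.group("host")
            fields["srcport"] = int(hp.group("port"))
    return fields


# Constructed sample lines modelled on the two events quoted in the thread,
# plus one unrelated line that must not match the prematch.
SAMPLES = [
    "2026 Mar 25 14:04:58 ip-172-30-8-200->Wazuh-AWS 2026-03-25 14:03:37 UTC:[local]:"
    "rdsadmin@user:[31577]:LOG:  connection authenticated: identity=\"rdsmon\" "
    "method=peer (/rdsdbdata/config/pg_hba.conf:2)",
    "2026 Mar 26 09:48:33 ip-172-30-8-200->Wazuh-AWS 2026-03-26 09:47:35 "
    "UTC:172.30.8.194(41929):reward_service@cx_prod:[10098]:LOG:  disconnection: "
    "session time: 0:16:34.988 user=reward_service database=cx_prod "
    "host=172.30.8.194 port=41929",
    "2026 Mar 26 09:50:00 ip-172-30-8-200->sshd[123]: Accepted publickey for ec2-user",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decode(line))
```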

Suvadip Ghosh

Mar 30, 2026, 12:44:05 AM (8 days ago)
to Wazuh | Mailing List
Hello Team,

Kindly help here.

Nicolas Zapata

Apr 1, 2026, 3:15:49 AM (6 days ago)
to Wazuh | Mailing List

Hi,

Thanks for the details, this helps a lot.

From the logtest output, decoding and rule matching are working correctly (Phase 3 shows an alert should be generated). However, since nothing appears in alerts.json, this usually indicates the events are not reaching the analysis/alerting pipeline properly or are being filtered out.


A few things to verify:


- Confirm that the integration is not configured in a way that only stores events (e.g., logall) without generating alerts.

- Check /var/ossec/logs/ossec.log for any warnings/errors related to analysisd, aws-s3, or queue saturation.

- Verify if events could be dropped due to rate limiting or queue overflow.

- Check if there is any filtering (e.g., in the AWS integration configuration, decoders, rules, or Filebeat) that could be preventing the events from generating alerts.


Also, an important point:

Even if decoding works in logtest, in real ingestion the event must pass through the full pipeline (Wazuh → Filebeat → indexer). If something interrupts that flow, alerts won't be generated or indexed in the UI.


cat /var/log/filebeat/* | grep -i -E "error|warn"


Also, please check the cluster health. From the Wazuh dashboard, go to Indexer Management > Dev Tools and run:

GET _cluster/health


Indices:


GET _cat/indices?v


As a next step, could you please:

  • Share any related errors from ossec.log
  • Confirm if other AWS logs are generating alerts correctly
  • Let us know if any logs at all are reaching alerts.json, or if only these PostgreSQL logs are missing
  • Share the rule definition for ID 100501
  • Share the Filebeat logs output from the command above


This will allow me to replicate the full test (decoder + rule) and better identify where the issue might be happening.
