VPC flow logs from cloudwatch log groups do not appear


Jonathan Frappier

Jun 22, 2021, 9:55:55 AM
to Wazuh mailing list
I have configured my VPC flow logs to a cloudwatch log group, and configured wazuh as follows:

  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <service type="cloudwatchlogs">
      <aws_profile>default</aws_profile>
      <aws_log_groups>vpcFlowLogs</aws_log_groups>
      <regions>us-west-2</regions>
    </service>
  </wodle>

In a previous post, Jesus Linares helped me fix a problem with how I had the aws credentials and now see the following in the logs:

Jun 22, 2021 @ 09:34:08.000 wazuh-modulesd:aws-s3 INFO Fetching logs finished. 
Jun 22, 2021 @ 09:34:01.000 wazuh-modulesd:aws-s3 INFO Starting fetching of logs.
Jun 22, 2021 @ 09:34:01.000 wazuh-modulesd:aws-s3 INFO Executing Service Analysis: (Service: cloudwatchlogs, Profile: default)

However, nothing appears in the AWS module. I enabled debugging but then I see no output in the logs for the AWS module (either by following the troubleshooting guide here https://documentation.wazuh.com/current/amazon/services/troubleshooting.html or by setting wazuh_modules.debug=2 in /var/ossec/etc/local_internal_options.conf).

Jonathan Frappier

Jun 23, 2021, 3:27:11 PM
to Wazuh mailing list
It appears I may have been misunderstanding the directions/intentions of the AWS module. I *think* this is working, but I am confused by the purpose of the AWS module.

carlos...@wazuh.com

Jun 25, 2021, 3:12:24 AM
to Wazuh mailing list
Hi Jonathan,

Wazuh currently supports VPC Flow logs, however, only if VPC is configured to store those logs in a bucket, not using CloudWatchLogs. In this section of the documentation we show you how to configure it properly.

Wazuh comes with VPC Flow rules built in, but these rules are configured to check that the logs are coming from our VPC Flow integration. Since you are using CloudWatchLogs to get those logs, the source is not considered VPC Flow and therefore the rules won't match, hence no alerts are being generated and nothing will appear in Kibana.

It would be possible to modify these rules so that they do not check if the logs come from our integration with VPC Flow, but we cannot guarantee that this will work correctly. As I said, the official support for VPC Flow is through the use of buckets as indicated here.

The purpose of the CloudWatchLogs integration is to be able to bring to Wazuh logs from other AWS services that are not directly supported by our module. However, note that given the nature of CloudWatchLogs logs, where you can store almost anything, you need to create your own custom rules for the logs you want to process.

I hope this clarifies the issue a bit. Feel free to ask me any questions you may have regarding this.
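As an added illustration of the "create your own custom rules" point above (this is not from the thread and not part of the Wazuh project's shipped ruleset), the following local rules would let VPC flow records that arrive through the cloudwatchlogs service produce alerts. It assumes the AWS module tags each CloudWatch event with the JSON fields integration=aws, aws.source=cloudwatchlogs and the raw line in aws.message; confirm those names against a real event (for example in /var/ossec/logs/archives/archives.json with logall_json enabled) before relying on them. Rule IDs 100000 and above are the range Wazuh reserves for custom rules, and the file goes in /var/ossec/etc/rules/local_rules.xml followed by a manager restart.

```xml
<!-- Added example, not the original poster's configuration or the project's own rules.
     Assumed field names: integration, aws.source, aws.message (verify on your events). -->
<group name="aws,cloudwatchlogs,custom_vpc,">

  <!-- Base rule: any event the AWS module delivered from CloudWatch Logs.
       Level 0 so it only acts as a parent and never alerts on its own. -->
  <rule id="100100" level="0">
    <decoded_as>json</decoded_as>
    <field name="integration">aws</field>
    <field name="aws.source">cloudwatchlogs</field>
    <description>AWS CloudWatch Logs event (custom base rule).</description>
  </rule>

  <!-- A default-format (version 2) VPC flow record is 14 space-separated fields:
       version account-id interface-id srcaddr dstaddr srcport dstport protocol
       packets bytes start end action log-status
       Match on the leading "version account-id eni-..." shape to tell flow
       records apart from anything else that may land in the same log group. -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <field name="aws.message">^\d+ \d+ eni-\S+ </field>
    <description>AWS VPC flow record received via CloudWatch Logs.</description>
  </rule>

  <!-- Rejected traffic: action REJECT with log-status OK at the end of the record. -->
  <rule id="100102" level="5">
    <if_sid>100101</if_sid>
    <field name="aws.message"> REJECT OK$</field>
    <description>AWS VPC flow via CloudWatch Logs: connection REJECTED.</description>
  </rule>

</group>
```

Because the record is kept as one opaque string in aws.message, the alert does not expose srcaddr or dstaddr as separate fields the way the bucket-based VPC Flow integration does; if you need those for dashboards or correlation, a custom decoder for the message field is the next step.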