Integration Of AWS RDS With wazuh


Meraz Khan

May 31, 2024, 10:38:03 AM
to Wazuh | Mailing List
Hi Wazuh Team,

We are trying to integrate AWS RDS with Wazuh through CloudWatch.

We have followed these steps:
1. In our config file we have made changes to the wodle:
 
<wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>1m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>

    <!-- Key, log group and account values are redacted to placeholders here;
         never leave real keys in ossec.conf or in a public post -->
    <service type="cloudwatchlogs">
      <access_key>ACCESS_KEY</access_key>
      <secret_key>SECRET_KEY</secret_key>
      <aws_log_groups>LOG_GROUP</aws_log_groups>
      <regions>ap-south-1</regions>
      <only_logs_after>2024-JAN-10</only_logs_after>
      <aws_account_id>ACCOUNT_ID</aws_account_id>
    </service>

    <!-- RDS slow query log -->
    <service type="cloudwatchlogs">
      <access_key>ACCESS_KEY</access_key>
      <secret_key>SECRET_KEY</secret_key>
      <aws_log_groups>/aws/rds/instance/bee-poc-db/slowquery</aws_log_groups>
      <regions>ap-south-1</regions>
      <only_logs_after>2024-JAN-10</only_logs_after>
      <aws_account_id>ACCOUNT_ID</aws_account_id>
    </service>

    <!-- RDS audit log -->
    <service type="cloudwatchlogs">
      <access_key>ACCESS_KEY</access_key>
      <secret_key>SECRET_KEY</secret_key>
      <aws_log_groups>/aws/rds/instance/bee-poc-db/audit</aws_log_groups>
      <regions>ap-south-1</regions>
      <only_logs_after>2024-JAN-10</only_logs_after>
      <aws_account_id>ACCOUNT_ID</aws_account_id>
    </service>

    <!-- RDS general log (Connect / Query / Quit records) -->
    <service type="cloudwatchlogs">
      <access_key>ACCESS_KEY</access_key>
      <secret_key>SECRET_KEY</secret_key>
      <aws_log_groups>/aws/rds/instance/bee-poc-db/general</aws_log_groups>
      <regions>ap-south-1</regions>
      <only_logs_after>2024-JAN-10</only_logs_after>
      <aws_account_id>ACCOUNT_ID</aws_account_id>
    </service>
  </wodle>



2. Then we used these decoders:
<!-- Parent decoder for MySQL general-log records: "<thread id> Connect|Query|Quit <argument>" -->
<decoder name="RDS">
  <prematch>^\.*Connect|Query|Quit</prematch>
</decoder>

<!-- Connect records: "<id> Connect <user>@<host> on <db> using <protocol>".
     Field names in <order> must be comma-separated; a space-separated list is read as one field.
     OS_Regex treats \s and \t separately, so if the argument follows a tab use \t (or \.) instead of \s. -->
<decoder name="RDS-connect">
  <parent>RDS</parent>
  <regex>(\d+) (Connect)\s(\w+)@(\.*)\son\s(\.*)\susing\s(\.*)$</regex>
  <order>id, user-action, username, srcip, service, protocol</order>
</decoder>

<!-- Query and Quit records: "<id> <action> <argument>". Tried after RDS-connect so Connect lines are not
     swallowed by this more general pattern. -->
<decoder name="RDS-query">
  <parent>RDS</parent>
  <regex>(\d+) (\w+)\s*(\.*)$</regex>
  <order>id, user-action, query</order>
</decoder>

<!-- Error-log records: "... [Note] Aborted connection <id> to db: '<db>' user: '<user>' host: '<host>' (...)" -->
<decoder name="RDS-ERROR">
  <prematch>^\.* Aborted</prematch>
</decoder>

<decoder name="RDS-2">
  <parent>RDS-ERROR</parent>
  <regex>(\w+)\] \.*(Aborted connection) (\d+) to db: '(\.*)' user: '(\.*)' host: '(\.*)'</regex>
  <order>severity, connection-action, id, db, user, host</order>
</decoder>


3. We have set these rules:

<group name="RDS">
  <!-- decoded_as names the parent decoder; fields are filled by whichever child matched.
       Dynamic fields in the description use the $(field) form. -->
  <rule id="100141" level="3">
    <decoded_as>RDS</decoded_as>
    <field name="user-action">^Connect$</field>
    <description>Connect using $(username) from $(srcip)</description>
  </rule>
</group>

<group name="RDS-ERROR">
  <!-- MySQL writes "Aborted connection" with a lowercase c and OS_Regex is case-sensitive -->
  <rule id="100208" level="3">
    <decoded_as>RDS-ERROR</decoded_as>
    <field name="connection-action">^Aborted connection$</field>
    <description>Aborted connection from $(user) at host $(host)</description>
  </rule>
</group>


I am not getting the logs. I request the Wazuh team to please help me with this integration.
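As an added illustration (not code from the thread or from Wazuh), the Python below prototypes the field extraction and the two rule conditions the post is aiming for, run over constructed MySQL general-log and error-log lines in the shape RDS ships to CloudWatch (the lines are made up for this example, not taken from the poster's instance). Python `re` is not the OS_Regex dialect wazuh-analysisd uses, so the patterns are a sketch of the captures to verify, not drop-in decoders; the field names and rule ids follow the post.

```python
import re

# Constructed sample records (not from the thread): three general-log lines
# (tab-separated "timestamp <tab> thread-id action <tab> argument") and one
# error-log "Aborted connection" line.
SAMPLE_LINES = [
    "2024-01-10T10:15:30.123456Z\t   12 Connect\tadmin@10.0.1.20 on  using TCP/IP",
    "2024-01-10T10:15:30.124000Z\t   12 Query\tSELECT user, host FROM mysql.user",
    "2024-01-10T10:15:31.000000Z\t   12 Quit\t",
    "2024-01-10T10:15:40.000000Z 13 [Note] Aborted connection 13 to db: 'unconnected' "
    "user: 'app' host: '10.0.2.7' (Got an error reading communication packets)",
]

# Python counterparts of the decoder regexes. Group names mirror the <order> fields
# of the post (hyphens replaced by underscores so they are valid Python identifiers).
CONNECT_RE = re.compile(
    r"(?P<id>\d+) (?P<user_action>Connect)\s+(?P<username>\w+)@(?P<srcip>\S+) on "
    r"(?P<service>\S*) using (?P<protocol>.+)$"
)
QUERY_RE = re.compile(r"(?P<id>\d+) (?P<user_action>Query|Quit)\s*(?P<query>.*)$")
ABORTED_RE = re.compile(
    r"\[(?P<severity>\w+)\].*?(?P<connection_action>Aborted connection) (?P<id>\d+) "
    r"to db: '(?P<db>[^']*)' user: '(?P<user>[^']*)' host: '(?P<host>[^']*)'"
)


def decode(line: str) -> dict:
    """Mimic the parent/child decoder split: prematch picks the parent, then the first
    child pattern that matches supplies the fields. The error-log prematch is tested
    first so a Query containing the word "Aborted" is not misrouted the other way."""
    if " Aborted" in line:                       # RDS-ERROR prematch
        m = ABORTED_RE.search(line)
        return {"decoder": "RDS-ERROR", **(m.groupdict() if m else {})}
    if re.search(r"Connect|Query|Quit", line):   # RDS prematch
        m = CONNECT_RE.search(line) or QUERY_RE.search(line)
        return {"decoder": "RDS", **(m.groupdict() if m else {})}
    return {"decoder": None}


# The two custom rules from the post: decoded_as + one field check + a description
# with $(field) placeholders, the form Wazuh expands at alert time.
RULES = [
    {"id": 100141, "level": 3, "decoded_as": "RDS",
     "field": ("user_action", r"^Connect$"),
     "description": "RDS: connect by $(username) from $(srcip)"},
    {"id": 100208, "level": 3, "decoded_as": "RDS-ERROR",
     "field": ("connection_action", r"^Aborted connection$"),
     "description": "RDS: aborted connection from $(user) at $(host)"},
]


def evaluate(line: str):
    """Return the alert the first matching rule would raise for this line, or None."""
    fields = decode(line)
    for rule in RULES:
        name, pattern = rule["field"]
        if fields["decoder"] == rule["decoded_as"] and re.search(pattern, fields.get(name) or ""):
            desc = re.sub(r"\$\((\w+)\)", lambda m: fields.get(m.group(1), ""), rule["description"])
            return {"rule_id": rule["id"], "level": rule["level"], "description": desc, **fields}
    return None


def run(lines=SAMPLE_LINES) -> list:
    """Alerts for every line that trips a rule; Query and Quit lines decode but do not alert."""
    return [alert for alert in (evaluate(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in run():
        print(alert["rule_id"], alert["level"], alert["description"])
```

Once the captures look right here, feed the same sample lines to `/var/ossec/bin/wazuh-logtest` on the manager: it shows which decoder and rule the real engine picks for each line, which is the quickest way to tell a decoder problem from a collection problem when no alerts appear.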

Jose Luis Carreras Marin

Jun 3, 2024, 5:54:58 AM
to Wazuh | Mailing List
Hi Meraz, 

First of all, I have been checking your configuration, and I see that you are using the <access_key> tag (be careful, it seems that some keys are still displayed in your message), which has been deprecated since version 4.4.
This was done to avoid saving these keys in plain text; you can read more related info in the issue we were working on:
https://github.com/wazuh/wazuh/issues/14508

In our documentation you can find a complete guide on how to configure AWS credentials correctly:
https://documentation.wazuh.com/current/cloud-security/amazon/services/prerequisites/credentials.html

This should give correct access to what the Wazuh integration needs.
From here on, to help you as much as possible during the integration setup, it would be good if you could give us as many details as possible about your environment, Wazuh version, logs (/var/ossec/logs/ossec.log), or errors you may have encountered during the setup process.
Once everything is functional, we can proceed to test those decoders and custom rules, for which, by the way, I leave you a related link from our documentation:

I hope I can help you as much as possible.
Greetings,
Jose
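Added example, not from the thread or from Wazuh: a small Python audit for the problem Jose flags, run over a constructed `<wodle>` fragment shaped like the one posted (keys, account id and profile name are placeholders). It reports plaintext `<access_key>`/`<secret_key>` tags, anything that looks like an AWS access key id, and `only_logs_after` values not in Wazuh's YYYY-MMM-DD form, then rewrites the block to reference a named `<aws_profile>` and merges services that differ only in log group (`aws_log_groups` accepts a comma-separated list). The profile name `wazuh-rds` is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the one posted above; the key id is a dummy
# that matches the AKIA pattern, the account id is the AWS documentation placeholder.
LEGACY_WODLE = """<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>1m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <service type="cloudwatchlogs">
    <access_key>AKIAEXAMPLEEXAMPLE00</access_key>
    <secret_key>EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE0</secret_key>
    <aws_log_groups>/aws/rds/instance/bee-poc-db/general</aws_log_groups>
    <regions>ap-south-1</regions>
    <only_logs_after>2024-JAN-10</only_logs_after>
    <aws_account_id>123456789012</aws_account_id>
  </service>
  <service type="cloudwatchlogs">
    <access_key>AKIAEXAMPLEEXAMPLE00</access_key>
    <secret_key>EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE0</secret_key>
    <aws_log_groups>/aws/rds/instance/bee-poc-db/audit</aws_log_groups>
    <regions>ap-south-1</regions>
    <only_logs_after>2024-JAN-10</only_logs_after>
    <aws_account_id>123456789012</aws_account_id>
  </service>
</wodle>"""

PLAINTEXT_CRED_TAGS = ("access_key", "secret_key")
KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # shape of a long-term access key id
ONLY_LOGS_AFTER_RE = re.compile(r"^\d{4}-[A-Z]{3}-\d{2}$")  # Wazuh expects YYYY-MMM-DD, e.g. 2024-JAN-10


def find_key_ids(text: str) -> list:
    """Every access-key-id-looking token in the raw text (config file, or a pasted post)."""
    return KEY_ID_RE.findall(text)


def audit(xml_text: str) -> list:
    """Findings for an aws-s3 wodle: plaintext credential tags, key ids, bad date format."""
    root = ET.fromstring(xml_text)
    findings = []
    for i, svc in enumerate(root.findall("service")):
        for tag in PLAINTEXT_CRED_TAGS:
            if svc.find(tag) is not None:
                findings.append(f"service[{i}]: <{tag}> holds a credential in plain text (deprecated since Wazuh 4.4)")
        ola = svc.findtext("only_logs_after", "")
        if ola and not ONLY_LOGS_AFTER_RE.match(ola):
            findings.append(f"service[{i}]: only_logs_after {ola!r} is not in YYYY-MMM-DD form")
    for key_id in sorted(set(find_key_ids(xml_text))):
        findings.append(f"access key id {key_id} is present; rotate it if it was ever pasted anywhere")
    return findings


def rewrite_with_profile(xml_text: str, profile: str = "wazuh-rds") -> str:
    """Strip key tags, point each service at a named profile, and fold services that only
    differ in log group into one comma-separated aws_log_groups list."""
    root = ET.fromstring(xml_text)
    keep = {}   # (type, regions, only_logs_after, account) -> surviving <service>
    for svc in list(root.findall("service")):
        for tag in PLAINTEXT_CRED_TAGS:
            el = svc.find(tag)
            if el is not None:
                svc.remove(el)
        ident = (svc.get("type"), svc.findtext("regions"),
                 svc.findtext("only_logs_after"), svc.findtext("aws_account_id"))
        groups = svc.findtext("aws_log_groups", "")
        if ident in keep:
            first = keep[ident].find("aws_log_groups")
            first.text = f"{first.text},{groups}"
            root.remove(svc)
        else:
            keep[ident] = svc
            ET.SubElement(svc, "aws_profile").text = profile
    ET.indent(root)   # Python 3.9+
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(LEGACY_WODLE):
        print("-", finding)
    print(rewrite_with_profile(LEGACY_WODLE))
```

The rewritten block expects a `[wazuh-rds]` section in the credentials file the linked documentation describes for the manager; a manager running on EC2 can instead use an instance role and carry no static keys at all. Either way, any key that has appeared in a mailing-list post should be treated as compromised and rotated, independent of the config fix.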
