VPC flow configuration


Ponnaiah Ganesh

Mar 5, 2024, 1:05:32 AM
to wa...@googlegroups.com, in...@wazuh.com
We have our infrastructure set up in AWS, and we are monitoring our AWS environment with Wazuh. We are encountering issues while configuring VPC flow logs. Our Wazuh manager is hosted on a server within one of the accounts (Account A). When attempting to configure VPC flow logs for Account A using an S3 bucket and CloudTrail log group, we were successful. However, we are facing challenges when configuring VPC flow logs for other accounts, for example, Account B. Below, I have listed the various approaches we have attempted.

1. We attempted to configure VPC flow logs in the S3 bucket hosted in Account B and tried configuring them in the Wazuh manager by providing full access. However, we were unable to see the security events.

2. We pushed the VPC flow logs from Account B to the S3 bucket which is hosted in Account A, where the Wazuh manager is located. We attempted to monitor the logs in Wazuh, but were unsuccessful, even with full permissions granted to the bucket.

elw...@wazuh.com

Mar 5, 2024, 8:16:22 AM
to Wazuh | Mailing List
Hello Ponnaiah,

Can you please add the following custom rule, restart the Wazuh manager, and then retest pushing the logs:

<group name="amazon,aws,">

  <!-- AWS wodle -->
  <rule id="80200" level="5">
    <decoded_as>json</decoded_as>
    <field name="integration">aws</field>
    <options>no_full_log</options>
    <description>AWS alert.</description>
  </rule>
  <rule id="80400" level="0">
    <if_sid>80200</if_sid>
    <field name="aws.source">vpc</field>
    <options>no_full_log</options>
    <description>AWS VPC flow alert.</description>
    <group>aws_vpcflow,</group>
  </rule>
</group>

If that does not work, please enable the archives and look for the logs in archives.json, as explained here: https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html.

I hope this helps.

Regards,
Wali
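As an added illustration of the two layouts described in the first post (this is not configuration from the thread or from the Wazuh project itself), here is one aws-s3 wodle stanza per approach for the manager's ossec.conf; the account IDs, bucket names, role ARN and region are placeholders.

```xml
<!-- ossec.conf fragment for the Wazuh manager running in Account A.
     Placeholders: 222222222222 = Account B, bucket names, role ARN, region. -->
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <!-- Approach 1: the flow-log bucket lives in Account B.
       The manager's base credentials (aws_profile, or the instance role if
       the profile is omitted) must be trusted by a role in Account B that
       can list and read the bucket; the wodle calls STS AssumeRole itself. -->
  <bucket type="vpcflow">
    <name>accountb-vpcflow-bucket</name>
    <aws_profile>default</aws_profile>
    <iam_role_arn>arn:aws:iam::222222222222:role/WazuhVpcFlowReader</iam_role_arn>
    <aws_account_id>222222222222</aws_account_id>
    <aws_account_alias>account-b</aws_account_alias>
    <regions>us-east-1</regions>
    <!-- Objects dated before this are skipped; set it before the first test. -->
    <only_logs_after>2024-MAR-01</only_logs_after>
    <!-- Add <path>prefix</path> only if the flow log was created with a
         custom S3 prefix; otherwise the default AWSLogs/ layout is assumed. -->
  </bucket>

  <!-- Approach 2: Account B delivers its flow logs into a bucket in Account A.
       AWS writes them under AWSLogs/<account-id>/vpcflowlogs/<region>/YYYY/MM/DD/,
       so Account B's objects sit under AWSLogs/222222222222/..., beside Account A's.
       Pinning aws_account_id to Account B makes the wodle read that prefix only,
       which keeps the test unambiguous (no role is needed: the bucket is local). -->
  <bucket type="vpcflow">
    <name>accounta-central-logs</name>
    <aws_profile>default</aws_profile>
    <aws_account_id>222222222222</aws_account_id>
    <aws_account_alias>account-b-via-a</aws_account_alias>
    <regions>us-east-1</regions>
    <only_logs_after>2024-MAR-01</only_logs_after>
  </bucket>
</wodle>
```

For approach 2 the bucket in Account A also needs a bucket policy that allows the delivery.logs.amazonaws.com service principal to write objects on behalf of Account B; without it nothing is delivered, so the archives check above would show no aws events at all. Listing the bucket for the AWSLogs/222222222222/vpcflowlogs/ prefix before involving Wazuh separates a delivery problem from a wodle or rule problem.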