No log files AWS


Alara Joel

May 4, 2026, 2:17:37 PM
to Wazuh | Mailing List
I keep getting this error: "No files were found in 'bucket-s3-gastec-siem/o-srvq2cpn6y/'. No logs will be processed". At first it was worse; I was getting "No regions found for this Account: 'My account ID'".

I think the problem is something to do with my path in ossec.conf. I have thoroughly checked everything from the AWS side, and it all seems great.
I have done a lot of troubleshooting, but I keep missing something. I'm quite sure it's the path.

The User: 

My credential file is correct, my region is Stockholm eu-north-1, and I have that written in my config file.
Mind you, the AWS account has an organizational ID on it. CloudTrail logging is working fine on the AWS side; I can see the logs there nicely.
I have attached my wodle config section from ossec.conf and some pictures from my AWS (policy and permissions).

Bucket: bucket-s3-gastec-siem
Trail-log-location according to aws dashboard: bucket-s3-gastec-siem/AWSLogs/o-srvq2cpn6y/337683XXXXXX

On opening that link, this is the path I see inside: 337xx321xxxx/
Inside that, there are three folders: CloudTrail-Digest/ CloudTrail-Insight/ CloudTrail
In CloudTrail I see three regions (eu-north-1, eu-central-1, us-east-1; as far as I know we only really use 1, eu-north-1).
In them, I get months, days and then log files.
I changed the policy to include some new permissions when the default one didn't work.
My AWS profile name for Wazuh is called wazuh-aws.


What am I getting wrong? Thank you in advance for your help.

error wazuh.png
older-policy.png
trail-logging-yes.png
bucket 1.png
woodle config.png
new -policy.png

Stuti Gupta

May 5, 2026, 1:21:29 AM
to Wazuh | Mailing List

Hi Alara,

The error you are seeing means Wazuh is able to access your S3 bucket, but it is not finding any files in the specific path you configured.

Right now Wazuh is checking:
s3://bucket-s3-gastec-siem/o-srvq2cpn6y/

We need to confirm whether there are actually CloudTrail logs in that exact location.

Please run this command from your server using the same AWS profile:

aws s3 ls s3://bucket-s3-gastec-siem/o-srvq2cpn6y/ --recursive --profile wazuh-aws

If this command returns no output, it means there are no files under that path, which explains the error. In that case, the <path> in your ossec.conf does not match the real location of your logs in the bucket.

If the command does return files, then the path is correct and we can look at other settings such as filters.

The key point is that Wazuh only reads from the exact prefix you configure, so the path must match the real S3 object structure exactly.

Alara Joel

May 5, 2026, 8:14:14 AM
to Wazuh | Mailing List
Thanks, Gupta, that path didn't work, but now it did when I used this: bucket-s3-gastec-siem/AWSLogs/o-srvq2cpn6y/
It listed all the files. I will change it in the ossec.conf to see if it works now 

Alara Joel

May 5, 2026, 8:14:15 AM
to Wazuh | Mailing List
Updated now, but still doesn't seem to be processing anything.

I get the results in the second picture when I run this command: cat /var/ossec/logs/ossec.log | grep -i aws


logs.png
updated path.png

Stuti Gupta

May 6, 2026, 1:29:49 AM
to Wazuh | Mailing List

Now the path issue looks resolved because Wazuh is no longer showing:
“No files were found”.

It is successfully starting the bucket analysis and finishing without path errors.

The next thing to verify is whether Wazuh is actually finding CloudTrail log files inside that prefix and whether they match the only_logs_after filter.

Please run:

aws s3 ls s3://bucket-s3-gastec-siem/AWSLogs/o-srvq2cpn6y/ --recursive --profile wazuh-aws | tail

and confirm that the files are CloudTrail .json.gz logs and the timestamps are newer than 2026-APR-27.

Because you have:
<only_logs_after>2026-APR-27</only_logs_after>

Alara Joel

May 6, 2026, 7:48:30 AM
to Wazuh | Mailing List
Thanks a lot, Gupta. Good day to you.
I ran the command: aws s3 ls s3://bucket-s3-gastec-siem/AWSLogs/o-srvq2cpn6y/ --recursive --profile wazuh-aws
I took out the tails, and there are loads of logs there, but I realized they were from different regions. I don't know how the dev team has structured that. I see logs from ap-northeast-1, us-east-1, eu-north-1, eu-central-1.
Most of the other regions are CloudTrail digest logs, but eu-north-1, which I know we actually use, has almost all the CloudTrail logs.

2026-05-05 23:56:52        731 AWSLogs/o-srvq2cpn6y/337683218317/CloudTrail-Digest/us-west-2/2026/05/05/337683218317_CloudTrail-Digest_us-west-2_gastec-platform-trail_eu-north-1_20260505T235203Z.json.gz

2026-04-27 11:08:18       1466 AWSLogs/o-srvq2cpn6y/337683218317/CloudTrail/eu-north-1/2026/04/27/337683218317_CloudTrail_eu-north-1_20260427T1105Z_V0J5C4b1K95uTsU6.json.gz

Am I getting the correct logs? What could the problem be now?
lots of logs.png
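
The check requested earlier in the thread (are the keys CloudTrail .json.gz event logs, in the expected region, dated on or after the only_logs_after value) can be run over the whole `aws s3 ls --recursive` listing instead of by eye. This is an added example, not code from the thread participants or from Wazuh; the function names, the inclusive treatment of the cutoff date, and the two sample lines marked as constructed are assumptions.

```python
import re
from collections import Counter
from datetime import date

MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()
# Key layout seen in the thread's listing:
# AWSLogs/<org-id>/<account-id>/<type>/<region>/YYYY/MM/DD/<file>.json.gz
KEY_RE = re.compile(
    r"AWSLogs/(?P<org>o-[a-z0-9]+)/(?P<account>\d{12})/"
    r"(?P<type>CloudTrail(?:-Digest|-Insight)?)/(?P<region>[a-z0-9-]+)/"
    r"(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/[^/]+\.json\.gz$"
)

def parse_only_logs_after(value):
    """Parse the YYYY-MMM-DD form used in <only_logs_after>, e.g. 2026-APR-27."""
    year, mon, day = value.split("-")
    return date(int(year), MONTHS.index(mon.upper()) + 1, int(day))

def classify(listing_line):
    """Return (type, region, date) for one `aws s3 ls --recursive` line, or None."""
    parts = listing_line.split(maxsplit=3)  # date, time, size, key
    m = KEY_RE.search(parts[-1].strip()) if parts else None
    return (m["type"], m["region"], date(int(m["y"]), int(m["m"]), int(m["d"]))) if m else None

def summarize(lines, only_logs_after, regions):
    """Count eligible event logs and, for every other key, why it is set aside."""
    cutoff = parse_only_logs_after(only_logs_after)
    out = Counter()
    for line in filter(str.strip, lines):
        info = classify(line)
        if info is None:
            out["unrecognized"] += 1
        elif info[0] != "CloudTrail":      # digest/insight folders, not CloudTrail/
            out["other-type:" + info[0]] += 1
        elif info[1] not in regions:
            out["other-region:" + info[1]] += 1
        elif info[2] < cutoff:             # assumption: the cutoff date itself counts
            out["too-old"] += 1
        else:
            out["eligible"] += 1
    return dict(out)

# First two lines are the ones quoted in the post above; the last two are constructed.
SAMPLE = """\
2026-05-05 23:56:52        731 AWSLogs/o-srvq2cpn6y/337683218317/CloudTrail-Digest/us-west-2/2026/05/05/337683218317_CloudTrail-Digest_us-west-2_gastec-platform-trail_eu-north-1_20260505T235203Z.json.gz
2026-04-27 11:08:18       1466 AWSLogs/o-srvq2cpn6y/337683218317/CloudTrail/eu-north-1/2026/04/27/337683218317_CloudTrail_eu-north-1_20260427T1105Z_V0J5C4b1K95uTsU6.json.gz
2026-04-20 09:00:00       1200 AWSLogs/o-exampleorg1/111122223333/CloudTrail/eu-north-1/2026/04/20/111122223333_CloudTrail_eu-north-1_20260420T0855Z_CONSTRUCTED00001.json.gz
2026-05-01 09:00:00       1200 AWSLogs/o-exampleorg1/111122223333/CloudTrail/eu-central-1/2026/05/01/111122223333_CloudTrail_eu-central-1_20260501T0855Z_CONSTRUCTED00002.json.gz
"""
```

Calling `summarize(SAMPLE.splitlines(), "2026-APR-27", {"eu-north-1"})` gives the per-reason counts; on a real listing, pipe the saved `aws s3 ls` output in the same way.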

Alara Joel

May 9, 2026, 3:54:35 AM
to Wazuh | Mailing List
Hello, good day everyone. 
Please some help here?