wazuh integration with AWS


Sardar

Dec 20, 2017, 2:36:17 AM12/20/17
to Wazuh mailing list
Hello Folks, 


I'm running the Python script on the wazuh-manager server.
CloudTrail data is being written to the log file, but I don't see anything in Kibana.
I've also added lines in ossec.conf like:
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/amazon.log</location>
  </localfile>


The log file "/var/log/amazon.log" is not getting updated with new logs, but when I run the script it is updated with new logs, which still do not show in Kibana.

Also, the lsof command output is:

Kindly help me with this so I can see the alerts in Kibana.

Thanks and Best Regards, 
Sardar Shaikh

Braulio Vargas

Dec 26, 2017, 5:59:55 AM12/26/17
to Wazuh mailing list

Hello Sardar,


I think there's an error in your ossec.conf, but first I will explain a bit about that error. The logs collected by getawslog.py from CloudTrail are stored as JSON logs in a file, in this case /var/log/amazon.log, so your Wazuh manager will only read those logs if the log_format in the localfile section of your ossec.conf is json.


Also, check https://documentation.wazuh.com/current/amazon/integration.html: the localfile for the AWS integration has been updated as follows:


<ossec_config>
    <localfile>
      <log_format>json</log_format>
      <location>/path-with-write-permission/amazon.log</location>
      <label key="aws.integration">cloudtrail</label>
    </localfile>
</ossec_config>


In addition, please check that the line in your crontab file is correct; it should look similar to the following one:


*/5 *   * * * root /usr/bin/flock -n /tmp/cron.lock -c "python path_to_script/getawslog.py -b s3bucketname -d -j -D -l /path-with-write-permission/amazon.log"


Hope it helps.


Best regards,

Braulio

Sardar

Dec 27, 2017, 3:43:55 AM12/27/17
to Wazuh mailing list
Hi Braulio, 

Thanks for your reply.


I have added those lines in ossec.conf because I'm using Wazuh 2.1.


The crontab command is:
*/5 *   * * * root /usr/bin/flock -n /tmp/cron.lock -c "/home/centos/getawslog.py -b wazuhawslogs -d -j -D -l /var/log/amazon.log"

In the cron log it shows:

Dec 27 08:25:01 ip-**-*-*-*** CROND[8399]: (root) CMD (root /usr/bin/flock -n /tmp/cron.lock -c "/home/centos/getawslog.py -b BucketName -d -j -D -l /var/log/amazon.log")

But the new logs won't come into /var/log/amazon.log.

So kindly help me with this to get it working.

Thanks and Regards, 

Sardar S. 

Sardar

Jan 4, 2018, 4:34:49 AM1/4/18
to Wazuh mailing list
Hi Braulio, 

Please help me to understand where I'm going wrong.

Now logs are coming into the /var/log/amazon.log file,

but they are not displaying in Kibana Discover.

Do I need to create anything else, like a separate index or something?

Hope you will reply with something helpful.

Thanks and Regards, 
Sardar S. 


Braulio Vargas

Jan 4, 2018, 5:01:20 AM1/4/18
to Wazuh mailing list

Hi Sardar,

first of all, I'm sorry for the late response. The changes to the ossec.conf that I posted before are for Wazuh 3.0; I didn't know that you were using Wazuh 2.1, so you need to revert the changes and add again:

<localfile>
	<log_format>syslog</log_format>
	<location>/var/log/amazon.log</location>
</localfile>

The json log format is a new feature in Wazuh 3.x, which explains why your manager is not reading any log from your amazon.log or generating alerts. After you have changed your ossec.conf, restart your wazuh-manager to apply the changes using:

# systemctl restart wazuh-manager

or, in case you are using SysV Init, use:

# service wazuh-manager restart

Now your manager can read the logs stored in your amazon.log file and generate alerts, and then you can see the alerts in Kibana. Those alerts will appear in the wazuh-alerts-* index, so you don't need to create a new index.

Hope it helps and happy new year Sardar.

Best regards, 

Braulio.

Sardar

Jan 4, 2018, 6:41:12 AM1/4/18
to Wazuh mailing list
Hi Braulio, 

Happy new year to you too :) 

This is strange; it seems the alerts are still not reflecting in Kibana,

but I can see the new logs are coming into /var/log/amazon.log and it is getting updated every 5 min.

Can you please tell me the way to check where the problem is?


Thanks and Regards, 
Sardar. S. 

Sardar

Jan 4, 2018, 7:13:11 AM1/4/18
to Wazuh mailing list
Hi Braulio, 

Please find attached the ossec.conf file from the wazuh-manager.


Please let me know if anything is wrong. 

Thanks, 
Sardar S. 

Braulio Vargas

Jan 4, 2018, 6:06:39 PM1/4/18
to Wazuh mailing list

Hi Sardar,

I was reviewing your ossec.conf and it looks right. Maybe this problem is caused by a problem in the ruleset. To check whether this is true or not, you can activate the logall option (which you have already activated). In /var/ossec/logs/archives/archives.json you can find all events received by the manager, so there you can find an event from AWS.

Once you have located an AWS event, execute ossec-logtest. This will load all your rules and decoders and let you try your rules by introducing a log event, which in this case is your AWS event from /var/ossec/logs/archives/archives.json.

# /var/ossec/bin/ossec-logtest
...
...
...
2018/01/04 22:48:26 ossec-testrule: INFO: Reading decoder file etc/decoders/local_decoder.xml.
2018/01/04 22:48:26 ossec-testrule: INFO: Reading the lists file: 'etc/lists/audit-keys'
2018/01/04 22:48:26 ossec-testrule: INFO: Reading the lists file: 'etc/lists/amazon/aws-sources'
2018/01/04 22:48:26 ossec-testrule: INFO: Reading the lists file: 'etc/lists/amazon/aws-eventnames'
2018/01/04 22:48:26 ossec-testrule: INFO: Started (pid: 9109).
ossec-testrule: Type one log per line.


Once you have introduced your event here, if everything is correct, it should complete the three phases: predecoding, decoding and filtering, and generate the alert.

If you can't find an AWS event, or if you introduce the event and ossec-logtest can't generate an alert, please let me know.

Hope it helps.

Regards,
Braulio.
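The procedure above (find the AWS events in archives.json, then replay them through ossec-logtest) can be scripted. This is an added example, not code from the thread or from the Wazuh project; it assumes each archives.json line is one JSON object carrying a "location" field (the file the event was read from) and a "full_log" field (the raw line), and the sample lines are constructed.

```python
#!/usr/bin/env python3
"""Pull the raw events that arrived from /var/log/amazon.log out of
archives.json so they can be replayed one per line through ossec-logtest.
Assumption (not verified against the page): each archives.json line is a
JSON object with "location" and "full_log" fields."""
import json
import sys

AMAZON_LOG = "/var/log/amazon.log"


def aws_events(lines, location=AMAZON_LOG):
    """Return the raw log lines (full_log) of every archived event that the
    manager read from `location`. Lines that are not valid JSON or lack the
    expected fields are skipped instead of aborting the run."""
    found = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except ValueError:
            continue  # a line may be partially written while the manager is still logging
        if event.get("location") != location:
            continue
        full_log = event.get("full_log")
        if full_log:
            found.append(full_log)
    return found


# Constructed sample of archives.json lines (not real captured data).
SAMPLE_ARCHIVES = [
    '{"timestamp":"2018-01-04T22:40:00+0000","location":"/var/log/secure",'
    '"full_log":"Jan  4 22:40:00 host sshd[2201]: Accepted publickey for centos"}',
    '{"timestamp":"2018-01-04T22:45:01+0000","location":"/var/log/amazon.log",'
    '"full_log":"{\\"eventSource\\":\\"s3.amazonaws.com\\",\\"eventName\\":\\"ListBuckets\\"}"}',
    'not json at all',
    '{"timestamp":"2018-01-04T22:50:01+0000","location":"/var/log/amazon.log",'
    '"full_log":"{\\"eventSource\\":\\"iam.amazonaws.com\\",\\"eventName\\":\\"CreateUser\\"}"}',
]

if __name__ == "__main__":
    # Usage: python3 extract_aws_events.py /var/ossec/logs/archives/archives.json > aws_events.txt
    # then:  /var/ossec/bin/ossec-logtest < aws_events.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            events = aws_events(fh)
    else:
        events = aws_events(SAMPLE_ARCHIVES)
    for line in events:
        print(line)
```

Each extracted line is exactly what the manager received, so an event that ossec-logtest cannot decode points at the decoder rather than at log collection.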

Sardar

Jan 5, 2018, 1:30:51 AM1/5/18
to Wazuh mailing list
Hi Braulio,

Thanks for your reply. I shared with you the events' output from archives.json;
I'm able to see the events there, but they are not processed in logtest,
and also the lines below are not loading during logtest:

2018/01/04 22:48:26 ossec-testrule: INFO: Reading the lists file: 'etc/lists/amazon/aws-sources'
2018/01/04 22:48:26 ossec-testrule: INFO: Reading the lists file: 'etc/lists/amazon/aws-eventnames'
Thanks and Regards, 
Sardar

Braulio Vargas

Jan 5, 2018, 1:39:22 PM1/5/18
to Wazuh mailing list

Hi Sardar,

thank you for your message. As you can see in logtest, the event can't match any decoder, so your wazuh-manager can't trigger any alert. That is the reason why you can't see any alerts in Kibana.

Why is this happening? The reason is that in Wazuh 2.1 the decoding process was more complex than it is in the current version, and it didn't check all possible cases. This may end in errors like this one if the logs change their format a bit. This issue is solved in Wazuh 3.x, because the manager can digest JSON input directly from the logs, making the decoding process much easier, and a decoder is no longer needed to process JSON input data.

We highly recommend upgrading to the latest stable version of Wazuh following this guide: https://documentation.wazuh.com/current/installation-guide/upgrading/different_major.html and you will find this issue solved. If you can't perform an upgrade on your system, please check the Amazon decoders in your ruleset and adapt them to solve the issue. You can find the Amazon decoders on GitHub: https://github.com/wazuh/wazuh-ruleset/blob/2.1/decoders/0020-amazon_decoders.xml

Hope it helps.

Regards,
Braulio

Sardar

Jan 7, 2018, 12:33:35 AM1/7/18
to Wazuh mailing list
Hi Braulio,

Thank you so much for your suggestions.
I will upgrade, and if anything is required I will post it here.

Thanks again !!!


Regards,
Sardar S.