Security Hub Logs Not Appearing in Wazuh Dashboard

Chandra pal singh Chauhan

6:13 AM (14 hours ago)
to Wazuh | Mailing List

Dear Team,

I hope you are doing well.

We previously integrated AWS Security Hub with Wazuh, and at the time of integration the logs were successfully appearing on the Wazuh dashboard. However, currently we are not seeing any Security Hub logs on the dashboard.

Upon checking, we observed that logs are still being generated and stored in the S3 bucket. We also reviewed the ossec.log file and did not find any errors related to this log source. The relevant log entries are shown below:

2026/03/04 10:46:20 wazuh-modulesd:aws-s3: INFO: Executing Subscriber fetch: (Type and SQS: security_hub Toucan-Prod-SQS-SecurityHub)
2026/03/04 10:46:41 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.

Since the module appears to be running without errors but the logs are not visible on the Wazuh dashboard, could you please help us identify what additional checks or troubleshooting steps we should perform?

Your guidance on resolving this issue would be greatly appreciated.

Thank you for your support.

Regards,

Chandra

Gustavo Choquevilca

2:05 PM (6 hours ago)
to Wazuh | Mailing List
Hi Chandra,

Thank you for the detailed report. The log shows the module is running and completing the fetch cycle without errors, which suggests the issue may not be in the AWS connectivity layer but further down the pipeline.

To help narrow down the root cause, could you please share the following?

1. Enable debug mode for the AWS module and share the output:

Add the following to `/var/ossec/etc/local_internal_options.conf`:

wazuh_modules.debug=2

Then restart the Wazuh manager:

systemctl restart wazuh-manager

After that, wait for the next execution cycle and share the relevant section of /var/ossec/logs/ossec.log (look for lines containing aws-s3).

2. Check if events are reaching the analysis engine:

Run the following to see if any Security Hub alerts are being generated:

grep 'aws' /var/ossec/logs/alerts/alerts.json | tail -20

You can also enable event archiving and verify whether AWS events are reaching Wazuh at all. Here is the official documentation on how to enable it:
https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving

3. Additional question:

Have you made any recent changes that could have affected this integration? For example, changes to the ossec.conf, IAM permissions, SQS/S3 configurations, or a Wazuh version upgrade?
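
An added example, not part of either message and not Wazuh project code: step 2 of the reply above carried through as a script that compares the archive and alert files to name the stage at which events for one source stop. It assumes AWS-module events are JSON lines with `data.integration` set to `aws` and the log type in `data.aws.source`; the `security_hub` and `cloudtrail` source values, the stage names and the sample events are constructed for illustration.

```python
import json
import os
import tempfile

def count_aws_events(path):
    """Per-source count of AWS-module events in a JSON-lines file; None if the file is absent."""
    if not os.path.exists(path):
        return None
    counts = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            try:
                event = json.loads(line)
            except json.JSONDecodeError:
                continue  # skip blank or partially written lines
            data = event.get("data") if isinstance(event, dict) else None
            # Assumed layout: data.integration == "aws", data.aws.source names the log type.
            if not isinstance(data, dict) or data.get("integration") != "aws":
                continue
            aws = data.get("aws")
            source = aws.get("source", "unknown") if isinstance(aws, dict) else "unknown"
            counts[source] = counts.get(source, 0) + 1
    return counts

def locate_break(archives_path, alerts_path, source):
    """Name the pipeline stage at which events for `source` stop appearing."""
    archived = count_aws_events(archives_path)
    alerted = count_aws_events(alerts_path) or {}
    if alerted.get(source, 0) > 0:
        return "alerted"            # alerts are written: check forwarding to the indexer/dashboard
    if archived is None:
        return "archiving-off"      # cannot tell yet: enable archiving and wait one fetch cycle
    if archived.get(source, 0) > 0:
        return "ingested-no-alert"  # events reach the analysis engine but no rule raises an alert
    return "not-ingested"           # the module runs but delivers no events for this source

def write_sample(directory, name, events):
    """Write constructed events as JSON lines and return the file path."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.writelines(json.dumps(e) + "\n" for e in events)
    return path

if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    hub = {"data": {"integration": "aws", "aws": {"source": "security_hub"}}}
    trail = {"data": {"integration": "aws", "aws": {"source": "cloudtrail"}}}
    with tempfile.TemporaryDirectory() as tmp:
        archives = write_sample(tmp, "archives.json", [hub, trail, hub])
        alerts = write_sample(tmp, "alerts.json", [trail])
        print(count_aws_events(archives))
        print(locate_break(archives, alerts, "security_hub"))
```

On a manager, the two paths would be the archive file produced once archiving is enabled and `/var/ossec/logs/alerts/alerts.json`.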
