Not able to configure cloud trail with wazih


hailey m

Jun 6, 2023, 2:57:13 AM
to Wazuh mailing list
I'm trying to send logs from CloudTrail to Wazuh, but the logs CloudTrail stores in the bucket apparently go to a different folder inside this bucket, whereas Wazuh is checking the other folder, as shown below. What can I do to solve this?

root@wazuh:/var/ossec/wodles/aws# ./aws-s3 -b 'aws-cloudtrail-logs' --reparse --only_logs_after '2021-Jun-10' --debug 2 -r eu-east-1
DEBUG: +++ Debug mode on - Level: 2
DEBUG: +++ Working on 254xxxxxxx - eu-east-1
DEBUG: +++ Marker: AWSLogs/254xxxxxxxx/CloudTrail/eu-east-1/2021/06/10
DEBUG: +++ No logs to process in bucket: 254xxxxx/eu-east-1
DEBUG: +++ DB Maintenance

This is the error I was getting; then I deleted that empty folder and only got 'Debug mode on - Level: 2'.

Even after I deleted that empty folder, logs are still not appearing in Wazuh.
I also added the path where CloudTrail is storing logs to my ossec.conf file, but nothing seems to work.
I've followed the Wazuh documentation, but I'm not able to figure out what I'm doing wrong.
I've used the profile method to configure AWS credentials.
This is my config block in ossec.conf:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>aws-cloudtrail-logs</name>
    <path>aws-cloudtrail-logs/AWSLogs/o-xxxxxx/2500000000</path>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Selu López

Jun 6, 2023, 8:01:53 AM
to Wazuh mailing list

Hi Hailey,

What is the path where your CloudTrail logs are actually being stored inside the bucket? According to the documentation, the standard file system AWS CloudTrail creates has this structure by default:

<bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day>

But Wazuh can handle any path that matches this pattern:

<bucket_name>/<prefix>/AWSLogs/<suffix>/<organization_id>/<account_id>/CloudTrail/<region>/<year>/<month>/<day>

For example, if my logs were in wazuh-cloudtrail-bucket/AWSLogs/o-wazuh-1234567/166123456789/CloudTrail/us-west-1/2023/06/06, I would need a configuration similar to this one:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>wazuh-cloudtrail-bucket</name>
    <aws_organization_id>o-wazuh-1234567</aws_organization_id>
    <aws_account_id>166123456789</aws_account_id>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Let me know if this works for you!
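An added example, not part of the thread and not code from the Wazuh project: a small Python helper that parses a CloudTrail object key into the components of the pattern Selu quotes (prefix, suffix, organization id, account id, region, date), renders the matching wodle block, and reports which elements of an existing block disagree with a real key, which is exactly the mismatch the original question describes. Assumptions: AWS account ids are 12 digits, region names look like `us-west-1`, the bucket name is not part of the object key, and the only configuration elements emitted are the ones that appear in this thread (`<path>` for the prefix, `<aws_organization_id>`, `<aws_account_id>`, `<aws_profile>`). The sample keys and the sample configuration are constructed.

```python
"""Derive a Wazuh aws-s3 wodle block from a real CloudTrail S3 object key."""
import re
from typing import Dict, List, Optional
from xml.etree import ElementTree as ET

ACCOUNT_RE = re.compile(r"\d{12}")                 # assumption: 12-digit AWS account ids
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d")    # assumption: us-west-1, eu-central-1, ...

Parsed = Dict[str, Optional[str]]


def parse_cloudtrail_key(key: str) -> Optional[Parsed]:
    """Split an object key (bucket name NOT included) into the components of
    <prefix>/AWSLogs/<suffix>/<organization_id>/<account_id>/CloudTrail/<region>/<year>/<month>/<day>/<file>.
    <prefix>, <suffix> and <organization_id> are optional. Returns None if the key does not fit."""
    parts = key.strip("/").split("/")
    if parts.count("AWSLogs") != 1 or parts.count("CloudTrail") != 1:
        return None
    a, c = parts.index("AWSLogs"), parts.index("CloudTrail")
    between = parts[a + 1:c]      # [<suffix>] [<organization_id>] <account_id>
    after = parts[c + 1:]         # <region> <year> <month> <day> <file>
    if c < a or not between or not ACCOUNT_RE.fullmatch(between[-1]) or len(after) < 5:
        return None
    account_id = between[-1]
    middle = between[:-1]
    # Organization ids start with "o-"; anything left before it is the optional suffix.
    organization_id = middle.pop() if middle and middle[-1].startswith("o-") else None
    region, year, month, day = after[:4]
    if not (REGION_RE.fullmatch(region) and year.isdigit() and month.isdigit() and day.isdigit()):
        return None
    return {
        "prefix": "/".join(parts[:a]) or None,
        "suffix": "/".join(middle) or None,
        "organization_id": organization_id,
        "account_id": account_id,
        "region": region,
        "date": f"{year}/{month}/{day}",
        "file": after[-1],
    }


def wodle_config(bucket: str, parsed: Parsed, profile: str = "default") -> str:
    """Render the <wodle name="aws-s3"> block using the elements seen in this thread.
    <path> is emitted only when the key carries a prefix; the <suffix> component has no
    element in the thread, so it is parsed but not rendered here."""
    wodle = ET.Element("wodle", name="aws-s3")
    for tag, text in (("disabled", "no"), ("interval", "10m"),
                      ("run_on_start", "yes"), ("skip_on_error", "yes")):
        ET.SubElement(wodle, tag).text = text
    b = ET.SubElement(wodle, "bucket", type="cloudtrail")
    ET.SubElement(b, "name").text = bucket
    if parsed["prefix"]:
        ET.SubElement(b, "path").text = parsed["prefix"]
    if parsed["organization_id"]:
        ET.SubElement(b, "aws_organization_id").text = parsed["organization_id"]
    ET.SubElement(b, "aws_account_id").text = parsed["account_id"]
    ET.SubElement(b, "aws_profile").text = profile
    ET.indent(wodle)  # Python 3.9+
    return ET.tostring(wodle, encoding="unicode")


def config_mismatches(config_xml: str, key: str) -> List[str]:
    """Compare an existing <wodle> block against a real object key; empty list means it matches."""
    parsed = parse_cloudtrail_key(key)
    if parsed is None:
        return [f"key does not match the CloudTrail layout: {key}"]
    bucket = ET.fromstring(config_xml).find("bucket")
    if bucket is None:
        return ["config has no <bucket> element"]

    def text(tag: str) -> Optional[str]:
        el = bucket.find(tag)
        return el.text.strip().strip("/") if el is not None and el.text else None

    problems = []
    for tag, field in (("path", "prefix"), ("aws_organization_id", "organization_id"),
                       ("aws_account_id", "account_id")):
        want, have = parsed[field], text(tag)
        if want != have:
            problems.append(f"<{tag}> is {have!r}, but the key implies {want!r}")
    return problems


# Constructed sample key, modelled on the organization layout quoted in the reply.
ORG_KEY = ("AWSLogs/o-wazuh-1234567/166123456789/CloudTrail/us-west-1/2023/06/06/"
           "166123456789_CloudTrail_us-west-1_20230606T0000Z_sample.json.gz")

# Constructed block mirroring the shape of the original question's config (bucket name
# repeated inside <path>, no organization/account elements).
BROKEN_CONFIG = """<wodle name="aws-s3"><bucket type="cloudtrail">
  <name>aws-cloudtrail-logs</name>
  <path>aws-cloudtrail-logs/AWSLogs/o-wazuh-1234567/166123456789</path>
  <aws_profile>default</aws_profile></bucket></wodle>"""

if __name__ == "__main__":
    for problem in config_mismatches(BROKEN_CONFIG, ORG_KEY):
        print("mismatch:", problem)
    print(wodle_config("wazuh-cloudtrail-bucket", parse_cloudtrail_key(ORG_KEY)))
```

Run it against a key copied from `aws s3 ls --recursive` on the bucket: the mismatch list tells you which element to change, and the rendered block is the configuration that would match that key under the pattern quoted above.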
