No Alerts/Events for CloudWatch Logs


Kelvin Mak

Jul 8, 2025, 4:18:35 AM
to Wazuh | Mailing List
Dear Team,

I am reaching out to seek assistance with an issue in our Wazuh deployment (version 4.9.2) related to the AWS CloudWatch Logs integration.

Current Situation:

CloudTrail Integration: Our CloudTrail integration with the S3 bucket is working correctly. We can see logs being processed and events appearing in the Wazuh dashboard, including actions like RunInstances, CreateNetworkInterface, etc.

CloudWatch Logs Integration: The CloudWatch Logs integration is configured to monitor 70 log groups in us-east-2 for an AWS account. The Wazuh logs (/var/ossec/logs/ossec.log) show the module executing without error.
For example:
Jul 8, 2025 @ 15:34:06.000 wazuh-rootcheck INFO Ending rootcheck scan.
Jul 8, 2025 @ 15:34:02.000 sca INFO Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2.yml'
Jul 8, 2025 @ 15:34:02.000 sca INFO Security Configuration Assessment scan finished. Duration: 46 seconds.
Jul 8, 2025 @ 15:33:43.000 wazuh-modulesd:aws-s3 INFO Executing Service Analysis: (Service: cloudwatchlogs, Account ID: ********, Profile: default)
Jul 8, 2025 @ 15:33:18.000 wazuh-logcollector INFO (9203): Monitoring journal entries.

However, no alerts or events for aws.cloudwatch appear in the Wazuh dashboard (wazuh-alerts-* or wazuh-archives-* index patterns), and no relevant entries are found in /var/ossec/logs/archives/archives.json when searching for aws.cloudwatch.

Logall_json: JSON logging is enabled (logall_json), but no aws.cloudwatch events appear in /var/ossec/logs/archives/archives.json.

Issue: Despite the CloudWatch Logs module running without errors (no exit code 2 or Error parsing arguments in recent logs), no alerts or events are generated in the Wazuh dashboard or logs for aws.cloudwatch. The CloudTrail integration works fine, but CloudWatch Logs are not being processed into alerts/events.

Could you assist in diagnosing why CloudWatch Logs are not generating alerts/events despite the module running successfully? Are there specific decoders or rules needed? Any additional debugging steps or configuration checks would be appreciated.

The wodle setting:
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>
    <bucket type="cloudtrail">
      <name>***********</name>
      <aws_profile>default</aws_profile>
    </bucket>
    <service type="cloudwatchlogs">
      <aws_profile>default</aws_profile>
      <aws_log_groups>******,*****,******,*******</aws_log_groups>
      <regions>us-east-2</regions>
      <aws_account_id>*********</aws_account_id>
      <only_logs_after>2025-JUL-03</only_logs_after>
    </service>
  </wodle>

BR,
Kelvin

Nicolas Stefani

Jul 8, 2025, 4:54:18 PM
to Wazuh | Mailing List
Hi Kelvin,

First, for the CloudWatch integration, there aren't rules out of the box; you need to write your own. This could be the main reason, as you don't see any alerts.

To check that the events are being ingested into Wazuh, enable the archives and search for the CloudWatch logs in `/var/ossec/logs/archives.json`. If you can see logs in there, the integration is running ok.

As I mentioned before, if the ingestion is working properly, you need to write your own rules to trigger alerts and see the results in the dashboard.
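The check described above, finding out whether CloudWatch events are actually reaching the archive, is easier to repeat with a small script than by grepping. The following is an added example, not code from the thread or from the Wazuh project: it reads archives.json lines (one JSON object per line), counts events per AWS source, and lists which CloudWatch log groups delivered events, so a configured group that never shows up can be singled out before any rule is written. The sample lines are constructed; the field names data.integration, data.aws.source and data.aws.log_group are assumed to match the Wazuh AWS module's JSON output, so confirm them against a real line from your own archives.json first.

```python
"""Summarise AWS module events found in archives.json.

Added example, not Wazuh project code. Field names (data.integration,
data.aws.source, data.aws.log_group) are assumptions about the module's
output; verify them against a real archive line.
"""
import json
from collections import Counter

# Constructed sample of archives.json lines: one CloudTrail event, two
# CloudWatch Logs events from the same log group, one non-AWS event, and a
# cut-off line such as a partially written archive can contain.
SAMPLE_ARCHIVE = r'''
{"timestamp":"2025-07-17T23:05:24.000+0800","location":"Wazuh-AWS","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"cloudtrail","eventName":"RunInstances","awsRegion":"us-east-2"}}}
{"timestamp":"2025-07-17T23:05:25.000+0800","location":"Wazuh-AWS","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"cloudwatchlogs","log_group":"/aws/lambda/app-one","log_stream":"2025/07/17/[$LATEST]0001","message":"START RequestId: 1111"}}}
{"timestamp":"2025-07-17T23:05:26.000+0800","location":"Wazuh-AWS","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"cloudwatchlogs","log_group":"/aws/lambda/app-one","log_stream":"2025/07/17/[$LATEST]0001","message":"END RequestId: 1111"}}}
{"timestamp":"2025-07-17T23:05:27.000+0800","location":"/var/log/auth.log","full_log":"Jul 17 23:05:27 host sshd[4242]: Accepted publickey for ops from 10.0.0.5 port 51000 ssh2"}
{"timestamp":"2025-07-17T23:05:28.000+0800","location":"Wazuh-AWS","data":{"integration":"aws","aws":{"source":"cloudwa
'''


def iter_events(text):
    """Yield each parseable JSON line; skip blanks and a cut-off last line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def aws_source(event):
    """AWS module source of an event ('cloudtrail', 'cloudwatchlogs', ...), or None."""
    data = event.get("data", {})
    if data.get("integration") != "aws":
        return None
    return data.get("aws", {}).get("source", "unknown")


def count_by_source(text):
    """Counter of events per AWS source, e.g. {'cloudwatchlogs': 2, 'cloudtrail': 1}."""
    return Counter(src for src in map(aws_source, iter_events(text)) if src)


def cloudwatch_log_groups(text):
    """Events per CloudWatch log group, taken from data.aws.log_group."""
    groups = Counter()
    for event in iter_events(text):
        if aws_source(event) == "cloudwatchlogs":
            groups[event["data"]["aws"].get("log_group", "<no log_group>")] += 1
    return dict(groups)


def silent_groups(text, configured):
    """Configured log groups for which the archive holds no event at all."""
    seen = cloudwatch_log_groups(text)
    return sorted(group for group in configured if group not in seen)


if __name__ == "__main__":
    import sys
    # Pass the real path as the first argument; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARCHIVE
    print("events per source:", dict(count_by_source(text)))
    print("events per log group:", cloudwatch_log_groups(text))
    print("silent groups:", silent_groups(text, ["/aws/lambda/app-one", "/aws/lambda/app-two"]))
```

Run it as `python3 check_archive.py /var/ossec/logs/archives/archives.json` (the archive is only written while logall_json is enabled). An empty count for cloudwatchlogs means the problem is upstream of the ruleset (credentials, region, log group names), and the list of silent groups is the set to feed into the describe-log-streams test later in this thread.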

Kelvin Mak

Jul 14, 2025, 12:03:03 AM
to Wazuh | Mailing List
Hi Nicolas,

Thank you for your input. Regarding the CloudWatch integration, I understand that there are no pre-built rules.

As you mentioned, if ingestion is working, I’ll need to create custom rules to trigger alerts and view results on the dashboard. Could you please share any sample rules to assist me with this? I’d greatly appreciate your guidance.

Also, I want to confirm whether it is possible to have two existing wodles with the same name? In my setup, I created two "s3" wodles, one for CloudTrail (which works fine) and one for CloudWatch.

BR,
Kelvin
On Wednesday, July 9, 2025 at 4:54:18 AM UTC+8, Nicolas Stefani wrote:

Nicolas Stefani

Jul 14, 2025, 4:23:09 PM
to Wazuh | Mailing List
In this use case blog entry, you can see how rules for CloudWatch are created.

Also, here is some generic documentation about rules and decoders:


> Also, I want to confirm whether it is possible to have two existing wodles with the same name? In my setup, I created two "s3" wodles, one for cloud trail (which works fine) and one for cloud watch.

Yes, there is no problem with that.

Kelvin Mak

Jul 15, 2025, 4:31:43 AM
to Wazuh | Mailing List
Hi Nicolas,

I have set up the same rules as per the documentation. However, I noticed that aws.cloudwatch events are not appearing in /var/ossec/logs/archives/archives.json (cloudtrail logs exist). Could you please suggest methods to troubleshoot why logs are not being received? Thank you for your assistance!

BR,
Kelvin
On Tuesday, July 15, 2025 at 4:23:09 AM UTC+8, Nicolas Stefani wrote:

Kelvin Mak

Jul 17, 2025, 3:29:32 AM
to Wazuh | Mailing List
Hi Nicolas,

Here are some of the updates:
1.  I can find CloudWatch events in /var/ossec/logs/archives/archives.json now.
2.  While the CloudWatch service is working, I tried reducing the number of log groups (collecting only one at a time). Most log groups show the following error:
Jul 17, 2025 @ 23:05:24.000 wazuh-modulesd:aws-s3 WARNING Service: cloudwatchlogs ************ - Returned exit code 16
Jul 17, 2025 @ 23:05:24.000 wazuh-modulesd:aws-s3 WARNING Service: cloudwatchlogs ************ - The "get_log_streams" request failed: An error occurred (ResourceNotFoundException) when calling the DescribeLogStreams operation: The specified log group does not exist.
Jul 17, 2025 @ 23:05:24.000 wazuh-modulesd:aws-s3 INFO Fetching logs finished.
Jul 17, 2025 @ 23:05:21.000 wazuh-modulesd:aws-s3 INFO Executing Service Analysis: (Service: cloudwatchlogs, Account ID: **********, Profile: default)

But when I test with the command "aws logs filter-log-events --log-group-name ********-****** --region us-east-2 --profile default", it does not show any "ResourceNotFoundException" error.

Also, I don't know why only one of the 70 log groups does not show the ResourceNotFoundException error. It prints the same output when I use the command to test.

Could you please suggest methods to solve this problem? Thank you for your assistance!

BR,
Kelvin
On Tuesday, July 15, 2025 at 4:31:43 PM UTC+8, Kelvin Mak wrote:

Nicolas Stefani

Jul 21, 2025, 9:31:44 AM
to Kelvin Mak, Wazuh | Mailing List
Hi Kelvin,

Please check the log group access with

aws --region us-east-2 --profile default logs describe-log-streams --log-group-name <log_group>

And share the output.

Also, please share the contents of ~/.aws/config and ~/.aws/credentials, taking care to redact the credential values. I need to check if any configuration could be affecting the execution of the AWS module.

Regards,



--
Wazuh Nicolás Stefani
Software Engineer

Kelvin Mak

Jul 23, 2025, 9:10:23 PM
to Wazuh | Mailing List
Hi Nicolas,

Thank you for your reply!

The result of aws --region us-east-2 --profile default logs describe-log-streams --log-group-name <log_group>
One of the log groups showing the error:
Screenshot 2025-07-22 091640.png
The only log group that does not show errors:
Screenshot 2025-07-22 092019.png
The screenshot of ~/.aws/credentials:
Screenshot 2025-07-22 092343.PNG

For the ~/.aws/config:
I did not create a config file on the Wazuh server; I set the region in the wodle settings. The wodle setting is the same as in the first email.

Thank you for your help!

BR,
Kelvin

On Monday, July 21, 2025 at 9:31:44 PM UTC+8, Nicolas Stefani wrote:

Nicolas Stefani

Jul 24, 2025, 10:23:51 AM
to Kelvin Mak, Wazuh | Mailing List
Understood, could you please try adding the file `~/.aws/config` and the region in it?

The content should be
[default]
region = us-east-2




Kelvin Mak

Jul 24, 2025, 9:59:50 PM
to Wazuh | Mailing List
Hi Nicolas,

Thank you for your help! I created the file in `~/.aws/`, but the result still shows the error.

Screenshot:
Screenshot 2025-07-25 093543.png

Log:
Jul 25, 2025 @ 17:53:54.000 wazuh-modulesd:aws-s3 WARNING Service: cloudwatchlogs ************ - Returned exit code 16
Jul 25, 2025 @ 17:53:54.000 wazuh-modulesd:aws-s3 WARNING Service: cloudwatchlogs ************ - The "get_log_streams" request failed: An error occurred (ResourceNotFoundException) when calling the DescribeLogStreams operation: The specified log group does not exist.
Jul 25, 2025 @ 17:53:54.000 wazuh-modulesd:aws-s3 INFO Fetching logs finished.
Jul 25, 2025 @ 17:53:49.000 wazuh-modulesd:aws-s3 INFO Executing Service Analysis: (Service: cloudwatchlogs, Account ID: ************, Profile: default)

BR,
Kelvin

On Thursday, July 24, 2025 at 10:23:51 PM UTC+8, Nicolas Stefani wrote:

Nicolas Stefani

Jul 25, 2025, 11:13:33 AM
to Kelvin Mak, Wazuh | Mailing List
It's strange because you have access with the AWS CLI, but have you checked the required policies of the module?

Kelvin Mak

Jul 27, 2025, 10:26:28 PM
to Wazuh | Mailing List
Hi Nicolas,

Here is the AWS policy setting; please give me some advice. Thank you for your help! (I only hid the account number.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetS3Logs",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:s3:::aws-cloudtrail-logs-**************-b58d3f4c/*",
                "arn:aws:s3:::aws-cloudtrail-logs-**************-b58d3f4c",
                "arn:aws:iam::**************:role/Wazuh-IAM-Role"
            ]
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:FilterLogEvents",
                "logs:DescribeLoggroups"
            ],
            "Resource": [
                "arn:aws:logs:us-east-2:**************:log-group:*:*",
                "arn:aws:logs:us-east-2:**************:log-group:*:log-stream:*",
                "arn:aws:logs:us-east-1:**************:log-group:*:*",
                "arn:aws:logs:us-east-1:**************:log-group:*:log-stream:*"
            ]
        }
    ]
}

BR,
Kelvin
On Friday, July 25, 2025 at 11:13:33 PM UTC+8, Nicolas Stefani wrote:

Nicolas Stefani

Aug 8, 2025, 10:54:09 AM
to Kelvin Mak, Wazuh | Mailing List
Hi Kelvin,

Are you still having the issue?
