Aws lambda logs not being collected by wazuh.


hailey...@gmail.com

Jul 17, 2023, 1:41:31 AM
to Wazuh mailing list
Hello all, I've configured Wazuh to receive the CloudTrail logs, and it's working well for all other event sources except for Lambda functions. I've checked that there's no error in the configuration and checked the trail via Athena (Lambda logs are present in the trail), but they are not being ingested into Wazuh. In the alerts.json file as well, I see logs from all other sources, just not for Lambda. Is anyone familiar with this issue?

Luis González Romero

Jul 17, 2023, 5:58:24 AM
to Wazuh mailing list

Hello hailey, hope you’re great.

I’ve researched the AWS rules Wazuh has, and it seems like there is none for lambdas. Here you have the Amazon rules Wazuh has right now.

I took a look at Amazon's AWS Lambda function logging to see the log format, but I don't know if these are the ones you have.

Here we have some samples:

  • Raw logs that do not even follow the expected syslog format, or any other:

    **Phase 1: Completed pre-decoding.
        full event: '2023/02/03/[$LATEST]ea9a64ec87294bf6bbc9026c05a01e04 2023-02-03T14:59:51.128000 REPORT RequestId: d455cfc4-7704-46df-901b-2a5cce9405be Duration: 16.33 ms Billed Duration: 17 ms Memory Size: 128 MB Max Memory Used: 64 MB Init Duration: 739.46 ms'

    **Phase 2: Completed decoding.
        No decoder matched.

    REPORT RequestId: 1c8df7d3-xmpl-46da-9778-518e6eca8125 Duration: 2.75 ms Billed Duration: 3 ms Memory Size: 128 MB Max Memory Used: 56 MB Init Duration: 113.51 ms

    **Phase 1: Completed pre-decoding.
        full event: 'REPORT RequestId: 1c8df7d3-xmpl-46da-9778-518e6eca8125 Duration: 2.75 ms Billed Duration: 3 ms Memory Size: 128 MB Max Memory Used: 56 MB Init Duration: 113.51 ms'

    **Phase 2: Completed decoding.
        No decoder matched.

  • Some extracted as JSON:

    {"timestamp":1559763003171,"message":"START RequestId: 4ce9340a-b765-490f-ad8a-02ab3415e2bf Version: $LATEST\n","ingestionTime":1559763003309}

    **Phase 1: Completed pre-decoding.
        full event: '{"timestamp":1559763003171,"message":"START RequestId: 4ce9340a-b765-490f-ad8a-02ab3415e2bf Version: $LATEST\n","ingestionTime":1559763003309}'

    **Phase 2: Completed decoding.
        name: 'json'
        ingestionTime: '1559763003309.000000'
        message: 'START RequestId: 4ce9340a-b765-490f-ad8a-02ab3415e2bf Version: $LATEST '
        timestamp: '1559763003171.000000'

    With these you have a few fields that are gathered without doing anything, so you could add a custom rule or decoder based on them.

Please share some logging samples (avoiding sending sensitive info) so I can verify if those logs should trigger an alert. To double-check that the Lambda logs you have are not triggering any alert, we can paste them into /var/ossec/bin/wazuh-logtest and verify it.

If no decoder matches or no rule is triggered, you have to create your own custom decoder/rule. If you have any doubt or issue, do not hesitate to ask for help.
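The two runtime lines above (the prefixed REPORT line and the CloudWatch-wrapped START line) are what a custom decoder would have to pick apart before any rule can fire. The parser below is an added illustration, not Wazuh or AWS code, and its sample lines are constructed from the ones quoted in this reply; the field names it emits (request_id, duration_ms, max_memory_used_mb and so on) are my own choice. It handles both the raw form and the JSON envelope, and it makes one defender-relevant point visible: these lines carry execution metrics and a request id only, no caller identity, so a decoder for them adds telemetry rather than attribution.

```python
"""Parse AWS Lambda runtime log lines (START / END / REPORT), raw or inside
the CloudWatch Logs JSON envelope, into named fields.

Added example, not Wazuh or AWS code. Sample lines are constructed from
the wazuh-logtest input quoted in the thread.
"""
import json
import re
from typing import Any, Dict, Optional

# Constructed samples modelled on the quoted logtest input.
RAW_REPORT_WITH_PREFIX = (
    "2023/02/03/[$LATEST]ea9a64ec87294bf6bbc9026c05a01e04 2023-02-03T14:59:51.128000 "
    "REPORT RequestId: d455cfc4-7704-46df-901b-2a5cce9405be Duration: 16.33 ms "
    "Billed Duration: 17 ms Memory Size: 128 MB Max Memory Used: 64 MB Init Duration: 739.46 ms"
)
RAW_REPORT = (
    "REPORT RequestId: 1c8df7d3-xmpl-46da-9778-518e6eca8125 Duration: 2.75 ms "
    "Billed Duration: 3 ms Memory Size: 128 MB Max Memory Used: 56 MB Init Duration: 113.51 ms"
)
WRAPPED_START = (
    '{"timestamp":1559763003171,"message":"START RequestId: '
    '4ce9340a-b765-490f-ad8a-02ab3415e2bf Version: $LATEST\\n","ingestionTime":1559763003309}'
)

# "START RequestId: <id>", "END RequestId: <id>", "REPORT RequestId: <id> ..."
HEADER_RE = re.compile(
    r"(?:^|\s)(?P<kind>START|END|REPORT) RequestId: (?P<request_id>[0-9A-Za-z-]+)"
)
VERSION_RE = re.compile(r"Version: (?P<version>\S+)")
# REPORT metrics: "<Name>: <number> <ms|MB>"; longer names listed first so
# "Billed Duration" is not consumed as a bare "Duration".
METRIC_RE = re.compile(
    r"(?P<name>Billed Duration|Init Duration|Duration|Memory Size|Max Memory Used): "
    r"(?P<value>\d+(?:\.\d+)?) (?P<unit>ms|MB)"
)


def parse_lambda_log(line: str) -> Optional[Dict[str, Any]]:
    """Return decoded fields for one Lambda runtime log line, or None if the
    line is neither a runtime line nor a CloudWatch envelope carrying one."""
    message = line
    envelope: Dict[str, Any] = {}
    if line.lstrip().startswith("{"):
        # CloudWatch Logs envelope: the runtime line is in "message".
        try:
            envelope = json.loads(line)
        except json.JSONDecodeError:
            return None
        message = str(envelope.get("message", ""))
    header = HEADER_RE.search(message)
    if header is None:
        return None
    fields: Dict[str, Any] = {
        "kind": header.group("kind"),
        "request_id": header.group("request_id"),
    }
    version = VERSION_RE.search(message)
    if version:
        fields["version"] = version.group("version")
    for metric in METRIC_RE.finditer(message):
        # e.g. "Max Memory Used" / "MB" -> max_memory_used_mb
        key = metric.group("name").lower().replace(" ", "_") + "_" + metric.group("unit").lower()
        fields[key] = float(metric.group("value"))
    if "timestamp" in envelope:
        fields["cloudwatch_timestamp"] = envelope["timestamp"]
    return fields


if __name__ == "__main__":
    for sample in (RAW_REPORT_WITH_PREFIX, RAW_REPORT, WRAPPED_START):
        print(parse_lambda_log(sample))
```

Lines that match none of the three headers return None, which is the programmatic equivalent of logtest's "No decoder matched"; anything the parser does return is the candidate field list for a `<decoder>` entry.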

hailey...@gmail.com

Jul 17, 2023, 12:54:01 PM
to Wazuh mailing list
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDxxxxxxxxxxxxxxxxx",
        "arn": "arn:aws:iam::2542xxxxxxxxxxxxxxx",
        "accountId": "254xxxxxxxxxxx",
        "accessKeyId": "ASIxxxxxxxxxxxxxxxxx",
        "userName": "riyxxxxxxxxxxxxxxx",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-13T05:11:38Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-13T05:59:03Z",
    "eventSource": "lambda.amazonaws.com",
    "eventName": "DeleteFunction2015xxxx",
    "awsRegion": "eu-north-1",
    "sourceIPAddress": "120.11.102.1",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    "requestParameters": {
        "functionName": "myfunction"
    },
    "responseElements": null,
    "requestID": "ee8e5e7b-3ded-456d-bfc8zzzzzzzzzzz",
    "eventID": "45bece99-d1800-4fe5-0000-5db6ecfiwiwjn5",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "254289409ww88w",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "lambda.eu-north-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}
This is one example of a DeleteFunction event (from CloudTrail).

Luis González Romero

Jul 18, 2023, 6:58:09 AM
to Wazuh mailing list

Hello again!

Here is a possible workaround that can make it work for you. Feel free to modify it as needed. The following sample contains a rule for API calls and a child rule that includes the lambda function reference. Add this to the /var/ossec/etc/rules/local_rules.xml file:

<group name="amazon,aws,">
  <rule id="80210" level="3">
    <decoded_as>json</decoded_as>
    <field name="eventType">AwsApiCall</field>
    <options>no_full_log</options>
    <description>AWS API Call: $(eventSource) - $(eventName).</description>
    <group>aws_api_call,</group>
  </rule>
  <rule id="80211" level="3">
    <if_sid>80210</if_sid>
    <field name="requestParameters.functionName"></field>
    <options>no_full_log</options>
    <description>AWS Lambda Function $(requestParameters.functionName): $(eventSource) - $(eventName).</description>
    <group>aws_api_call,aws_lambda_func,</group>
  </rule>
</group>

Now, an alert will be generated:

root@manager44:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.4
Type one log per line

{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"AIDxxxxxxxxxxxxxxxxx","arn":"arn:aws:iam::2542xxxxxxxxxxxxxxx","accountId":"254xxxxxxxxxxx","accessKeyId":"ASIxxxxxxxxxxxxxxxxx","userName":"riyxxxxxxxxxxxxxxx","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"creationDate":"2023-07-13T05:11:38Z","mfaAuthenticated":"false"}}},"eventTime":"2023-07-13T05:59:03Z","eventSource":"lambda.amazonaws.com","eventName":"DeleteFunction2015xxxx","awsRegion":"eu-north-1","sourceIPAddress":"120.11.102.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","requestParameters":{"functionName":"myfunction"},"responseElements":null,"requestID":"ee8e5e7b-3ded-456d-bfc8zzzzzzzzzzz","eventID":"45bece99-d1800-4fe5-0000-5db6ecfiwiwjn5","readOnly":false,"eventType":"AwsApiCall","managementEvent":true,"recipientAccountId":"254289409ww88w","eventCategory":"Management","tlsDetails":{"tlsVersion":"TLSv1.2","cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"lambda.eu-north-1.amazonaws.com"},"sessionCredentialFromConsole":"true"}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    awsRegion: 'eu-north-1'
    eventCategory: 'Management'
    eventID: '45bece99-d1800-4fe5-0000-5db6ecfiwiwjn5'
    eventName: 'DeleteFunction2015xxxx'
    eventSource: 'lambda.amazonaws.com'
    eventTime: '2023-07-13T05:59:03Z'
    eventType: 'AwsApiCall'
    eventVersion: '1.08'
    managementEvent: 'true'
    readOnly: 'false'
    recipientAccountId: '254289409ww88w'
    requestID: 'ee8e5e7b-3ded-456d-bfc8zzzzzzzzzzz'
    requestParameters.functionName: 'myfunction'
    responseElements: 'null'
    sessionCredentialFromConsole: 'true'
    sourceIPAddress: '120.11.102.1'
    tlsDetails.cipherSuite: 'ECDHE-RSA-AES128-GCM-SHA256'
    tlsDetails.clientProvidedHostHeader: 'lambda.eu-north-1.amazonaws.com'
    tlsDetails.tlsVersion: 'TLSv1.2'
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36'
    userIdentity.accessKeyId: 'ASIxxxxxxxxxxxxxxxxx'
    userIdentity.accountId: '254xxxxxxxxxxx'
    userIdentity.arn: 'arn:aws:iam::2542xxxxxxxxxxxxxxx'
    userIdentity.principalId: 'AIDxxxxxxxxxxxxxxxxx'
    userIdentity.sessionContext.attributes.creationDate: '2023-07-13T05:11:38Z'
    userIdentity.sessionContext.attributes.mfaAuthenticated: 'false'
    userIdentity.type: 'IAMUser'
    userIdentity.userName: 'riyxxxxxxxxxxxxxxx'

**Phase 3: Completed filtering (rules).
    id: '80211'
    level: '3'
    description: 'AWS Lambda Function myfunction: lambda.amazonaws.com - DeleteFunction2015xxxx.'
    groups: '['amazon', 'aws', 'aws_api_call', 'aws_lambda_func']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

Since your event does not have an integration field with the value aws, the rules need to be modified compared to the ones supported by Wazuh.

I hope this helps you. Let me know if you have any further questions or concerns.

Best regards,
Luis
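To make the rule logic in this reply concrete, here is an added simulation of how the two rules in local_rules.xml are evaluated against a CloudTrail event. It is illustrative code of my own, not Wazuh's analysis engine (which is written in C) and not anything from this thread's authors; it reproduces only the behaviour visible in the wazuh-logtest output: the json decoder flattens nested keys with dots, rule 80210 matches on a field value, rule 80211 is tried only after its if_sid parent fires and its empty <field> pattern matches any present value, and $(field) placeholders in <description> are expanded from the decoded fields. Patterns use Python's re module here where Wazuh uses its own OSRegex syntax, and the sample events are constructed (the Lambda one in the shape of the DeleteFunction event above, the EC2 one invented to show the parent rule firing alone). The built-in AWS rules, which additionally require the integration field mentioned above, are not modelled.

```python
"""Simulate the two custom rules (80210 parent, 80211 child) over CloudTrail
events. Added illustration, not Wazuh code; sample events are constructed."""
import json
import re
from typing import Any, Dict, Optional

# Constructed sample in the shape of the DeleteFunction event from the thread
# (long fields dropped, identifiers kept as the redacted values shown there).
LAMBDA_EVENT = {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "userName": "riyxxxxxxxxxxxxxxx",
        "sessionContext": {
            "sessionIssuer": {},
            "attributes": {"mfaAuthenticated": "false"},
        },
    },
    "eventTime": "2023-07-13T05:59:03Z",
    "eventSource": "lambda.amazonaws.com",
    "eventName": "DeleteFunction2015xxxx",
    "requestParameters": {"functionName": "myfunction"},
    "responseElements": None,
    "readOnly": False,
    "eventType": "AwsApiCall",
    "managementEvent": True,
}
# Constructed: an API call that is not a Lambda function operation.
EC2_EVENT = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DescribeInstances",
    "requestParameters": {"maxResults": 50},
    "eventType": "AwsApiCall",
}
LAMBDA_LINE = json.dumps(LAMBDA_EVENT)
EC2_LINE = json.dumps(EC2_EVENT)
SERVICE_EVENT_LINE = json.dumps({"eventType": "AwsServiceEvent", "eventSource": "lambda.amazonaws.com"})
RAW_LINE = "REPORT RequestId: 1c8df7d3-xmpl-46da-9778-518e6eca8125 Duration: 2.75 ms"

# The rules from local_rules.xml, transcribed as (field name, pattern);
# an empty pattern means "field present with any value".
RULES = [
    {"id": 80210, "level": 3, "parent": None,
     "field": ("eventType", "AwsApiCall"),
     "description": "AWS API Call: $(eventSource) - $(eventName)."},
    {"id": 80211, "level": 3, "parent": 80210,
     "field": ("requestParameters.functionName", ""),
     "description": "AWS Lambda Function $(requestParameters.functionName): "
                    "$(eventSource) - $(eventName)."},
]


def flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, str]:
    """Flatten nested JSON into dotted keys, rendering values the way logtest
    shows them: booleans lowercased, null as 'null', empty objects dropped."""
    fields: Dict[str, str] = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            if value:
                fields.update(flatten(value, name))
            continue
        if value is None:
            fields[name] = "null"
        elif isinstance(value, bool):
            fields[name] = "true" if value else "false"
        else:
            fields[name] = str(value)
    return fields


def render(template: str, fields: Dict[str, str]) -> str:
    """Expand $(field) placeholders; a missing field expands to nothing."""
    return re.sub(r"\$\(([\w.]+)\)", lambda m: fields.get(m.group(1), ""), template)


def evaluate(line: str) -> Optional[Dict[str, Any]]:
    """Return the most specific rule that fires for one log line, or None."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # <decoded_as>json</decoded_as> cannot match: no decoder
    if not isinstance(event, dict):
        return None
    fields = flatten(event)
    fired: Dict[int, Dict[str, Any]] = {}
    winner = None
    for rule in RULES:
        if rule["parent"] is not None and rule["parent"] not in fired:
            continue  # if_sid: the parent never fired, so skip the child
        name, pattern = rule["field"]
        value = fields.get(name)
        if value is None or re.search(pattern, value) is None:
            continue
        fired[rule["id"]] = rule
        winner = rule  # a later (child) match overrides its parent
    if winner is None:
        return None
    return {"id": winner["id"], "level": winner["level"],
            "description": render(winner["description"], fields)}


if __name__ == "__main__":
    for line in (LAMBDA_LINE, EC2_LINE, SERVICE_EVENT_LINE, RAW_LINE):
        print(evaluate(line))
```

Feeding the Lambda event through `evaluate` yields rule 80211 with the same description string that logtest printed above; the EC2 event stops at 80210, an AwsServiceEvent matches neither, and a raw runtime line is rejected at the decoder stage, which is the same reason the REPORT lines earlier in the thread produced no alert.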

hailey...@gmail.com

Jul 19, 2023, 2:50:26 PM
to Wazuh mailing list
Hey, thank you so much! Will test this out.

digite amazon

Aug 28, 2023, 7:49:57 AM
to Wazuh | Mailing List
I tried this config on Wazuh. I got the same results in the ruleset test as well. However, the logs do not appear in the Wazuh dashboard events section. I also troubleshot it by enabling logall_json, and the CloudTrail event logs for the Lambda function were present in the archives.json file.

The custom rule is also appearing in the rules section, but there are no logs for it. I tried the config as it is. What could be the possible reason for this?
wazuhlog.png