integrate AWS CloudWatch with Wazuh


kanaka raju

Dec 8, 2022, 9:51:13 AM
to Wazuh mailing list
Hey guys, I'm trying to integrate AWS CloudWatch with Wazuh, but we are not able to view the logs in the dashboard. This is configured on one of the agents, and if I run the command below:

wodles/aws/aws-s3 --service cloudwatchlogs --access_key xxxvvv --secret_key xxxvvv --aws_profile default --regions us-east-1 --aws_log_groups /aws/rds/instance/db/postgresql --debug 1

it says that the logs are generated and events are being sent for analysis, but I'm not able to view them in the Wazuh UI. Can someone please help debug this issue?

kanaka raju

Dec 8, 2022, 12:07:01 PM
to Wazuh mailing list
Hello Wazuh Team,
Any update?

Federico Damian Lo Iacono

Dec 8, 2022, 1:50:27 PM
to Wazuh mailing list
Hi Raju, sorry for the delay! I was doing a little research on this. Did you perhaps follow the Monitoring AWS based services guide? Can you send me a sample of the configurations you changed? Also, in your Wazuh dashboard, is the Amazon AWS module active? You can activate it by clicking on the down-arrow by the Wazuh logo and going to the Settings -> Modules section.

Thanks in advance.

kanaka raju

Dec 9, 2022, 12:31:19 AM
to Wazuh mailing list
Hello,
We have enabled the required AWS modules in the Modules section; please find the screenshot of the same attached.

kanaka raju

Dec 9, 2022, 12:41:48 AM
to Wazuh mailing list
Also, below is the sample configuration used to enable CloudWatch Logs.

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <service type="cloudwatchlogs">
    <access_key>---</access_key>
    <secret_key>---</secret_key>
    <aws_log_groups>/aws/rds/instance/----/postgresql</aws_log_groups>
    <regions>us-east-1</regions>
  </service>
</wodle>

Federico Damian Lo Iacono

Dec 9, 2022, 8:39:49 AM
to Wazuh mailing list
Everything seems to look good, configuration-wise. Can you please provide the output of `cat /var/ossec/logs/ossec.log | grep aws-s3 -m 30`? The logs will tell if anything is not working properly.

Thanks.

kanaka raju

Dec 9, 2022, 8:48:06 AM
to Wazuh mailing list
Hello,
please find the screenshot attached.
It says that it fetched logs successfully.
I think it's about adding custom decoders, which is currently being missed here.

Thanks

Federico Damian Lo Iacono

Dec 9, 2022, 3:01:23 PM
to Wazuh mailing list
Let's check if there's no decoder matching now.

In /var/ossec/etc/ossec.conf, set <logall_json> to yes, like so:

<logall_json>yes</logall_json>

In /etc/filebeat/filebeat.yml, set archives: enabled to true:

archives:
  enabled: true

Restart both filebeat and wazuh-manager:

systemctl restart filebeat
systemctl restart wazuh-manager

Select Management > Stack Management in the Wazuh dashboard.
Choose Index Patterns and select Create index pattern. Use wazuh-archives-* as the index pattern name.
Select timestamp as the primary time field for use with the global time filter, then proceed to create the index pattern.
Open the menu and select Discover under OpenSearch Dashboards. Events should be getting reported there.
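As an added example (not from this thread and not Wazuh's own code): once archives are on, the same information the Discover view shows can be pulled from /var/ossec/logs/archives/archives.json, the file that <logall_json> writes, to answer the question this procedure is really asking. Every decoded event is written to archives, but only events that matched a rule at or above the manager's alert level (default <log_alert_level> is 3) are also written as alerts and indexed into wazuh-alerts-*. The script below reads archives.json lines, keeps the CloudWatch Logs events for one log group, and splits them into "would appear in wazuh-alerts-*" versus "archives only". The sample lines, agent names, and the custom rule 100100 are constructed for the example; the field names data.integration, data.aws.source and data.aws.log_info.log_group follow the aws-s3 wodle's event layout as far as I know it and should be checked against your own archives.json.

```python
import json
from collections import Counter

# Constructed sample of archives.json lines (not taken from the thread).
# Lines 1, 2 and 4 are CloudWatch Logs events from the RDS PostgreSQL log group;
# only line 2 carries a "rule" object, i.e. only line 2 became an alert.
# Line 3 is an unrelated sshd event to show the filter ignoring it.
# Rule 100100 is a hypothetical custom rule, not a stock Wazuh rule.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2022-12-09T15:10:01.000+0000","agent":{"id":"001","name":"aws-collector"},"manager":{"name":"wazuh-manager"},"id":"1670598601.1001","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"cloudwatchlogs","log_info":{"log_group":"/aws/rds/instance/db/postgresql","log_stream":"db.0"},"message":"2022-12-09 15:09:58 UTC::@:[12345]:LOG:  checkpoint starting: time"}},"location":"Wazuh-AWS"}
{"timestamp":"2022-12-09T15:10:02.000+0000","agent":{"id":"001","name":"aws-collector"},"manager":{"name":"wazuh-manager"},"id":"1670598602.1002","rule":{"level":3,"description":"Custom: RDS PostgreSQL authentication failure","id":"100100","groups":["local","aws","rds"]},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"cloudwatchlogs","log_info":{"log_group":"/aws/rds/instance/db/postgresql","log_stream":"db.0"},"message":"2022-12-09 15:09:59 UTC::@:[12345]:FATAL:  password authentication failed for user \"app\""}},"location":"Wazuh-AWS"}
{"timestamp":"2022-12-09T15:10:03.000+0000","agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1670598603.1003","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","groups":["syslog","sshd"]},"decoder":{"name":"sshd"},"full_log":"Dec  9 15:10:03 host sshd[999]: Failed password for root from 203.0.113.5 port 2222 ssh2","location":"/var/log/auth.log"}
{"timestamp":"2022-12-09T15:10:04.000+0000","agent":{"id":"001","name":"aws-collector"},"manager":{"name":"wazuh-manager"},"id":"1670598604.1004","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"cloudwatchlogs","log_info":{"log_group":"/aws/rds/instance/db/postgresql","log_stream":"db.0"},"message":"2022-12-09 15:10:00 UTC::@:[12345]:LOG:  checkpoint complete"}},"location":"Wazuh-AWS"}
'''


def parse_archives(text):
    """Parse one JSON document per line; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def cloudwatch_events(events, log_group=None):
    """Keep events produced by the aws-s3 wodle's cloudwatchlogs service,
    optionally restricted to one log group (field names are assumptions)."""
    selected = []
    for ev in events:
        data = ev.get("data", {})
        aws = data.get("aws", {})
        if data.get("integration") != "aws" or aws.get("source") != "cloudwatchlogs":
            continue
        if log_group and aws.get("log_info", {}).get("log_group") != log_group:
            continue
        selected.append(ev)
    return selected


def triage(events, alert_level=3):
    """Split events into those that reach wazuh-alerts-* (a rule fired at or
    above alert_level) and those that exist only in wazuh-archives-*."""
    alerted, archived_only = [], []
    for ev in events:
        rule = ev.get("rule")
        if rule and rule.get("level", 0) >= alert_level:
            alerted.append(ev)
        else:
            archived_only.append(ev)
    return alerted, archived_only


def summarize(text, log_group=None, alert_level=3):
    """Return counts, the rules that fired, and a few unmatched messages so a
    custom rule/decoder can be written for them."""
    cw = cloudwatch_events(parse_archives(text), log_group)
    alerted, archived_only = triage(cw, alert_level)
    return {
        "cloudwatch_total": len(cw),
        "alerted": len(alerted),
        "archived_only": len(archived_only),
        "rules_fired": Counter(ev["rule"]["id"] for ev in alerted),
        "unmatched_samples": [ev["data"]["aws"]["message"][:80] for ev in archived_only[:5]],
    }


if __name__ == "__main__":
    # Against a live manager: open("/var/ossec/logs/archives/archives.json").read()
    report = summarize(SAMPLE_ARCHIVES, log_group="/aws/rds/instance/db/postgresql")
    print(json.dumps(report, indent=2, default=dict))
```

If cloudwatch_total is non-zero but alerted is zero, the wodle is working and the gap is on the ruleset side: the messages listed under unmatched_samples are the ones that need a custom rule (or a higher-level match) before they show up in wazuh-alerts-* and the AWS module dashboard.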

kanaka raju

Dec 9, 2022, 3:41:15 PM
to Wazuh mailing list
Hello,
I followed the above procedure, but I couldn't see anything regarding CloudWatch or RDS when I try to query; please find the screenshot attached.

Federico Damian Lo Iacono

Dec 9, 2022, 4:08:23 PM
to Wazuh mailing list
Raju, please notice that the index pattern should be wazuh-archives-4.x-*, but your screenshot shows wazuh-alerts-*. Can you please change the index pattern and run the query again?

Thanks!

kanaka raju

Dec 9, 2022, 4:20:38 PM
to Wazuh mailing list
Hey, thanks, now I see data from CloudWatch as well. Also, I just wanted to ask whether this is the only way to view logs from CloudWatch.

But this also helps, thanks a lot :)

kanaka raju

Dec 12, 2022, 4:05:49 AM
to Wazuh mailing list
Hello, I couldn't see any CloudWatch logs coming up for the past 2-3 days. Is there something missing?
The logs of the agent say that it has processed the CloudWatch logs, but there is nothing in the dashboard. Can you please help with what went wrong here?

Federico Damian Lo Iacono

Dec 13, 2022, 8:16:58 AM
to Wazuh mailing list
Hi Raju, sorry I wasn't available yesterday.

Can you please check again, increasing the time span from 24 hours to 72 hours? Also, after doing so, please disable archives in your manager, since it can fill up your hard drive very quickly.

To do so, in /var/ossec/etc/ossec.conf, set <logall_json> to no, like so:

<logall_json>no</logall_json>

In /etc/filebeat/filebeat.yml, set archives: enabled to false:

archives:
  enabled: false

And finally restart filebeat and wazuh-manager:
systemctl restart filebeat
systemctl restart wazuh-manager

riyaansh gangadhari

Mar 11, 2025, 8:53:48 AM
to Wazuh | Mailing List
Hi,
I tried the same configuration, and it is not working.