integrate AWS CloudWatch with Wazuh
1,939 views
Skip to first unread message
kanaka raju
Dec 8, 2022, 9:51:13 AM12/8/22
to Wazuh mailing list
Hey guys, I'm trying to integrate AWS CloudWatch with Wazuh. But, we are not able to view the logs being shown in the dashboard. This is configured at one of the agent and if I run the below command.
wodles/aws/aws-s3 --service cloudwatchlogs --access_key xxxvvv --secret_key xxxvvv --aws_profile default --regions us-east-1 --aws_log_groups /aws/rds/instance/db/postgresql --debug 1
it says that the logs generated and sending events to analysis.... but not able to view these in the Wazuh UI. Can someone please debug this issue
kanaka raju
Dec 8, 2022, 12:07:01 PM12/8/22
to Wazuh mailing list
Hello Wazuh Team,
Any update?
Federico Damian Lo Iacono
Dec 8, 2022, 1:50:27 PM12/8/22
to Wazuh mailing list
Hi Raju, sorry for the delay! I was doing a little research on this. You followed the Monitoring AWS based services guide perhaps? Can you send me a sample of the configurations you changed? Also, in your Wazuh dashboard, is the Amazon AWS module active? You can activate it by clicking on the down-arrow by the Wazuh logo and going to the Settings->Modules section:
Thanks in advance.
kanaka raju
Dec 9, 2022, 12:31:19 AM12/9/22
to Wazuh mailing list
Hello,
We have enabled the required AWS Modules in the modules section, please find the screenshot of the same.
kanaka raju
Dec 9, 2022, 12:41:48 AM12/9/22
to Wazuh mailing list
Also, below is the sample configuration file to enable cloud watch logs.
<wodle name="aws-s3">
<disabled>no</disabled>
<interval>5m</interval>
<run_on_start>yes</run_on_start>
<service type="cloudwatchlogs">
<access_key>---</access_key>
<secret_key>---</secret_key>
<aws_log_groups>/aws/rds/instance/----/postgresql</aws_log_groups>
<regions>us-east-1</regions>
</service>
</wodle>
Federico Damian Lo Iacono
Dec 9, 2022, 8:39:49 AM12/9/22
to Wazuh mailing list
Everything seems to look good, configuration wise. Can you please provide the output of `cat /var/ossec/logs/ossec.log | grep aws-s3 -m 30` please? The logs will tell if anything is not working properly.
Thanks.
kanaka raju
Dec 9, 2022, 8:48:06 AM12/9/22
to Wazuh mailing list
Hello,
please find the screenshot below.
It says that it fetched logs succeesfully.
I think its about adding custom decoders which is currently being missed here.
Thanks
Federico Damian Lo Iacono
Dec 9, 2022, 3:01:23 PM12/9/22
to Wazuh mailing list
Let's check if there's no decoder matching now.
In /var/ossec/etc/ossec.conf, set <logall_json> to yes, like so: <logall_json>yes</logall_json>
in /etc/filebeat/filebeat.yml, set archives: enabled to true.
archives:
archives:
enabled: true
Restart both filebeat and wazuh-manager:
systemctl restart filebeat
systemctl restart wazuh-manager
Select ☰ > Management > Stack Management in the Wazuh dashboard.
Choose Index Patterns and select Create index pattern. Use wazuh-archives-* as the index pattern name.
Select timestamp as the primary time field for use with the global time filter, then proceed to create the index pattern.
Open the menu and select Discover under OpenSearch Dashboards. Events should be getting reported there.
(Extracted from Enable archives monitoring in the Wazuh indexer).
kanaka raju
Dec 9, 2022, 3:41:15 PM12/9/22
to Wazuh mailing list
Hello,
followed the above procedures, but I couldn't see anything regarding Cloudwatch or RDS when I try to query, please find the screenshot below.
followed the above procedures, but I couldn't see anything regarding Cloudwatch or RDS when I try to query, please find the screenshot below.
Federico Damian Lo Iacono
Dec 9, 2022, 4:08:23 PM12/9/22
to Wazuh mailing list
Raju, please notice that the index pattern should be wazuh-archives-4.x-*, but your screenshot shows wazuh-alerts-*. Can you please change the index pattern and run the query again?
Thanks!
kanaka raju
Dec 9, 2022, 4:20:38 PM12/9/22
to Wazuh mailing list
Hey, Thanks, now I see data from cloudwatch as well. Also, just wanted to ask weather is this the only way to view logs from cloudwatch.
But this also helps, thanks a lot :)
But this also helps, thanks a lot :)
kanaka raju
Dec 12, 2022, 4:05:49 AM12/12/22
to Wazuh mailing list
Hello, I couldn't see any cloudwatch logs as such coming up for the past 2-3 days. Is there something which is missing.
The logs of the agent says that it has processed the cloudwatch logs, but nothing in the dashboard. Can you please help in what went wrong here??
The logs of the agent says that it has processed the cloudwatch logs, but nothing in the dashboard. Can you please help in what went wrong here??
Federico Damian Lo Iacono
Dec 13, 2022, 8:16:58 AM12/13/22
to Wazuh mailing list
Hi Raju, sorry I wasn't available yesterday.
Can you please check again, increasing the time span from 24 hours to 72 hours? Also, after doing so, please disable archives in your manager, since it can fill up your hard drive very quickly.
To do so, in /var/ossec/etc/ossec.conf, set <logall_json> to no, like so: <logall_json>no</logall_json>
To do so, in /var/ossec/etc/ossec.conf, set <logall_json> to no, like so: <logall_json>no</logall_json>
In /etc/filebeat/filebeat.yml, set archives: enabled to false.
archives:
archives:
enabled: false
And finally restart filebeat and wazuh-manager:
systemctl restart filebeat
systemctl restart wazuh-manager
riyaansh gangadhari
Mar 11, 2025, 8:53:48 AM3/11/25
to Wazuh | Mailing List
Hi
same configuration, I tried not working.
same configuration, I tried not working.
Reply all
Reply to author
Forward
0 new messages