AWS logs not getting in Wazuh


AMIT JOHN T ALAPATT Tony John Alapatt

Aug 18, 2023, 2:56:30 AM
to Wazuh mailing list
I am not getting AWS logs in Wazuh that is installed in AWS Cloud.

<wodle name="">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>no</skip_on_error>
    <bucket type="">
        <name></name>
        <access_key></access_key>
        <secret_key></secret_key>
        <only_logs_after>2023-AUG-01</only_logs_after>
        <regions>ap-south-1</regions>
        <aws_account_id></aws_account_id>
        <aws_account_alias></aws_account_alias>
        <remove_from_bucket>no</remove_from_bucket>
    </bucket>
  </wodle>

I have given these details. What else do I need to do?

Olusegun Adenrele Oyebo

Aug 18, 2023, 11:33:01 AM
to Wazuh mailing list
Hello John,

Thank you for using Wazuh.

For you to be able to make use of Wazuh's AWS module, please confirm that you went through and configured the prerequisites as detailed on the documentation Prerequisites

The first thing you will need to do is configure an S3 Bucket as detailed in the link Configuring an S3 Bucket
  • You will need to go to Services > Storage > S3
  • Click on Create bucket
  • Create a new bucket, give it a name, then click on the Create button
Then you will need to configure AWS credentials: Configuring AWS credentials. This is needed by the Wazuh AWS module to be able to pull log data from the different services. The .aws/credentials file must be placed at the correct location. You will need to create the credentials file using root. The root user is the one that runs wazuh-modulesd. Thus, the correct location will be /root/.aws/credentials, the home directory of the root user. There are multiple ways to configure the AWS credentials.
After configuring credentials, you will need to install dependencies installing dependencies.
  • Note that the Wazuh manager includes all dependencies installed; the steps for installing dependencies are only necessary when configuring the integration in a Wazuh agent.
  • The AWS module makes use of python3. It is compatible with Python 3.7 and above
  • For AWS pip dependencies, Boto3 is the official package supported by Amazon to manage AWS resources. It is used to download the log messages from the different AWS services supported by Wazuh. The module is compatible with boto3 from 1.13.1 to 1.17.85. Future boto3 releases should maintain compatibility although it cannot be guaranteed.
Next is to go through the considerations for configuration Considerations for configuration and Supported services.

I'll also be dropping a link that could assist in troubleshooting issues for your perusal Troubleshooting.

We hope this was helpful. Do not hesitate to get across in case you are still having the issue or any other challenge after confirming the above.

Best Regards

AMIT JOHN T ALAPATT Tony John Alapatt

Aug 22, 2023, 2:01:05 AM
to Wazuh mailing list
[attachment: Screenshot 2023-08-22 112122.png]

I haven't installed dependencies; still, I am getting confirmation logs in the logs section, but I am not getting logs in the Wazuh Dashboard.

AMIT JOHN T ALAPATT Tony John Alapatt

Aug 24, 2023, 12:39:57 AM
to Wazuh | Mailing List
Hello, any updates about this issue?

Olusegun Adenrele Oyebo

Aug 24, 2023, 8:17:18 AM
to AMIT JOHN T ALAPATT Tony John Alapatt, Wazuh | Mailing List
Hello John,

Sorry for the late response and thanks for the information attached.

The Wazuh manager includes all dependencies installed, the steps for the installation of dependencies are only necessary when configuring the integration in a Wazuh agent as explained in this documentation.

Since it is confirmed from the screenshot shared that the logs are fetched, kindly enable debug mode on the Wazuh server for further troubleshooting. Add the following line to the /var/ossec/etc/local_internal_options.conf file, specifying the below debug level:
wazuh_modules.debug=2

Restart the wazuh manager: systemctl restart wazuh-manager. Allow it to run for a few minutes before disabling the debug mode. 

I will also recommend that you check whether the logs are processed regardless of whether alerts are being generated or regardless of the buckets or services configured. This is achieved by using the logall_json parameter. Go to the file /var/ossec/etc/ossec.conf on the Wazuh server and change <logall_json>no</logall_json> to yes. Restart the wazuh-manager service after making the changes. When this is enabled, Wazuh stores into the /var/ossec/logs/archives/archives.log file every event sent to the analysis engine, whether they tripped a rule or not. When you check this file, you will be able to determine if AWS events are being sent to the analysis engine. Don't forget to disable logall_json after some time and restart the services accordingly after disabling it.

Also keep in mind that for events to be generated and shown on the Wazuh dashboard, the wazuh analysis engine evaluates these events and compares them with the different rules available. If the event matches any of the rules an alert will be generated, which is what ultimately is shown in the Wazuh UI. You can also go through the links below for further information:
I hope this was helpful. Do not hesitate to contact us further in case you have any other query.

Best Regards.
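The archives check suggested above, as an added example that is not part of the thread or of Wazuh itself: with logall_json enabled, the manager writes every event it analyses to /var/ossec/logs/archives/archives.json, one JSON object per line. The script counts AWS events in that file and how many of them matched a rule, which separates "the wodle never delivered events" from "events arrived but no rule fired". It assumes the aws-s3 wodle tags its events with location "Wazuh-AWS", and the sample lines and RULE_ID_PLACEHOLDER are constructed.

```shell
#!/bin/sh
# Added example: inspect a Wazuh archives.json for AWS events.
# Assumption: events from the aws-s3 wodle carry "location":"Wazuh-AWS".

ARCHIVES="${ARCHIVES:-/var/ossec/logs/archives/archives.json}"

# count_aws_events FILE
# Prints "<aws_events> <aws_events_with_rule>". An entry without a
# "rule" object reached the analysis engine but matched no rule.
count_aws_events() {
    f="$1"
    total=$(grep -c '"location":"Wazuh-AWS"' "$f" || true)
    with_rule=$(grep '"location":"Wazuh-AWS"' "$f" | grep -c '"rule":' || true)
    echo "$total $with_rule"
}

# explain FILE: turns the counts into the three outcomes a troubleshooter
# cares about; prints one of: none, unmatched, alerting.
explain() {
    set -- $(count_aws_events "$1")
    if [ "$1" -eq 0 ]; then
        echo none        # nothing from the wodle reached the engine
    elif [ "$2" -eq 0 ]; then
        echo unmatched   # events arrive but no AWS rule fires
    else
        echo alerting    # at least one event produced an alert
    fi
}

# write_sample FILE: constructed sample (not real data) with two AWS
# events, one of which tripped a rule, and one unrelated sshd event.
write_sample() {
    cat > "$1" <<'EOF'
{"timestamp":"2023-08-22T11:21:22.000+0000","agent":{"id":"000","name":"wazuh-manager"},"id":"1","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"cloudtrail","eventName":"ConsoleLogin"}},"location":"Wazuh-AWS"}
{"timestamp":"2023-08-22T11:21:23.000+0000","agent":{"id":"000","name":"wazuh-manager"},"rule":{"level":3,"id":"RULE_ID_PLACEHOLDER","description":"AWS CloudTrail event"},"id":"2","decoder":{"name":"json"},"data":{"integration":"aws"},"location":"Wazuh-AWS"}
{"timestamp":"2023-08-22T11:21:24.000+0000","agent":{"id":"000","name":"wazuh-manager"},"id":"3","full_log":"Aug 22 11:21:24 host sshd[1]: Accepted publickey","decoder":{"name":"sshd"},"location":"/var/log/auth.log"}
EOF
}

# When run directly on a manager, report on the real archive if present.
if [ "${1:-}" = "--run" ] && [ -r "$ARCHIVES" ]; then
    echo "AWS events / with rule: $(count_aws_events "$ARCHIVES")"
    echo "status: $(explain "$ARCHIVES")"
fi
```

Run it as `sh check_aws_archives.sh --run` on the manager while logall_json is enabled; a result of "none" points back at the wodle or credentials, "unmatched" at the rules or bucket type.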
