Wazuh 4.7.4 and AWS Cloud Watch Error


HA

Jun 3, 2024, 9:18:21 AM
to Wazuh | Mailing List
Hello,

I'm trying to ingest an AWS CloudWatch log group (coming from AWS WAF).
Credentials are OK.
But I receive the following error message:
DEBUG: Getting log streams for "aws-waf-logs-all" log group
DEBUG: Found "eu-central-1_WAF-ELB-VPC-F-SAAS_0" log stream in aws-waf-logs-all
DEBUG: Getting data from DB for log stream "eu-central-1_WAF-ELB-VPC-F-SAAS_0" in log group "aws-waf-logs-all"
DEBUG: Token: "f/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/s", start_time: "1717372800000", end_time: "1717419792997"
DEBUG: Getting CloudWatch logs from log stream "eu-central-1_WAF-ELB-VPC-F-SAAS_0" in log group "aws-waf-logs-all" using token "f/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/s", start_time "1717419792998" and end_time "None"
DEBUG: +++ Sending events to Analysisd...
DEBUG: +++ Sending events to Analysisd...
DEBUG: The message is "{"timestamp":1717420262026,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-central-1:046969406367:regional/webacl/WAF-ELB-VPC-F-SAAS/c3402fbd-e7b3-466e-9d75-7e055310862a","terminatingRuleId":"AWS-AWSManagedRulesKnownBadInputsRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"REGEX","location":"URI","matchedData":null,"matchedFieldName":""}],"httpSourceName":"ALB","httpSourceId":"046969406367-app/C1-1A-ELB-VPC-F-SAAS/9054337dd39eb66d","ruleGroupList":[{"ruleGroupId":"arn:aws:wafv2:eu-central-1:046969406367:regional/rulegroup/RG-ALLOW-Specific-URLs/652b0e8e-e6d2-420a-9982-b29ce1e07fc1","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null,"customerConfig":null},{"ruleGroupId":"AWS#AWSManagedRulesAdminProtectionRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null,"customerConfig":null},{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null,"customerConfig":null},{"ruleGroupId":"AWS#AWSManagedRulesKnownBadInputsRuleSet","terminatingRule":{"ruleId":"ExploitablePaths_URIPATH","action":"BLOCK","ruleMatchDetails":null},"nonTerminatingMatchingRules":[],"excludedRules":null,"customerConfig":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"135.125.244.48","country":"FR","headers":[{"name":"Host","value":"3.65.140.46"},{"name":"Connection","value":"keep-alive"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept","value":"*/*"},{"name":"User-agent","value":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"}],"uri":"/.env","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"1-665dc0e6-665b672152f8828b2e3688f5"},"labels":[{"name":"awswaf:managed:aws:known-bad-inputs:ExploitablePaths_URIPath"}]}"
DEBUG: +++ Sent 1 events to Analysisd
DEBUG: Getting CloudWatch logs from log stream "eu-central-1_WAF-ELB-VPC-F-SAAS_0" in log group "aws-waf-logs-all" using token "f/38299751662235524187997566273115640233204935048759803904/s", start_time "1717419792998" and end_time "None"
DEBUG: +++ Sending events to Analysisd...
DEBUG: +++ There are no new events in the "aws-waf-logs-all" group
DEBUG: Saving data for log group "aws-waf-logs-all" and log stream "eu-central-1_WAF-ELB-VPC-F-SAAS_0".
DEBUG: The saved values are "{'token': 'f/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/s', 'start_time': 1717372800000, 'end_time': 1717420262026}"
DEBUG: Some data already exists on DB for that key. Updating their values...
DEBUG: Purging the BD
DEBUG: Getting log streams for "aws-waf-logs-all" log group
DEBUG: Found "eu-central-1_WAF-ELB-VPC-F-SAAS_0" log stream in aws-waf-logs-all
DEBUG: Data for the following log streams will be removed from cloudwatch_logs: "{'log_stream_created_by_aws_to_validate_log_delivery_subscriptions', 'waf'}"
DEBUG: committing changes and closing the DB
DEBUG: +++ Error: 'table_name'
Unknown error: 'table_name'
Traceback (most recent call last):
  File "/var/ossec/wodles/aws/aws-s3.py", line 4246, in <module>
    main(sys.argv[1:])
  File "/var/ossec/wodles/aws/aws-s3.py", line 4199, in main
    service.get_alerts()
  File "/var/ossec/wodles/aws/aws-s3.py", line 3043, in get_alerts
    self.purge_db(log_group=log_group)
  File "/var/ossec/wodles/aws/aws-s3.py", line 3356, in purge_db
    self.db_cursor.execute(self.sql_cloudwatch_purge.format(tablename=self.db_table_name), {
KeyError: 'table_name'

Any idea?

Regards,

HA
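The traceback in the post above ends in `self.sql_cloudwatch_purge.format(tablename=self.db_table_name)` raising `KeyError: 'table_name'`. That is the exception `str.format` raises when the template contains a replacement field (here `{table_name}`) that no keyword argument supplies; `tablename` and `table_name` are different names. The debug lines also show DescribeLogStreams and GetLogEvents succeeding and one event sent to Analysisd before the purge step fails, so the error is raised inside the wodle's own string formatting, not by AWS rejecting a call. The following is an added example, not code from the original post or from Wazuh's aws-s3.py: it rebuilds the purge step on an in-memory sqlite3 table named cloudwatch_logs (the table name from the debug output) with an assumed column layout, reproduces the KeyError with the mismatched keyword, and then runs the purge with the field name and keyword agreeing. The two stream names it removes are the two the post's "will be removed from cloudwatch_logs" line lists.

```python
"""Reproduce the purge_db KeyError from the traceback above, then the working purge.

Constructed example, not Wazuh's aws-s3.py: the table name 'cloudwatch_logs'
and the saved token/start_time/end_time values come from the post's debug
output; the column names below are an assumption made for illustration.
"""
import sqlite3

TABLE_NAME = "cloudwatch_logs"  # trusted constant owned by the code, never user data

# Assumed schema: one row per (log group, log stream) holding the saved read position.
SQL_CREATE = """
CREATE TABLE {table_name} (
    aws_log_group  TEXT    NOT NULL,
    aws_log_stream TEXT    NOT NULL,
    next_token     TEXT,
    start_time     INTEGER,
    end_time       INTEGER,
    PRIMARY KEY (aws_log_group, aws_log_stream)
)"""

SQL_SELECT_STREAMS = """
SELECT aws_log_stream FROM {table_name} WHERE aws_log_group = :log_group"""

# The template names the field {table_name}; str.format raises KeyError('table_name')
# when the caller supplies a differently spelled keyword such as tablename=...
SQL_PURGE = """
DELETE FROM {table_name}
 WHERE aws_log_group = :log_group AND aws_log_stream = :log_stream"""


def open_db(rows):
    """In-memory DB seeded with saved stream positions (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SQL_CREATE.format(table_name=TABLE_NAME))
    conn.executemany(
        "INSERT INTO {table_name} VALUES (?, ?, ?, ?, ?)".format(table_name=TABLE_NAME),
        rows,
    )
    conn.commit()
    return conn


def saved_streams(conn, log_group):
    """Streams the DB remembers for a log group, sorted."""
    cur = conn.execute(SQL_SELECT_STREAMS.format(table_name=TABLE_NAME),
                       {"log_group": log_group})
    return sorted(row[0] for row in cur)


def purge_db(conn, log_group, live_streams, keyword="table_name"):
    """Delete rows for streams that DescribeLogStreams no longer returns.

    `keyword` is the name handed to str.format; the traceback shows 'tablename',
    which does not match the {table_name} field and so raises KeyError before
    any SQL runs. Only the constant table name is formatted in; row values are
    bound parameters, so stream names from AWS never reach the SQL text.
    """
    stale = sorted(set(saved_streams(conn, log_group)) - set(live_streams))
    for stream in stale:
        sql = SQL_PURGE.format(**{keyword: TABLE_NAME})
        conn.execute(sql, {"log_group": log_group, "log_stream": stream})
    conn.commit()
    return stale


# Constructed rows modelled on the stream names in the post's debug output.
SEED_ROWS = [
    ("aws-waf-logs-all", "eu-central-1_WAF-ELB-VPC-F-SAAS_0",
     "f/xxx/s", 1717372800000, 1717420262026),
    ("aws-waf-logs-all", "waf", None, 1717372800000, 1717372800000),
    ("aws-waf-logs-all",
     "log_stream_created_by_aws_to_validate_log_delivery_subscriptions",
     None, 1717372800000, 1717372800000),
]
LIVE_STREAMS = ["eu-central-1_WAF-ELB-VPC-F-SAAS_0"]  # as listed by DescribeLogStreams


def demo():
    """Returns (error text from the buggy call, streams removed, streams left)."""
    conn = open_db(SEED_ROWS)
    try:
        purge_db(conn, "aws-waf-logs-all", LIVE_STREAMS, keyword="tablename")
        error = None
    except KeyError as exc:
        error = str(exc)  # "'table_name'", the text in the post's traceback
    removed = purge_db(conn, "aws-waf-logs-all", LIVE_STREAMS)
    return error, removed, saved_streams(conn, "aws-waf-logs-all")


if __name__ == "__main__":
    print(demo())
```

Two things worth noting from the run. The KeyError is raised by `str.format` before `execute` is reached, which is why the post's DB is left with the stale rows still in it and the "committing changes and closing the DB" line precedes the error. And the purge only formats in a constant the module itself owns; anything that came back from AWS (log group, stream names, tokens) goes through bound parameters, which is the pattern to keep when touching code in this area.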

Abdullah Al Noman

Jun 3, 2024, 4:27:16 PM
to Wazuh | Mailing List
Hello Hadi,

I am working on your query. Let me get back to you with the exact information.

Thanks, and regards,

Abdullah Al Noman

Jun 5, 2024, 3:15:16 AM
to Wazuh | Mailing List
Kindly verify that you have performed the integration correctly, including the policy creation process. Refer to the Wazuh guide for Amazon CloudWatch Logs.
Regards,