I am reading Wazuh's docs regarding this subject, but I can't find anything related. Are CloudFront's logs stored in an AWS S3 bucket supported by Wazuh?
An example:
2019-12-13 22:37:02 SEA19-C2 900 192.0.2.200 GET d111111abcdef8.cloudfront.net / 502 - curl/7.55.1 - - Error kBkDzGnceVtWHqSCqBUqtA_cEs2T3tFUBbnBNkB9El_uVRhHgcZfcw== www.example.com http 387 0.103 - - - Error HTTP/1.1 - - 12644 0.103 OriginDnsError text/html 507 - -
Many thanks.
________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Nicolas Guini <nicola...@wazuh.com>
Sent: 30 March 2021 15:45
To: Wazuh mailing list
Subject: Re: Integrate CloudFront logs stored in AWS s3 bucket
Hi Carlos!
Yes! You should be able to handle AWS Services with Wazuh, as described on this page: https://documentation.wazuh.com/current/amazon/services/index.html.
Among many services supported by Wazuh, you can see the Macie integration as an example. It has a bucket type called "custom" to parse their logs.
Check this page as an example: https://documentation.wazuh.com/current/amazon/services/supported-services/macie.html
AWS S3 bucket support: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-s3.html#type
If even that doesn't work, you can also try custom decoders; they are described here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html?highlight=decoder
Let me know if further help is needed.
Bests,
Nicolas
On Tuesday, March 30, 2021 at 8:19:20 AM UTC-3 Carlos Lopez wrote:
Hi all,
I am reading Wazuh's docs regarding this subject, but I can't find anything related. Are CloudFront's logs stored in an AWS S3 bucket supported by Wazuh?
An example:
2019-12-13 22:37:02 SEA19-C2 900 192.0.2.200 GET d111111abcdef8.cloudfront.net / 502 - curl/7.55.1 - - Error kBkDzGnceVtWHqSCqBUqtA_cEs2T3tFUBbnBNkB9El_uVRhHgcZfcw== www.example.com http 387 0.103 - - - Error HTTP/1.1 - - 12644 0.103 OriginDnsError text/html 507 - -
Many thanks.
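One way to turn lines like the sample in the question into JSON events that a JSON decoder can consume, as an added example that is not part of the thread and not Wazuh's own code: a parser for the CloudFront standard log format. The field list is the one AWS documents for standard logs; the function names and the constructed `#Version` header line are assumptions made for illustration.

```python
import json
from urllib.parse import unquote

# Field order of the CloudFront standard log format as documented by AWS;
# real files repeat it in a "#Fields:" header line, which overrides this list.
DEFAULT_FIELDS = (
    "date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
    "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
    "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes "
    "time-taken x-forwarded-for ssl-protocol ssl-cipher "
    "x-edge-response-result-type cs-protocol-version fle-status "
    "fle-encrypted-fields c-port time-to-first-byte "
    "x-edge-detailed-result-type sc-content-type sc-content-len "
    "sc-range-start sc-range-end"
).split()
INT_FIELDS = {"sc-bytes", "sc-status", "cs-bytes", "c-port", "sc-content-len"}

def parse_cloudfront(lines):
    """Yield one dict per request line (hypothetical helper, not a Wazuh API)."""
    fields = DEFAULT_FIELDS
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            continue
        values = line.split()  # tabs in real files, spaces in the pasted sample
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        event = {}
        for name, value in zip(fields, values):
            if value == "-":  # CloudFront writes "-" for an empty field
                continue
            event[name] = int(value) if name in INT_FIELDS else unquote(value)
        yield event

def to_json_lines(lines):
    """Serialize each parsed request as one JSON object per line."""
    return [json.dumps(e, sort_keys=True) for e in parse_cloudfront(lines)]

# The sample line from the question, preceded by a constructed header line.
SAMPLE = [
    "#Version: 1.0",
    "2019-12-13 22:37:02 SEA19-C2 900 192.0.2.200 GET d111111abcdef8.cloudfront.net / 502 - "
    "curl/7.55.1 - - Error kBkDzGnceVtWHqSCqBUqtA_cEs2T3tFUBbnBNkB9El_uVRhHgcZfcw== "
    "www.example.com http 387 0.103 - - - Error HTTP/1.1 - - 12644 0.103 "
    "OriginDnsError text/html 507 - -",
]
if __name__ == "__main__":
    print("\n".join(to_json_lines(SAMPLE)))
```

Fields holding `-` are dropped, so rules can match on keys such as `sc-status` and `x-edge-detailed-result-type` without first filtering out placeholder values.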