AWS EVENT MONITORING, “Down the Rabbit Hole…”

Monitoring AWS events can be quite a rabbit hole and will consume many hours, brain cells, and glasses of bourbon. However, there are many methods, applications, processes, and small white rabbits to follow.

During a recent dinner with one of my contemporaries, I was introduced to Wazuh, pronounced Wazoo. And in a prior post, AWS EVENT MONITORING, “IN THE BEGINNING…”, I began installing Wazuh on a local server.

In today’s missive, we shall continue with the process of setting up the AWS integration module. This assumes that CloudTrail has been enabled and is delivering its logs to an adequately configured S3 bucket.

We begin by logging into the Wazuh dashboard, https://<IP_ADDRESS_OF_SERVER>, using the credentials created previously. (One did save those in a password manager, right?)

In the Wazuh dashboard, we will select the Wazuh management panel, then Settings.

We will toggle the Amazon AWS module to on in the dashboard.

Returning to the Wazuh Home screen, we note that Amazon AWS is present under the Security Information Management section.

The manager ships with a set of JSON decoders and default AWS rules, located at /var/ossec/ruleset/decoders/0006-json_decoders.xml and /var/ossec/ruleset/rules/0350-amazon_rules.xml; toggling the module on exposes the dashboard views for the events those rules match. We will return to these shortly, but first we must enable a data stream to analyze: our CloudTrail logs, stored in the S3 bucket configured earlier.

A side note on accessing the CloudTrail logs in S3: in this specific case the Wazuh server is a machine outside AWS, so it authenticates with a named profile from the AWS CLI v2 credentials file, and our configuration will reflect this. Because the aws-s3 module runs as root, the profile must exist in root's credentials file (/root/.aws/credentials), not only in the login user's, and the IAM user behind it needs list and read access to the bucket. The configuration would be different if one ran the Wazuh server on an AWS EC2 instance with an appropriate IAM role attached, in which case no stored access keys are needed.

We will add the aws-s3 wodle to the ossec.conf file. This assumes that one has logged into the console of the Wazuh server and become the superuser.

First of all, let us make a backup of the ossec.conf file.

cd /var/ossec/etc
cp ossec.conf  <DATE-TIME>-ossec.conf

We will edit the ossec.conf file; this requires the S3 bucket name and the AWS CLI profile name. Open the ossec.conf file and insert the wodle stanza as shown, inside <ossec_config>, directly after the closing </rootcheck> tag.

nano ossec.conf
------------- INSERT CODE UNDER THE CLOSE OF THE ROOTCHECK STANZA ---

  </rootcheck>

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>wazuh-trail-blprod-bucket</name>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

In the stanza, <disabled>no</disabled> enables the wodle; <interval>5m</interval> sets how often new objects are pulled from the S3 bucket; <run_on_start>yes</run_on_start> runs a fetch as soon as the manager starts rather than waiting for the first interval; <skip_on_error>yes</skip_on_error> lets the module skip a log file it cannot parse and continue rather than stop; <name> holds the name of the S3 bucket receiving our CloudTrail logs; and <aws_profile> names the AWS CLI profile used for authentication. One caveat: with no <only_logs_after> element, the first run walks the bucket from its earliest objects, which on a long-lived trail can take some time; adding <only_logs_after> with a recent date (format YYYY-MMM-DD, for example 2022-NOV-01) bounds that initial fetch.

It is suggested that one open a second terminal session as the superuser on the Wazuh server and tail the ossec.log file. This allows debugging, if required, as the wazuh-manager processes are restarted.

sudo bash
cd /var/ossec/logs
tail -f ./ossec.log

We will restart the wazuh manager processes to read our new configuration and begin fetching logs from the S3 bucket.

systemctl restart wazuh-manager

Results of a successful restart of the wazuh-manager

2022/11/30 10:43:38 wazuh-db: INFO: Started (pid: 273447).
2022/11/30 10:43:39 wazuh-execd: INFO: Started (pid: 273470).
2022/11/30 10:43:40 wazuh-maild: INFO: Started (pid: 273490).
2022/11/30 10:43:40 wazuh-maild: INFO: Getting alerts in log format.
2022/11/30 10:43:41 wazuh-analysisd: INFO: Total rules enabled: '6351'
2022/11/30 10:43:41 wazuh-analysisd: INFO: Started (pid: 273497).
2022/11/30 10:43:41 rootcheck: INFO: Rootcheck disabled.
2022/11/30 10:43:41 wazuh-syscheckd: INFO: Started (pid: 273510).
----  MANY LINES REMOVED FOR BREVITY -----
2022/11/30 10:43:45 sca: INFO: Security Configuration Assessment scan finished. Duration: 0 seconds.
2022/11/30 10:43:45 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/11/30 10:43:47 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
2022/11/30 10:43:47 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
----- NOTE SUCCESSFUL FETCHING OF LOGS ON THE SCHEDULED INTERVAL -----
2022/11/30 10:48:45 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2022/11/30 10:48:45 wazuh-modulesd:aws-s3: INFO: Executing Bucket Analysis: (Bucket: wazuh-trail-blprod-bucket, Type: cloudtrail, Profile: default)
2022/11/30 10:48:47 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
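The same procedure (backup, insert the stanza after </rootcheck>, confirm the root credentials profile, and read ossec.log for the module's result) scripted as shell functions. This is an added example and not code from the post or from the Wazuh project; the file paths are parameters so it can run against a constructed sample, and the real targets are /var/ossec/etc/ossec.conf, /root/.aws/credentials and /var/ossec/logs/ossec.log. The demonstration at the bottom uses a constructed minimal ossec.conf and the two aws-s3 log lines shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the Wazuh project.
# Assumption: file paths are passed in so this runs on a sample offline.
set -u

# Insert the aws-s3 wodle directly after the closing </rootcheck> tag.
# $1 = path to ossec.conf, $2 = S3 bucket name, $3 = AWS CLI profile name
insert_aws_wodle() {
  local conf="$1" bucket="$2" profile="$3"
  # Refuse to add a second copy; a duplicate wodle is a common mistake.
  if grep -q '<wodle name="aws-s3">' "$conf"; then
    echo "aws-s3 wodle already present in $conf" >&2
    return 1
  fi
  # Timestamped backup beside the file, as in the post.
  cp "$conf" "$(dirname "$conf")/$(date +%Y%m%d-%H%M%S)-$(basename "$conf")"
  awk -v b="$bucket" -v p="$profile" '
    { print }
    /<\/rootcheck>/ && !done {
      print ""
      print "  <wodle name=\"aws-s3\">"
      print "    <disabled>no</disabled>"
      print "    <interval>5m</interval>"
      print "    <run_on_start>yes</run_on_start>"
      print "    <skip_on_error>yes</skip_on_error>"
      print "    <bucket type=\"cloudtrail\">"
      print "      <name>" b "</name>"
      print "      <aws_profile>" p "</aws_profile>"
      print "    </bucket>"
      print "  </wodle>"
      done = 1
    }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# The module runs as root, so the profile must be in root's credentials
# file. $1 = credentials file, $2 = profile name. Returns 0 if present.
profile_present() {
  grep -q "^\[$2\]" "$1"
}

# Read ossec.log for the aws-s3 module: 0 when a fetch cycle finished and
# the module logged no WARNING/ERROR lines, 1 otherwise. $1 = log file
aws_fetch_ok() {
  local log="$1"
  if grep 'wazuh-modulesd:aws-s3' "$log" | grep -Eq '(WARNING|ERROR)'; then
    grep 'wazuh-modulesd:aws-s3' "$log" | grep -E '(WARNING|ERROR)' >&2
    return 1
  fi
  grep -q 'wazuh-modulesd:aws-s3: INFO: Fetching logs finished' "$log"
}

# Stand-alone demonstration on constructed files (not a real server).
demo_dir="$(mktemp -d)"
cat > "$demo_dir/ossec.conf" <<'EOF'
<ossec_config>
  <rootcheck>
    <disabled>no</disabled>
  </rootcheck>
</ossec_config>
EOF
printf '[default]\naws_access_key_id = <REDACTED>\naws_secret_access_key = <REDACTED>\n' \
  > "$demo_dir/credentials"
printf '%s\n' \
  '2022/11/30 10:48:45 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.' \
  '2022/11/30 10:48:47 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.' \
  > "$demo_dir/ossec.log"

insert_aws_wodle "$demo_dir/ossec.conf" wazuh-trail-blprod-bucket default
profile_present "$demo_dir/credentials" default && echo "profile default found"
aws_fetch_ok "$demo_dir/ossec.log" && echo "aws-s3 fetch cycle completed"
cat "$demo_dir/ossec.conf"
```

On a real server, run the three functions against the live paths as root and restart wazuh-manager between the insert and the log check; aws_fetch_ok is the scripted equivalent of watching the tail for "Fetching logs finished" without a module warning or error preceding it.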

After a brief period, we can access the Wazuh AWS events dashboard and note that data is being retrieved, logged, and analyzed. The rules for this analysis will be discussed in an upcoming post.