Monitoring AWS CloudWatch Logs Using Wazuh
Objective
This guide explains how to monitor AWS CloudWatch Logs from systems, applications, and AWS services in a single place using Wazuh.
By integrating CloudWatch Logs with Wazuh, you can centralize log analysis, generate alerts, and streamline troubleshooting processes.
Key Concepts of AWS CloudWatch Logs
To understand how CloudWatch Logs work, it's important to know the following:
- Log Events: individual log records generated by the application or resource being monitored. Each log event contains:
  - A timestamp indicating when the event occurred.
  - The raw log message.
- Log Streams: log events are stored in log streams, which represent a sequence of log events from a specific resource or application instance. All log events in a log stream share the same source.
- Log Groups: log streams are grouped into log groups, which define shared settings for retention, monitoring, and access control.
Prerequisites
Before proceeding, ensure the following:
- Wazuh is up and running.
- AWS Account with proper permissions.
- Instance Profile for secure authentication.
- S3 Bucket for storing logs.
- CloudWatch Log Group configured in your AWS environment.
AWS Configuration
AWS CloudWatch logs can be accessed using the Wazuh CloudWatch Logs integration. The AWS API enables Wazuh to retrieve, analyze, and alert on logs.
Policy Configuration for Wazuh Integration
To allow Wazuh access to your CloudWatch logs, create the following IAM policy. Replace <REGION>, <ACCOUNT_ID>, <LOG_GROUP_NAME>, and <LOG_STREAM_NAME> with your specific values.
Policy for Log Access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribeLogStreams",
      "Effect": "Allow",
      "Action": "logs:DescribeLogStreams",
      "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*"
    },
    {
      "Sid": "AllowGetLogEvents",
      "Effect": "Allow",
      "Action": "logs:GetLogEvents",
      "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:log-stream:<LOG_STREAM_NAME>"
    }
  ]
}
Policy for Deleting Logs (Optional):
If you need Wazuh to delete logs after processing, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "logs:DescribeLogStreams",
      "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:DeleteLogStream"
      ],
      "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:log-stream:<LOG_STREAM_NAME>"
    }
  ]
}
<REGION>, <ACCOUNT_ID>, <LOG_GROUP_NAME> and <LOG_STREAM_NAME> are placeholders; replace them with the appropriate values. Attach the policy to a user, role, or group as required.
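Before attaching a policy like the two above, it is worth checking that it grants only the actions the integration needs, that no wildcard widens it to every log group in the account, and that none of the placeholders survived. The following script is an added example (not part of Wazuh or of this guide); the account id, region and log group in SAMPLE_POLICY are constructed values, and the sample fills the <LOG_STREAM_NAME> slot with `*` so that Wazuh can read every stream in the group, where the guide's template takes a single stream name.

```python
"""Check an IAM policy meant for the Wazuh CloudWatch Logs integration.

Added example, not part of Wazuh or the original guide. It verifies that the
policy grants only the actions the integration needs, that no Action or
Resource wildcard widens it beyond one log group, and that the guide's
<REGION>-style placeholders were replaced before attaching the policy.
"""
import json
import re

# Actions the guide's policies grant; DeleteLogStream is only needed for the
# optional "delete after processing" policy.
REQUIRED_ACTIONS = {"logs:DescribeLogStreams", "logs:GetLogEvents"}
OPTIONAL_ACTIONS = {"logs:DeleteLogStream"}
PLACEHOLDER = re.compile(r"<[A-Z_]+>")

# Constructed sample: the guide's log-access policy with placeholders filled
# in for an imaginary account, region and log group. The guide's template
# names one log stream; "log-stream:*" covers every stream in the group.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDescribeLogStreams", "Effect": "Allow",
         "Action": "logs:DescribeLogStreams",
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/app:*"},
        {"Sid": "AllowGetLogEvents", "Effect": "Allow",
         "Action": "logs:GetLogEvents",
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/app:log-stream:*"},
    ],
})


def _as_list(value):
    """Action and Resource may be a string or a list in IAM; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy_json, allow_delete=False):
    """Return a list of findings; an empty list means the policy looks right."""
    policy = json.loads(policy_json)
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            granted.add(action)
        for res in _as_list(stmt.get("Resource")):
            if PLACEHOLDER.search(res):
                findings.append(f"{sid}: unreplaced placeholder in {res!r}")
            # "*" or "log-group:*" would expose every log group in the account;
            # a trailing ":*" after a named group (all of its streams) is fine.
            if res == "*" or ":log-group:*" in res:
                findings.append(f"{sid}: resource {res!r} is not scoped to one log group")
    expected = REQUIRED_ACTIONS | (OPTIONAL_ACTIONS if allow_delete else set())
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing required action {action}")
    for action in sorted(granted - expected):
        findings.append(f"unexpected action {action} granted")
    return findings


if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY))                                   # []
    print(check_policy(SAMPLE_POLICY.replace("us-east-1", "<REGION>")))  # placeholder finding
```

Pass `allow_delete=True` only when you actually use the optional deletion policy; otherwise `logs:DeleteLogStream` is reported as an unexpected grant, which is the point of the check.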
Configure Wazuh to process Amazon CloudWatch logs
Follow these steps to enable Wazuh integration with AWS CloudWatch Logs:
Step 1: Modify Wazuh Configuration
Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard, or manually edit the /var/ossec/etc/ossec.conf file on the Wazuh server or agent.
Add the following AWS module (wodle) configuration block to enable the integration with CloudWatch Logs:
<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <service type="cloudwatchlogs">
      <regions>region</regions>
      <aws_log_groups>log_group_name</aws_log_groups>
    </service>
  </wodle>
</ossec_config>
Replace region and log_group_name with your AWS region and log group name.
You must specify at least one AWS log group for extraction. To monitor logs from multiple regions, separate the regions with commas. If no region is specified, Wazuh will search for the log groups in all available regions.
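The rules just stated (at least one log group, comma-separated regions, the placeholders region and log_group_name replaced) are easy to get wrong by hand, so here is an added example that builds the block from Python values and validates an existing ossec.conf fragment. It is not part of Wazuh or of this guide; the interval format check (a number followed by s, m, h or d) is an assumption about what Wazuh accepts, and the log group names and regions in the usage are constructed.

```python
"""Build and validate the aws-s3 wodle block for the CloudWatch Logs integration.

Added example, not part of Wazuh or the original guide. The interval regex is
an assumption about the accepted format (e.g. "5m", "1h"); confirm it against
the Wazuh documentation for your version.
"""
import re
import xml.etree.ElementTree as ET

INTERVAL = re.compile(r"^\d+[smhd]$")
# Placeholder values from the guide that must not survive into production.
PLACEHOLDERS = {"region", "log_group_name"}


def build_wodle(log_groups, regions=(), interval="5m", run_on_start=True):
    """Return an <ossec_config> block enabling cloudwatchlogs for the given
    log groups and regions (both comma-joined, as the wodle expects)."""
    if not log_groups:
        raise ValueError("at least one log group is required")
    if not INTERVAL.match(interval):
        raise ValueError(f"bad interval {interval!r}")
    root = ET.Element("ossec_config")
    wodle = ET.SubElement(root, "wodle", name="aws-s3")
    ET.SubElement(wodle, "disabled").text = "no"
    ET.SubElement(wodle, "interval").text = interval
    ET.SubElement(wodle, "run_on_start").text = "yes" if run_on_start else "no"
    svc = ET.SubElement(wodle, "service", type="cloudwatchlogs")
    if regions:
        ET.SubElement(svc, "regions").text = ",".join(regions)
    ET.SubElement(svc, "aws_log_groups").text = ",".join(log_groups)
    return ET.tostring(root, encoding="unicode")


def _split(text):
    """Split a comma-separated wodle value into a list of non-empty items."""
    return [item.strip() for item in (text or "").split(",") if item.strip()]


def parse_cloudwatch_services(conf_text):
    """Return (services, findings): one dict per cloudwatchlogs <service> found
    in the text, plus a list of problems. An ossec.conf may contain several
    top-level <ossec_config> blocks, so the text is wrapped in a synthetic root."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    services, findings = [], []
    for wodle in root.iter("wodle"):
        if wodle.get("name") != "aws-s3":
            continue
        if (wodle.findtext("disabled") or "no").strip() == "yes":
            findings.append("aws-s3 wodle is disabled")
        interval = (wodle.findtext("interval") or "").strip()
        if interval and not INTERVAL.match(interval):
            findings.append(f"unexpected interval {interval!r}")
        for svc in wodle.findall("service"):
            if svc.get("type") != "cloudwatchlogs":
                continue
            groups = _split(svc.findtext("aws_log_groups"))
            regions = _split(svc.findtext("regions"))
            if not groups:
                findings.append("cloudwatchlogs service has no aws_log_groups")
            for value in groups + regions:
                if value in PLACEHOLDERS:
                    findings.append(f"placeholder {value!r} was not replaced")
            if not regions:
                findings.append("no region set: Wazuh will search all available regions")
            services.append({"interval": interval, "regions": regions, "log_groups": groups})
    return services, findings


if __name__ == "__main__":
    # Constructed log group and region names.
    block = build_wodle(["/aws/lambda/app", "/aws/rds/audit"], ["us-east-1", "eu-west-1"])
    print(block)
    print(parse_cloudwatch_services(block))
```

Running the parser over the template block from this guide reports both placeholders as unreplaced; running it over the output of `build_wodle` reports nothing, which is the round-trip the test below checks.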
Step 2: Restart Wazuh
Save the changes and restart Wazuh to apply them.
systemctl restart wazuh-manager
Testing the Integration
/var/ossec/wodles/aws/aws-s3 --service cloudwatchlogs --aws_log_groups <log_group_name> --regions <region> --debug 1
- Replace <log_group_name> and <region> with your specific values.
- Use --debug 1 for detailed output to troubleshoot any issues.
Conclusion
By following this guide, you can successfully integrate AWS CloudWatch Logs with Wazuh for centralized log monitoring. This setup enables you to analyze logs and improve visibility into your AWS environment.