Access

To access your archive data, you need a temporary AWS token that grants access to the AWS S3 bucket of your environment. You generate this token with the Wazuh Cloud API.

Note

See the Wazuh Cloud CLI section to learn how to list and download your archive data automatically.

Getting your API key and the AWS token

  1. Obtain your Wazuh Cloud API key by following the steps outlined in the API Authentication section.

  2. Use the POST /storage/token API endpoint with your key to get a temporary AWS token. For example, the following request generates an AWS token that is valid for 3600 seconds and grants access to the archive data of the environment with ID 012345678ab. The JSON response follows the request.

    curl -XPOST https://api.cloud.wazuh.com/v2/storage/token -H "x-api-key: <YOUR_API_KEY>" -H "Content-Type: application/json" --data '
    {
       "environment_cloud_id": "012345678ab",
       "token_expiration": "3600"
    }'
    
    {
       "environment_cloud_id": "012345678ab",
       "aws": {
          "s3_path": "wazuh-cloud-cold-us-east-1/012345678ab",
          "region": "us-east-1",
          "credentials": {
             "access_key_id": "mUdT2dBjlHd...Gh7Ni1yZKR5If",
             "secret_access_key": "qEzCk63a224...5aB+e4fC1BR0G",
             "session_token": "MRg3t7HIuoA...4o4BXSAcPfUD8",
             "expires_in": 3600
          }
       }
    }
    

Generating the AWS wazuh_cloud_storage profile

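Add the credentials from the response to the AWS credentials file ~/.aws/credentials under the wazuh_cloud_storage profile. The token is temporary, so update the profile with a new token once it expires.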

[wazuh_cloud_storage]
aws_access_key_id = mUdT2dBjlHd...Gh7Ni1yZKR5If
aws_secret_access_key = qEzCk63a224...5aB+e4fC1BR0G
aws_session_token = MRg3t7HIuoA...4o4BXSAcPfUD8
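
The two steps above can also be scripted. The following Python is an added example, not part of the Wazuh documentation: it takes the JSON body returned by POST /storage/token, writes the wazuh_cloud_storage profile without touching other profiles, and keeps the credentials file readable by its owner only. The sample response is constructed with placeholder secrets, and write_profile is a hypothetical helper name.

```python
import configparser
import json
import os
import time

PROFILE = "wazuh_cloud_storage"  # profile name used on this page
# Constructed sample response in the documented shape; all secrets are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "environment_cloud_id": "012345678ab",
    "aws": {
        "s3_path": "wazuh-cloud-cold-us-east-1/012345678ab",
        "region": "us-east-1",
        "credentials": {"access_key_id": "EXAMPLE_KEY_ID",
                        "secret_access_key": "EXAMPLE+SECRET/KEY",
                        "session_token": "EXAMPLE%TOKEN", "expires_in": 3600},
    },
})


def write_profile(response_text, credentials_path, now=None):
    """Hypothetical helper: store the token under PROFILE, return access details."""
    aws = json.loads(response_text)["aws"]
    creds = aws["credentials"]
    for field in ("access_key_id", "secret_access_key", "session_token"):
        if not creds.get(field):
            raise ValueError(f"response is missing credentials.{field}")

    # interpolation=None keeps '%' literal; profiles already in the file survive.
    config = configparser.ConfigParser(interpolation=None)
    config.read(credentials_path)
    config[PROFILE] = {
        "aws_access_key_id": creds["access_key_id"],
        "aws_secret_access_key": creds["secret_access_key"],
        "aws_session_token": creds["session_token"],
    }

    # Write an owner-only temp file, then rename it over the credentials file.
    tmp_path = f"{credentials_path}.tmp"
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        config.write(handle)
    os.chmod(tmp_path, 0o600)
    os.replace(tmp_path, credentials_path)

    return {
        "s3_uri": f"s3://{aws['s3_path']}/",
        "region": aws["region"],
        "expires_at": (time.time() if now is None else now) + int(creds["expires_in"]),
    }
```

The returned s3_uri and region are the values to pass to the aws commands, and expires_at is the Unix time after which a new token must be requested.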

Listing archive data

This command lists the archive data files of the environment 012345678ab.

# aws --profile wazuh_cloud_storage --region us-east-1 s3 ls --recursive s3://wazuh-cloud-cold-us-east-1/012345678ab/
2024-04-19 17:50:06        493 012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz
2024-04-19 18:00:05      77759 012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2100_kdBY42OvE9QJuiia.json.gz

Examples

Downloading archive data – Multiple files

This command downloads the archive data files of the environment 012345678ab into the /home/test/ directory.

# aws --profile wazuh_cloud_storage --region us-east-1 s3 cp --recursive s3://wazuh-cloud-cold-us-east-1/012345678ab/ /home/test/
download: s3://wazuh-cloud-cold-us-east-1/012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz to output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz
download: s3://wazuh-cloud-cold-us-east-1/012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2100_kdBY42OvE9QJuiia.json.gz to output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2100_kdBY42OvE9QJuiia.json.gz

Downloading archive data – Single file

This command downloads the 012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz file of the environment 012345678ab into the directory /home/test.

# aws --profile wazuh_cloud_storage --region us-east-1 s3 cp s3://wazuh-cloud-cold-us-east-1/012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz /home/test/
download: s3://wazuh-cloud-cold-us-east-1/012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz to ./012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz