This is the documentation for Wazuh 3.12. Check out the docs for the latest version of Wazuh!

Supported services

All services except Inspector get their data from log files stored in an S3 bucket. These services write their data to log files, and each one is configured inside <bucket type='TYPE'> </bucket> tags, while the Inspector service is configured inside <service type='inspector'> </service> tags.

The following table lists the most relevant information for configuring each service in ossec.conf:

| Provider | Service | Configuration tag | Type | Path to logs |
|----------|---------|-------------------|------|--------------|
| Amazon | CloudTrail | bucket | cloudtrail | <bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day> |
| Amazon | VPC | bucket | vpcflow | <bucket_name>/<prefix>/AWSLogs/<account_id>/vpcflowlogs/<region>/<year>/<month>/<day> |
| Amazon | Config | bucket | config | <bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day> |
| Amazon | KMS | bucket | custom | <bucket_name>/<prefix>/<year>/<month>/<day> |
| Amazon | Macie | bucket | custom | <bucket_name>/<prefix>/<year>/<month>/<day> |
| Amazon | Trusted Advisor | bucket | custom | <bucket_name>/<prefix>/<year>/<month>/<day> |
| Amazon | GuardDuty | bucket | guardduty | <bucket_name>/<prefix>/<year>/<month>/<day>/<hh> |
| Amazon | WAF | bucket | waf | <bucket_name>/<prefix>/<year>/<month>/<day>/<hh> |
| Amazon | Inspector | service | inspector | |
| Cisco | Umbrella | bucket | cisco_umbrella | <bucket_name>/<prefix>/<year>-<month>-<day> |
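
A bucket whose objects do not follow the layout for its configured type is an easy way to end up with a log source that is configured but not collected. The following Python sketch is an added example, not part of Wazuh or its documentation: it checks S3 object keys against the layouts in the table above. The names `LAYOUTS`, `check_key` and `mismatched`, the digit widths, the 12-digit account ID pattern and the sample keys are all assumptions of this example.

```python
import re
from datetime import date

# Key layouts relative to the bucket root, taken from the table above.
# Digit widths and the 12-digit account ID are assumptions of this example.
DATE = r"(?P<year>\d{4})/(?P<month>\d{1,2})/(?P<day>\d{1,2})"

def _awslogs(service):
    return (r"AWSLogs/(?P<account_id>\d{12})/" + service
            + r"/(?P<region>[a-z0-9-]+)/" + DATE)

LAYOUTS = {
    "cloudtrail": _awslogs("CloudTrail"),
    "vpcflow": _awslogs("vpcflowlogs"),
    "config": _awslogs("Config"),
    "custom": DATE,  # KMS, Macie, Trusted Advisor
    "guardduty": DATE + r"/(?P<hour>\d{2})",
    "waf": DATE + r"/(?P<hour>\d{2})",
    "cisco_umbrella": r"(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})",
}

def check_key(bucket_type, key, prefix=""):
    """Return the parsed path fields, or None if key does not fit the layout."""
    if bucket_type not in LAYOUTS:
        raise ValueError("unknown bucket type: " + bucket_type)
    head = prefix.strip("/")
    pattern = (re.escape(head) + "/" if head else "") + LAYOUTS[bucket_type] + "/.+"
    match = re.fullmatch(pattern, key)
    if match is None:
        return None
    fields = match.groupdict()
    try:  # reject impossible calendar dates such as 2020/02/30
        date(int(fields["year"]), int(fields["month"]), int(fields["day"]))
    except ValueError:
        return None
    if int(fields.get("hour", 0)) > 23:
        return None
    return fields

def mismatched(bucket_type, keys, prefix=""):
    """List the keys that do not follow the layout for bucket_type."""
    return [k for k in keys if check_key(bucket_type, k, prefix) is None]

if __name__ == "__main__":
    sample = [  # constructed keys, not real data
        "trail/AWSLogs/123456789012/CloudTrail/us-east-1/2020/04/07/a.json.gz",
        "trail/AWSLogs/123456789012/vpcflowlogs/us-east-1/2020/04/07/b.log.gz",
    ]
    print(mismatched("cloudtrail", sample, prefix="trail"))
```

Keys are given relative to the bucket root, so <bucket_name> is not part of the string being checked.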