wodle name="aws-cloudtrail"
New in version 3.2.0.
Configuration options of the AWS-CloudTrail wodle.
Options

Options | Allowed values | Mandatory/Optional
---|---|---
disabled | yes, no | Mandatory
bucket | Any valid bucket name | Mandatory
interval | A positive number (seconds) | Mandatory
remove_from_bucket | yes, no | Mandatory
access_key | Alphanumerical key | Optional
secret_key | Alphanumerical key | Optional
run_on_start | yes, no | Optional
disabled
Disables the CloudTrail wodle.
Default value | no
Allowed values | yes, no
bucket
Name of the S3 bucket from where logs are read.
Default value | N/A
Allowed values | Any valid bucket name
interval
Frequency for reading from the S3 bucket.
Default value | 10m
Allowed values | A positive number followed by a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).
access_key
The access key ID for the IAM user with the permission to read logs from the bucket.
Default value | N/A
Allowed values | Any alphanumerical key.
secret_key
The secret key created for the IAM user with the permission to read logs from the bucket.
Default value | N/A
Allowed values | Any alphanumerical key.
remove_from_bucket
Defines whether logs are removed from the S3 bucket after the wodle has read them.
Default value | yes
Allowed values | yes, no
run_on_start
Runs the evaluation immediately when the service starts.
Default value | yes
Allowed values | yes, no
Example of configuration
<wodle name="aws-cloudtrail">
  <disabled>no</disabled>
  <bucket>wazuh-cloudtrail</bucket>
  <interval>10m</interval>
  <access_key>your_access_key</access_key>
  <secret_key>your_secret_key</secret_key>
  <remove_from_bucket>no</remove_from_bucket>
  <run_on_start>no</run_on_start>
</wodle>
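As an added example that is not part of the Wazuh documentation or code base, the following Python helper parses the aws-cloudtrail wodle out of an ossec.conf fragment, applies the defaults listed above, validates the yes/no options and the interval suffix, and reports that the remove_from_bucket default of yes deletes objects from the bucket. It assumes only bucket has no usable default; the sample input is constructed from the example above with remove_from_bucket left out.

```python
import re
import xml.etree.ElementTree as ET

# Defaults, yes/no options and interval suffixes, copied from the reference above.
DEFAULTS = {"disabled": "no", "interval": "10m",
            "remove_from_bucket": "yes", "run_on_start": "yes"}
YES_NO = ("disabled", "remove_from_bucket", "run_on_start")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def interval_seconds(value):
    """Convert an <interval> such as '10m' to seconds; a bare number is seconds."""
    m = re.fullmatch(r"([1-9]\d*)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"invalid interval: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS.get(m.group(2), 1)


def check_cloudtrail_wodle(ossec_xml):
    """Return (settings with defaults applied, findings) for the aws-cloudtrail wodle."""
    root = ET.fromstring(ossec_xml)
    wodle = next((w for w in [root] + root.findall(".//wodle")
                  if w.tag == "wodle" and w.get("name") == "aws-cloudtrail"), None)
    if wodle is None:
        raise ValueError('no <wodle name="aws-cloudtrail"> block found')
    settings = dict(DEFAULTS)
    settings.update({child.tag: (child.text or "").strip() for child in wodle})
    findings = []
    if not settings.get("bucket"):
        findings.append("bucket is mandatory and has no default value")
    for opt in YES_NO:
        if settings[opt] not in ("yes", "no"):
            findings.append(f"{opt} must be yes or no, got {settings[opt]!r}")
    try:
        settings["interval_seconds"] = interval_seconds(settings["interval"])
    except ValueError as exc:
        findings.append(str(exc))
    if settings["disabled"] == "yes":
        findings.append("disabled is yes: no CloudTrail logs will be collected")
    if settings["remove_from_bucket"] == "yes":
        findings.append("remove_from_bucket is yes (the default): objects are "
                        "deleted from the S3 bucket after the wodle reads them")
    return settings, findings


# Constructed sample: the page's example with remove_from_bucket omitted, so the default applies.
SAMPLE = """<ossec_config><wodle name="aws-cloudtrail">
  <disabled>no</disabled><bucket>wazuh-cloudtrail</bucket>
  <interval>10m</interval><run_on_start>no</run_on_start>
</wodle></ossec_config>"""

if __name__ == "__main__":
    print(check_cloudtrail_wodle(SAMPLE))
```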