Troubleshooting
The below information is intended to assist in troubleshooting issues.
Testing the integration
After configuring the module successfully users can expect to see the following log messages in their agent log file: /var/ossec/logs/ossec.log
Module starting:
2018/01/12 18:47:09 wazuh-modulesd:aws-cloudtrail: INFO: Module AWS-CloudTrail started
Scheduled scan:
2018/01/12 18:49:10 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs started 2018/01/12 18:49:11 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs finished.
Troubleshooting
Errors in ossec.log
When an error occurs when trying to collect and parse logs for a CloudTrail, the ossec.log will output an error such as below:
The number is the AWS Account ID provided for the CloudTrail, and the name in the parenthesis is the AWS Account Alias (if provided).
2018/06/28 14:31:09 wazuh-modulesd:aws-cloudtrail: WARNING: CloudTrail: 012345678901(Prod) - Returned exit code 3. 2018/06/28 14:31:09 wazuh-modulesd:aws-cloudtrail: WARNING: CloudTrail: 012345678901(Prod) - Invalid credentials to access S3 Bucket
The exit codes are as follows:
Code
Description
1
Unknown error
2
Error parsing configuration (bucket name, keys, etc)
3
Invalid credentials to access S3 bucket
4
boto3 module missing
5
Unexpected error accessing SQLite DB
6
Unable to create SQLite DB
7
Unexpected error querying/working with objects in S3
8
Failed to decompress file
9
Failed to parse file
10
Failed to execute DB cleanup
11
Unable to connect to Wazuh
12
SIGINT
13
Error sending message to Wazuh
Debugging configuration:
If users are unable to determine the issues from the ossec.log, users can run the modules in debug mode. With Wazuh running, stop the moduled
# pkill wazuh-modulesd
Start wazuh-modulesd in the foreground in debug mode
# /var/ossec/bin/wazuh-modulesd -fd
Debug
Description
-fd
Basic debug
-fdd
Verbose debug
-fddd
Extremely verbose debug (Warning: generates logs of msgs)
This will print debug data to the console and log. The debug will also output the command that the wodle is using to execute the Python script for each CloudTrail. If a particular CloudTrail is causing problems, this command can be manually executed, increasing the debug level from 1 (basic) to 3 (extremely verbose)
# 2018/06/28 18:11:02 wazuh-modulesd:aws-cloudtrail: DEBUG: Launching CloudTrail Command: /var/ossec/wodles/aws/aws.py --bucket s3-prod-bucket --iam_role_arn arn:aws:iam::001122334455:role/ROLE_Log-Parser --aws_account_id 012345678901 --aws_account_alias prod --only_logs_after 2018-JUN-01 --debug 2 --skip_on_error
Time interval is shorter than the time taken to pull log data:
In this case a simple warning will be displayed. There is no impact in the event data fetching process and the module will keep running.
2018/01/12 19:10:37 wazuh-modulesd:aws-cloudtrail: WARNING: Interval overtaken.
Wrong AWS service path:
If users get any trouble related to "paths", check if the AWS files path is correct:
AWS Cloudtrail
<bucket_name>/<prefix>/AWSLogs/<account_id>/CloudTrail/<region>/<year>/<month>/<day>
AWS Config
<bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day>/ConfigHistory <bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day>/ConfigSnapshot
AWS Guardduty
<bucket_name>/<prefix>/<year>/<month>/<day>/<hh>
AWS Custom bucket
<bucket_name>/<prefix>/<year>/<month>/<day>
AWS VPC
<bucket_name>/<prefix>/AWSLogs/<account_id>/vpcflowlogs/<region>/<year>/<month>/<day>
Use case
AmazonS3/config/AWSLogs/1308927/Config/EU-West/2019/01/12/file.log
AmazonFirstBucket/store/2019/01/9/logs.log