The below information is intended to assist in troubleshooting issues.

Testing the integration

After configuring the module successfully users can expect to see the following log messages in their agent log file: /var/ossec/logs/ossec.log

  1. Module starting:

    2019/10/28 13:58:10 wazuh-modulesd:aws-s3[8184] wm_aws.c:48 at wm_aws_main(): INFO: Module AWS started
  2. Scheduled scan:

    2019/10/28 13:58:10 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
    2019/10/28 13:38:11 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.

Common errors

  1. Errors in ossec.log

    When an error occurs when trying to collect and parse logs for an AWS service, the ossec.log will output an error such as below:

    The number is the AWS Account ID provided for the CloudTrail, and the name in the parenthesis is the AWS Account Alias (if provided).

    2019/10/28 13:58:11 wazuh-modulesd:aws-s3: WARNING: Bucket: wazuh-cloudtrail  -  Returned exit code 3
    2019/10/28 13:58:11 wazuh-modulesd:aws-s3: WARNING: Bucket: wazuh-cloudtrail  -  Invalid credentials to access S3 Bucket

    The exit codes and their possible remediations are the next:



    Possible remediation


    Unknown error

    Programming error. Please, open an issue in the Wazuh GitHub repository with the trace of the error


    Error parsing configuration (bucket name, keys, etc)

    Check the wodle configuration in ossec.conf file


    Invalid credentials to access S3 bucket

    Ensure that your credentials are OK. Credentials section may be useful


    boto3 module missing

    Install boto3 library. Visit dependencies section for getting more information


    Unexpected error accessing SQLite DB

    Check that no more instances of the wodle are running at the same time


    Unable to create SQLite DB

    Ensure that the wodle has the right permissions in its directory


    Unexpected error querying/working with objects in S3

    Check that no more instances of the wodle are running at the same time


    Failed to decompress file

    Only .gz and .zip compression formats are supported


    Failed to parse file

    Check the type of the bucket


    Failed to execute DB cleanup

    Check that no more instances of the wodle are running at the same time


    Unable to connect to Wazuh

    Ensure that Wazuh is running



    The module stopped due to an interrupt signal


    Error sending message to Wazuh

    Ensure that Wazuh is running


    Empty bucket

    Ensure that the path to the log files is right

  2. Debugging configuration:

    If users are unable to determine the issues from the ossec.log, users can run the modules in debug mode. With Wazuh running, stop the moduled

    # pkill wazuh-modulesd

    Start wazuh-modulesd in the foreground in debug mode

    # /var/ossec/bin/wazuh-modulesd -fd




    Basic debug


    Verbose debug


    Extremely verbose debug (Warning: generates logs of msgs)

    This will print debug data to the console and log. The debug will also output the command that the wodle is using to execute the Python script for each service. If a particular service is causing problems, this command can be manually executed, increasing the debug level from 1 (basic) to 3 (extremely verbose)

    # 2019/10/28 14:08:28 wazuh-modulesd:aws-s3[2557] wm_aws.c:409 at wm_aws_run_s3(): DEBUG: Launching S3 Command: /var/ossec/wodles/aws/aws-s3 --bucket wazuh-cloudtrail --access_key XXXXXXXX --secret_key XXXXXXXX --type cloudtrail --debug 2 --skip_on_error
  3. Time interval is shorter than the time taken to pull log data:

    In this case a simple warning will be displayed. There is no impact in the event data fetching process and the module will keep running.

    # 2019/10/28 14:08:31 wazuh-modulesd:aws-s3[2557] wm_aws.c:409 at wm_aws_run_s3(): WARNING: Interval overtaken.
  4. Wrong AWS service path:

    If users get any trouble related to "paths", check if the AWS files path is correct:

    AWS Cloudtrail


    AWS Config

    <bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day>/ConfigHistory <bucket_name>/<prefix>/AWSLogs/<account_id>/Config/<region>/<year>/<month>/<day>/ConfigSnapshot

    AWS Guardduty


    AWS Custom bucket




    Cisco Umbrella


    Use case