Supported services

All services, except Inspector, CloudWatch Logs, and Security Lake, get their data from log files stored in an S3 bucket. These services store their data into log files which are configured inside <bucket type='TYPE'> </bucket> tags. Inspector and CloudWatch Logs services are configured inside <service type='inspector'> </service> and <service type='cloudwatchlogs'> </service> tags, respectively. To collect logs from Amazon Security Lake buckets, use <subscriber type='TYPE'> </subscriber> tags.

The next table contains the most relevant information about configuring each service in the /var/ossec/etc/ossec.conf file, as well as the path where the logs will be stored in the bucket if the corresponding service uses them as its storage medium:

Provider	Service	Configuration tag	Type	Path to logs	Required permission
Amazon	CloudTrail	bucket	cloudtrail	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<organization_id>/<ACCOUNT_ID>/CloudTrail/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	VPC	bucket	vpcflow	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<ACCOUNT_ID>/vpcflowlogs/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	Config	bucket	config	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<ACCOUNT_ID>/Config/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	KMS	bucket	custom	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>	Policy configuration
Amazon	Macie	bucket	custom	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>	Policy configuration
Amazon	Trusted Advisor	bucket	custom	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>	Policy configuration
Amazon	GuardDuty	bucket	guardduty	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>/<hh>	Policy configuration
Amazon	WAF	bucket	waf	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>/<hh>	Policy configuration
Amazon	S3 Server Access logs	bucket	server_access	<WAZUH_AWS_BUCKET>/<prefix>	Policy configuration
Amazon	Inspector	service	inspector		Policy configuration
Amazon	CloudWatch Logs	service	cloudwatchlogs		Policy configuration
Amazon	Amazon ECR Image scanning	service	cloudwatchlogs		Policy configuration
Cisco	Umbrella	bucket	cisco_umbrella	<WAZUH_AWS_BUCKET>/<prefix>/<year>-<month>-<day>	Policy configuration
Amazon	ALB	bucket	alb	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<ACCOUNT_ID>/elasticloadbalancing/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	CLB	bucket	clb	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<ACCOUNT_ID>/elasticloadbalancing/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	NLB	bucket	custom	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>	Policy configuration
Amazon	Amazon Security Lake	subscriber	security_lake		Policy configuration
Amazon	Custom Logs Buckets	subscriber	buckets		Amazon Simple Queue Service
Amazon	Security Hub	subscriber	security_hub