Amazon ALB

Application Load Balancers (Amazon ALB) Elastic Load Balancing automatically distributes the incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets and routes traffic only to the healthy targets. Users can select the type of load balancer that best suits their needs. An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action.

Amazon configuration

  1. Select an existing S3 Bucket or create a new one.

  2. Go to Services > Compute > EC2:

  3. Go to Load Balancing > Load Balancers on the left menu. Create a new load balancer or select one or more load balancers and select Edit attributes on the Actions menu:

  4. In this tab we will define our S3 and the path where the logs will be stored:

    Note

    To enable access logs for ALB (Application Load Balancers), check the following link:

Wazuh configuration

  1. Open the Wazuh configuration file (/var/ossec/etc/ossec.conf) and add the following block for ALB:

    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>
      <bucket type="alb">
        <name>wazuh-aws-wodle</name>
        <path>ALB</path>
        <aws_profile>default</aws_profile>
      </bucket>
    </wodle>
    

    Note

    Check the AWS S3 module reference manual to learn more about each setting.

  2. Restart Wazuh in order to apply the changes:

    • If you're configuring a Wazuh manager:

      1. For Systemd:

      # systemctl restart wazuh-manager
      
      1. For SysV Init:

      # service wazuh-manager restart
      
    • If you're configuring a Wazuh agent:

      1. For Systemd:

      # systemctl restart wazuh-agent
      
      1. For SysV Init:

      # service wazuh-agent restart