S3 Server Access

Amazon S3 Server Access Logging provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.

Amazon configuration

  1. Create a new S3 bucket to store the access logs in. If you want to use an existing bucket, skip this step.

  2. Go to Services > Storage > S3.

  3. Look for the S3 bucket you want to monitor and click on its name.

  4. Go to the Properties tab, scroll down to the Server access logging section, and click on the Edit button.

  5. Check the Enable option, and click on the Browse S3 button to select the bucket in which you want the S3 Server Access logs to be stored.

    Note

    It is possible to store the S3 Server Access logs in the same bucket that is being monitored. It is also possible to specify a custom path inside the bucket in which to store the logs.

  6. Finally, click on Save changes. S3 Server Access logs will start to be stored in the specified path.
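Once records start landing in the chosen bucket, it helps to know what they contain before pointing Wazuh at them. The following is an added Python example, not part of the Wazuh documentation or of the Wazuh AWS module: it parses the space-delimited S3 server access log format (bracketed timestamp, quoted request URI, referrer and user agent) and flags the entries an access audit would look at first. The log lines, bucket name and IDs are constructed sample data.

```python
import re
from datetime import datetime

# First 18 fields of an S3 server access log record, in order. Newer,
# optional fields (Host Id, Signature Version, Cipher Suite, ...) follow them.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time",
    "referer", "user_agent", "version_id",
]

# A token is a bracketed timestamp, a double-quoted string, or a run of
# non-whitespace, so "[06/Feb/2019:00:00:38 +0000]" and the quoted
# request URI / user agent survive the split as single fields.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

def _unwrap(tok):
    """Drop the surrounding [] or "" of a bracketed/quoted field."""
    return tok[1:-1] if len(tok) >= 2 and tok[0] in '["' else tok

def parse_record(line):
    """Split one access log line into a dict keyed by FIELDS; any fields
    beyond the 18 named ones are kept as a list under 'extra'."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("truncated record: %d fields" % len(tokens))
    rec = dict(zip(FIELDS, tokens))
    rec["extra"] = tokens[len(FIELDS):]
    for name in ("time", "request_uri", "referer", "user_agent"):
        rec[name] = _unwrap(rec[name])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def audit_findings(lines):
    """Return (request_id, reason) pairs that merit review in an access audit."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec["requester"] == "-":          # no signed identity: anonymous access
            findings.append((rec["request_id"], "unauthenticated (anonymous) request"))
        if rec["http_status"] == "403" or rec["error_code"] == "AccessDenied":
            findings.append((rec["request_id"], "access denied"))
        if rec["operation"].endswith((".PUT.ACL", ".PUT.POLICY")):
            findings.append((rec["request_id"], "bucket/object permission change"))
    return findings

# Constructed sample records (placeholder owner ID, request IDs and bucket name).
SAMPLE_LOG = [
    'OWNERID0000 example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 OWNERID0000 REQ0001 REST.GET.VERSIONING - "GET /example-bucket?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" -',
    'OWNERID0000 example-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT secret.txt "GET /example-bucket/secret.txt HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "curl/7.81.0" -',
    'OWNERID0000 example-bucket [06/Feb/2019:00:02:15 +0000] 192.0.2.3 OWNERID0000 REQ0003 REST.PUT.ACL - "PUT /example-bucket?acl HTTP/1.1" 200 - - - 9 - "-" "aws-cli/2.9.1" -',
]
```

Running `audit_findings(SAMPLE_LOG)` reports the anonymous, denied GET (REQ0002) and the ACL change (REQ0003), while the console versioning query (REQ0001) is left alone.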

Wazuh configuration

  1. Open the Wazuh configuration file (/var/ossec/etc/ossec.conf) and add the following block:

    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>
      <bucket type="server_access">
        <name>wazuh-aws-wodle</name>       <!-- PUT HERE THE S3 BUCKET CHOSEN IN STEP 5 -->
        <path>waf</path>                   <!-- PUT HERE THE PATH TO THE LOGS CHOSEN IN STEP 5 IF THE LOGS ARE NOT STORED IN THE BUCKET'S ROOT PATH -->
        <aws_profile>default</aws_profile>
      </bucket>
    </wodle>

    Note

    Check the AWS S3 module reference manual to learn more about each setting.

  2. Restart Wazuh to apply the changes:

    • If you're configuring a Wazuh manager:

      1. For Systemd:

      # systemctl restart wazuh-manager

      2. For SysV Init:

      # service wazuh-manager restart

    • If you're configuring a Wazuh agent:

      1. For Systemd:

      # systemctl restart wazuh-agent

      2. For SysV Init:

      # service wazuh-agent restart