Amazon CloudWatch Logs

AWS CloudWatch Logs is a service that allows users to centralize the logs from all their systems, applications, and AWS services in a single place. To understand how CloudWatch Logs works, it is important to learn about the following concepts:

  • Log events: CloudWatch saves the logs generated by the application or resource being monitored as log events. A log event is a record with two properties: the timestamp when the event occurred and the raw log message.

  • Log streams: Log events are stored in log streams. A log stream represents a sequence of events coming from the application instance or resource being monitored. All log events in a log stream share the same source.

  • Log groups: Log streams are grouped using log groups. A log group defines a group of log streams that share retention, monitoring, and access control settings.

AWS configuration

Learn how to configure the Amazon CloudWatch service to integrate with Wazuh.

Amazon CloudWatch configuration

AWS CloudWatch logs can be accessed by using the Wazuh CloudWatch Logs integration. The AWS API allows Wazuh to retrieve those logs, analyze them, and raise alerts if applicable.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "logs:GetLogEvents",
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:log-stream:<LOG_STREAM_NAME>"
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DeleteLogStream"
            ],
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:log-stream:<LOG_STREAM_NAME>"
        }
    ]
}

Note

<REGION>, <ACCOUNT_ID>, <LOG_GROUP_NAME> and <LOG_STREAM_NAME> are placeholders. Replace them with the appropriate values.

After creating a policy, you can attach it directly to a user or to a group to which the user belongs. The attaching a policy to an IAM user group guide shows how to attach a policy to a group. More information on other attachment methods is available in the AWS documentation.
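
Before attaching a rendered policy, it is worth checking that it still has the scope described above: only the two read actions (plus logs:DeleteLogStream for the deletion variant), every Resource limited to one log group or log stream ARN, and no placeholder left unreplaced. The following is an added Python example, not part of the Wazuh documentation or of Wazuh's own tooling, that renders the read-only policy template with concrete values and audits the result. The account ID, region, and log group and stream names are constructed sample values.

```python
import json
import re

# Constructed sample: the read-only policy from the documentation above, placeholders included.
READ_ONLY_POLICY_TEMPLATE = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "logs:GetLogEvents",
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:log-stream:<LOG_STREAM_NAME>"
        }
    ]
}"""

# Actions the documented policies grant: the read-only pair, plus one destructive action
# that only the "delete after collection" variant needs.
READ_ACTIONS = {"logs:DescribeLogStreams", "logs:GetLogEvents"}
DELETE_ACTIONS = {"logs:DeleteLogStream"}

PLACEHOLDER_RE = re.compile(r"<[A-Z_]+>")
# A CloudWatch Logs ARN scoped to one log group (":*" covers its streams) or one named stream.
LOG_ARN_RE = re.compile(
    r"^arn:aws:logs:[a-z0-9-]+:\d{12}:log-group:[^:*]+:(\*|log-stream:[^:*]+)$"
)


def render_policy(template: str, values: dict) -> str:
    """Substitute <NAME> placeholders and refuse to emit a policy that still has any."""
    rendered = template
    for name, value in values.items():
        rendered = rendered.replace(f"<{name}>", value)
    leftover = sorted(set(PLACEHOLDER_RE.findall(rendered)))
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return rendered


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str, allow_delete: bool = False) -> list:
    """Return findings; an empty list means the policy matches the documented scope."""
    findings = []
    permitted = READ_ACTIONS | (DELETE_ACTIONS if allow_delete else set())
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "(no Sid)")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: unexpected Effect {stmt.get('Effect')!r}")
        for action in _as_list(stmt.get("Action", [])):
            if action not in permitted:
                findings.append(f"{sid}: action {action} is outside the documented set")
        for resource in _as_list(stmt.get("Resource", [])):
            if PLACEHOLDER_RE.search(resource):
                findings.append(f"{sid}: resource still contains a placeholder: {resource}")
            elif not LOG_ARN_RE.match(resource):
                findings.append(f"{sid}: resource is not scoped to one log group or stream: {resource}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your own account ID, region and names.
    sample_values = {
        "REGION": "us-east-1",
        "ACCOUNT_ID": "123456789012",
        "LOG_GROUP_NAME": "example_log_group",
        "LOG_STREAM_NAME": "example_stream",
    }
    policy = render_policy(READ_ONLY_POLICY_TEMPLATE, sample_values)
    print(audit_policy(policy) or "policy is within the documented scope")
```

Run it with the deletion policy and `allow_delete=True` to confirm that only logs:DeleteLogStream was added; a policy whose Resource is `*` or whose Action is `logs:*` is reported, which is the kind of drift that defeats the least-privilege intent of the documented policies.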

Configure Wazuh to process Amazon CloudWatch logs

  1. Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

  2. Add the following Wazuh module for AWS configuration block to enable the integration with CloudWatch Logs:

    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>5m</interval>
      <run_on_start>yes</run_on_start>
      <service type="cloudwatchlogs">
        <aws_profile>default</aws_profile>
        <aws_log_groups>example_log_group</aws_log_groups>
        <regions>us-east-1</regions>
      </service>
    </wodle>
    

    You must specify at least one AWS log group from which the logs will be extracted. You can add multiple regions by separating them with commas. If no region is specified, the Wazuh module for AWS will look for the log group in every available region.

  3. Save and restart Wazuh to apply the changes. Outside the Wazuh dashboard, the service can be restarted manually with the following command:

    • Wazuh manager:

      # systemctl restart wazuh-manager
      
    • Wazuh agent:

      # systemctl restart wazuh-agent
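
The rules stated in step 2 (at least one log group, comma-separated regions, and a search of every available region when none is given) can be checked before restarting. The following is an added Python example, not Wazuh's own code, that parses an ossec.conf fragment with the standard library and reports what is missing. The sample configuration is constructed: it is the documented block plus a deliberately incomplete second service. The example also splits aws_log_groups on commas, which it assumes the module accepts.

```python
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment: the documented block, plus a second
# cloudwatchlogs service with no aws_log_groups to show what the check reports.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <service type="cloudwatchlogs">
      <aws_profile>default</aws_profile>
      <aws_log_groups>example_log_group</aws_log_groups>
      <regions>us-east-1, eu-west-1</regions>
    </service>
    <service type="cloudwatchlogs">
      <aws_profile>default</aws_profile>
      <regions>us-east-1</regions>
    </service>
  </wodle>
</ossec_config>"""


def _split_csv(text):
    """Split a comma-separated setting into trimmed, non-empty values."""
    return [item.strip() for item in (text or "").split(",") if item.strip()]


def cloudwatch_services(conf_xml: str) -> list:
    """Return one dict per cloudwatchlogs service found inside aws-s3 wodle blocks."""
    root = ET.fromstring(conf_xml)
    services = []
    for wodle in root.iter("wodle"):
        if wodle.get("name") != "aws-s3":
            continue
        enabled = (wodle.findtext("disabled") or "no").strip().lower() != "yes"
        for svc in wodle.findall("service"):
            if svc.get("type") != "cloudwatchlogs":
                continue
            services.append({
                "enabled": enabled,
                "profile": (svc.findtext("aws_profile") or "").strip(),
                "log_groups": _split_csv(svc.findtext("aws_log_groups")),
                "regions": _split_csv(svc.findtext("regions")),
            })
    return services


def check_config(conf_xml: str) -> list:
    """Findings against the rules stated for the CloudWatch Logs service block."""
    findings = []
    services = cloudwatch_services(conf_xml)
    if not services:
        findings.append("no cloudwatchlogs service found in any aws-s3 wodle")
    for n, svc in enumerate(services, start=1):
        if not svc["enabled"]:
            findings.append(f"service {n}: the aws-s3 wodle is disabled")
        if not svc["log_groups"]:
            findings.append(f"service {n}: aws_log_groups is missing; at least one log group is required")
        if not svc["regions"]:
            findings.append(f"service {n}: no regions set; the module will search every available region")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_OSSEC_CONF) or ["configuration complete"]:
        print(finding)
```

To check a live file, pass the contents of /var/ossec/etc/ossec.conf to check_config; the empty-regions finding is informational, since searching every region is the documented behaviour, but it is worth knowing before the module starts making API calls across all of them.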
      

CloudWatch Logs use cases

Check the Amazon ECR Image scanning section to learn how to use the CloudWatch Logs integration to pull logs from Amazon ECR Image scans.