Supported services

All services except Inspector Classic, CloudWatch Logs, and Security Lake read their data from log files stored in an S3 bucket; those services are configured inside <bucket type='TYPE'> </bucket> tags. Inspector Classic and CloudWatch Logs are configured inside <service type='inspector'> </service> and <service type='cloudwatchlogs'> </service> tags, respectively. The <subscriber type='TYPE'> </subscriber> tags are used to obtain logs from Amazon Security Lake buckets.

The following table summarizes how each service is configured in the /var/ossec/etc/ossec.conf file, together with the path under which the logs are stored in the bucket for those services that use an S3 bucket as their storage medium:

| Provider | Service | Configuration tag | Type | Path to logs | Required permission |
|---|---|---|---|---|---|
| Amazon | CloudTrail | bucket | cloudtrail | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<organization_id>/<ACCOUNT_ID>/CloudTrail/<REGION>/<year>/<month>/<day> | Policy configuration |
| Amazon | VPC | bucket | vpcflow | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<ACCOUNT_ID>/vpcflowlogs/<REGION>/<year>/<month>/<day> | Policy configuration |
| Amazon | Config | bucket | config | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<ACCOUNT_ID>/Config/<REGION>/<year>/<month>/<day> | Policy configuration |
| Amazon | KMS | bucket | custom | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day> | Policy configuration |
| Amazon | Macie | bucket | custom | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day> | Policy configuration |
| Amazon | Trusted Advisor | bucket | custom | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day> | Policy configuration |
| Amazon | GuardDuty | bucket | guardduty | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>/<hh> | Policy configuration |
| Amazon | WAF | bucket | waf | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>/<hh> | Policy configuration |
| Amazon | S3 Server Access logs | bucket | server_access | <WAZUH_AWS_BUCKET>/<prefix> | Policy configuration |
| Amazon | Inspector Classic | service | inspector | | Policy configuration |
| Amazon | CloudWatch Logs | service | cloudwatchlogs | | Policy configuration |
| Amazon | Amazon ECR Image scanning | service | cloudwatchlogs | | Policy configuration |
| Cisco | Umbrella | bucket | cisco_umbrella | <WAZUH_AWS_BUCKET>/<prefix>/<year>-<month>-<day> | Policy configuration |
| Amazon | ALB | bucket | alb | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<ACCOUNT_ID>/elasticloadbalancing/<REGION>/<year>/<month>/<day> | Policy configuration |
| Amazon | CLB | bucket | clb | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<ACCOUNT_ID>/elasticloadbalancing/<REGION>/<year>/<month>/<day> | Policy configuration |
| Amazon | NLB | bucket | custom | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day> | Policy configuration |
| Amazon | Amazon Security Lake | subscriber | security_lake | | Policy configuration |
| Amazon | Custom Logs Buckets | subscriber | buckets | | Amazon Simple Queue Service |
| Amazon | Security Hub | subscriber | security_hub | | |
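As an added illustration of how the three configuration tags from the table fit together in /var/ossec/etc/ossec.conf (this is example configuration written for this page, not a fragment taken from the Wazuh documentation or the Wazuh project), the snippet below declares one bucket-based source, one service-based source and one subscriber-based source inside the aws-s3 wodle. The wodle name and the child elements <name>, <path>, <aws_profile>, <regions>, <only_logs_after>, <aws_log_groups> and <sqs_name> are assumed here from the Wazuh aws-s3 wodle reference rather than from this page; the bucket name, prefix, log group, queue name, region and date are constructed placeholders that must be replaced with your own values.

```xml
<!-- Example only: added for this page, not from the Wazuh project. -->
<!-- Element names are assumed from the aws-s3 wodle reference; all values are placeholders. -->
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <!-- keep going when one log file fails to parse, so a single bad object does not stop collection -->
  <skip_on_error>yes</skip_on_error>

  <!-- Bucket-based service: type matches the "Type" column, e.g. cloudtrail -->
  <bucket type="cloudtrail">
    <name>example-logs-bucket</name>          <!-- placeholder: <WAZUH_AWS_BUCKET> -->
    <path>cloudtrail-logs</path>              <!-- placeholder: <prefix> from the "Path to logs" column -->
    <aws_profile>default</aws_profile>
    <regions>us-east-1</regions>
    <only_logs_after>2024-JAN-01</only_logs_after>  <!-- placeholder start date -->
  </bucket>

  <!-- Service-based source: Inspector Classic and CloudWatch Logs use <service>, not <bucket> -->
  <service type="cloudwatchlogs">
    <aws_profile>default</aws_profile>
    <aws_log_groups>example-log-group</aws_log_groups>  <!-- placeholder log group -->
    <regions>us-east-1</regions>
    <only_logs_after>2024-JAN-01</only_logs_after>
  </service>

  <!-- Subscriber-based source: Amazon Security Lake is consumed through an SQS queue -->
  <subscriber type="security_lake">
    <sqs_name>example-security-lake-queue</sqs_name>  <!-- placeholder queue name -->
    <aws_profile>default</aws_profile>
  </subscriber>
</wodle>
```

Setting <path> to the same prefix that appears in the "Path to logs" column keeps the module reading only the objects it needs, which in turn lets the IAM policy granted to the profile be scoped to that prefix rather than to the whole bucket.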