Supported services

All the services except Inspector Classic, CloudWatch Logs, and Security Lake get their data from log files stored in an S3 bucket. The services that read from S3 are configured inside <bucket type='TYPE'> </bucket> tags, while Inspector Classic and CloudWatch Logs are configured inside <service type='inspector'> </service> and <service type='cloudwatchlogs'> </service> tags, respectively. The <subscriber type='TYPE'> </subscriber> tags are used to obtain logs from Amazon Security Lake buckets.

The following table contains the most relevant information about configuring each service in the /var/ossec/etc/ossec.conf file, as well as the path where the logs are stored in the bucket when the corresponding service uses an S3 bucket as its storage medium:
| Provider | Service | Configuration tag | Type | Path to logs | Required permission |
|----------|---------|-------------------|------|--------------|---------------------|
| Amazon | | bucket | cloudtrail | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<organization_id>/<ACCOUNT_ID>/CloudTrail/<REGION>/<year>/<month>/<day> | |
| Amazon | | bucket | vpcflow | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<ACCOUNT_ID>/vpcflowlogs/<REGION>/<year>/<month>/<day> | |
| Amazon | | bucket | config | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<ACCOUNT_ID>/Config/<REGION>/<year>/<month>/<day> | |
| Amazon | | bucket | custom | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day> | |
| Amazon | | bucket | custom | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day> | |
| Amazon | | bucket | custom | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day> | |
| Amazon | | bucket | guardduty | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>/<hh> | |
| Amazon | | bucket | waf | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>/<hh> | |
| Amazon | | bucket | server_access | <WAZUH_AWS_BUCKET>/<prefix> | |
| Amazon | | service | inspector | | |
| Amazon | | service | cloudwatchlogs | | |
| Amazon | | service | cloudwatchlogs | | |
| Cisco | | bucket | cisco_umbrella | <WAZUH_AWS_BUCKET>/<prefix>/<year>-<month>-<day> | |
| Amazon | | bucket | alb | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<ACCOUNT_ID>/elasticloadbalancing/<REGION>/<year>/<month>/<day> | |
| Amazon | | bucket | clb | <WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<ACCOUNT_ID>/elasticloadbalancing/<REGION>/<year>/<month>/<day> | |
| Amazon | | bucket | custom | <WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day> | |
| Amazon | | subscriber | security_lake | | |
| Amazon | | subscriber | buckets | | |
| Amazon | | subscriber | security_hub | | |
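To show how the three tag kinds from the text sit together, the following is an added example of an aws-s3 wodle fragment for /var/ossec/etc/ossec.conf; it is not taken from this page or from Wazuh's own files. The wodle name and the child elements it uses (name, path, path_suffix, aws_profile, only_logs_after, regions, aws_log_groups, sqs_name) are assumed from the Wazuh wodle reference, and every bucket, queue, log group, region and date value is a placeholder to replace with your own.

```xml
<!-- Added example: an aws-s3 wodle fragment for /var/ossec/etc/ossec.conf
     combining the three tag kinds from the text. Bucket, account, log group,
     queue, region and date values are placeholders; replace them with yours. -->
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <!-- Bucket-based service: CloudTrail. <path> is the <prefix> and
       <path_suffix> the <suffix> of the "Path to logs" column, so objects
       are expected under
       my-wazuh-logs/cloudtrail/AWSLogs/org-suffix/<ACCOUNT_ID>/CloudTrail/... -->
  <bucket type="cloudtrail">
    <name>my-wazuh-logs</name>
    <path>cloudtrail</path>
    <path_suffix>org-suffix</path_suffix>
    <aws_profile>default</aws_profile>
    <only_logs_after>2024-JAN-01</only_logs_after>
  </bucket>

  <!-- Bucket-based service with an hourly path (<year>/<month>/<day>/<hh>) -->
  <bucket type="guardduty">
    <name>my-wazuh-logs</name>
    <path>guardduty</path>
    <aws_profile>default</aws_profile>
  </bucket>

  <!-- API-based services use <service>, not <bucket>: no S3 path applies -->
  <service type="cloudwatchlogs">
    <aws_profile>default</aws_profile>
    <regions>us-east-1</regions>
    <aws_log_groups>/aws/lambda/my-function</aws_log_groups>
    <only_logs_after>2024-JAN-01</only_logs_after>
  </service>

  <service type="inspector">
    <aws_profile>default</aws_profile>
    <regions>us-east-1</regions>
  </service>

  <!-- Security Lake uses <subscriber> and is read through an SQS queue -->
  <subscriber type="security_lake">
    <sqs_name>my-security-lake-queue</sqs_name>
    <aws_profile>default</aws_profile>
  </subscriber>
</wodle>
```

Only one wodle block is needed; each additional source is another bucket, service or subscriber element inside it.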