How to set up CloudTrail and then ingest its logs into Wazuh.
Setup CloudTrail
From the AWS Console create a new CloudTrail trail.

Once it's done creating, it will take a little while to start populating the bucket with logs.
Wazuh Configuration
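A minimal aws-s3 wodle block for /var/ossec/etc/ossec.conf on the Wazuh manager, given here as an added example and not the original post's configuration. The interval, run_on_start and skip_on_error values are assumptions; the bucket name, region and start date mirror the manual test command in the Troubleshooting section.

```xml
<!-- Added example: place inside <ossec_config> in /var/ossec/etc/ossec.conf -->
<wodle name="aws-s3">
  <disabled>no</disabled>
  <!-- Assumed polling interval; tune it to your CloudTrail log volume -->
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <!-- Keep going past log files that fail to parse, as in the manual test -->
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <!-- S3 bucket the CloudTrail trail writes to -->
    <name>wazuh-cloudtrail</name>
    <!-- Named profile from the AWS credentials file; delete this line
         when the manager runs on EC2 with an instance role attached -->
    <aws_profile>default</aws_profile>
    <!-- Ignore logs older than this date (YYYY-MMM-DD) -->
    <only_logs_after>2022-JUN-29</only_logs_after>
    <!-- Only pull logs for this region -->
    <regions>us-west-2</regions>
  </bucket>
</wodle>
```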
Replace wazuh-cloudtrail with your bucket name.
If you're using an AWS EC2 instance with a role attached, you can remove <aws_profile>default</aws_profile> from the configuration.
Once that is configured, restart the Wazuh manager:
systemctl restart wazuh-manager
Wazuh CloudTrail Documentation
Troubleshooting
If Wazuh stops pulling logs, disable the wodle, run it manually, and then re-enable it.
Manually Testing Pulling from Bucket
/var/ossec/wodles/aws/aws-s3 --bucket wazuh-cloudtrail --only_logs_after 2022-JUN-29 --regions us-west-2 --type cloudtrail --debug 1 --skip_on_error