How to set up CloudTrail and then ingest its logs into Wazuh.
Setup CloudTrail
From the AWS Console create a new CloudTrail trail.
Once it's done creating, it will take a little while before CloudTrail starts populating the bucket with logs.
Wazuh Configuration
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>wazuh-cloudtrail</name>
    <aws_profile>default</aws_profile>
    <only_logs_after>2022-JUN-29</only_logs_after>
    <regions>us-west-2</regions>
  </bucket>
</wodle>
Replace wazuh-cloudtrail with the name of your bucket.
If you're running the Wazuh manager on an AWS EC2 instance with an IAM role attached, you can remove <aws_profile>default</aws_profile> from the configuration and the wodle will use the instance role instead.
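Before restarting, it is worth checking that the wodle block actually says what you intend: that the placeholder bucket name was replaced, that only_logs_after uses the YYYY-MMM-DD form the page shows, and that the regions look like AWS region names. The validator below is an added example, not part of the original page or of Wazuh itself. It parses a constructed ossec.conf fragment (the page's wodle block, still carrying the placeholder bucket name); the PLACEHOLDER_BUCKET constant and the region pattern are assumptions used only for this sanity check.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: two <ossec_config> blocks, the second holding the
# page's aws-s3 wodle with the placeholder bucket name still in place.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global><jsonout_output>yes</jsonout_output></global>
</ossec_config>
<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>
    <bucket type="cloudtrail">
      <name>wazuh-cloudtrail</name>
      <aws_profile>default</aws_profile>
      <only_logs_after>2022-JUN-29</only_logs_after>
      <regions>us-west-2</regions>
    </bucket>
  </wodle>
</ossec_config>
"""

PLACEHOLDER_BUCKET = "wazuh-cloudtrail"          # the example name from the page
INTERVAL_RE = re.compile(r"^\d+[smhd]?$")         # e.g. 10m, 1h, 300
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")  # loose AWS region shape (assumption)


def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # a single well-formed XML document, so wrap it in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")


def find_aws_wodles(root):
    return [w for w in root.iter("wodle") if w.get("name") == "aws-s3"]


def check_aws_s3_wodle(wodle):
    """Return a list of human-readable problems; empty list means it looks sane."""
    problems = []
    if (wodle.findtext("disabled") or "no").strip().lower() != "no":
        problems.append("wodle is disabled")
    interval = (wodle.findtext("interval") or "").strip()
    if not INTERVAL_RE.match(interval):
        problems.append(f"bad interval {interval!r}")
    buckets = wodle.findall("bucket")
    if not buckets:
        problems.append("no <bucket> configured")
    for b in buckets:
        if b.get("type") != "cloudtrail":
            problems.append(f"bucket type {b.get('type')!r} is not cloudtrail")
        name = (b.findtext("name") or "").strip()
        if not name:
            problems.append("bucket has no <name>")
        elif name == PLACEHOLDER_BUCKET:
            problems.append(f"bucket name still set to placeholder {name!r}")
        only_after = (b.findtext("only_logs_after") or "").strip()
        if only_after:
            try:
                # %b matches abbreviated month names case-insensitively, so JUN is fine.
                datetime.strptime(only_after, "%Y-%b-%d")
            except ValueError:
                problems.append(f"only_logs_after {only_after!r} is not YYYY-MMM-DD")
        for region in (b.findtext("regions") or "").split(","):
            region = region.strip()
            if region and not REGION_RE.match(region):
                problems.append(f"region {region!r} does not look like an AWS region")
    return problems


def validate(text):
    root = parse_ossec_conf(text)
    wodles = find_aws_wodles(root)
    if not wodles:
        return ["no aws-s3 wodle found"]
    problems = []
    for w in wodles:
        problems.extend(check_aws_s3_wodle(w))
    return problems


if __name__ == "__main__":
    for p in validate(SAMPLE_OSSEC_CONF) or ["aws-s3 wodle looks sane"]:
        print(p)
```

Run it against the real file with validate(open("/var/ossec/etc/ossec.conf").read()); on the constructed sample it reports only the placeholder bucket name, and once that is replaced it returns an empty list.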
Once that is configured, restart the Wazuh manager:
systemctl restart wazuh-manager
Wazuh CloudTrail Documentation
Troubleshooting
If Wazuh stops pulling logs, disable the wodle, run the pull manually to see the errors, and then re-enable it.
Manually Testing Pulling from Bucket
/var/ossec/wodles/aws/aws-s3 --bucket wazuh-cloudtrail --only_logs_after 2022-JUN-29 --regions us-west-2 --type cloudtrail --debug 1 --skip_on_error
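The disable, manual pull, re-enable cycle is easy to get wrong by hand-editing ossec.conf, since other wodles also carry a <disabled> element. The script below is an added example, not part of the original page or of Wazuh; it edits only the aws-s3 wodle's <disabled> value, runs the same manual pull command the page shows, and restarts the manager. The paths under /var/ossec and the default bucket, region and date are the page's example values and are assumptions to override through the environment variables.

```shell
#!/bin/sh
# Added example (not from the original page): drives the troubleshooting steps
# above: disable the aws-s3 wodle, pull once by hand, re-enable, restart.
set -eu

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"      # assumed default path
AWS_S3="${AWS_S3:-/var/ossec/wodles/aws/aws-s3}"           # assumed default path
BUCKET="${BUCKET:-wazuh-cloudtrail}"                       # page's example bucket
REGIONS="${REGIONS:-us-west-2}"                            # page's example region
ONLY_AFTER="${ONLY_AFTER:-2022-JUN-29}"                    # page's example date

# Rewrite <disabled> inside the aws-s3 wodle only; other wodles are untouched.
# Uses a temp file instead of sed -i so it works with both GNU and BSD sed.
set_aws_wodle_disabled() {
    conf="$1"; value="$2"
    tmp="$conf.tmp.$$"
    sed "/<wodle name=\"aws-s3\">/,/<\/wodle>/ s|<disabled>[a-z]*</disabled>|<disabled>$value</disabled>|" "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Print the current <disabled> value of the aws-s3 wodle (yes or no).
aws_wodle_disabled() {
    sed -n "/<wodle name=\"aws-s3\">/,/<\/wodle>/ s|.*<disabled>\([a-z]*\)</disabled>.*|\1|p" "$1"
}

# One manual pull with debug output, mirroring the page's command.
manual_pull() {
    "$AWS_S3" --bucket "$BUCKET" --only_logs_after "$ONLY_AFTER" \
        --regions "$REGIONS" --type cloudtrail --debug 1 --skip_on_error
}

case "${1:-}" in
    disable) set_aws_wodle_disabled "$OSSEC_CONF" yes; systemctl restart wazuh-manager ;;
    pull)    manual_pull ;;
    enable)  set_aws_wodle_disabled "$OSSEC_CONF" no;  systemctl restart wazuh-manager ;;
    status)  aws_wodle_disabled "$OSSEC_CONF" ;;
    *)       echo "usage: $0 disable|pull|enable|status" ;;
esac
```

Typical use is three invocations in order: disable, then pull (read the debug output for credential, region or bucket errors), then enable. The status action just reports whether the wodle is currently disabled.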