How to set up CloudTrail and then ingest its logs into Wazuh.

Setup CloudTrail

From the AWS Console, create a new CloudTrail trail (CloudTrail Console: Quick trail create).

Once the trail is created, it takes a little while before CloudTrail starts populating the bucket with logs.

Wazuh Configuration

<wodle name="aws-s3">
  <disabled>no</disabled>
  <bucket type="cloudtrail">
    <name>wazuh-cloudtrail</name>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Replace wazuh-cloudtrail with the name of your bucket.

If you are running Wazuh on an AWS EC2 instance with an IAM role attached, you can remove <aws_profile>default</aws_profile> from the configuration.

Wazuh S3 documentation

AWS credentials

Once that is configured, restart the Wazuh manager:

systemctl restart wazuh-manager

Wazuh CloudTrail Documentation


If Wazuh stops pulling logs, disable the wodle, run it manually, and then re-enable it.

Manually Testing Pulling from Bucket

/var/ossec/wodles/aws/aws-s3 --bucket wazuh-cloudtrail --only_logs_after 2022-JUN-29 --regions us-west-2 --type cloudtrail --debug 1 --skip_on_error
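The disable, pull by hand, re-enable recovery step above as a script. This is an added example, not part of the original note; it assumes the aws-s3 wodle in ossec.conf already carries a <disabled> element, and uses the bucket, region and date from the command above.

```shell
# Added example (not from the original note): toggle the aws-s3 wodle and run a
# one-off pull. Assumes <wodle name="aws-s3"> in ossec.conf has a <disabled> element.

# set_aws_wodle_disabled <ossec.conf> <yes|no>
# Rewrites only the <disabled> element inside <wodle name="aws-s3">; other wodles
# carry their own <disabled> and must stay untouched.
set_aws_wodle_disabled() {
  conf="$1"; value="$2"; tmp="${conf}.tmp.$$"
  awk -v v="$value" '
    /<wodle name="aws-s3">/ { inside = 1 }
    inside && /<disabled>/  { sub(/<disabled>[^<]*<\/disabled>/, "<disabled>" v "</disabled>") }
    /<\/wodle>/             { inside = 0 }
    { print }
  ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
  # cat rather than mv so ossec.conf keeps its owner and mode
  cat "$tmp" > "$conf" && rm -f "$tmp"
}

# aws_wodle_disabled_state <ossec.conf>  -> prints yes or no for the aws-s3 wodle
aws_wodle_disabled_state() {
  awk '
    /<wodle name="aws-s3">/ { inside = 1 }
    inside && match($0, /<disabled>[^<]*<\/disabled>/) {
      # strip the 10-char <disabled> and 11-char </disabled> tags
      print substr($0, RSTART + 10, RLENGTH - 21); exit
    }
    /<\/wodle>/ { inside = 0 }
  ' "$1"
}

# manual_cloudtrail_pull: run on the Wazuh manager itself. Stops the scheduled
# wodle, pulls once by hand with the same flags as the note, then re-enables it.
manual_cloudtrail_pull() {
  conf=/var/ossec/etc/ossec.conf
  set_aws_wodle_disabled "$conf" yes && systemctl restart wazuh-manager
  /var/ossec/wodles/aws/aws-s3 --bucket wazuh-cloudtrail --only_logs_after 2022-JUN-29 \
    --regions us-west-2 --type cloudtrail --debug 1 --skip_on_error
  set_aws_wodle_disabled "$conf" no && systemctl restart wazuh-manager
}
```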