Enabling AWS CloudTrail Logs in Wazuh with DuploCloud - Pratiksha-Marane/duplo-docs GitHub Wiki


Step 1: Enable CloudTrail Logs in DuploCloud

  1. Access System Settings:

    • Navigate to System Settings > AWS Account Security.
    • Enable CloudTrail Logs.
  2. Retrieve S3 Bucket Name:

    • Once CloudTrail is enabled, DuploCloud will automatically create an S3 bucket to store CloudTrail logs.
    • Copy the bucket name for further configuration.
  3. Verify Logs in AWS Console:

    • Access the AWS Console and go to S3.
    • Search for the bucket created by DuploCloud and verify that logs are being stored there.

Step 2: Configure S3 Bucket Permissions for Compliance

  1. Access IAM Role:

    • Go to the IAM role associated with the Compliance Tenant.
  2. Add Custom S3 Permissions:

    • Attach a custom IAM policy to that role which allows all S3 actions on the bucket that stores the CloudTrail logs.

Step 3: Configure ossec.conf for CloudTrail Logs in Wazuh

  1. Update ossec.conf:

    • Open the Wazuh configuration file ossec.conf.
    • Add or update the following <wodle name="aws-s3"> block, replacing the placeholders with your own values:
    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>
      <!-- CloudTrail settings -->
      <bucket type="cloudtrail">
        <name>WAZUH_AWS_BUCKET</name>
        <aws_profile>default</aws_profile>
        <aws_account_id>123456789012</aws_account_id>
        <regions>us-east-1,us-east-2</regions>
        <path>wazuh-logs</path>
        <only_logs_after>2018-JAN-01</only_logs_after>
        <aws_organization_id>AWS-ORG-1</aws_organization_id>
      </bucket>
    </wodle>
    • Replace Values:
      • Replace WAZUH_AWS_BUCKET with your S3 bucket name.
      • Update <path> with any specific prefix you may be using.
  2. Save Changes:

    • Save the updated ossec.conf file.
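Before restarting the manager it is worth checking the edited block for leftover placeholders and malformed values. The Python script below is an added example, not part of the DuploCloud docs or of Wazuh itself; it assumes the block above is the one being edited, treats the sample account ID and organization ID as placeholders as well, and uses constructed replacement values.

```python
import re
import xml.etree.ElementTree as ET

# Values that appear as placeholders in the sample block on this page.
PLACEHOLDERS = {"WAZUH_AWS_BUCKET", "123456789012", "AWS-ORG-1"}
# Wazuh documents only_logs_after as YYYY-MMM-DD (e.g. 2018-JAN-01).
DATE_RE = re.compile(r"^\d{4}-(JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)-\d{2}$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")  # e.g. us-east-1

def check_aws_s3_wodle(xml_text):
    """Return the list of problems in an aws-s3 wodle block; empty means it passes."""
    wodle = ET.fromstring(xml_text)
    if wodle.tag != "wodle" or wodle.get("name") != "aws-s3":
        return ['root element is not <wodle name="aws-s3">']
    problems = []
    if (wodle.findtext("disabled") or "").strip() != "no":
        problems.append("module is disabled; set <disabled>no</disabled>")
    for b in wodle.findall("bucket"):
        if b.get("type") != "cloudtrail":
            problems.append(f"bucket type {b.get('type')!r} is not 'cloudtrail'")
        for tag in ("name", "aws_account_id", "aws_organization_id"):
            val = (b.findtext(tag) or "").strip()
            if tag == "name" and not val:
                problems.append("<name> is empty")
            elif val in PLACEHOLDERS:
                problems.append(f"<{tag}> still holds placeholder {val!r}")
        date = (b.findtext("only_logs_after") or "").strip()
        if date and not DATE_RE.match(date):
            problems.append(f"<only_logs_after> {date!r} is not YYYY-MMM-DD")
        for region in (b.findtext("regions") or "").split(","):
            if region.strip() and not REGION_RE.match(region.strip()):
                problems.append(f"region {region.strip()!r} does not look like an AWS region")
    return problems

# Constructed sample: the block from this page with its placeholders untouched.
UNEDITED = """<wodle name="aws-s3">
  <disabled>no</disabled><interval>10m</interval>
  <run_on_start>yes</run_on_start><skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail"><name>WAZUH_AWS_BUCKET</name>
    <aws_profile>default</aws_profile><aws_account_id>123456789012</aws_account_id>
    <regions>us-east-1,us-east-2</regions><path>wazuh-logs</path>
    <only_logs_after>2018-JAN-01</only_logs_after>
    <aws_organization_id>AWS-ORG-1</aws_organization_id></bucket>
</wodle>"""
# The same block after the operator fills in (constructed) real values.
EDITED = (UNEDITED.replace("WAZUH_AWS_BUCKET", "duplo-cloudtrail-logs-example")
          .replace("123456789012", "210987654321")
          .replace("AWS-ORG-1", "o-exampleorgid"))
```

Running `check_aws_s3_wodle(UNEDITED)` reports the three leftover placeholders, while the filled-in block returns an empty list.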

Step 4: Restart Wazuh Manager

  1. Restart Wazuh:
    • Restart the Wazuh manager to apply the changes.

Step 5: Enable Amazon AWS Module in Wazuh

  1. Access Wazuh Settings:

    • Go to Settings > Modules and enable Amazon AWS.
  2. Verify AWS Tab:

    • Navigate to the Modules section in Wazuh, where the AWS tab should now be visible.

Step 6: Confirm Log Ingestion in Wazuh Dashboard

  1. View Logs:
    • Go to the Logs section in the Wazuh dashboard.
    • Verify that AWS CloudTrail logs are being ingested and displayed.
