Amazon CloudWatch Logs
AWS CloudWatch Logs is a service that allows the users to centralize the logs from all their systems, applications, and AWS services in a single place. In order to understand how Cloudwatch Logs works it is important to learn about the following concepts:
Log events: CloudWatch saves the logs generated by the application or resource being monitored as log events. A log event is a record with two properties: the timestamp when the event occurred and the raw log message.
Log streams: Log events are stored in log streams. A log stream represents a sequence of events coming from the application instance or resource being monitored. All log events in a log stream share the same source.
Log groups: Log streams are grouped using log groups. A log group defines a group of log streams that share retention, monitoring, and access control settings.
AWS configuration
AWS CloudWatch logs can be accessed by using the ThreatLockDown CloudWatch Logs integration. The AWS API allows ThreatLockDown to retrieve those logs, analyze them, and raise alerts if applicable.
Policy configuration
To create a policy using the Amazon Web Services console, follow the AWS documentation.
Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the ThreatLockDown user.
To allow an AWS user to use the module with read-only permissions, it must have a policy like the following attached:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "logs:DescribeLogStreams",
"Resource": "arn:aws:logs:region:account_ID:log-group:log_group_name:*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "logs:GetLogEvents",
"Resource": "arn:aws:logs:region:account_ID:log-group:log_group_name:log-stream:log_stream_name"
}
]
}
If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "logs:DescribeLogStreams",
"Resource": "arn:aws:logs:region:account_ID:log-group:log_group_name:*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:DeleteLogStream"
],
"Resource": "arn:aws:logs:region:account_ID:log-group:log_group_name:log-stream:*"
}
]
}
Once a policy has been created, there are different methods available to attach it to a user, such as attaching it directly or to a group to which the user belongs. More information on how to perform those tasks on the AWS documentation.
ThreatLockDown configuration
Open the ThreatLockDown configuration file (
/var/ossec/etc/ossec.conf
) and add the following configuration block to enable the integration with CloudWatch Logs:<wodle name="aws-s3"> <disabled>no</disabled> <interval>5m</interval> <run_on_start>yes</run_on_start> <service type="cloudwatchlogs"> <aws_profile>default</aws_profile> <aws_log_groups>example_log_group</aws_log_groups> <regions>us-east-1</regions> </service> </wodle>
Users must specify at least one AWS log group from where the logs will be extracted. Multiple regions can be added separated by commas. If no region is specified the module will look for the log group in every available region.
Note
Check the AWS S3 module reference manual to learn more about each setting.
Restart ThreatLockDown in order to apply the changes:
If you are configuring a ThreatLockDown manager:
# systemctl restart wazuh-manager
# service wazuh-manager restart
If you are configuring a ThreatLockDown agent:
# systemctl restart wazuh-agent
# service wazuh-agent restart
CloudWatch Logs use cases
Check the Amazon ECR Image scanning section to learn how to use the CloudWatch Logs integration to pull logs from Amazon ECR Image scans.