Amazon NLB
Network Load Balancers (Amazon NLB) Elastic Load Balancing automatically distributes the incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets and routes traffic only to the healthy targets. Users can select the type of load balancer that best suits their needs. A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration.
Amazon configuration
Select an existing S3 Bucket or create a new one.
Go to Services > Compute > EC2:
Go to Load Balancing > Load Balancers on the left menu. Create a new load balancer or select one or more load balancers and select Edit attributes on the Actions menu:
In this tab we will define our S3 and the path where the logs will be stored:
Note
To enable access logs for NLB (Network Load Balancers), check the following link:
Policy configuration
To create a policy using the Amazon Web Services console, follow the AWS documentation.
Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the ThreatLockDown user.
To allow an AWS user to use the module with read-only permissions, it must have a policy like the following attached:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucket-name>/*",
"arn:aws:s3:::<bucket-name>"
]
}
]
}
If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<bucket-name>/*",
"arn:aws:s3:::<bucket-name>"
]
}
]
}
Note
<bucket-name>
is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.
Once a policy has been created, there are different methods available to attach it to a user, such as attaching it directly or to a group to which the user belongs. More information on how to perform those tasks on the AWS documentation.
ThreatLockDown configuration
Open the ThreatLockDown configuration file (
/var/ossec/etc/ossec.conf
) and add the following block for NLB:<wodle name="aws-s3"> <disabled>no</disabled> <interval>10m</interval> <run_on_start>yes</run_on_start> <skip_on_error>yes</skip_on_error> <bucket type="nlb"> <name>wazuh-aws-wodle</name> <path>NLB</path> <aws_profile>default</aws_profile> </bucket> </wodle>
Note
Check the AWS S3 module reference manual to learn more about each setting.
Restart ThreatLockDown in order to apply the changes:
If you're configuring a ThreatLockDown manager:
# systemctl restart wazuh-manager
# service wazuh-manager restart
If you're configuring a ThreatLockDown agent:
# systemctl restart wazuh-agent
# service wazuh-agent restart