
New Custom Logs Buckets documentation #6254

Merged
merged 5 commits into 4.7.0 from 13577-custom-logs-bucket-subscriber
Aug 9, 2023

Conversation

fdalmaup
Member

Description

This PR adds the documentation for the new Custom Logs Buckets feature to be included in wazuh/wazuh#13577, adding new parameters for the AWS module reference and extending the available <subscriber> values.

Checks

  • Compiles without warnings.
  • Uses present tense, active voice, and semi-formal registry.
  • Uses short, simple sentences.
  • Uses bold for user interface elements, italics for key terms or emphasis, and code font for Bash commands, file names, REST paths, and code.
  • Uses three spaces indentation.
  • Adds or updates meta descriptions accordingly.
  • Updates the redirects.js script if necessary (check this guide).

@fdalmaup fdalmaup self-assigned this Jul 19, 2023
@fdalmaup fdalmaup linked an issue Jul 19, 2023 that may be closed by this pull request
@fdalmaup fdalmaup force-pushed the 13577-custom-logs-bucket-subscriber branch 2 times, most recently from b482198 to 40767aa Compare July 19, 2023 16:30
@fdalmaup fdalmaup force-pushed the 13577-custom-logs-bucket-subscriber branch from 40767aa to 457622d Compare August 3, 2023 14:53
@fdalmaup fdalmaup force-pushed the 13577-custom-logs-bucket-subscriber branch from 457622d to 7f153b0 Compare August 3, 2023 15:03
@fdalmaup fdalmaup requested a review from Selutario August 4, 2023 15:32
@javimed javimed added the level/task and type/enhancement labels Aug 7, 2023
`Amazon Simple Queue Service (Amazon SQS) <https://aws.amazon.com/sqs/>`_ is a fully managed message queuing service that offers secure, durable, and available hosted queues to decouple and scale software systems and components.
It allows sending, storing, and receiving messages between software components at any volume, without losing messages or requiring other services to be available. These features make it an optimal component to associate with Amazon S3 Buckets to consume any type of log.

Combining Amazon SQS with Amazon S3 buckets, allows Wazuh to fetch any JSON, CSV or plain text logs, originated in AWS or not, and process the events inside them.
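Review bot: the comma between subject and verb in "Combining Amazon SQS with Amazon S3 buckets, allows Wazuh" should go, and "originated in AWS or not" reads more naturally as "whether or not they originate in AWS". This introduction would also benefit from one sentence on what the queue changes compared with the existing bucket integrations: the bucket publishes a notification for each new object to the SQS queue, so Wazuh does not depend on a fixed folder layout and each notification is consumed once, which is the point the reviewers below ask to have made explicit.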
Member

@javimed javimed Aug 9, 2023


This is not clear enough. What's new to Wazuh about fetching logs and processing the events inside?

Contributor

@Selutario Selutario Aug 9, 2023


The difference with what already exists is the following:

  • Currently, all of Wazuh's AWS integrations that read logs stored in buckets, like CloudTrail, Macie, etc., require specifying the path in the configuration and that the logs are saved in a defined and very strict folder structure. These structures are the ones that can be consulted here (Paths to logs). Wazuh directly accessed those paths and downloaded the items found inside.
  • Now, this new feature of Custom Logs Buckets allows reading logs stored in any path of a bucket, even from multiple buckets. In addition, it allows one to do it in a distributed and simultaneous way with different managers or Wazuh agents, without duplicating logs. This is done because the bucket publishes a notification to the SQS queue containing the full path of each new file stored in it. The notification is consumed only once, so it won't duplicate alerts.
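The consume-once mechanism described in the comment above, as an added example that is not Wazuh's code. It parses S3 event notifications in Amazon's documented `Records[].s3.bucket.name` / `s3.object.key` shape (object keys arrive URL-encoded, so they are decoded), ignores non-`ObjectCreated` records and the `s3:TestEvent` sent when a notification is configured, and deletes a queue message only after its objects were handled, so a failure leaves the notification in the queue for another consumer. `FakeSqsClient`, `process_notifications`, the queue URL and the sample messages are constructed for this example; the fake client only mimics the `receive_message` / `delete_message` call shapes of boto3 so the script runs offline.

```python
import json
from urllib.parse import unquote_plus


def parse_s3_notification(body):
    """Return (bucket, key) pairs for ObjectCreated records in one message body.

    Keys in S3 notifications are URL-encoded (a space arrives as '+'), so they
    are decoded before use. ObjectRemoved records, the s3:TestEvent message and
    non-JSON bodies yield no objects.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return []
    objects = []
    for record in payload.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated"):
            continue
        s3 = record.get("s3", {})
        bucket = s3.get("bucket", {}).get("name")
        key = s3.get("object", {}).get("key")
        if bucket and key:
            objects.append((bucket, unquote_plus(key)))
    return objects


class FakeSqsClient:
    """Constructed in-memory stand-in for a boto3 SQS client (same call shapes)."""

    def __init__(self, bodies):
        # Every queued message carries a receipt handle, as in real SQS.
        self._messages = {f"rh-{i}": body for i, body in enumerate(bodies)}

    def receive_message(self, QueueUrl, MaxNumberOfMessages=10, **_):
        batch = [{"ReceiptHandle": rh, "Body": body}
                 for rh, body in list(self._messages.items())[:MaxNumberOfMessages]]
        return {"Messages": batch} if batch else {}

    def delete_message(self, QueueUrl, ReceiptHandle):
        self._messages.pop(ReceiptHandle)

    def pending(self):
        return len(self._messages)


def process_notifications(sqs, queue_url, handle_object):
    """Drain the queue, deleting each message only after its objects were handled.

    Deleting after success is what makes a notification count once across
    several consumers: if handle_object raises, the message is not deleted and
    SQS redelivers it once its visibility timeout expires.
    """
    handled = []
    while True:
        messages = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10).get("Messages", [])
        if not messages:
            return handled
        for msg in messages:
            for bucket, key in parse_s3_notification(msg["Body"]):
                handle_object(bucket, key)
                handled.append((bucket, key))
            sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])


# Constructed sample messages: one creation event, one test event, one deletion.
SAMPLE_BODIES = [
    json.dumps({"Records": [{"eventName": "ObjectCreated:Put",
                             "s3": {"bucket": {"name": "example-logs-bucket"},
                                    "object": {"key": "custom/app+logs/2023-08-09.json"}}}]}),
    json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent"}),
    json.dumps({"Records": [{"eventName": "ObjectRemoved:Delete",
                             "s3": {"bucket": {"name": "example-logs-bucket"},
                                    "object": {"key": "old.log"}}}]}),
]
QUEUE_URL = "https://sqs.example.invalid/queue"  # constructed placeholder


def run_demo():
    """Drain the constructed queue and return (handled objects, messages left)."""
    sqs = FakeSqsClient(SAMPLE_BODIES)
    handled = process_notifications(sqs, QUEUE_URL, lambda bucket, key: None)
    return handled, sqs.pending()


def run_failure_demo():
    """Show that a failing handler leaves the notification queued for retry."""
    sqs = FakeSqsClient([SAMPLE_BODIES[0]])

    def failing_handler(bucket, key):
        raise RuntimeError("download failed")

    try:
        process_notifications(sqs, QUEUE_URL, failing_handler)
    except RuntimeError:
        pass
    return sqs.pending()


if __name__ == "__main__":
    print(run_demo(), run_failure_demo())
```

With a real boto3 client the same `process_notifications` loop applies unchanged; what differs operationally is that several managers or agents can run it against the same queue, because SQS hides a received message from other consumers until it is deleted or its visibility timeout expires.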


The steps to have an S3 bucket reporting creation events are:

#. Configure an S3 bucket as defined in the :ref:`Configuring an S3 Bucket <s3_bucket>` section with the name provided in the previous section.
Member


What previous section? What name provided?

Contributor


It probably refers to the <s3-bucket> in this line and this one.


The available authentication methods are :ref:`IAM Roles <iam_roles>` or :ref:`Profiles <aws_profile>`.

* ``<profile>``: A valid profile name from a Shared Credential File or AWS Config File with the permission to read logs from the bucket.
Member


Suggested change
* ``<profile>``: A valid profile name from a Shared Credential File or AWS Config File with the permission to read logs from the bucket.
* ``<aws_profile>``: A valid profile name from a Shared Credential File or AWS Config File with the permission to read logs from the bucket.

@@ -252,3 +252,7 @@ Error codes reference
+-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| 21 | Failed fetch/delete from SQS | Check that no more instances of the wodle are running at the same time. |
+-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| 22 | Invalid region | Check the provided ``region`` in the ``ossec.conf`` file. |
+-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| 23 | Profile not found | Check the provided ``profile`` in the ``ossec.conf`` file. |
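Review bot: row 21's hint only covers concurrent wodle instances, but "Failed fetch/delete from SQS" is just as often caused by the credentials in use lacking permission to receive or delete messages on the queue (the `sqs:ReceiveMessage` and `sqs:DeleteMessage` actions); the hint should also tell the reader to check the queue policy and the IAM permissions of the role or profile, since a consumer that can receive but not delete will reprocess the same notifications. Row 23 should use the same parameter name as the reference entry for the profile option so readers can find it in `ossec.conf`.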
Member


Suggested change
| 23 | Profile not found | Check the provided ``profile`` in the ``ossec.conf`` file. |
| 23 | Profile not found | Check the provided ``aws_profile`` in the ``ossec.conf`` file. |

@javimed javimed merged commit d420913 into 4.7.0 Aug 9, 2023
@javimed javimed deleted the 13577-custom-logs-bucket-subscriber branch August 9, 2023 19:15
Successfully merging this pull request may close these issues.

Expand support for custom AWS logs