Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not receiving all of the events from the AWS integrations #14485

Open
antonisnyc94 opened this issue Aug 4, 2022 · 2 comments
Open

Not receiving all of the events from the AWS integrations #14485

antonisnyc94 opened this issue Aug 4, 2022 · 2 comments
Assignees
@davidjiglesias
Labels
module/aws reporter/community type/bug Something isn't working

Comments

@antonisnyc94
Copy link

Wazuh version Component Install type Install method Platform
4.2.2 Wazuh manager Manager/Agent wazuh/wazuh-odfe:4.2.2 Amazon EKS 1.21

Hello,

I've noticed that we do not receive all of the AWS Cloudtrail events created in our ElasticSearch cluster. For example i might intentionally trigger 10 Console login failures, but end up receiving only 3-4 in our Elasticsearch. I confirmed and all of the events are in the s3 bucket. What is the best way to troubleshoot?

all of the s3 plugins run in the master node.

  <wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>yyyy</name>
  </bucket>
  <bucket type="config">
    <name>zzzzz</name>
  </bucket>
  <bucket type="guardduty">
    <name>yyyy</name>
    <path>guardduty</path>
  </bucket>
  <bucket type="custom">
    <name>yyyy</name>
    <path>kms</path>
  </bucket>
  <bucket type="custom">
    <name>yyyy</name>
    <path>macie</path>
  </bucket>
  <bucket type="cloudtrail">
    <name>xxxx</name>
  </bucket>
  <bucket type="config">
    <name>uuuu</name>
  </bucket>
  <bucket type="guardduty">
    <name>xxxx</name>
    <path>guardduty</path>
  </bucket>
  <bucket type="custom">
    <name>xxxx</name>
    <path>kms</path>
  </bucket>
 </wodle>

Best,
Tony
@davidjiglesias
Copy link
Member

Hello @antonisnyc94,

First of all, thank you for your contribution.

The behavior you indicate is very strange and might be exposing a bug. To further troubleshoot, we can first identify if the logs are arriving at the manager. For that, we can enable logall and check archives file to see if all events are there. Remember to restart the manager after changing the configuration.

@davidjiglesias davidjiglesias self-assigned this Aug 8, 2022
@an4oh
Copy link

an4oh commented Jul 31, 2023

Hi, I'm having the same issue related to Cloudtrail integration. Seem that we're receiving events logs only from specific services (eg: no logs from secretsmanager and other services at all). There are updates on this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@davidjiglesias davidjiglesias

Labels
module/aws reporter/community type/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@an4oh @antonisnyc94 @davidjiglesias