Logs Missing in alerts.json After Switching to SQS Subscriber in ossec.conf #469

Open
SharjeelVLRNT opened this issue Dec 30, 2024 · 0 comments

Wazuh Versions:
Wazuh agent version 4.9.2
Wazuh manager version 4.9.1

I need some assistance with an issue I’m facing. I’m working on retrieving AWS SQS messages and processing them in my agent pod. I’m attempting to replace the following block in the file located at /var/ossec/etc/ossec.conf:

```xml
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>BUCKET_NAME</name>
    <aws_profile>AWS_PROFILE</aws_profile>
  </bucket>
</wodle>
```

With this block:

```xml
<wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <subscriber type="buckets">
        <sqs_name>sqs-queue</sqs_name>
        <aws_profile>AWS_PROFILE</aws_profile>
    </subscriber>
</wodle>
```

The reference documentation can be found -> https://documentation.wazuh.com/current/cloud-security/amazon/services/supported-services/custom-buckets.html.

After adding the new block and restarting the pod, everything works fine on the agent pod. I can see messages being processed as expected, with logs appearing in /var/ossec/logs/ossec.log.

However, on the manager pod, no new logs appear in alerts.json, even though I see the messages being processed in the agent pod within the defined time interval. Previously, before making this change, new logs related to S3 appeared in alerts.json on the manager pod without any issue.

Here’s what I tried to resolve this:

  1. Edited the ossec.conf file in the manager pod and set `<logall_json>` to yes.
  2. Updated the filebeat.yml file with the following values:

```yaml
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true # Updated to true
```

After these changes, I was able to view logs in JSON format in archives.json, but still nothing in alerts.json.

My questions are:

  1. Is there a way to ensure logs appear in alerts.json?
  2. Even if not possible, the JSON format in archives.json is different from what I used to receive in alerts.json before doing my changes. Making backend code changes to handle this would be problematic for us. Is there any alternative solution?
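One way to narrow this down is to look at what the manager actually did with the events, since alerts.json only receives events that matched a rule whose level is at or above the manager's alert threshold, while archives.json (with `<logall_json>`) receives every event, matched or not. The script below is an added example, not code from this issue or from the Wazuh project: it reads archives.json lines and sorts each event into "alerted", "matched a rule below the threshold", or "matched no rule", broken down by the `aws.source` value the event carries. It assumes the manager default `<log_alert_level>` of 3; the sample lines are constructed in the archives.json shape, and the `aws.source` values in them are illustrative, not taken from a real deployment.

```python
import json
from collections import Counter

# Manager default for <log_alert_level> in ossec.conf (assumption; set it to your value).
DEFAULT_LOG_ALERT_LEVEL = 3

# Constructed sample lines in the shape of /var/ossec/logs/archives/archives.json
# (not real data from the issue). One event matched an AWS rule, one decoded JSON
# event matched no rule at all, one matched a rule below the alert threshold.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2024-12-30T10:00:00.000+0000","rule":{"level":3,"description":"AWS CloudTrail: ConsoleLogin","id":"80202","groups":["amazon","aws","aws_cloudtrail"]},"agent":{"id":"001","name":"agent-pod"},"manager":{"name":"manager-pod"},"id":"1735552800.1","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"cloudtrail","eventName":"ConsoleLogin"}},"location":"Wazuh-AWS"}
{"timestamp":"2024-12-30T10:00:05.000+0000","agent":{"id":"001","name":"agent-pod"},"manager":{"name":"manager-pod"},"id":"1735552805.2","full_log":"{\"integration\":\"aws\",\"aws\":{\"source\":\"custom\",\"message\":\"raw bucket line\"}}","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"custom","message":"raw bucket line"}},"location":"Wazuh-AWS"}
{"timestamp":"2024-12-30T10:00:10.000+0000","rule":{"level":1,"description":"low","id":"99901","groups":["custom"]},"agent":{"id":"001","name":"agent-pod"},"manager":{"name":"manager-pod"},"id":"1735552810.3","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"source":"custom"}},"location":"Wazuh-AWS"}
'''


def parse_archives(text):
    """Parse newline-delimited JSON. Malformed lines are counted, not raised,
    because a partially written last line is normal on a live log file."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def classify(event, alert_level=DEFAULT_LOG_ALERT_LEVEL):
    """Where this event would have gone on the manager:
    'alerted' -> written to alerts.json, 'below_threshold' -> matched a rule
    but under <log_alert_level>, 'no_rule' -> decoded but matched nothing."""
    rule = event.get("rule")
    if rule is None:
        return "no_rule"
    if int(rule.get("level", 0)) < alert_level:
        return "below_threshold"
    return "alerted"


def aws_source(event):
    """The aws.source field of a decoded AWS integration event, if present."""
    data = event.get("data") or {}
    if data.get("integration") != "aws":
        return "not-aws"
    return (data.get("aws") or {}).get("source", "unknown")


def summarize(text, alert_level=DEFAULT_LOG_ALERT_LEVEL):
    """Count outcomes overall and per (aws.source, outcome) pair."""
    events, malformed = parse_archives(text)
    outcome, by_source = Counter(), Counter()
    for ev in events:
        c = classify(ev, alert_level)
        outcome[c] += 1
        by_source[(aws_source(ev), c)] += 1
    return {
        "events": len(events),
        "malformed": malformed,
        "outcome": dict(outcome),
        "by_source": dict(by_source),
    }


if __name__ == "__main__":
    import pprint
    import sys

    # Usage: python archives_check.py /var/ossec/logs/archives/archives.json
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ARCHIVES
    pprint.pprint(summarize(text))
```

If the SQS-delivered events show up under `no_rule`, the manager is receiving them but nothing in the ruleset fires on them, and the fix is a rule (custom or otherwise) rather than a Filebeat change; if they show up under `below_threshold`, lowering `<log_alert_level>` or raising the rule's level puts them in alerts.json. If they do not appear in archives.json at all, the problem is between the agent and the manager, not in alerting.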