
Release 4.5.1 - Alpha 1 - E2E UX tests - Amazon Cloudwatch Logs integration #4402

Closed
1 of 2 tasks
QU3B1M opened this issue Aug 7, 2023 · 6 comments
Assignees
Labels

Comments

@QU3B1M
Member

QU3B1M commented Aug 7, 2023

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

| Field | Value |
| --- | --- |
| Test name | Amazon Cloudwatch Logs integration |
| Category | Cloud Security |
| Deployment option | Single Indexer, Server & Dashboard: Quickstart |
| Main release candidate issue | wazuh/wazuh#18224 |
| Release candidate # | Alpha 1 |

Test description

Configure AWS CloudWatch Logs in a Wazuh Manager and a Wazuh Agent.
Ensure the events are correctly displayed on the dashboard.

Test the sample configuration provided in this documentation page:
https://documentation.wazuh.com/current/amazon/services/supported-services/cloudwatchlogs.html

Use discard_regex option to effectively discard certain types of events.

Test report procedure

All test results must have one of the following statuses:

🟢 All checks passed.
🔴 There is at least one failed check.
🟡 There is at least one expected to fail or skipped test and no failures.

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results must be attached as a zip or txt. Please attach any documents, screenshots or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Conclusions

All tests have been executed. Results:

| Status | Test | Failure type | Notes |
| --- | --- | --- | --- |
| 🟢 | Test Cloudwatch logs integration on wazuh-manager | -- | -- |
| 🟢 | Test Cloudwatch logs integration on wazuh-agent | -- | -- |

All tests have passed. I, therefore, conclude that this issue is finished and OK for this release candidate.

Auditors' validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

@QU3B1M
Member Author

QU3B1M commented Aug 7, 2023

wazuh-manager installation

sudo bash ./wazuh-install.sh -a

07/08/2023 13:32:40 INFO: Starting Wazuh installation assistant. Wazuh version: 4.5.1
07/08/2023 13:32:40 INFO: Verbose logging redirected to /var/log/wazuh-install.log
07/08/2023 13:32:56 INFO: Wazuh development repository added.
07/08/2023 13:32:56 INFO: --- Configuration files ---
07/08/2023 13:32:56 INFO: Generating configuration files.
07/08/2023 13:32:57 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/08/2023 13:32:58 INFO: --- Wazuh indexer ---
07/08/2023 13:32:58 INFO: Starting Wazuh indexer installation.
07/08/2023 13:36:13 INFO: Wazuh indexer installation finished.
07/08/2023 13:36:13 INFO: Wazuh indexer post-install configuration finished.
07/08/2023 13:36:13 INFO: Starting service wazuh-indexer.
07/08/2023 13:36:42 INFO: wazuh-indexer service started.
07/08/2023 13:36:42 INFO: Initializing Wazuh indexer cluster security settings.
07/08/2023 13:36:52 INFO: Wazuh indexer cluster initialized.
07/08/2023 13:36:52 INFO: --- Wazuh server ---
07/08/2023 13:36:52 INFO: Starting the Wazuh manager installation.
07/08/2023 13:38:46 INFO: Wazuh manager installation finished.
07/08/2023 13:38:46 INFO: Starting service wazuh-manager.
07/08/2023 13:39:01 INFO: wazuh-manager service started.
07/08/2023 13:39:01 INFO: Starting Filebeat installation.
07/08/2023 13:39:14 INFO: Filebeat installation finished.
07/08/2023 13:39:16 INFO: Filebeat post-install configuration finished.
07/08/2023 13:39:16 INFO: Starting service filebeat.
07/08/2023 13:39:16 INFO: filebeat service started.
07/08/2023 13:39:17 INFO: --- Wazuh dashboard ---
07/08/2023 13:39:17 INFO: Starting Wazuh dashboard installation.
07/08/2023 13:41:27 INFO: Wazuh dashboard installation finished.
07/08/2023 13:41:27 INFO: Wazuh dashboard post-install configuration finished.
07/08/2023 13:41:27 INFO: Starting service wazuh-dashboard.
07/08/2023 13:41:27 INFO: wazuh-dashboard service started.
07/08/2023 13:41:59 INFO: Initializing Wazuh dashboard web application.
07/08/2023 13:42:02 INFO: Wazuh dashboard web application initialized.
07/08/2023 13:42:02 INFO: --- Summary ---
07/08/2023 13:42:02 INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: +eli4Gx4uhD*c+?Qrmr.RwAKGXGWY9RX
07/08/2023 13:42:02 INFO: Installation finished.

wazuh-agent installation

 WAZUH_MANAGER='xxx.xx.xx.xx' yum install -y wazuh-agent-4.5.1.x86_64.rpm

Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:19:20 ago on Wed Aug  9 20:59:40 2023.
Dependencies resolved.
========================================================================================================================
 Package                       Architecture             Version                    Repository                      Size
========================================================================================================================
Installing:
 wazuh-agent                   x86_64                   4.5.1-1                    @commandline                   8.7 M

Transaction Summary
========================================================================================================================
Install  1 Package

Total size: 8.7 M
Installed size: 25 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                1/1
  Running scriptlet: wazuh-agent-4.5.1-1.x86_64                                                                     1/1
  Installing       : wazuh-agent-4.5.1-1.x86_64                                                                     1/1
  Running scriptlet: wazuh-agent-4.5.1-1.x86_64                                                                     1/1
  Verifying        : wazuh-agent-4.5.1-1.x86_64                                                                     1/1
Installed products updated.

Installed:
  wazuh-agent-4.5.1-1.x86_64

Complete!

@damarisg damarisg changed the title Amazon Cloudwatch Logs integration Release 4.5.1 - Alpha 1 - Amazon Cloudwatch Logs integration Aug 7, 2023
@QU3B1M
Member Author

QU3B1M commented Aug 8, 2023

Test Blocked 🔐

After several tries with different policies, the creation of the CloudFormation Stack is still not possible due to permission problems. It is being tracked in the issue:

  • wazuh/internal-devel-requests#133

@QU3B1M QU3B1M changed the title Release 4.5.1 - Alpha 1 - Amazon Cloudwatch Logs integration Release 4.5.1 - Alpha 1 - E2E UX tests - Amazon Cloudwatch Logs integration Aug 9, 2023
@QU3B1M
Member Author

QU3B1M commented Aug 9, 2023

AWS Environment Setup

  • ECR Repository created (screenshot)

  • CloudFormation Stack created (screenshot)

  • CloudWatch log group created (screenshot)

  • ECR Scan Completed with vulnerabilities found (screenshot)

@QU3B1M
Member Author

QU3B1M commented Aug 9, 2023

Test Cloudwatch logs integration on wazuh-manager 🟢

  • CloudWatch logs normal execution

    • Configure the integration in ossec.conf
      <wodle name="aws-s3">
        <disabled>no</disabled>
        <interval>5m</interval>
        <run_on_start>yes</run_on_start>
        <service type="cloudwatchlogs">
          <aws_profile>default</aws_profile>
          <aws_log_groups>/aws/ecr/image-scan-findings/cloudwatch-logs-e2e</aws_log_groups>
          <regions>us-east-2</regions>
        </service>
      </wodle>
    • Log is received by the wazuh-manager and the alert is raised
      release-000
      egrep "HIGH" /var/ossec/logs/alerts/alerts.json
      
      {"timestamp":"2023-08-09T18:57:54.559+0000","rule":{"level":12,"description":"AWS CloudWatch Logs.","id":"100001","firedtimes":1,"mail":true,"groups":["local","syslog","sshd"]},"agent":{"id":"000","name":"rhel8.localdomain"},"manager":{"name":"rhel8.localdomain"},"id":"1691607474.271818","decoder":{"name":"json"},"data":{"name":"CVE-2023-31484","description":"CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.","uri":"https://security-tracker.debian.org/tracker/CVE-2023-31484","severity":"HIGH","attributes":[{"key":"CVSS3_SCORE","value":"8.1"},{"key":"package_version","value":"5.36.0-7"},{"key":"package_name","value":"perl"},{"key":"CVSS3_VECTOR","value":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},"location":"Wazuh-AWS"}
  • CloudWatch logs discard_regex feature execution

    • Configure the integration in ossec.conf
      <wodle name="aws-s3">
        <disabled>no</disabled>
        <interval>5m</interval>
        <run_on_start>yes</run_on_start>
        <service type="cloudwatchlogs">
          <aws_profile>default</aws_profile>
          <aws_log_groups>/aws/ecr/image-scan-findings/cloudwatch-logs-e2e</aws_log_groups>
          <discard_regex field="severity">HIGH</discard_regex>
          <regions>us-east-2</regions>
        </service>
      </wodle>
    • The alert is not raised
      release-001
      egrep "HIGH" /var/ossec/logs/alerts/alerts.json
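
The two configurations above differ only in the `<discard_regex field="severity">HIGH</discard_regex>` element, and the test shows its effect: the ECR scan finding with `"severity":"HIGH"` produces alert 100001 without it and produces nothing with it. The following script is an added illustration of that filtering behaviour, written for this report; it is not Wazuh's own AWS wodle code. It takes a handful of constructed CloudWatch-style events shaped like the ECR image-scan finding quoted above, applies a regex to the named JSON field, and drops the events that match. Two assumptions are made here and are not taken from the page: the regex is applied with Python `re.search` semantics, and events that lack the named field are kept because there is nothing to match against.

```python
import json
import re

# Constructed sample events, shaped like the ECR image-scan finding in the
# alert quoted in this issue (not real CloudWatch output).
SAMPLE_EVENTS = [
    '{"name":"CVE-EXAMPLE-0001","severity":"HIGH",'
    '"attributes":[{"key":"package_name","value":"perl"}]}',
    '{"name":"CVE-EXAMPLE-0002","severity":"MEDIUM",'
    '"attributes":[{"key":"package_name","value":"openssl"}]}',
    '{"name":"CVE-EXAMPLE-0003","severity":"LOW"}',
    '{"name":"INFO-EVENT","message":"scan completed"}',  # no severity field
]


def discard_matches(events, field, pattern):
    """Return the events that survive a discard_regex-style filter.

    An event is dropped when it carries `field` and that field's string
    value matches `pattern` (re.search semantics, an assumption made here,
    not a statement about the Wazuh wodle's exact matching rule).
    Events without the field are kept, since there is nothing to match.
    """
    rx = re.compile(pattern)
    kept = []
    for raw in events:
        event = json.loads(raw)
        value = event.get(field)
        if value is not None and rx.search(str(value)):
            continue  # discarded: would never reach the manager as an alert
        kept.append(event)
    return kept


def severities(events):
    """Severity of each surviving event, None where the field is absent."""
    return [e.get("severity") for e in events]


if __name__ == "__main__":
    # Same filter the test used: field="severity", pattern "HIGH".
    kept = discard_matches(SAMPLE_EVENTS, "severity", "HIGH")
    print(severities(kept))
    # A broader pattern discards two severity levels at once.
    print(severities(discard_matches(SAMPLE_EVENTS, "severity", "HIGH|MEDIUM")))
```

Anchoring the pattern matters when severities share a substring (`^HIGH$` versus `HIGH`), and a field that is absent from an event is never a match, so a discard rule on `severity` does not suppress informational events that carry no severity at all.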

@QU3B1M
Member Author

QU3B1M commented Aug 9, 2023

Test Cloudwatch logs integration on wazuh-agent 🟢

  • CloudWatch logs normal execution

    • Configure the integration in ossec.conf
      <wodle name="aws-s3">
        <disabled>no</disabled>
        <interval>5m</interval>
        <run_on_start>yes</run_on_start>
        <service type="cloudwatchlogs">
          <aws_profile>default</aws_profile>
          <aws_log_groups>/aws/ecr/image-scan-findings/cloudwatch-logs-e2e</aws_log_groups>
          <regions>us-east-2</regions>
        </service>
      </wodle>
    • Log is received by the wazuh-manager and the alert is raised
      release-003
      egrep "HIGH" /var/ossec/logs/alerts/alerts.json
      
      {"timestamp":"2023-08-09T21:06:37.874+0000","rule":{"level":12,"description":"AWS CloudWatch Logs.","id":"100001","firedtimes":2,"mail":true,"groups":["local","syslog","sshd"]},"agent":{"id":"002","name":"ebc2856be54c"},"manager":{"name":"rhel8.localdomain"},"id":"1691615197.820884","decoder":{"name":"json"},"data":{"name":"CVE-2023-31484","description":"CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.","uri":"https://security-tracker.debian.org/tracker/CVE-2023-31484","severity":"HIGH","attributes":[{"key":"CVSS3_SCORE","value":"8.1"},{"key":"package_version","value":"5.36.0-7"},{"key":"package_name","value":"perl"},{"key":"CVSS3_VECTOR","value":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},"location":"Wazuh-AWS"}
  • CloudWatch logs discard_regex feature execution

    • Configure the integration in ossec.conf
      <wodle name="aws-s3">
        <disabled>no</disabled>
        <interval>5m</interval>
        <run_on_start>yes</run_on_start>
        <service type="cloudwatchlogs">
          <aws_profile>default</aws_profile>
          <aws_log_groups>/aws/ecr/image-scan-findings/cloudwatch-logs-e2e</aws_log_groups>
          <discard_regex field="severity">HIGH</discard_regex>
          <regions>us-east-2</regions>
        </service>
      </wodle>
    • The alert is not raised
      release-004
      egrep "HIGH" /var/ossec/logs/alerts/alerts.json

@fcaffieri
Member

LGTM
