Release 4.9.0 - Alpha 3 - E2E UX tests - Amazon security lake

[davidjiglesias]

End-to-End (E2E) Testing Guideline

• Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production, always navigate using the current development documention for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and urls for the correct testing of the development packages.
• Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
• Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the DevOps team through this link.
• External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the DevOps team here.
• Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
• Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
• Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
• Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
• Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
• Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Urgent priority. Communicate these to the team and QA via the c-release Slack channel.
• Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
• Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
• Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example https://github.com/wazuh/wazuh/issues/13994.
• Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/devel-pyserver team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
• For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

• 🟢 All checks passed
• 🟡 Found a known issue
• 🔴 Found a new error

Issue delivery and completion

• Initial delivery: The issue's assignee must complete the testing and deliver the results by Jul 24, 2024 and notify the @wazuh/devel-pyserver team via Slack using the c-release channel
• Review: The @wazuh/devel-pyserver team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Jul 25, 2024 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
• Auditor: The QA team must audit, validate the results, and close the issue by Jul 26, 2024.

Deployment requirements

Component	Installation	Type	OS
Indexer	Step by step	Single node	Rocky Linux 9 x86_64
Server	Step by step	Single node	Rocky Linux 9 x86_64
Dashboard	Step by step	-	Rocky Linux 9 x86_64
Agent	Wazuh WUI one-liner deploy using IP	-	Amazon Linux 1 x86_64

Test description

Configure AWS security lake in a Wazuh Manager and a Wazuh Agent. Ensure the events are correctly displayed on the dashboard.

Test the sample configuration provided in this documentation page: https://documentation-dev.wazuh.com/v4.9.0-alpha3/cloud-security/amazon/services/supported-services/security-lake.html#amazon-security-lake

Known issues

There are no known issues.

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below. REMOVE CURRENT EXAMPLES:

Status	Test	Failure type	Notes
:green_circle:	Wazuh Indexer deployment step-by-step	-	-
:green_circle:	Wazuh Server deployment step-by-step	-	-
:green_circle:	Wazuh Dashboard deployment step-by-step	-	-
:green_circle:	Wazuh WUI one-liner deploy using IP (Agent)	-	-
🟡	Configuring AWS Security Lake - Wazuh as suscriber	No alerts are generated in the dashboard	Known issue: https://github.com/wazuh/wazuh/issues/22880
:green_circle:	Configuring AWS Security Lake - Wazuh as custom source	-	-

Feedback

We value your feedback. Please provide insights on your testing experience.

• Was the testing guideline clear? Were there any ambiguities?
  • The guide is quite clear, but the documentation assumes that the user has advanced knowledge of AWS.
• Did you face any challenges not covered by the guideline?
  • I had some issues regarding the permissions assigned to my user in the AWS environment, which did not allow me to view all the information required for the testing. This added to the fact that I have no experience in administration and use of AWS environments.
• Suggestions for improvement:
  • It would be a good idea to have an environment/user specifically prepared with the policies, permissions, AWS resources needed to run the test. This would save time and effort in configuring AWS and spend more time testing the Wazuh integration which is the purpose of the test.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

• [x] @rauldpm
• [x] @wazuh/devel-pyserver

[nbertoldo]

Environment installation :green_circle:

All components were installed following the step-by-step guides.

Components

Component	Installation	Type	OS	IP
Indexer	Step by step	Single node	Rocky Linux 9 x86_64	172.31.47.99
Server	Step by step	Single node	Rocky Linux 9 x86_64	172.31.35.164
Dashboard	Step by step	-	Rocky Linux 9 x86_64	172.31.32.205
Agent	Wazuh WUI one-liner deploy using IP	-	Amazon Linux 1 x86_64	172.31.40.135

OS Versions

Indexer

[rocky@ip-172-31-47-99 ~]$ cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

Manager

[rocky@ip-172-31-35-164 ~]$ cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

Dashboard

[rocky@ip-172-31-32-205 ~]$ cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

Agent

[ec2-user@ip-172-31-40-135 ~]$ cat /etc/os-release 
NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
SUPPORT_END="2023-12-31"

Component installation :green_circle:

Indexer installation :green_circle:

### Certificates creation ```console [root@ip-172-31-47-99 rocky]# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-certs-tool.sh [root@ip-172-31-47-99 rocky]# curl -sO https://packages-dev.wazuh.com/4.9/config.yml ``` ### `config.yml` configuration ```yml nodes: # Wazuh indexer nodes indexer: - name: node-1 ip: "172.31.47.99" #- name: node-2 # ip: "" #- name: node-3 # ip: "" # Wazuh server nodes # If there is more than one Wazuh server # node, each one must have a node_type server: - name: wazuh-1 ip: "172.31.35.164" # node_type: master #- name: wazuh-2 # ip: "" # node_type: worker #- name: wazuh-3 # ip: "" # node_type: worker # Wazuh dashboard nodes dashboard: - name: dashboard ip: "172.31.32.205" ``` ### Run wazuh-certs-tool.sh ```console [root@ip-172-31-47-99 rocky]# bash ./wazuh-certs-tool.sh -A 23/07/2024 14:28:05 INFO: Verbose logging redirected to /home/rocky/wazuh-certificates-tool.log 23/07/2024 14:28:06 INFO: Generating the root certificate. 23/07/2024 14:28:06 INFO: Generating Admin certificates. 23/07/2024 14:28:07 INFO: Admin certificates created. 23/07/2024 14:28:07 INFO: Generating Wazuh indexer certificates. 23/07/2024 14:28:07 INFO: Wazuh indexer certificates created. 23/07/2024 14:28:07 INFO: Generating Filebeat certificates. 23/07/2024 14:28:08 INFO: Wazuh Filebeat certificates created. 23/07/2024 14:28:08 INFO: Generating Wazuh dashboard certificates. 23/07/2024 14:28:09 INFO: Wazuh dashboard certificates created. ``` ### Compress files ```console [root@ip-172-31-47-99 rocky]# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . ./ ./root-ca.key ./root-ca.pem ./admin-key.pem ./admin.pem ./node-1-key.pem ./node-1.pem ./wazuh-1-key.pem ./wazuh-1.pem ./dashboard-key.pem ./dashboard.pem [root@ip-172-31-47-99 rocky]# rm -rf ./wazuh-certificates ``` ### Nodes installation - Installing package dependencies ```console [root@ip-172-31-47-99 rocky]# yum install coreutils Last metadata expiration check: 0:16:21 ago on Tue 23 Jul 2024 02:12:47 PM UTC. Package coreutils-8.32-35.el9.x86_64 is already installed. Dependencies resolved. Nothing to do. Complete! ``` - Adding the Wazuh repository ```console [root@ip-172-31-47-99 rocky]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH [root@ip-172-31-47-99 rocky]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo [wazuh] gpgcheck=1 gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 ``` ### Installing Wazuh indexer ```console [root@ip-172-31-47-99 rocky]# yum -y install wazuh-indexer EL-9 - Wazuh 22 MB/s | 28 MB 00:01 Last metadata expiration check: 0:00:12 ago on Tue 23 Jul 2024 02:31:05 PM UTC. Dependencies resolved. ============================================================================================================================================================================================================= Package Architecture Version Repository Size ============================================================================================================================================================================================================= Installing: wazuh-indexer x86_64 4.9.0-1 wazuh 813 M Transaction Summary ============================================================================================================================================================================================================= Install 1 Package Total download size: 813 M Installed size: 1.0 G Downloading Packages: wazuh-indexer-4.9.0-1.x86_64.rpm 46 MB/s | 813 MB 00:17 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 46 MB/s | 813 MB 00:17 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-indexer-4.9.0-1.x86_64 1/1 Installing : wazuh-indexer-4.9.0-1.x86_64 1/1 Running scriptlet: wazuh-indexer-4.9.0-1.x86_64 1/1 ### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd sudo systemctl daemon-reload sudo systemctl enable wazuh-indexer.service ### You can start wazuh-indexer service by executing sudo systemctl start wazuh-indexer.service Verifying : wazuh-indexer-4.9.0-1.x86_64 1/1 Installed: wazuh-indexer-4.9.0-1.x86_64 Complete! ``` ### Configuring the Wazuh indexer ```yml network.host: "172.31.47.99" node.name: "node-1" cluster.initial_master_nodes: - "node-1" #- "node-2" #- "node-3" cluster.name: "wazuh-cluster" #discovery.seed_hosts: # - "node-1-ip" # - "node-2-ip" # - "node-3-ip" node.max_local_storage_nodes: "3" path.data: /var/lib/wazuh-indexer path.logs: /var/log/wazuh-indexer plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem plugins.security.ssl.http.enabled: true plugins.security.ssl.transport.enforce_hostname_verification: false plugins.security.ssl.transport.resolve_hostname: false plugins.security.authcz.admin_dn: - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" plugins.security.check_snapshot_restore_write_privileges: true plugins.security.enable_snapshot_restore_privilege: true plugins.security.nodes_dn: - "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US" #- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US" #- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US" plugins.security.restapi.roles_enabled: - "all_access" - "security_rest_api_access" plugins.security.system_indices.enabled: true plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] ### Option to allow Filebeat-oss 7.10.2 to work ### compatibility.override_main_response_version: true ``` ### Deploying certificates ```console [root@ip-172-31-47-99 rocky]# NODE_NAME=node-1 [root@ip-172-31-47-99 rocky]# mkdir /etc/wazuh-indexer/certs [root@ip-172-31-47-99 rocky]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem [root@ip-172-31-47-99 rocky]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem [root@ip-172-31-47-99 rocky]# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem [root@ip-172-31-47-99 rocky]# chmod 500 /etc/wazuh-indexer/certs [root@ip-172-31-47-99 rocky]# chmod 400 /etc/wazuh-indexer/certs/* [root@ip-172-31-47-99 rocky]# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs ``` ### Starting the service ```console [root@ip-172-31-47-99 rocky]# systemctl daemon-reload [root@ip-172-31-47-99 rocky]# systemctl enable wazuh-indexer Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /usr/lib/systemd/system/wazuh-indexer.service. [root@ip-172-31-47-99 rocky]# systemctl start wazuh-indexer ``` ### Cluster initialization ```console [root@ip-172-31-47-99 rocky]# /usr/share/wazuh-indexer/bin/indexer-security-init.sh ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 172.31.47.99:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.13.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index does not exists, attempt to create it ... done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success ``` ### Testing cluster installation ```console [root@ip-172-31-47-99 rocky]# curl -k -u admin:admin https://172.31.47.99:9200 { "name" : "node-1", "cluster_name" : "wazuh-cluster", "cluster_uuid" : "kk_cVlW5TtS1Iu_GoVUSlA", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "2c952aba7735bee5f4b0bb9cfc821d68ffbdd636", "build_date" : "2024-07-19T16:30:35.251438Z", "build_snapshot" : false, "lucene_version" : "9.10.0", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } ``` ### Testing single-node is working correctly ```console [root@ip-172-31-47-99 rocky]# curl -k -u admin:admin https://172.31.47.99:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 172.31.47.99 64 75 11 0.14 0.22 0.13 dimr cluster_manager,data,ingest,remote_cluster_client * node-1 ```

Manager installation :green_circle:

### Wazuh server node installation - Adding the Wazuh repository ```console [root@ip-172-31-35-164 rocky]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH [root@ip-172-31-35-164 rocky]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo [wazuh] gpgcheck=1 gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 ``` - Installing the Wazuh manager ```console [root@ip-172-31-35-164 rocky]# yum -y install wazuh-manager Last metadata expiration check: 0:24:18 ago on Tue 23 Jul 2024 02:56:11 PM UTC. Dependencies resolved. ============================================================================================================================================================================================================= Package Architecture Version Repository Size ============================================================================================================================================================================================================= Installing: wazuh-manager x86_64 4.9.0-1 wazuh 301 M Transaction Summary ============================================================================================================================================================================================================= Install 1 Package Total download size: 301 M Installed size: 854 M Downloading Packages: wazuh-manager-4.9.0-1.x86_64.rpm 17 MB/s | 301 MB 00:17 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 17 MB/s | 301 MB 00:17 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-manager-4.9.0-1.x86_64 1/1 Installing : wazuh-manager-4.9.0-1.x86_64 1/1 Running scriptlet: wazuh-manager-4.9.0-1.x86_64 1/1 Verifying : wazuh-manager-4.9.0-1.x86_64 1/1 Installed: wazuh-manager-4.9.0-1.x86_64 Complete! ``` ```console [root@ip-172-31-35-164 rocky]# systemctl daemon-reload [root@ip-172-31-35-164 rocky]# systemctl enable wazuh-manager Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service. [root@ip-172-31-35-164 rocky]# systemctl start wazuh-manager ``` ```console [root@ip-172-31-35-164 rocky]# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled) Active: active (running) since Tue 2024-07-23 15:24:02 UTC; 1min 7s ago Process: 2458 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS) Tasks: 146 (limit: 24171) Memory: 3.1G CPU: 1min 24.968s CGroup: /system.slice/wazuh-manager.service ├─2520 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─2561 /var/ossec/bin/wazuh-authd ├─2578 /var/ossec/bin/wazuh-db ├─2604 /var/ossec/bin/wazuh-execd ├─2619 /var/ossec/bin/wazuh-analysisd ├─2621 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─2624 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─2627 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─2640 /var/ossec/bin/wazuh-syscheckd ├─2654 /var/ossec/bin/wazuh-remoted ├─2688 /var/ossec/bin/wazuh-logcollector ├─2738 /var/ossec/bin/wazuh-monitord └─2748 /var/ossec/bin/wazuh-modulesd Jul 23 15:23:59 ip-172-31-35-164.ec2.internal env[2458]: Started wazuh-analysisd... Jul 23 15:23:59 ip-172-31-35-164.ec2.internal env[2458]: Started wazuh-syscheckd... Jul 23 15:23:59 ip-172-31-35-164.ec2.internal env[2458]: Started wazuh-remoted... Jul 23 15:24:00 ip-172-31-35-164.ec2.internal env[2458]: Started wazuh-logcollector... Jul 23 15:24:00 ip-172-31-35-164.ec2.internal env[2458]: Started wazuh-monitord... Jul 23 15:24:00 ip-172-31-35-164.ec2.internal env[2746]: 2024/07/23 15:24:00 wazuh-modulesd:router: INFO: Loaded router module. Jul 23 15:24:00 ip-172-31-35-164.ec2.internal env[2746]: 2024/07/23 15:24:00 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jul 23 15:24:00 ip-172-31-35-164.ec2.internal env[2458]: Started wazuh-modulesd... Jul 23 15:24:02 ip-172-31-35-164.ec2.internal env[2458]: Completed. Jul 23 15:24:02 ip-172-31-35-164.ec2.internal systemd[1]: Started Wazuh manager. ``` - Installing Filebeat ```console [root@ip-172-31-35-164 rocky]# yum -y install filebeat Last metadata expiration check: 0:29:55 ago on Tue 23 Jul 2024 02:56:11 PM UTC. Dependencies resolved. ============================================================================================================================================================================================================= Package Architecture Version Repository Size ============================================================================================================================================================================================================= Installing: filebeat x86_64 7.10.2-1 wazuh 21 M Transaction Summary ============================================================================================================================================================================================================= Install 1 Package Total download size: 21 M Installed size: 70 M Downloading Packages: filebeat-oss-7.10.2-x86_64.rpm 17 MB/s | 21 MB 00:01 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 17 MB/s | 21 MB 00:01 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : filebeat-7.10.2-1.x86_64 1/1 Running scriptlet: filebeat-7.10.2-1.x86_64 1/1 Verifying : filebeat-7.10.2-1.x86_64 1/1 Installed: filebeat-7.10.2-1.x86_64 Complete! ``` ```console [root@ip-172-31-39-94 ec2-user]# curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.9/tpl/wazuh/filebeat/filebeat.yml ``` Filebeat configuration file ```yml # Wazuh - Filebeat configuration file output.elasticsearch: hosts: ["172.31.47.99:9200"] protocol: https username: ${username} password: ${password} ssl.certificate_authorities: - /etc/filebeat/certs/root-ca.pem ssl.certificate: "/etc/filebeat/certs/filebeat.pem" ssl.key: "/etc/filebeat/certs/filebeat-key.pem" setup.template.json.enabled: true setup.template.json.path: '/etc/filebeat/wazuh-template.json' setup.template.json.name: 'wazuh' setup.ilm.overwrite: true setup.ilm.enabled: false filebeat.modules: - module: wazuh alerts: enabled: true archives: enabled: false logging.level: info logging.to_files: true logging.files: path: /var/log/filebeat name: filebeat keepfiles: 7 permissions: 0644 logging.metrics.enabled: false seccomp: default_action: allow syscalls: - action: allow names: - rseq ``` ```console [root@ip-172-31-35-164 rocky]# filebeat keystore create Created filebeat keystore ``` ```console [root@ip-172-31-35-164 rocky]# echo admin | filebeat keystore add username --stdin --force Successfully updated the keystore [root@ip-172-31-35-164 rocky]# echo admin | filebeat keystore add password --stdin --force Successfully updated the keystore ``` ```console [root@ip-172-31-35-164 rocky]# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0-alpha3/extensions/elasticsearch/7.x/wazuh-template.json [root@ip-172-31-35-164 rocky]# chmod go+r /etc/filebeat/wazuh-template.json ``` ```console [root@ip-172-31-35-164 rocky]# curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module wazuh/ wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/fields.yml wazuh/_meta/config.yml wazuh/alerts/ wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/module.yml wazuh/archives/ wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json ``` ```console [root@ip-172-31-35-164 rocky]# NODE_NAME=wazuh-1 [root@ip-172-31-35-164 rocky]# mkdir /etc/filebeat/certs [root@ip-172-31-35-164 rocky]# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem [root@ip-172-31-35-164 rocky]# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem [root@ip-172-31-35-164 rocky]# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem [root@ip-172-31-35-164 rocky]# chmod 500 /etc/filebeat/certs [root@ip-172-31-35-164 rocky]# chmod 400 /etc/filebeat/certs/* [root@ip-172-31-35-164 rocky]# chown -R root:root /etc/filebeat/certs ``` ```console [root@ip-172-31-35-164 rocky]# systemctl daemon-reload [root@ip-172-31-35-164 rocky]# systemctl enable filebeat Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service. [root@ip-172-31-35-164 rocky]# systemctl start filebeat ``` ```console [root@ip-172-31-35-164 rocky]# filebeat test output elasticsearch: https://172.31.47.99:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.47.99 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 ```

Dashboard installation :green_circle:

### Installing package dependencies ```console [root@ip-172-31-32-205 rocky]# yum install libcap Last metadata expiration check: 1:00:24 ago on Tue 23 Jul 2024 02:45:10 PM UTC. Package libcap-2.48-9.el9_2.x86_64 is already installed. Dependencies resolved. Nothing to do. Complete! ``` ### Adding the Wazuh repository ```console [root@ip-172-31-32-205 rocky]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH [root@ip-172-31-32-205 rocky]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo [wazuh] gpgcheck=1 gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 ``` ### Installing the Wazuh dashboard ```console [root@ip-172-31-32-205 rocky]# yum -y install wazuh-dashboard EL-9 - Wazuh 21 MB/s | 28 MB 00:01 Last metadata expiration check: 0:00:12 ago on Tue 23 Jul 2024 03:46:54 PM UTC. Dependencies resolved. ============================================================================================================================================================================================================= Package Architecture Version Repository Size ============================================================================================================================================================================================================= Installing: wazuh-dashboard x86_64 4.9.0-1 wazuh 253 M Transaction Summary ============================================================================================================================================================================================================= Install 1 Package Total download size: 253 M Installed size: 849 M Downloading Packages: wazuh-dashboard-4.9.0-1.x86_64.rpm 44 MB/s | 253 MB 00:05 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 44 MB/s | 253 MB 00:05 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-dashboard-4.9.0-1.x86_64 1/1 Installing : wazuh-dashboard-4.9.0-1.x86_64 1/1 Running scriptlet: wazuh-dashboard-4.9.0-1.x86_64 1/1 Verifying : wazuh-dashboard-4.9.0-1.x86_64 1/1 Installed: wazuh-dashboard-4.9.0-1.x86_64 Complete! ``` Configuration opensearch_dashboards.yml ```yml server.host: 172.31.32.205 server.port: 443 opensearch.hosts: https://172.31.47.99:9200 opensearch.ssl.verificationMode: certificate opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"] opensearch_security.multitenancy.enabled: false opensearch_security.readonly_mode.roles: ["kibana_read_only"] server.ssl.enabled: true server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem" server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem" opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] uiSettings.overrides.defaultRoute: /app/wz-home opensearchDashboards.branding: useExpandedHeader: false ``` ### Deploying certificates ```console [root@ip-172-31-32-205 rocky]# NODE_NAME=dashboard [root@ip-172-31-32-205 rocky]# mkdir /etc/wazuh-dashboard/certs [root@ip-172-31-32-205 rocky]# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem [root@ip-172-31-32-205 rocky]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem [root@ip-172-31-32-205 rocky]# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem [root@ip-172-31-32-205 rocky]# chmod 500 /etc/wazuh-dashboard/certs [root@ip-172-31-32-205 rocky]# chmod 400 /etc/wazuh-dashboard/certs/* [root@ip-172-31-32-205 rocky]# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs ``` ### Starting the Wazuh dashboard service ```console [root@ip-172-31-32-205 rocky]# systemctl daemon-reload [root@ip-172-31-32-205 rocky]# systemctl enable wazuh-dashboard Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service. [root@ip-172-31-32-205 rocky]# systemctl start wazuh-dashboard ``` ### Wazuh API configuration ```yml hosts: - default: url: https://172.31.35.164 port: 55000 username: wazuh-wui password: wazuh-wui run_as: false ``` ### Wazuh dashboard test access 

Agent installation :green_circle:

### WUI Installation   ### Agent installation (RPM amd64) ```console [root@ip-172-31-40-135 ec2-user]# curl -o wazuh-agent-4.9.0-1.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.9.0-1.x86_64.rpm && sudo WAZUH_MANAGER='172.31.35.164' WAZUH_AGENT_NAME='Amazon_Linux_1' rpm -ihv wazuh-agent-4.9.0-1.x86_64.rpm % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 10.4M 100 10.4M 0 0 22.6M 0 --:--:-- --:--:-- --:--:-- 22.6M advertencia:wazuh-agent-4.9.0-1.x86_64.rpm: EncabezadoV4 RSA/SHA256 Signature, ID de clave 29111145: NOKEY Preparando... ################################# [100%] Actualizando / instalando... 1:wazuh-agent-4.9.0-1 ################################# [100%] ``` ### NOTE: Amazon Linux Version 1 not support systemctl. ```console [root@ip-172-31-40-135 ec2-user]# sudo systemctl daemon-reload sudo: systemctl: command not found ``` To enable the service, use `chkconfig` ```console [root@ip-172-31-40-135 ec2-user]# chkconfig wazuh-agent on ``` Then use `/var/ossec/bin/wazuh-control` to start the agent ```console [root@ip-172-31-40-135 ec2-user]# /var/ossec/bin/wazuh-control status wazuh-modulesd not running... wazuh-logcollector not running... wazuh-syscheckd not running... wazuh-agentd not running... wazuh-execd not running... [root@ip-172-31-40-135 ec2-user]# /var/ossec/bin/wazuh-control start Starting Wazuh v4.9.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. ``` ### Agent correctly connected to environment 

Wazuh Versions

Indexer

[root@ip-172-31-47-99 rocky]# yum list installed | grep indexer
wazuh-indexer.x86_64                  4.9.0-1                         @wazuh 

Manager

[root@ip-172-31-35-164 rocky]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40903"
WAZUH_TYPE="server"

Dashboard

[root@ip-172-31-32-205 rocky]# yum list installed | grep dashboard
wazuh-dashboard.x86_64                4.9.0-1                         @wazuh  

Agent

[root@ip-172-31-40-135 ec2-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40903"
WAZUH_TYPE="agent"

[nbertoldo]

Configuring AWS Security Lake in Wazuh Manager :red_circle:

Wazuh as a subscriber :red_circle:

Following the [v4.9.0-alpha3 dev documentation](https://documentation-dev.wazuh.com/v4.9.0-alpha3/cloud-security/amazon/services/supported-services/amazon-security-lake/security-lake-subscriber.html): 1. CICD team provided access to security lake in [this issue](https://github.com/wazuh/internal-devel-requests/issues/1365) and provided the following configuration: ```xml AmazonSecurityLake-00589311-********-Main-Queue arn:aws:iam::********:role/AmazonSecurityLake-00589311-******** 1300 wazuh-external-id ``` 2. Created `/root/.aws/credentials` file, following the [Configuring AWS Credentials](https://documentation-dev.wazuh.com/v4.9.0-alpha3/cloud-security/amazon/services/prerequisites/credentials.html) guide and configured keys corresponding to the user provided by CICD: ```console [root@ip-172-31-35-164 rocky]# cat /root/.aws/credentials [default] region=us-east-1 aws_access_key_id=AKI*** aws_secret_access_key=5tS*** ``` 3. Included the config provided by CICD mentioned in step 1 in a bigger Security Lake section, and placed it in `ossec.conf`, as stated in [the docs](https://documentation-dev.wazuh.com/v4.7.2-rc1/cloud-security/amazon/services/supported-services/security-lake.html#wazuh-configuration) ```xml ... no 1h yes AmazonSecurityLake-00589311-********-Main-Queue arn:aws:iam::********:role/AmazonSecurityLake-00589311-******** 1300 wazuh-external-id ... ``` 4. Restarted the service ```console systemctl restart wazuh-manager ``` 5. Security Lake integration is not working, no events are shown in the dashboard  6. Enabled `wazuh_modules.debug=2` and checked `/var/ossec/logs/ossec.log` for details ```console 2024/07/25 13:29:18 wazuh-modulesd:aws-s3[33014] wmodules-aws.c:522 at wm_aws_read(): DEBUG: Found a subscriber tag 2024/07/25 13:29:18 wazuh-modulesd:aws-s3[33014] wmodules-aws.c:538 at wm_aws_read(): DEBUG: Creating first subscriber structure 2024/07/25 13:29:18 wazuh-modulesd:aws-s3[33014] wmodules-aws.c:566 at wm_aws_read(): DEBUG: Loop through child nodes 2024/07/25 13:29:18 wazuh-modulesd:aws-s3[33014] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: sqs_name 2024/07/25 13:29:18 wazuh-modulesd:aws-s3[33014] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: iam_role_arn 2024/07/25 13:29:18 wazuh-modulesd:aws-s3[33014] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: iam_role_duration 2024/07/25 13:29:18 wazuh-modulesd:aws-s3[33014] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: external_id 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wmodules-aws.c:522 at wm_aws_read(): DEBUG: Found a subscriber tag 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wmodules-aws.c:538 at wm_aws_read(): DEBUG: Creating first subscriber structure 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wmodules-aws.c:566 at wm_aws_read(): DEBUG: Loop through child nodes 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: sqs_name 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: iam_role_arn 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: iam_role_duration 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: external_id 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wm_aws.c:62 at wm_aws_main(): INFO: Module AWS started 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wm_aws.c:84 at wm_aws_main(): INFO: Starting fetching of logs. 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wm_aws.c:196 at wm_aws_main(): INFO: Executing Subscriber fetch: (Type and SQS: security_lake AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue) 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wm_aws.c:727 at wm_aws_run_subscriber(): DEBUG: Create argument list 2024/07/25 13:29:27 wazuh-modulesd:aws-s3[33263] wm_aws.c:806 at wm_aws_run_subscriber(): DEBUG: Launching S3 Subscriber Command: wodles/aws/aws-s3 --subscriber security_lake --queue AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue --external_id wazuh-external-id --iam_role_arn arn:aws:iam::567970947422:role/AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b --iam_role_duration 1300 --debug 2 2024/07/25 13:29:34 wazuh-modulesd:aws-s3[33263] wm_aws.c:821 at wm_aws_run_subscriber(): WARNING: Subscriber: security_lake AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue - Returned exit code 1 2024/07/25 13:29:34 wazuh-modulesd:aws-s3[33263] wm_aws.c:827 at wm_aws_run_subscriber(): WARNING: Subscriber: security_lake AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue - Unknown error: Object of type datetime is not JSON serializable 2024/07/25 13:29:34 wazuh-modulesd:aws-s3[33263] wm_aws.c:845 at wm_aws_run_subscriber(): DEBUG: Subscriber: security_lake AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue - OUTPUT: DEBUG: +++ Debug mode on - Level: 2 2024/07/25 13:29:34 wazuh-modulesd:aws-s3[33263] wm_aws.c:201 at wm_aws_main(): INFO: Fetching logs finished. 2024/07/25 13:29:34 wazuh-modulesd:aws-s3[33263] wm_aws.c:80 at wm_aws_main(): DEBUG: Sleeping until: 2024/07/25 14:29:27 ``` ```console DEBUG: Processing file aws/ROUTE53/2.0/region=us-east-1/accountId=166157441623/eventDay=20240725/f2c87509c2ede276f8445f53d2bdb23b.gz.parquet in aws-security-data-lake-us-east-1-gbxqof17tcdrj8qkkk1rbchg3rhig0 DEBUG: +++ Error: Object of type datetime is not JSON serializable ERROR: Unknown error: Object of type datetime is not JSON serializable Traceback (most recent call last): File "/var/ossec/wodles/aws/aws-s3.py", line 199, in main(sys.argv[1:]) File "/var/ossec/wodles/aws/aws-s3.py", line 186, in main subscriber_queue.sync_events() File "/var/ossec/wodles/aws/subscribers/sqs_queue.py", line 140, in sync_events self.bucket_handler.process_file(message["route"]) File "/var/ossec/wodles/aws/subscribers/s3_log_handler.py", line 302, in process_file events_in_file = self.obtain_logs(bucket=message_body['bucket_path'], File "/var/ossec/wodles/aws/subscribers/s3_log_handler.py", line 290, in obtain_logs events.append(json.dumps(j)) File "/var/ossec/framework/python/lib/python3.10/json/__init__.py", line 231, in dumps return _default_encoder.encode(obj) File "/var/ossec/framework/python/lib/python3.10/json/encoder.py", line 199, in encode chunks = self.iterencode(o, _one_shot=True) File "/var/ossec/framework/python/lib/python3.10/json/encoder.py", line 257, in iterencode return _iterencode(o, 0) File "/var/ossec/framework/python/lib/python3.10/json/encoder.py", line 179, in default raise TypeError(f'Object of type {o.__class__.__name__} ' TypeError: Object of type datetime is not JSON serializable ``` 🔴 **There is a known issue for Security Lake sources version 2:** https://github.com/wazuh/wazuh/issues/22880. 7. The CICD team [changed the sources to version 1](https://github.com/wazuh/internal-devel-requests/issues/1365#issuecomment-2250366950) and repeated the test. The issue persists: ```console 2024/07/25 17:27:59 wazuh-modulesd:aws-s3[40779] wm_aws.c:84 at wm_aws_main(): INFO: Starting fetching of logs. 2024/07/25 17:27:59 wazuh-modulesd:aws-s3[40779] wm_aws.c:196 at wm_aws_main(): INFO: Executing Subscriber fetch: (Type and SQS: security_lake AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue) 2024/07/25 17:27:59 wazuh-modulesd:aws-s3[40779] wm_aws.c:727 at wm_aws_run_subscriber(): DEBUG: Create argument list 2024/07/25 17:27:59 wazuh-modulesd:aws-s3[40779] wm_aws.c:806 at wm_aws_run_subscriber(): DEBUG: Launching S3 Subscriber Command: wodles/aws/aws-s3 --subscriber security_lake --queue AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue --external_id wazuh-external-id --iam_role_arn arn:aws:iam::567970947422:role/AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b --iam_role_duration 1300 --debug 2 2024/07/25 17:28:03 wazuh-modulesd:aws-s3[40779] wm_aws.c:821 at wm_aws_run_subscriber(): WARNING: Subscriber: security_lake AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue - Returned exit code 1 2024/07/25 17:28:03 wazuh-modulesd:aws-s3[40779] wm_aws.c:827 at wm_aws_run_subscriber(): WARNING: Subscriber: security_lake AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue - Unknown error: Object of type datetime is not JSON serializable 2024/07/25 17:28:03 wazuh-modulesd:aws-s3[40779] wm_aws.c:845 at wm_aws_run_subscriber(): DEBUG: Subscriber: security_lake AmazonSecurityLake-00589311-c20a-4405-bbde-a42a05c92c3b-Main-Queue - OUTPUT: DEBUG: +++ Debug mode on - Level: 2 2024/07/25 17:28:03 wazuh-modulesd:aws-s3[40779] wm_aws.c:201 at wm_aws_main(): INFO: Fetching logs finished. 2024/07/25 17:28:03 wazuh-modulesd:aws-s3[40779] wm_aws.c:80 at wm_aws_main(): DEBUG: Sleeping until: 2024/07/25 18:27:59 ```

Wazuh as a custom source :green_circle:

Following the [v4.9.0-alpha3 dev documentation](https://documentation-dev.wazuh.com/v4.9.0-alpha3/cloud-security/amazon/services/supported-services/amazon-security-lake/security-lake-source.html): ### AWS configuration CICD team provided access to security lake in [this issue](https://github.com/wazuh/internal-devel-requests/issues/1365) and provided the following resources: - S3 bucket to store raw events: `indexer-amazon-security-lake-bucket` - Custom Source in Amazon Security Lake:  - AWS Lambda function  ### Installing and configuring Logstash 1. Follow the [official documentation](https://www.elastic.co/guide/en/logstash/current/installing-logstash.html) to install Logstash: ```console [root@ip-172-31-47-99 rocky]# sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch ``` ```console [root@ip-172-31-47-99 rocky]# vi /etc/yum.repos.d/logstash.repo [root@ip-172-31-47-99 rocky]# cat /etc/yum.repos.d/logstash.repo [logstash-8.x] name=Elastic repository for 8.x packages baseurl=https://artifacts.elastic.co/packages/8.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md ``` ```console [root@ip-172-31-47-99 rocky]# sudo yum install logstash Elastic repository for 8.x packages 85 MB/s | 67 MB 00:00 Last metadata expiration check: 0:00:24 ago on Thu 25 Jul 2024 08:00:18 PM UTC. Dependencies resolved. ============================================================================================================================================================================================================= Package Architecture Version Repository Size ============================================================================================================================================================================================================= Installing: logstash x86_64 1:8.14.3-1 logstash-8.x 386 M Transaction Summary ============================================================================================================================================================================================================= Install 1 Package Total download size: 386 M Installed size: 637 M Is this ok [y/N]: y Downloading Packages: logstash-8.14.3-x86_64.rpm 18 MB/s | 386 MB 00:21 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 18 MB/s | 386 MB 00:21 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: logstash-1:8.14.3-1.x86_64 1/1 Installing : logstash-1:8.14.3-1.x86_64 1/1 Running scriptlet: logstash-1:8.14.3-1.x86_64 1/1 Verifying : logstash-1:8.14.3-1.x86_64 1/1 Installed: logstash-1:8.14.3-1.x86_64 Complete! ``` 2. Install the [logstash-input-opensearch](https://github.com/opensearch-project/logstash-input-opensearch) plugin: ```console [root@ip-172-31-47-99 rocky]# sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch Using bundled JDK: /usr/share/logstash/jdk Validating logstash-input-opensearch Resolving mixin dependencies Updating mixin dependencies logstash-mixin-ecs_compatibility_support, logstash-mixin-event_support, logstash-mixin-validator_support Bundler attempted to update logstash-mixin-ecs_compatibility_support but its version stayed the same Bundler attempted to update logstash-mixin-event_support but its version stayed the same Bundler attempted to update logstash-mixin-validator_support but its version stayed the same Installing logstash-input-opensearch Installation successful ``` 3. Copy the Wazuh Indexer root certificate on the Logstash server: ```console [root@ip-172-31-47-99 rocky]# cp /etc/wazuh-indexer/certs/root-ca.pem /usr/share/logstash/ ``` 4. Give the `logstash` user the required permissions to read the certificate: ```console [root@ip-172-31-47-99 rocky]# sudo chmod -R 755 /usr/share/logstash/root-ca.pem ``` ### Configuring the Logstash pipeline 1. Use the [Logstash keystore](https://www.elastic.co/guide/en/logstash/current/keystore.html) to securely store these values: - Prepare keystore ```console [root@ip-172-31-47-99 rocky]# set +o history [root@ip-172-31-47-99 rocky]# echo 'LOGSTASH_KEYSTORE_PASS="123456"'| sudo tee /etc/sysconfig/logstash LOGSTASH_KEYSTORE_PASS="123456" [root@ip-172-31-47-99 rocky]# export LOGSTASH_KEYSTORE_PASS=123456 [root@ip-172-31-47-99 rocky]# set -o history [root@ip-172-31-47-99 rocky]# sudo chown root /etc/sysconfig/logstash [root@ip-172-31-47-99 rocky]# sudo chmod 600 /etc/sysconfig/logstash [root@ip-172-31-47-99 rocky]# sudo systemctl start logstash ``` - Create keystore ```console [root@ip-172-31-47-99 rocky]# sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create Using bundled JDK: /usr/share/logstash/jdk Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties [2024-07-25T20:35:29,333][INFO ][org.logstash.secret.store.backend.JavaKeyStore] Created Logstash keystore at /etc/logstash/logstash.keystore Created Logstash keystore at /etc/logstash/logstash.keystore ``` - Store Wazuh indexer credentials (admin user) ```console [root@ip-172-31-47-99 rocky]# sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_USERNAME Using bundled JDK: /usr/share/logstash/jdk Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties Enter value for WAZUH_INDEXER_USERNAME: Added 'wazuh_indexer_username' to the Logstash keystore. [root@ip-172-31-47-99 rocky]# sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_PASSWORD Using bundled JDK: /usr/share/logstash/jdk Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties Enter value for WAZUH_INDEXER_PASSWORD: Added 'wazuh_indexer_password' to the Logstash keystore. ``` 2. Create the configuration file `indexer-to-s3.conf` in the `/etc/logstash/conf.d/` folder: ```console [root@ip-172-31-47-99 rocky]# sudo touch /etc/logstash/conf.d/indexer-to-s3.conf ``` 3. Add configuration to the `indexer-to-s3.conf` file: ```console [root@ip-172-31-47-99 rocky]# cat /etc/logstash/conf.d/indexer-to-s3.conf input { opensearch { hosts => ["172.31.47.99:9200"] user => "${WAZUH_INDEXER_USERNAME}" password => "${WAZUH_INDEXER_PASSWORD}" ssl => true ca_file => "/usr/share/logstash/root-ca.pem" index => "wazuh-alerts-4.x-*" query => '{ "query": { "range": { "@timestamp": { "gt": "now-5m" } } } }' schedule => "*/5 * * * *" } } output { stdout { id => "output.stdout" codec => json_lines } s3 { id => "output.s3" access_key_id => "AKIA*******" secret_access_key => "5tSv*******" region => "us-east-1" bucket => "indexer-amazon-security-lake-bucket" codec => "json_lines" retry_count => 0 validate_credentials_on_root_bucket => false prefix => "%{+YYYY}%{+MM}%{+dd}" server_side_encryption => true server_side_encryption_algorithm => "AES256" additional_settings => { "force_path_style" => true } time_file => 5 } } ``` ### Running Logstash 1. Run Logstash from the CLI with above configuration: ```console [root@ip-172-31-47-99 rocky]# sudo systemctl stop logstash [root@ip-172-31-47-99 rocky]# sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/indexer-to-s3.conf --path.settings /etc/logstash --config.test_and_exit Using bundled JDK: /usr/share/logstash/jdk Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties [2024-07-25T20:57:48,653][INFO ][logstash.runner ] Log4j configuration path used is: /etc/logstash/log4j2.properties [2024-07-25T20:57:48,656][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"8.14.3", "jruby.version"=>"jruby 9.4.7.0 (3.1.4) 2024-04-29 597ff08ac1 OpenJDK 64-Bit Server VM 17.0.11+9 on 17.0.11+9 +indy +jit [x86_64-linux]"} [2024-07-25T20:57:48,662][INFO ][logstash.runner ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED, -Dio.netty.allocator.maxOrder=11] [2024-07-25T20:57:48,665][INFO ][logstash.runner ] Jackson default value override `logstash.jackson.stream-read-constraints.max-string-length` configured to `200000000` [2024-07-25T20:57:48,666][INFO ][logstash.runner ] Jackson default value override `logstash.jackson.stream-read-constraints.max-number-length` configured to `10000` [2024-07-25T20:57:49,005][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified [2024-07-25T20:57:50,485][INFO ][org.reflections.Reflections] Reflections took 228 ms to scan 1 urls, producing 132 keys and 468 values [2024-07-25T20:57:51,092][INFO ][logstash.codecs.jsonlines] ECS compatibility is enabled but `target` option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the `target` option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message) [2024-07-25T20:57:54,250][INFO ][logstash.codecs.jsonlines] ECS compatibility is enabled but `target` option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the `target` option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message) [2024-07-25T20:57:54,344][INFO ][logstash.javapipeline ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise. Configuration OK [2024-07-25T20:57:54,351][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash ``` 2. Run Logstash as a service: ```console [root@ip-172-31-47-99 rocky]# sudo systemctl enable logstash Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service → /usr/lib/systemd/system/logstash.service. [root@ip-172-31-47-99 rocky]# sudo systemctl start logstash ``` ### Validation Checked the parquet object was created in the Amazon Security Lake S3 bucket, properly partitioned based on the Custom Source name, AWS Region, Account ID, AWS Region and date: 

[fdalmaup]

Review

LGTM. The Security Lake v2.0 sources generate the module to finish with an error, not allowing it to delete the message from the queue and having to remove it manually.