awslabs / hids-cloudwatchlogs-elasticsearch-template Goto Github PK

According to the documentation of OSSEC, An OSSEC server will monitor and analyse the log from remote agents. Although it is not clearly clarified in their documentation, a server should be able to monitor itself too.

If my understanding is correct, i don't see remote agents are installed. Instead, two OSSEC servers are installed and the alerts.json are piped to lambda function via cloudwatch log agents.

When creating with CloudFormation I get the following error:

The runtime parameter of nodejs4.3 is no longer supported for creating or updating AWS Lambda functions. We recommend you use the new runtime (nodejs8.10) while creating or updating functions. (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException

I will create a pull request that updates to nodejs8.10.

Providing the information on how the AMI is configured will help in troubleshooting the issues while building this solution manually with few changes to better suite a specific environment.

I've created a similar solution by referring to this but using OSSEC 2.9.4 where the format of alerts output is changed and the lambda function is unable to process the alerts to Elasticsearch. Error: Process exited before completing request.

Older version format:
{"rule":{"level":6,"comment":"SSH insecure connection attempt (scan).","sidid":5706},"location":"/var/log/secure","full_log":"Aug 6 00:03:57 ip-10-0-0-100 sshd[12462]: Did not receive identification string from 127.0.0.1 port 35578"}

Newer version format:
{"rule":{"level":6,"comment":"SSH insecure connection attempt (scan).","sidid":5706},"srcip":"196.52.43.80","location":"/var/log/auth.log","full_log":"Aug 6 18:49:02 ip-15-0-213-229 sshd[3270]: Did not receive identification string from 196.52.43.80"}

Hoping for a resolution at the earliest possible.