What do you need help with?

We are here and ready to help.
Email: servicedesk@socfortress.co

    Amazon CloudWatch Logs Integration

    Juan Romero

    06-Nov-2025

    Amazon CloudWatch Logs

    AWS CloudWatch Logs is a service that allows the users to centralize the logs from all their systems, applications, and AWS services in a single place. To understand how Cloudwatch Logs works it is important to learn about the following concepts:

    • Log events: CloudWatch saves the logs generated by the application or resource being monitored as log events. A log event is a record with two properties: the timestamp when the event occurred and the raw log message.

    • Log streams: Log events are stored in log streams. A log stream represents a sequence of events coming from the application instance or resource being monitored. All log events in a log stream share the same source.

    • Log groups: Log streams are grouped using log groups. A log group defines a group of log streams that share retention, monitoring, and access control settings.

    Amazon CloudWatch configuration

    AWS CloudWatch logs can be accessed by using the Wazuh CloudWatch Logs integration. The AWS API allows Wazuh to retrieve those logs, analyze them, and raise alerts if applicable.

    Policy configuration

    Create a policy using the Amazon Web Services console.

    Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

    To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

     
    {
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "VisualEditor0",
 "Effect": "Allow",
 "Action": "logs:DescribeLogStreams",
 "Resource": "arn:aws:logs:::log-group::*"
 },
 {
 "Sid": "VisualEditor1",
 "Effect": "Allow",
 "Action": "logs:GetLogEvents",
 "Resource": "arn:aws:logs:::log-group::log-stream:"
 }
 ]
}

    If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

     
    {
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "VisualEditor0",
 "Effect": "Allow",
 "Action": "logs:DescribeLogStreams",
 "Resource": "arn:aws:logs:::log-group::*"
 },
 {
 "Sid": "VisualEditor1",
 "Effect": "Allow",
 "Action": [
 "logs:GetLogEvents",
 "logs:DeleteLogStream"
 ],
 "Resource": "arn:aws:logs:::log-group::log-stream:"
 }
 ]
}

    Note: REGION, ACCOUNT_ID, LOG_GROUP_NAME, LOG_GROUP_NAME and LOG_STREAM_NAME are placeholders. Replace them with the appropriate values.

    After creating a policy, you can attach it directly to a user or to a group to which the user belongs. 

    After completing the configuration in AWS, please upload a txt file to Onehub with the following information:

    • aws_access_key_id,
    • aws_secret_access_key
    • AWS REGION
    • LOG_GROUP_NAME
    • LOG_STREAM_NAME
    Facebook Share Tweet

    Was this article helpfu?

    Yes No

    Thank you for voting

    Comments

    ×
    Select company

    You are related to multiple companies. Please select the company you wish to login as.