
Monitoring AWS Infrastructure with Argus


This use case demonstrates how to monitor AWS services with the Argus AWS module (the aws-s3 wodle). The module collects log files that AWS services such as Amazon CloudTrail deliver to an S3 bucket and analyzes them to identify potential security incidents.

Infrastructure

Cloud Service:

  • Amazon CloudTrail: Records user activity and API calls across your AWS account and delivers the log files to an S3 bucket. The Argus server needs AWS credentials with permission to read that bucket; this use case authenticates with a named AWS profile (the profile authentication method).

Configuration Steps

1. Configure Amazon CloudTrail

  1. Access CloudTrail:
    • Open the AWS Management Console and navigate to the CloudTrail service.
  2. Create a New Trail:
    • Choose whether to:
      • Create a new S3 bucket for storing logs, or
      • Use an existing S3 bucket.
    • Note the S3 bucket name, as it is required for the Argus configuration.

2. Configure the Argus Server

  1. Modify the Configuration File:
    • Edit the /var/ossec/etc/ossec.conf file on the Argus server and enable the AWS module.
    • Add the relevant S3 bucket(s) for monitoring. Replace <AWS_BUCKET_NAME> and <AWS_PROFILE_NAME> with the actual bucket and profile names:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>30m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>no</skip_on_error>
  <bucket type="cloudtrail">
    <name><AWS_BUCKET_NAME></name>
    <aws_profile><AWS_PROFILE_NAME></aws_profile>
  </bucket>
</wodle>

  2. Restart the Argus Manager:
    • Apply the changes by restarting the service:

sudo systemctl restart Argus-manager
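Before restarting the manager it is worth checking that the wodle block actually says what you intend: a placeholder left in place, or the typographic quotes that a rendered web page puts around "aws-s3" and "cloudtrail", both make the file unparseable, and a bucket with the wrong type or no profile is silently useless. The following Python script is an added example, not part of this page or of Argus itself; it parses a constructed ossec.conf fragment (the bucket and profile names in it are made up) and reports what is wrong with the aws-s3 wodle. In practice you would pass it the contents of /var/ossec/etc/ossec.conf.

```python
"""Sanity-check the aws-s3 wodle in ossec.conf before restarting the manager."""
import xml.etree.ElementTree as ET

# Constructed sample of the <wodle> block from the configuration step, with
# the placeholders replaced by made-up values (not a real bucket or profile).
SAMPLE_CONFIG = """<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>30m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>no</skip_on_error>
    <bucket type="cloudtrail">
      <name>example-cloudtrail-logs</name>
      <aws_profile>argus-reader</aws_profile>
    </bucket>
  </wodle>
</ossec_config>
"""

# Placeholder names from the configuration step that must not survive
# into a real config.
PLACEHOLDERS = {"AWS_BUCKET_NAME", "AWS_PROFILE_NAME"}


def check_aws_wodle(config_xml: str) -> list:
    """Return a list of problems with the aws-s3 wodle; an empty list means OK."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # Two common copy-paste mistakes end up here: typographic quotes
        # around "aws-s3" / "cloudtrail", and a placeholder such as
        # <AWS_BUCKET_NAME> left in place (its angle brackets are read as
        # an unclosed XML tag).
        return [f"ossec.conf is not well-formed XML: {exc}"]

    wodles = [w for w in root.iter("wodle") if w.get("name") == "aws-s3"]
    if not wodles:
        return ['no <wodle name="aws-s3"> block found']

    problems = []
    for wodle in wodles:
        if (wodle.findtext("disabled") or "").strip().lower() != "no":
            problems.append("aws-s3 wodle is not enabled (<disabled> must be no)")
        buckets = wodle.findall("bucket")
        if not buckets:
            problems.append("aws-s3 wodle has no <bucket> entry")
        for bucket in buckets:
            if bucket.get("type") != "cloudtrail":
                problems.append(f"bucket type {bucket.get('type')!r} is not cloudtrail")
            for tag in ("name", "aws_profile"):
                value = (bucket.findtext(tag) or "").strip()
                if not value:
                    problems.append(f"<bucket> is missing <{tag}>")
                elif value.strip("<>") in PLACEHOLDERS:
                    problems.append(f"<{tag}> still holds the placeholder {value}")
    return problems


if __name__ == "__main__":
    for line in check_aws_wodle(SAMPLE_CONFIG) or ["aws-s3 wodle looks good"]:
        print(line)
```

The script only inspects the wodle; whether the named profile can actually read the bucket is checked separately, with the AWS CLI or SDK under that profile.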

Testing the Configuration

  1. Generate CloudTrail Events:
    • Create a new IAM user account in the AWS console. This activity logs an event that will be processed by Argus.
  2. Alert Generation:
    • Argus automatically parses the AWS logs using its built-in ruleset.
    • Alerts are generated and displayed once Argus has fetched the new log files from the S3 bucket. The wodle polls the bucket at the configured interval (30 minutes in the configuration above), so allow for that delay before expecting the alert.
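To see what Argus is working from at this step, it helps to look at the raw record that CloudTrail writes for the test action. The Python script below is an added example, not part of this page or of the Argus ruleset: it reads a constructed CloudTrail log file in the shape CloudTrail delivers to S3 (a JSON object with a Records array; the account id, ARNs, user names and IP addresses are made up) and separates successful IAM CreateUser calls, like the one the test step produces, from attempts that IAM refused. That is the same distinction a detection rule has to make, since a denied call carries an errorCode and creates no account.

```python
"""Pick IAM user-creation events out of a CloudTrail log file."""
import json

# Constructed CloudTrail log in the shape CloudTrail writes to S3
# ({"Records": [...]}). Account id, ARNs, names and IPs are made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # the event the test step produces: a new IAM user is created
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/admin-alice"},
        "requestParameters": {"userName": "test-user"},
    },
    {   # unrelated read-only activity that should be ignored
        "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/admin-alice"},
    },
    {   # a CreateUser call that IAM refused: no user was created
        "eventTime": "2024-01-01T10:07:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/intern-bob"},
        "requestParameters": {"userName": "test-user-2"},
        "errorCode": "AccessDenied",
    },
]})


def load_records(raw_log: str) -> list:
    """Return the Records array from one CloudTrail log file (JSON text)."""
    return json.loads(raw_log).get("Records", [])


def summarize_create_user(records: list) -> dict:
    """Split IAM CreateUser calls into successful creations and denied attempts."""
    created, denied = [], []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateUser":
            continue
        summary = {
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "new_user": rec.get("requestParameters", {}).get("userName"),
        }
        # CloudTrail marks a failed API call with an errorCode. A denied
        # CreateUser is still worth surfacing, but no account exists.
        if rec.get("errorCode"):
            summary["error"] = rec["errorCode"]
            denied.append(summary)
        else:
            created.append(summary)
    return {"created": created, "denied": denied}


if __name__ == "__main__":
    result = summarize_create_user(load_records(SAMPLE_CLOUDTRAIL))
    for hit in result["created"]:
        print(f"IAM user {hit['new_user']} created by {hit['actor']} from {hit['source_ip']}")
    for hit in result["denied"]:
        print(f"denied CreateUser for {hit['new_user']} by {hit['actor']}: {hit['error']}")
```

The fields the script extracts (eventTime, userIdentity.arn, sourceIPAddress, requestParameters.userName, errorCode) are the ones to look for in the Argus alert for the test event; the log files in the bucket are gzip-compressed, so decompress them before feeding them to load_records.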

Visualizing Alerts

  • Access the Argus dashboard and navigate to the Amazon Web Services module.
  • Use the dashboard to view detailed alerts and log insights.

Summary

By integrating Argus with Amazon CloudTrail, you can continuously monitor AWS activities, detect potential security issues, and comply with security standards. This setup allows organizations to track and analyze AWS log data seamlessly, ensuring better visibility into cloud-based operations.
