Merge pull request #6207 from wazuh/17388-update-aws-services-section
Add discard_regex parameter to Services
javimed authored Jul 18, 2023
2 parents a72193a + d2e3305 commit 3538c44
Showing 1 changed file with 43 additions and 3 deletions.
46 changes: 43 additions & 3 deletions source/user-manual/reference/ossec-conf/wodle-s3.rst
@@ -178,7 +178,7 @@ The available types are: ``cloudtrail``, ``guardduty``, ``vpcflow``, ``config``
+----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+
| :ref:`bucket_aws_organization_id` | Name of AWS organization | Optional (only works with CloudTrail buckets) |
+----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+
| :ref:`bucket_discard_regex` | A regex value to determine if an event should be discarded | Optional |
| :ref:`bucket_discard_regex` | A regex to determine if an event must be discarded | Optional |
+----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+
| :ref:`bucket_remove_from_bucket` | A value to determine if each log file is deleted once it | Optional |
| | has been collected by the module | |
@@ -368,7 +368,7 @@ Name of AWS organization. Only works with CloudTrail buckets.
discard_regex
^^^^^^^^^^^^^

A regex value to determine if an event should be discarded. It requires a `field` attribute used to specify the field of the event where the regex should be applied.
A regular expression to determine if an event must be discarded. It requires a mandatory ``field`` attribute. The regex is applied to the event field specified with this attribute.

+--------------------+----------------------------------------+
| **Default value** | N/A |
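Review bot: "It requires a mandatory ``field`` attribute" on the added line is redundant (requires + mandatory); suggest "The ``field`` attribute is mandatory. The regex is applied to the event field it names." Keep this sentence word-for-word identical to the ``inspector`` bullet added in the services section further down, so the two descriptions do not drift apart in later edits.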
@@ -379,7 +379,7 @@ A regex value to determine if an event should be discarded. It requires a `field
Attributes:

+-----------+------------------------------------------------------------------------------------------------------+
| **field** | The event's field on which the regex should be applied to determine if the event should be skipped |
| **field** | The event field where to apply the regex. |
| +------------------+-----------------------------------------------------------------------------------+
| | Default value | N/A |
| +------------------+-----------------------------------------------------------------------------------+
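Review bot: "The event field where to apply the regex." reads awkwardly; suggest "The event field the regex is applied to". The trailing period is also inconsistent with the other single-line cells in these tables (for example "Valid profile name") and with the same ``field`` row added to the services attribute table below, which has no period.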
@@ -462,6 +462,8 @@ The available types are: ``cloudwatchlogs``, and ``inspector``.
+----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+
| :ref:`service_aws_profile` | Valid profile name | Optional |
+----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+
| :ref:`service_discard_regex` | A regex to determine if an event must be discarded | Optional |
+----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+
| :ref:`service_iam_role_arn` | Valid role ARN | Optional |
+----------------------------------------+-------------------------------------------------------------+-----------------------------------------------+
| :ref:`service_iam_role_duration` | Number of seconds between 900 and 3600 | Optional (if set, it requires an iam_role_arn |
@@ -558,6 +560,44 @@ A valid profile name from a Shared Credential File or AWS Config File with the p
| **Allowed values** | Valid profile name |
+--------------------+--------------------+

.. _service_discard_regex:

discard_regex
^^^^^^^^^^^^^

A regular expression to determine if an event must be discarded.

- For ``inspector``, it requires a mandatory ``field`` attribute. The regex is applied to the event field specified with this attribute.
- For ``cloudwatchlogs``, the ``field`` attribute is optional. You can omit it, for example, when monitoring Cloudwatch logs in JSON format and plain text.

+--------------------+----------------------------------------+
| **Default value** | N/A |
+--------------------+----------------------------------------+
| **Allowed values** | Any regex or sregex expression |
+--------------------+----------------------------------------+

Attributes:

+-----------+------------------------------------------------------------------------------------------------------+
| **field** | The event field where to apply the regex |
| +------------------+-----------------------------------------------------------------------------------+
| | Default value | N/A |
| +------------------+-----------------------------------------------------------------------------------+
| | Allowed values | A str containing the full field name path |
+-----------+------------------+-----------------------------------------------------------------------------------+

Usage example:

.. code-block:: console
<discard_regex field="data.configurationItemStatus">REJECT</discard_regex>
Usage example only for ``cloudwatchlogs``:

.. code-block:: console
<discard_regex>.*Log:.*</discard_regex>
.. _service_iam_role_arn:

iam_role_arn
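Review bot: the ``cloudwatchlogs`` bullet says ``field`` can be omitted but never states what the regex is matched against in that case; a reader writing a discard rule for plain-text log streams needs that sentence (for example "When ``field`` is omitted, the regex is applied to the whole log message", if that is the behaviour). The first usage example is also not labelled with the service it applies to, while the second is marked "only for ``cloudwatchlogs``"; since ``field`` is mandatory for ``inspector`` and optional for ``cloudwatchlogs``, say which service the ``field="data.configurationItemStatus"`` example targets and confirm that field exists in that service's events. Smaller points: "Cloudwatch" should be "CloudWatch"; "A str containing the full field name path" should read "A string containing ..."; and as rendered here the two ``.. code-block:: console`` directives have no blank line separating the directive from its content and the content from the following paragraph and ``.. _service_iam_role_arn:`` label, which reStructuredText needs to close the block, so check those blank lines are present in the file (``xml`` would also be a more accurate lexer than ``console`` for an ``<discard_regex>`` element).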
