We have an application running on an EC2 instance, and we've set up CloudWatch to monitor it. First, we'll look at how to install awslogs on the EC2 instance. The application is hosted on an Apache server, and its log file is at Apache's default path, /var/log/apache2/access.log.
Installing the AWS CloudWatch Logs agent (awslogs) on an EC2 instance lets you ship logs to Amazon CloudWatch and store them centrally. Here are the step-by-step instructions to install awslogs using the `curl` command shown below:
Use SSH to connect to your EC2 instance. Replace `your-instance-ip` with your actual EC2 instance's public IP address.
ssh ec2-user@your-instance-ip
Use the `curl` command to download the awslogs agent setup script from Amazon S3:
curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O
Run the downloaded setup script using Python. This script will guide you through the configuration process.
sudo python ./awslogs-agent-setup.py --region us-east-1
Replace `us-east-1` with your desired AWS region.
The setup script will prompt you for various configuration options. Here's what you might need to configure:
Once the configuration is complete, start and enable the awslogs service to ensure it starts automatically on system boot:
sudo service awslogs start
Check the status of the awslogs service to ensure it's running without any errors:
sudo service awslogs status
That's it! The AWS CloudWatch Logs agent (awslogs) is now installed and configured on your EC2 instance, and it is shipping logs to the CloudWatch Logs group you specified. Make sure to adjust the configuration to your specific use case and security best practices.
Please check the Quick Start: Install and configure the CloudWatch Logs agent on a running EC2 Linux instance documentation for further information.
You can potentially detect SQL Injection (SQLi) attacks using CloudWatch Logs Insights, but it's important to understand the limitations of log-based detection. Log analysis can identify certain patterns indicative of SQL Injection attempts, but it will not catch every technique, and keyword matching on its own produces both misses and false positives.
To detect potential SQL Injection (SQLi) attacks in your Apache access logs using CloudWatch Logs Insights, you need to write custom queries that search for specific patterns or keywords indicative of SQL injection attempts. By crafting such queries, you can surface potential security threats within your log data.
For example, you can write a query like the following to identify potential SQL Injection attacks in Apache access logs:
fields @timestamp, @message
| filter @message like /.*(SELECT|UNION|INSERT|UPDATE|DELETE|FROM|WHERE|DROP|AND|OR).*/
The result shows that our query in CloudWatch Logs Insights matched 121 of the 746 records scanned. In other words, 121 log entries in the Apache access logs contain patterns indicative of potential SQL Injection attempts, based on the query we ran.
If you want to investigate these matched records further, analyze the specific log entries to gain more context about the potential SQL Injection attempts. Look for details such as source IP addresses, requested URLs, and other request parameters in these entries to understand the nature of the attacks.
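To make the limitations of the keyword query concrete, here is an added example (written for this article, not code from the page or from LetsDefend) that runs the same keyword list over a few constructed Apache "combined" access-log lines, the format written to /var/log/apache2/access.log. It then applies a tighter pattern, which is an assumption of this example rather than anything the page prescribes: URL-decode the request path first, match whole SQL keywords case-insensitively, and require either two keywords or a quote-led tautology before flagging a line. The sample IP addresses, paths and timestamps are all constructed.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The keyword list from the Logs Insights query above: case-sensitive, no word boundaries,
# applied to the raw log line just as the query applies it to @message.
PAGE_PATTERN = re.compile(r"(SELECT|UNION|INSERT|UPDATE|DELETE|FROM|WHERE|DROP|AND|OR)")

# Tighter variant (an assumption of this example): whole keywords, case-insensitive, and
# either two SQL keywords in one request or a quote followed by OR/AND x=y.
_KW = r"\b(select|union|insert|update|delete|drop|from|where)\b"
_TAUTOLOGY = r"['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"
TIGHT_PATTERN = re.compile(rf"({_KW}.*{_KW}|{_TAUTOLOGY})", re.IGNORECASE)

# Constructed sample log lines (not real traffic): two obvious injection attempts, a
# lower-case URL-encoded attempt, and three benign requests, one of which contains "OR".
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.8 - - [10/Oct/2023:13:56:20 +0000] "GET /catalog/ORDER-FORM.pdf HTTP/1.1" 200 22011',
    '203.0.113.11 - - [10/Oct/2023:13:57:02 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 812',
    '203.0.113.12 - - [10/Oct/2023:13:57:40 +0000] "GET /search?q=%27%20union%20select%20null-- HTTP/1.1" 200 640',
    '198.51.100.9 - - [10/Oct/2023:13:58:00 +0000] "GET /blog/where-to-buy HTTP/1.1" 200 3400',
]


def parse_line(line):
    """Parse one combined-format line into a dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines, pattern, on_decoded_path):
    """Return parsed entries whose text matches pattern.

    on_decoded_path=False tests the raw line (what the @message query sees);
    on_decoded_path=True URL-decodes the request path first, so encoded payloads are
    inspected in the form the application actually received them.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: do not silently drop it in production, count it
        subject = unquote(entry["path"]) if on_decoded_path else line
        if pattern.search(subject):
            hits.append(entry)
    return hits


def summarize(lines, pattern, on_decoded_path):
    """Mirror the Logs Insights 'matched / scanned' summary plus the source IPs involved."""
    hits = scan(lines, pattern, on_decoded_path)
    return {
        "scanned": len(lines),
        "matched": len(hits),
        "ips": [h["ip"] for h in hits],
    }


if __name__ == "__main__":
    print("page keyword pattern on raw lines:", summarize(SAMPLE_LOG, PAGE_PATTERN, False))
    print("tighter pattern on decoded paths: ", summarize(SAMPLE_LOG, TIGHT_PATTERN, True))
```

Running it shows the two failure modes the page warns about: the raw keyword list flags the benign ORDER-FORM.pdf request because it contains "OR", and it misses the lower-case, URL-encoded `union select` attempt entirely, while the decoded, word-bounded pattern catches all three attempts and none of the benign lines. The same two adjustments (decoding the request before matching, and matching whole keywords case-insensitively) are what you would carry back into the Logs Insights query to cut the 121 matches down to ones worth an analyst's time.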
If you need more details about AWS Cloudwatch, you can check this course on LetsDefend.
In the rapidly evolving landscape of cybersecurity, having a robust Security Operations Center (SOC) is paramount. Our training focused on harnessing the power of Amazon CloudWatch to bolster SOC capabilities, providing real-time insights, proactive monitoring, and efficient incident response. As we conclude this training, it’s evident that CloudWatch stands as a cornerstone in the realm of cloud-based security.