I'm administering a relatively simple AWS stack with about 5 heterogeneous Linux EC2 instances. All instances have already been set up to ship important logs to CloudWatch Logs. Now I want to set up a basic HIDS for this system covering all nodes. Alternative one is a dedicated HIDS / SIEM like OSSEC, Prelude, etc. Alternative two is installing auditd, shipping the auditd log to AWS like the other logs, and doing some kind of IDS based on log parsing once the logs hit CloudWatch. This is fewer additional moving pieces and much less work / time to set up. The issue is that auditd logs are quite challenging to parse and interpret. So my question is, is there any out-of-the-box AWS service or well-known script that can parse these logs and generate IDS-style real-time alerts?
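One way to do the parsing and rule evaluation the question asks about, as an added example that is not part of the original post or of any AWS service: a small Python parser for the auditd key=value record format that groups records by their audit serial number into events and then applies two illustrative detection rules (a syscall on a file watched under an audit rule key, and a failed root authentication seen by PAM). The sample log lines, the watch-key names in WATCH_KEYS and the two rules are constructed assumptions for the demonstration; nothing here depends on CloudWatch, so the same `detect()` function could be run over auditd lines fetched from a log group by whatever shipping pipeline is in place.

```python
import re
from collections import OrderedDict

# Header common to every auditd record: type=... msg=audit(<epoch>.<ms>:<serial>): <fields>
HEADER = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# key=value pairs; values may be single-quoted, double-quoted or bare
FIELD = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

# Assumed audit rule keys (e.g. "-w /etc/ssh/sshd_config -p wa -k sshd_config")
WATCH_KEYS = {"sshd_config", "identity"}

# Constructed sample lines (not from the original post): a failed read of a
# watched file by uid 500, an unrelated cron execve, and a failed root SSH login.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="sshd_config"
type=CWD msg=audit(1364481363.243:24287):  cwd="/home/alice"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481370.001:24290): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=4000 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=USER_AUTH msg=audit(1364481380.500:24295): pid=4100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
"""


def _unquote(value):
    """Strip one matching pair of surrounding quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_record(line):
    """Parse one auditd line into {type, ts, serial, fields}; None if it is not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: _unquote(v) for k, v in FIELD.findall(m.group("rest"))}
    # USER_* records nest a second key=value list inside msg='...'; flatten it
    inner = fields.get("msg", "")
    if "=" in inner:
        for k, v in FIELD.findall(inner):
            fields.setdefault(k, _unquote(v))
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": m.group("serial"), "fields": fields}


def group_events(lines):
    """Group records sharing an audit serial into one event, preserving order."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def detect(lines):
    """Apply the two constructed rules to every event and return alert dicts."""
    alerts = []
    for serial, records in group_events(lines).items():
        by_type = {}
        for rec in records:
            by_type.setdefault(rec["type"], []).append(rec)
        # Rule 1: any syscall tagged with a watched audit key, with the touched paths
        for sc in by_type.get("SYSCALL", []):
            f = sc["fields"]
            if f.get("key") in WATCH_KEYS:
                paths = [p["fields"].get("name") for p in by_type.get("PATH", [])]
                alerts.append({"rule": "watched_file_access", "serial": serial,
                               "uid": f.get("uid"), "exe": f.get("exe"),
                               "success": f.get("success"), "paths": paths})
        # Rule 2: PAM authentication failure for the root account
        for ua in by_type.get("USER_AUTH", []):
            f = ua["fields"]
            if f.get("res") == "failed" and f.get("acct") == "root":
                alerts.append({"rule": "root_auth_failure", "serial": serial,
                               "addr": f.get("addr"), "exe": f.get("exe")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Grouping by serial is the part most ad-hoc grep-based approaches miss: the uid and result live in the SYSCALL record while the file name lives in the PATH record of the same event, so a rule that joins them needs both. On a real host the rules would be driven by the keys in the audit ruleset rather than a hard-coded set, and records for one serial can arrive across more than one shipped batch, so a streaming consumer should buffer by serial briefly before evaluating.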
0 Answers