AWS GuardDuty
This guide describes how to forward findings from AWS GuardDuty to a designated Syslog endpoint. The process involves AWS GuardDuty, Amazon CloudWatch Events, and an AWS Lambda function that sends the findings to Syslog.
Prerequisites
- An active AWS account with AWS GuardDuty enabled.
- Administrative access to the AWS Management Console.
- The Syslog endpoint and port provided by the service (replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> with the actual values).
Step 1: Create a Lambda Function for Syslog Forwarding
- Navigate to the AWS Lambda Console and choose Create function.
- Select Author from scratch. Enter a function name, e.g., GuardDutyToSyslog, and select a runtime (Python 3.x or Node.js).
- Under Permissions, choose or create an execution role that grants the Lambda function permissions to write log entries to CloudWatch Logs.
- Click Create function.
- In the Function code section, upload or paste the code that sends events to your Syslog endpoint. Sample Python code snippet:

    import socket
    import json

    def lambda_handler(event, context):
        # Replace the placeholders with the endpoint and port supplied by the service;
        # the port must be an integer, e.g. 514.
        syslog_server = '<SYSLOG_ENDPOINT>'
        syslog_port = <SYSLOG_PORT>
        # The whole CloudWatch event (including the GuardDuty finding) is sent as raw JSON over UDP.
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        message = json.dumps(event)
        sock.sendto(message.encode('utf-8'), (syslog_server, syslog_port))
        sock.close()
        return {
            'statusCode': 200,
            'body': json.dumps('Success')
        }

Replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> with the provided Syslog server details.
- Click Save to store your Lambda function settings.
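A fuller version of the forwarding handler, added here as an example and not part of the original guide: it wraps the finding in an RFC 5424 syslog header (facility local0, severity mapped from the GuardDuty severity score) with the finding id, type and region as structured data, and falls back to a short body when the message would exceed one UDP datagram. The port 514, the 8192-byte datagram limit, the enterprise number 32473 and SAMPLE_EVENT are assumptions or constructed values.

```python
import json
import socket
from datetime import datetime, timezone

# Placeholders, as in Step 1: replace with the values your provider gives you.
SYSLOG_SERVER = "<SYSLOG_ENDPOINT>"
SYSLOG_PORT = 514          # assumed default syslog/UDP port; set to <SYSLOG_PORT>
MAX_DATAGRAM = 8192        # assumed receiver limit; many collectors drop larger UDP messages

def syslog_severity(gd_severity):
    """Map the GuardDuty severity score (0.1-8.9) to an RFC 5424 severity code."""
    if gd_severity >= 7.0:   # GuardDuty "High"
        return 2             # Critical
    if gd_severity >= 4.0:   # GuardDuty "Medium"
        return 4             # Warning
    return 6                 # Informational (GuardDuty "Low")

def sd_escape(value):
    """Escape a structured-data PARAM-VALUE (RFC 5424 section 6.3.3)."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def format_finding(event):
    """Render a CloudWatch Events GuardDuty finding as one RFC 5424 message (bytes)."""
    detail = event.get("detail", {})
    pri = 16 * 8 + syslog_severity(float(detail.get("severity", 0)))   # facility local0 (16)
    ts = event.get("time") or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    host = event.get("account", "-")   # HOSTNAME field carries the AWS account id
    # 32473 is the enterprise number reserved for documentation examples; use your own.
    sd = '[guardduty@32473 id="%s" type="%s" region="%s" severity="%s"]' % (
        sd_escape(detail.get("id", "-")), sd_escape(detail.get("type", "-")),
        sd_escape(event.get("region", "-")), sd_escape(detail.get("severity", "-")))
    header = "<%d>1 %s %s guardduty - - %s " % (pri, ts, host, sd)
    msg = (header + json.dumps(detail, separators=(",", ":"))).encode("utf-8")
    if len(msg) > MAX_DATAGRAM:
        # Too large for one datagram: keep the header and structured data (the fields
        # a SIEM searches on) and send only the title instead of the full JSON.
        body = json.dumps({"truncated": True, "title": detail.get("title", "")})
        msg = (header + body).encode("utf-8")
    return msg

def lambda_handler(event, context):
    payload = format_finding(event)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (SYSLOG_SERVER, SYSLOG_PORT))
    return {"statusCode": 200, "body": "sent %d bytes" % len(payload)}

# Constructed sample shaped like a GuardDuty finding event (not a real finding).
SAMPLE_EVENT = {"source": "aws.guardduty", "account": "111122223333", "region": "us-east-1",
    "time": "2024-01-15T10:20:30Z", "detail": {"id": "example-finding-id", "severity": 5.0,
    "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "EC2 instance i-0123 is being probed."}}
```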
Step 2: Create a CloudWatch Event Rule for GuardDuty
- Navigate to the Amazon CloudWatch Console and select Rules under Events.
- Click Create rule.
- For Event Source, select Event Pattern. Choose AWS GuardDuty as the service name and select the desired event type(s).
- In the Targets section, select Lambda function and choose the Lambda function you created in Step 1.
- Configure any additional settings as needed, then click Configure details.
- Give your rule a name and description, then click Create rule.
Step 3: Test and Verify
- Generate or wait for a GuardDuty finding to trigger the CloudWatch Event rule.
- Contact your service provider to confirm that the findings are being received at the Syslog endpoint.
Troubleshooting
- Check Lambda Execution Role: Ensure the Lambda function's execution role has the necessary permissions.
- Verify Network Connectivity: Confirm there's network connectivity between AWS Lambda and the Syslog endpoint.
- Lambda Function Limits: Be aware of and monitor for any AWS Lambda limits that might affect the function's execution.
For further assistance or specific configurations, please contact your service provider's support team.