AWS GuardDuty

This guide describes how to forward findings from AWS GuardDuty to a designated Syslog endpoint. The process involves AWS GuardDuty, an Amazon EventBridge rule (formerly Amazon CloudWatch Events), and an AWS Lambda function that the rule invokes for each finding and that sends the finding to Syslog.

Prerequisites

  • An active AWS account with AWS GuardDuty enabled.
  • Administrative access to the AWS Management Console.
  • The Syslog endpoint and port provided by the service (replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> with the actual values).

Step 1: Create a Lambda Function for Syslog Forwarding

  1. Navigate to the AWS Lambda Console and choose Create function.
  2. Select Author from scratch. Enter a function name, e.g., GuardDutyToSyslog, and select a Python 3.x runtime (the sample code below is Python).
  3. Under Permissions, choose or create an execution role that grants the Lambda function permission to write its own log entries to CloudWatch Logs. Nothing more is needed: the function only talks to the external Syslog server. If you later attach the function to a VPC, the role must additionally allow it to manage network interfaces (the AWSLambdaVPCAccessExecutionRole managed policy covers this).
  4. Click Create function.
  5. In the Code source section (Function code in older consoles), upload or paste the code that sends events to your Syslog endpoint. Sample Python code snippet:

    import json
    import os
    import socket

    # Endpoint details come from the function's environment variables (set under
    # Configuration > Environment variables) instead of being hard-coded.
    SYSLOG_SERVER = os.environ['SYSLOG_ENDPOINT']
    SYSLOG_PORT = int(os.environ['SYSLOG_PORT'])

    # RFC 5424 PRI = facility * 8 + severity: facility 4 (security/authorization),
    # severity 5 (notice). Change it if the receiver expects a different facility.
    PRI = 4 * 8 + 5

    def lambda_handler(event, context):
        # EventBridge invokes the function once per finding; 'time' is the event
        # timestamp and 'detail' carries the GuardDuty finding.
        message = '<%d>1 %s guardduty-forwarder guardduty - - - %s' % (
            PRI, event.get('time', '-'), json.dumps(event, separators=(',', ':')))

        # Plain UDP syslog gives no delivery confirmation and no encryption; prefer
        # a TLS syslog receiver (RFC 5425) if the service offers one.
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            # Let errors propagate so the invocation is recorded as failed and retried.
            sock.sendto(message.encode('utf-8'), (SYSLOG_SERVER, SYSLOG_PORT))
        finally:
            sock.close()

        return {
            'statusCode': 200,
            'body': json.dumps('Success')
        }


    Set the SYSLOG_ENDPOINT and SYSLOG_PORT environment variables on the function (Configuration > Environment variables) to the Syslog server details provided by the service. The function sends each finding as one RFC 5424 message over plain UDP, so the datagram is neither acknowledged nor encrypted in transit; if the service offers a TLS syslog receiver, replace the UDP socket with a TLS-wrapped TCP connection.

  6. Click Deploy (Save in older consoles) to store your Lambda function code and settings.
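Before deploying, the formatting and the delivery path can be checked on a workstation. The following Python is added to this guide and is not the service's own code: it builds an RFC 5424 syslog message from a constructed GuardDuty finding event (the shape EventBridge delivers to the Lambda), sends it over UDP to a receiver bound on the loopback interface, and reads back what arrived. The hostname guardduty-forwarder, the structured-data ID gd@32473 (the enterprise number RFC 5612 reserves for documentation), the facility choice and the GuardDuty-to-syslog severity mapping are assumptions; the sample event is constructed.

```python
import json
import socket

# Constructed sample event in the shape EventBridge delivers to the Lambda.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "time": "2024-01-15T10:00:00Z",
    "region": "us-east-1",
    "detail": {
        "id": "0123456789abcdef0123456789abcdef",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 5,
        "accountId": "123456789012",
        "region": "us-east-1",
        "title": "API GetAccount was invoked from a custom threat list IP address.",
    },
}

FACILITY = 4  # RFC 5424 facility 4: security/authorization messages (assumed choice)


def guardduty_to_syslog_severity(severity):
    """Map GuardDuty severity (0.1-8.9) to a syslog severity code.

    GuardDuty bands: low 1.0-3.9, medium 4.0-6.9, high 7.0-8.9.
    Assumed mapping: high -> 2 (critical), medium -> 4 (warning), low -> 5 (notice).
    """
    if severity >= 7.0:
        return 2
    if severity >= 4.0:
        return 4
    return 5


def _sd_escape(value):
    # RFC 5424 section 6.3.3: escape backslash, double quote and ']' in a PARAM-VALUE.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_rfc5424(event, hostname="guardduty-forwarder"):
    """Render one EventBridge GuardDuty event as a single RFC 5424 message."""
    detail = event.get("detail", {})
    pri = FACILITY * 8 + guardduty_to_syslog_severity(float(detail.get("severity", 0)))
    fields = [
        ("id", detail.get("id", "-")),
        ("type", detail.get("type", "-")),
        ("account", detail.get("accountId", event.get("account", "-"))),
        ("region", detail.get("region", event.get("region", "-"))),
        ("severity", detail.get("severity", "-")),
    ]
    # gd@32473: private SD-ID built on the enterprise number RFC 5612 reserves for examples.
    structured = "[gd@32473 " + " ".join(f'{k}="{_sd_escape(v)}"' for k, v in fields) + "]"
    body = json.dumps(detail, separators=(",", ":"))
    # HEADER is <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD, then MSG.
    return f"<{pri}>1 {event.get('time', '-')} {hostname} guardduty - finding {structured} {body}"


def send_udp(message, host, port):
    """Send one datagram, the same call the Lambda handler makes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


def run_loopback_check(event=SAMPLE_EVENT):
    """Deliver the formatted event to a loopback UDP receiver and return what arrived."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))  # ephemeral port, no traffic leaves the host
        port = receiver.getsockname()[1]
        receiver.settimeout(2.0)
        send_udp(format_rfc5424(event), "127.0.0.1", port)
        data, _ = receiver.recvfrom(65535)
        return data.decode("utf-8")
    finally:
        receiver.close()


if __name__ == "__main__":
    print(run_loopback_check())
```

The structured-data block carries the fields a SIEM usually keys on (finding id, type, account, region, severity) so they can be parsed without unpacking the JSON body; the full finding still travels in the MSG part. Point send_udp at a real receiver only after the loopback output looks right.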

Step 2: Create an EventBridge Rule for GuardDuty

  1. Navigate to the Amazon EventBridge Console and select Rules. (EventBridge is the successor to CloudWatch Events; in older consoles the same rules are found under CloudWatch > Events > Rules.)
  2. Click Create rule, give the rule a name and description, and keep the default event bus.
  3. For Rule type, select Rule with an event pattern. Choose AWS services as the event source, GuardDuty as the service, and GuardDuty Finding as the event type. The generated pattern matches events whose source is aws.guardduty and whose detail-type is GuardDuty Finding; you can narrow it further, for example on the finding's severity, under the pattern's detail section.
  4. In the Targets section, select Lambda function and choose the Lambda function you created in Step 1. The console adds the resource-based policy statement that allows EventBridge to invoke the function.
  5. Configure any additional settings as needed, then click Next.
  6. Review the settings, then click Create rule.
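The console builds the event pattern from the selections above. The Python below is added to this guide and is not the service's own code: it writes out that pattern with an assumed severity filter (medium and high findings only) and checks constructed sample findings against a simplified re-implementation of EventBridge pattern matching (exact values, numeric and prefix matchers; the real service supports more), so you can see which findings the rule would hand to the Lambda before creating it. The finding ids and types in the samples are constructed.

```python
import json

# Pattern the console generates for "GuardDuty Finding" events. The "detail" clause is an
# assumed, optional addition that forwards only medium (4.0-6.9) and high (7.0-8.9) findings.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
}

_NUMERIC_OPS = {
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def _numeric_matches(value, spec):
    # spec is [op, bound] or [op, bound, op, bound] (a range); every clause must hold.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2]))


def _value_matches(value, alternatives):
    # A list in the pattern is an OR over its entries: literal values or matcher objects.
    for alt in alternatives:
        if isinstance(alt, dict):
            if "numeric" in alt and _numeric_matches(value, alt["numeric"]):
                return True
            if "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif alt == value:
            return True
    return False


def matches(pattern, event):
    """Simplified EventBridge matching: pattern keys are ANDed, nested objects recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not _value_matches(actual, expected):
            return False
    return True


def _finding(finding_id, severity, finding_type):
    # Constructed GuardDuty events; only the fields the pattern inspects are filled in.
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": finding_id, "severity": severity, "type": finding_type}}


SAMPLE_EVENTS = [
    _finding("low-1", 2.0, "Recon:EC2/PortProbeUnprotectedPort"),
    _finding("high-1", 8.0, "Backdoor:EC2/C&CActivity.B!DNS"),
    _finding("medium-1", 5.0, "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom"),
    # An unrelated event on the same bus; the source/detail-type clauses exclude it.
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
]


def forwarded_ids(events, pattern=EVENT_PATTERN):
    """Return the finding ids that the rule would deliver to the Lambda target."""
    return [e["detail"]["id"] for e in events
            if matches(pattern, e) and "id" in e.get("detail", {})]


if __name__ == "__main__":
    print(json.dumps(EVENT_PATTERN, indent=2))
    print(forwarded_ids(SAMPLE_EVENTS))
```

Paste the printed JSON into the rule's custom pattern editor if you want the severity filter; without the detail clause every GuardDuty finding, including low-severity and sample findings, is forwarded. A range such as `[">=", 4, "<", 7]` selects only medium findings, and a `prefix` matcher on `detail.type` selects a finding family.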

Step 3: Test and Verify

  • Generate sample findings from the GuardDuty console (Settings page, Generate sample findings) or with the AWS CLI (aws guardduty create-sample-findings --detector-id <DETECTOR_ID>), or wait for a real finding. GuardDuty exports new findings to EventBridge within about five minutes; repeat occurrences of an existing finding are exported every 6 hours by default (configurable to 15 minutes or 1 hour in the GuardDuty findings export settings), so an updated finding may not arrive immediately.
  • In the Lambda console, open Monitor > Logs for the function (log group /aws/lambda/GuardDutyToSyslog) and confirm one invocation without errors per finding.
  • Contact your service provider to confirm that the findings are being received at the Syslog endpoint. Because the function sends UDP, a successful invocation does not by itself prove delivery.

Troubleshooting

  • Check the Lambda Execution Role: the function only needs permission to write its own logs to CloudWatch Logs; a function attached to a VPC additionally needs the network-interface permissions in the AWSLambdaVPCAccessExecutionRole managed policy.
  • Check the Invoke Permission: EventBridge must be allowed to invoke the function. The console adds this resource-based policy statement when the target is created; confirm it under the function's Configuration > Permissions > Resource-based policy. The FailedInvocations metric for the rule (AWS/Events namespace) rises when it is missing.
  • Verify Network Connectivity: a function that is not attached to a VPC has outbound internet access. A function attached to a VPC reaches the endpoint only through a subnet that routes to a NAT gateway (or an on-premises connection), and its security group and the subnet's network ACLs must allow outbound traffic to <SYSLOG_PORT>. A firewall that drops the datagrams produces no error, so the invocation still reports success.
  • Lambda Function Limits: the default function timeout is 3 seconds, which normally covers DNS resolution of the endpoint plus one send; raise it if invocations time out, and watch the function's Errors and Throttles metrics during bursts of findings.

For further assistance or specific configurations, please contact your service provider's support team.