Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When creating decoders it is very useful to be able to first test decoders before creating any matching rules. #3348

Closed
frankeros opened this issue Jun 7, 2021 · 2 comments · Fixed by #3446
Closed

When creating decoders it is very useful to be able to first test decoders before creating any matching rules. #3348

frankeros opened this issue Jun 7, 2021 · 2 comments · Fixed by #3446
Assignees
@MauGaP @sortiz1191
Labels
type/enhancement Enhancement issue

Comments

@frankeros
Copy link
Contributor

When creating decoders it is very useful to be able to first test decoders before creating any matching rules.
Currently testing a log that matches a decoder without matching a rule will again return the No result found message.
For example:

Apr 28 13:43:51 localhost local_decoder_example: test

Should result in:

**Phase 1: Completed pre-decoding.
        full event: 'Apr 28 13:43:51 localhost local_decoder_example: test'
        timestamp: 'Apr 28 13:43:51'
        hostname: 'localhost'
        program_name: 'local_decoder_example'

**Phase 2: Completed decoding.
        name: 'local_decoder_example'

Instead it returns:

No result found for:  Apr 28 13:43:51 localhost local_decoder_example: test

This is testing with the app compiled at 87fba01

Originally posted by @jctello in #3193 (comment)
@frankeros frankeros mentioned this issue Jun 7, 2021
Closed
@frankeros frankeros added pending-PO Taks pending for PO validation and priorization question type/enhancement Enhancement issue and removed question labels Jun 7, 2021
@sortiz1191 sortiz1191 self-assigned this Jul 1, 2021
@frankeros frankeros removed the pending-PO Taks pending for PO validation and priorization label Jul 6, 2021
@sortiz1191
Copy link
Contributor

Tested logtest for rulesets and decoders.

Check if the data is from a ruleset or from a decoder and show data depending on the case.

image
image

@sortiz1191 sortiz1191 mentioned this issue Jul 7, 2021
Merged
@Desvelao Desvelao linked a pull request Jul 8, 2021 that will close this issue
Test decoders before matching rules #3446
Merged
@MauGaP MauGaP self-assigned this Jul 30, 2021
@branchnetconsulting
Copy link

branchnetconsulting commented Oct 28, 2021
edited
Loading

This continues to be broken as of 4.2.4. Also, the issue is broader than just affecting decoder tests. If you create a custom top level parent rule and then use the webui logtest feature to test it with a log sample, you will also only see "No result found..." It appears presently when the WebUI calls wazuh-logtest that unless the results include "**Alert to be generated.", the only thing that will be displayed in the web output will be "No result found...". Please remove that check and simply let the full output of wazuh-logtest be conveyed to the web results window.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MauGaP MauGaP

@sortiz1191 sortiz1191

Labels
type/enhancement Enhancement issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Test decoders before matching rules wazuh/wazuh-dashboard-plugins
5 participants
@branchnetconsulting @CPAlejandro @MauGaP @frankeros @sortiz1191