Azure-logs spamming in the ossec log

[Selutario]

Description

We have been reported a problem where, in 4.8.0-rc1, wazuh-modulesd service is spamming azure-logs like the following:

(INFO) No request tag defined

We need to review what might be happening and fix it, especially if this problem has been included in 4.8.0.

Checks

The following elements have been updated or reviewed (should also be checked if no modification is required):

• Tests (unit tests, API integration tests).
• Changelog.
• Documentation.
• Integration test mapping (using api/test/integration/mapping/_test_mapping.py).

[fdalmaup]

Issue Update

The related code fragment is in the src/config/wmodules-azure.c file and was not introduced in 4.8.0 as it can be checked in the v4.7.4 code fragments:

wazuh/src/config/wmodules-azure.c

Lines 376 to 377 in f094086

	if (!request->tag) {
	minfo("At module '%s': No request tag defined. Setting it randomly...", WM_AZURE_CONTEXT.name);

wazuh/src/config/wmodules-azure.c

Lines 508 to 509 in f094086

	if (!storage->tag) {
	minfo("At module '%s': No storage tag defined. Setting it randomly...", WM_AZURE_CONTEXT.name);

Also, a test of the module was carried out in Wazuh v4.7.4, showing the INFO messages when the ossec.conf configuration is read:

Wazuh version

root@d9b3863d6d59:/# /var/ossec/bin/wazuh-control info   
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="server"

ossec.conf

<wodle name="azure-logs">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>

    <log_analytics>
        <auth_path>/var/ossec/wodles/azure/credentials-analytics</auth_path>
        <tenantdomain>TENANT</tenantdomain>

        <request>
            <query>AzureActivity</query>
            <workspace><workspace_id></workspace>
            <time_offset>50d</time_offset>
        </request>
    </log_analytics>

    <storage>
        <auth_path>/var/ossec/wodles/azure/credentials-storage</auth_path>
        <container name="container">
            <content_type>json_inline</content_type>
            <time_offset>260d</time_offset>
        </container>
    </storage>
</wodle>

ossec.log

2024/05/08 10:44:56 wazuh-modulesd: INFO: At module 'azure-logs': No request tag defined. Setting it randomly...
2024/05/08 10:44:56 wazuh-modulesd: INFO: At module 'azure-logs': No storage tag defined. Setting it randomly...
2024/05/08 10:45:02 wazuh-modulesd: INFO: At module 'azure-logs': No request tag defined. Setting it randomly...
2024/05/08 10:45:02 wazuh-modulesd: INFO: At module 'azure-logs': No storage tag defined. Setting it randomly...
2024/05/08 10:45:02 wazuh-modulesd:azure-logs: INFO: Module started.
2024/05/08 10:45:02 wazuh-modulesd:azure-logs: INFO: Starting fetching of logs.
2024/05/08 10:45:02 wazuh-modulesd:azure-logs: INFO: Starting Log Analytics collection for the domain 'TENANT'.
2024/05/08 10:45:03 wazuh-modulesd:azure-logs: INFO: Finished Log Analytics collection for request 'request_1408637460'.
2024/05/08 10:45:03 wazuh-modulesd:azure-logs: INFO: Finished Log Analytics collection for the domain 'TENANT'.
2024/05/08 10:45:03 wazuh-modulesd:azure-logs: INFO: Starting Storage log collection for 'storage_599859369'.
2024/05/08 10:45:08 wazuh-modulesd:azure-logs: INFO: Finished Storage log collection for container 'container'.
2024/05/08 10:45:08 wazuh-modulesd:azure-logs: INFO: Finished Storage log collection for 'storage_599859369'.
2024/05/08 10:55:02 wazuh-modulesd:azure-logs: INFO: Starting fetching of logs.
2024/05/08 10:55:02 wazuh-modulesd:azure-logs: INFO: Starting Log Analytics collection for the domain 'TENANT'.
2024/05/08 10:55:09 wazuh-modulesd:azure-logs: INFO: Finished Log Analytics collection for request 'request_1408637460'.
2024/05/08 10:55:09 wazuh-modulesd:azure-logs: INFO: Finished Log Analytics collection for the domain 'TENANT'.
2024/05/08 10:55:09 wazuh-modulesd:azure-logs: INFO: Starting Storage log collection for 'storage_599859369'.
2024/05/08 10:55:11 wazuh-modulesd:azure-logs: INFO: Finished Storage log collection for container 'container'.
2024/05/08 10:55:11 wazuh-modulesd:azure-logs: INFO: Finished Storage log collection for 'storage_599859369'.

In conclusion, we will categorize it as a bug with a lower priority given it is not new to 4.8.0, and point the changes in the log level (debug=2) to the 5.0.0 version.

Wazuh version

root@29c3919c0341:/# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v5.0.0"
WAZUH_REVISION="50000"
WAZUH_TYPE="server"

ossec.log without debug level 2

2024/05/08 12:06:43 wazuh-modulesd:azure-logs: INFO: Module started.
2024/05/08 12:06:43 wazuh-modulesd:azure-logs: INFO: Starting fetching of logs.
2024/05/08 12:06:43 wazuh-modulesd:azure-logs: INFO: Starting Log Analytics collection for the domain 'TENANT'.
2024/05/08 12:06:48 wazuh-modulesd:azure-logs: INFO: Finished Log Analytics collection for request 'request_1169087121'.
2024/05/08 12:06:48 wazuh-modulesd:azure-logs: INFO: Finished Log Analytics collection for the domain 'TENANT'.
2024/05/08 12:06:48 wazuh-modulesd:azure-logs: INFO: Starting Storage log collection for 'storage_1431669653'.

After setting wazuh_modules.debug=2 in the /var/ossec/etc/local_internal_options.conf file:

ossec.log with debug level 2

2024/05/08 12:08:31 wazuh-modulesd[5466] wmodules-azure.c:356 at wm_azure_request_read(): DEBUG: At module 'azure-logs': No request tag defined. Setting it randomly...
2024/05/08 12:08:31 wazuh-modulesd[5466] wmodules-azure.c:478 at wm_azure_storage_read(): DEBUG: At module 'azure-logs': No storage tag defined. Setting it randomly...
2024/05/08 12:08:31 wazuh-modulesd[5466] main.c:95 at main(): DEBUG: Created new thread for the 'azure-logs' module.
2024/05/08 12:08:31 wazuh-modulesd:azure-logs[5466] wm_azure.c:54 at wm_azure_main(): INFO: Module started.
2024/05/08 12:08:31 wazuh-modulesd:azure-logs[5466] wm_azure.c:74 at wm_azure_main(): INFO: Starting fetching of logs.
2024/05/08 12:08:31 wazuh-modulesd:azure-logs[5466] wm_azure.c:81 at wm_azure_main(): INFO: Starting Log Analytics collection for the domain 'TENANT'.
2024/05/08 12:08:31 wazuh-modulesd:azure-logs[5466] wm_azure.c:120 at wm_azure_log_analytics(): DEBUG: Creating argument list.
2024/05/08 12:08:31 wazuh-modulesd:azure-logs[5466] wm_azure.c:167 at wm_azure_log_analytics(): DEBUG: Launching command: wodles/azure/azure-logs --log_analytics --la_auth_path /var/ossec/wodles/azure/credentials-analytics --la_tenant_domain TENANT --la_tag request_1069165979 --la_query "AzureActivity" --workspace 7d18bf81-3fc9-4b41-ae28-680f8a3494fe --la_time_offset 50d --debug 2
2024/05/08 12:08:33 wazuh-modulesd:azure-logs[5466] wm_azure.c:184 at wm_azure_log_analytics(): INFO: Finished Log Analytics collection for request 'request_1069165979'.
2024/05/08 12:08:33 wazuh-modulesd:azure-logs[5466] wm_azure.c:83 at wm_azure_main(): INFO: Finished Log Analytics collection for the domain 'TENANT'.
2024/05/08 12:08:33 wazuh-modulesd:azure-logs[5466] wm_azure.c:92 at wm_azure_main(): INFO: Starting Storage log collection for 'storage_980559964'.
2024/05/08 12:08:33 wazuh-modulesd:azure-logs[5466] wm_azure.c:287 at wm_azure_storage(): DEBUG: Creating argument list.
2024/05/08 12:08:33 wazuh-modulesd:azure-logs[5466] wm_azure.c:349 at wm_azure_storage(): DEBUG: Launching command: wodles/azure/azure-logs --storage --storage_auth_path /var/ossec/wodles/azure/credentials-storage --container "container" --blobs "*" --storage_tag storage_980559964 --json_inline --storage_time_offset 260d --debug 2
2024/05/08 12:08:35 wazuh-modulesd:azure-logs[5466] wm_azure.c:366 at wm_azure_storage(): INFO: Finished Storage log collection for container 'container'.
2024/05/08 12:08:35 wazuh-modulesd:azure-logs[5466] wm_azure.c:94 at wm_azure_main(): INFO: Finished Storage log collection for 'storage_980559964'.
2024/05/08 12:08:35 wazuh-modulesd:azure-logs[5466] wm_azure.c:100 at wm_azure_main(): DEBUG: Fetching logs finished.
2024/05/08 12:08:35 wazuh-modulesd:azure-logs[5466] wm_azure.c:70 at wm_azure_main(): DEBUG: Sleeping until: 2024/05/08 12:18:31