Add information about eventlog in API report #10602

Merged
merged 2 commits into master from 6565-report-windows-localfile on Nov 2, 2021

Conversation

JcabreraC
Member

@JcabreraC JcabreraC commented Oct 20, 2021

Related issue
#6565

This PR aims to add the location parameter of the localfile (channel) to the API responses when querying the Logcollector's localfiles configuration. These changes only affect the localfiles that have the eventchannel or eventlog formats.

Eventlog

Given the following configuration:

<localfile>
	<location>Application</location>
	<log_format>eventlog</log_format>
</localfile>

<localfile>
	<location>Security</location>
	<log_format>eventlog</log_format>
</localfile>

<localfile>
	<location>System</location>
	<log_format>eventlog</log_format>
</localfile>

<localfile>
	<location>active-response\active-responses.log</location>
	<log_format>syslog</log_format>
</localfile>

Then, querying the logcollector socket, the following response is obtained:

socket query
/var/ossec/queue/sockets/request 030 logcollector getconfig localfile
Response: ok
{
    "localfile":
     [{
          "channel":"Application",
          "logformat":"eventlog",
          "ignore_binaries":"no",
          "only-future-events":"yes",
          "target":["agent"]
     },
     {
          "channel":"Security",
          "logformat":"eventlog",
          "ignore_binaries":"no",
          "only-future-events":"yes",
          "target":["agent"]
     },
     {
          "channel":"System",
          "logformat":"eventlog",
          "ignore_binaries":"no",
          "only-future-events":"yes",
          "target":["agent"]
     },
     {
          "file":"active-response\\active-responses.log",
          "logformat":"syslog",
          "ignore_binaries":"no",
          "only-future-events":"yes",
          "target":["agent"]
     }]
}

Eventchannel

Given the following configuration:

<localfile>
	<location>Application</location>
	<log_format>eventchannel</log_format>
</localfile>

<localfile>
	<location>Security</location>
	<log_format>eventchannel</log_format>
	<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
	EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
	EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
	EventID != 5152 and EventID != 5157]</query>
</localfile>

<localfile>
	<location>System</location>
	<log_format>eventchannel</log_format>
</localfile>

Then, querying the logcollector socket, the following response is obtained:

socket query
/var/ossec/queue/sockets/request 002 logcollector getconfig localfile
Response: ok {
    "localfile": [
        {
            "channel": "Application",
            "logformat": "eventchannel",
            "ignore_binaries": "no",
            "only-future-events": "yes",
            "target": [
                "agent"
            ],
            "reconnect_time": 5
        },
        {
            "channel": "Security",
            "logformat": "eventchannel",
            "query": "Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and\n      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and\n      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and\n      EventID != 5152 and EventID != 5157]",
            "ignore_binaries": "no",
            "only-future-events": "yes",
            "target": [
                "agent"
            ],
            "reconnect_time": 5
        },
        {
            "channel": "System",
            "logformat": "eventchannel",
            "ignore_binaries": "no",
            "only-future-events": "yes",
            "target": [
                "agent"
            ],
            "reconnect_time": 5
        },
        {
            "file": "active-response\\active-responses.log",
            "logformat": "syslog",
            "ignore_binaries": "no",
            "only-future-events": "yes",
            "target": [
                "agent"
            ]
        }
    ]
}

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for Linux
    • Scan-build report (Download)
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
    • Dr. Memory
    • AddressSanitizer
  • Memory tests for Windows
  • Memory tests for macOS
    • Scan-build report
    • Leaks
    • AddressSanitizer
  • Retrocompatibility with older Wazuh versions
  • Working on cluster environments
  • Configuration on demand reports new parameters
  • The data flow works as expected (agent-manager-api-app)
  • Added unit tests (for new features)
  • Stress test for affected components
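As an added example (not code from this PR or from Wazuh itself), the script below builds the `getconfig` query shown above, parses the `ok <json>` reply, and checks that every `eventlog`/`eventchannel` localfile reports its `channel` (the field this PR adds) while file-based formats report `file`. The embedded responses are constructed from the PR description (the Security `query` string is shortened); `query_request_socket` and its 4-byte little-endian length framing are assumptions based on how the Wazuh API's socket client talks to `queue/sockets/request`, and the script runs offline without it.

```python
"""Added example (not Wazuh's own code): parse a 'getconfig localfile'
reply and verify that Windows event localfiles report their location."""
import json
import socket
import struct
from typing import List, Tuple

# Log formats whose <location> is an event channel rather than a file path.
WINDOWS_EVENT_FORMATS = {"eventlog", "eventchannel"}

# Constructed sample of the reply after this PR (trimmed from the PR text).
SAMPLE_AFTER = (
    'ok {"localfile":['
    '{"channel":"Application","logformat":"eventchannel","ignore_binaries":"no",'
    '"only-future-events":"yes","target":["agent"],"reconnect_time":5},'
    '{"channel":"Security","logformat":"eventchannel",'
    '"query":"Event/System[EventID != 5145]","ignore_binaries":"no",'
    '"only-future-events":"yes","target":["agent"],"reconnect_time":5},'
    '{"file":"active-response\\\\active-responses.log","logformat":"syslog",'
    '"ignore_binaries":"no","only-future-events":"yes","target":["agent"]}]}'
)

# Constructed sample of the pre-PR shape: an event channel with no location.
SAMPLE_BEFORE = (
    'ok {"localfile":['
    '{"logformat":"eventchannel","ignore_binaries":"no",'
    '"only-future-events":"yes","target":["agent"],"reconnect_time":5},'
    '{"file":"active-response\\\\active-responses.log","logformat":"syslog",'
    '"ignore_binaries":"no","only-future-events":"yes","target":["agent"]}]}'
)


def build_getconfig_query(agent_id: str, component: str, section: str) -> str:
    """Message for the manager's request socket, e.g. the PR's
    '030 logcollector getconfig localfile'."""
    return f"{agent_id} {component} getconfig {section}"


def parse_getconfig_response(raw: str) -> dict:
    """Split the 'ok <json>' (or 'err <message>') reply and decode the JSON."""
    status, _, payload = raw.strip().partition(" ")
    if status != "ok":
        raise RuntimeError(f"getconfig failed: {payload or status}")
    return json.loads(payload)


def audit_localfiles(config: dict) -> Tuple[List[str], List[str]]:
    """Return (locations, problems): one 'format:location' string per
    localfile, plus a note for every entry whose location is missing."""
    locations, problems = [], []
    for idx, lf in enumerate(config.get("localfile", [])):
        fmt = lf.get("logformat")
        key = "channel" if fmt in WINDOWS_EVENT_FORMATS else "file"
        if key in lf:
            locations.append(f"{fmt}:{lf[key]}")
        else:
            problems.append(f"localfile[{idx}] ({fmt}) reports no '{key}'")
    return locations, problems


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("socket closed before the full reply arrived")
        buf += chunk
    return buf


def query_request_socket(message: str,
                         path: str = "/var/ossec/queue/sockets/request",
                         timeout: float = 10.0) -> str:
    """Send one query over the Wazuh Unix stream socket and return the reply.
    Assumption: messages are framed with a 4-byte little-endian length
    prefix, as the Wazuh API's socket client does. Needs a live manager."""
    data = message.encode()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall(struct.pack("<I", len(data)) + data)
        (length,) = struct.unpack("<I", _recv_exact(sock, 4))
        return _recv_exact(sock, length).decode()


if __name__ == "__main__":
    print(build_getconfig_query("030", "logcollector", "localfile"))
    for label, sample in (("after", SAMPLE_AFTER), ("before", SAMPLE_BEFORE)):
        locs, probs = audit_localfiles(parse_getconfig_response(sample))
        print(label, locs, probs)
```

Against a real agent, replace the constructed samples with `query_request_socket(build_getconfig_query("030", "logcollector", "localfile"))` run on the manager; a non-empty `problems` list means the agent still returns the pre-PR shape without locations.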

nmkoremblum
nmkoremblum previously approved these changes Oct 25, 2021
Member

@nmkoremblum nmkoremblum left a comment


Just checked the feature again, with the latest fixes, and obtained the following outputs:

Windows Server 2016

{
  "localfile": [
    {
      "channel": "Application",
      "logformat": "eventchannel",
      "ignore_binaries": "no",
      "only-future-events": "yes",
      "target": [
        "agent"
      ],
      "reconnect_time": 5
    },
    {
      "channel": "Security",
      "logformat": "eventchannel",
      "query": "Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and\n      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and\n      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and\n      EventID != 5152 and EventID != 5157]",
      "ignore_binaries": "no",
      "only-future-events": "yes",
      "target": [
        "agent"
      ],
      "reconnect_time": 5
    },
    {
      "channel": "System",
      "logformat": "eventchannel",
      "ignore_binaries": "no",
      "only-future-events": "yes",
      "target": [
        "agent"
      ],
      "reconnect_time": 5
    },
    {
      "file": "active-response\\active-responses.log",
      "logformat": "syslog",
      "ignore_binaries": "no",
      "only-future-events": "yes",
      "target": [
        "agent"
      ]
    }
  ]
}

Windows XP

{
  "localfile": [
    {
      "channel": "Application",
      "logformat": "eventlog",
      "ignore_binaries": "no",
      "target": [
        "agent"
      ]
    },
    {
      "channel": "Security",
      "logformat": "eventlog",
      "ignore_binaries": "no",
      "target": [
        "agent"
      ]
    },
    {
      "channel": "System",
      "logformat": "eventlog",
      "ignore_binaries": "no",
      "target": [
        "agent"
      ]
    },
    {
      "file": "active-response\\active-responses.log",
      "logformat": "syslog",
      "ignore_binaries": "no",
      "only-future-events": "yes",
      "target": [
        "agent"
      ]
    }
  ]
}

LGTM :)

juliancnn
juliancnn previously approved these changes Oct 26, 2021
@juliancnn
Member

W10 - default config:

Response: ok {
    "localfile": [
        {
            "channel": "Application",
            "logformat": "eventchannel",
            "ignore_binaries": "no",
            "only-future-events": "yes",
            "target": [
                "agent"
            ],
            "reconnect_time": 5
        },
        {
            "channel": "Security",
            "logformat": "eventchannel",
            "query": "Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and\n      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and\n      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and\n      EventID != 5152 and EventID != 5157]",
            "ignore_binaries": "no",
            "only-future-events": "yes",
            "target": [
                "agent"
            ],
            "reconnect_time": 5
        },
        {
            "channel": "System",
            "logformat": "eventchannel",
            "ignore_binaries": "no",
            "only-future-events": "yes",
            "target": [
                "agent"
            ],
            "reconnect_time": 5
        },
        {
            "file": "active-response\\active-responses.log",
            "logformat": "syslog",
            "ignore_binaries": "no",
            "only-future-events": "yes",
            "target": [
                "agent"
            ]
        }
    ]
}

@JcabreraC
Member Author

JcabreraC commented Oct 26, 2021

Windows Server

{
  "localfile": [
    {
      "channel": "Application",
      "logformat": "eventchannel",
      "ignore_binaries": "no",
      "only-future-events": "yes",
      "target": [
        "agent"
      ],
      "reconnect_time": 5
    },
    {
      "channel": "Security",
      "logformat": "eventchannel",
      "query": "Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and\n      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and\n      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and\n      EventID != 5152 and EventID != 5157]",
      "ignore_binaries": "no",
      "only-future-events": "yes",
      "target": [
        "agent"
      ],
      "reconnect_time": 5
    },
    {
      "channel": "System",
      "logformat": "eventchannel",
      "ignore_binaries": "no",
      "only-future-events": "yes",
      "target": [
        "agent"
      ],
      "reconnect_time": 5
    },
    {
      "file": "active-response\\active-responses.log",
      "logformat": "syslog",
      "ignore_binaries": "no",
      "only-future-events": "yes",
      "target": [
        "agent"
      ]
    }
  ]
}

LGTM !

miguemedina11
miguemedina11 previously approved these changes Oct 27, 2021
@juliancnn juliancnn dismissed stale reviews from miguemedina11, nmkoremblum, and themself via f491ad1 November 1, 2021 14:49
@juliancnn juliancnn force-pushed the 6565-report-windows-localfile branch from 84b3fc3 to f491ad1 Compare November 1, 2021 14:49
@JcabreraC
Member Author

LGTM !

@juliancnn juliancnn self-requested a review November 2, 2021 12:07
@vikman90 vikman90 merged commit 40a65b6 into master Nov 2, 2021
@vikman90 vikman90 deleted the 6565-report-windows-localfile branch November 2, 2021 17:44
Linked issue (closed by this pull request): Wazuh API doesn't report complete information about Windows localfiles (#6565)

5 participants