
Adding wildcards for folders in the localfile configuration on Windows #15973

Merged
merged 5 commits into 4.6.0 from 12351_wildcard_logcollector Jul 28, 2023

Conversation

lsayanes
Contributor

@lsayanes lsayanes commented Jan 18, 2023

Related issue
#12351

Description

Wildcard log monitoring for folders and files in Windows has been added to this branch.

Wildcards '*' and '?' are allowed in folders and files in Windows:

C:\Logs\10.0.01\date_10.0.0.1.log
C:\Logs\10.0.02\*.log
C:\Logs\10.0.03\date_10.0.0.?.log
C:\*\*\*.log
C:\Log?\*\date_10.0.0.2.log
C:\Logs\10.0.03\*log

Meaning: '*' as a complete word and '?' as a character

Sources:

The following files have been modified:

  • src\config\localfile-config.c
  • src\logcollector\logcollector.c
  • src\shared\file_op.c

Log deleted:
In the Read_Localfile function (in localfile-config.c), the call to the Win32 FindFirstFile function has been removed because it is not able to resolve wildcard paths; for this reason, the following error message has also been removed:

GLOB_ERROR_WIN "(1141): Glob error. Invalid pattern: '%s' or no files found."

Proof of concept:

In this proof of concept for Windows Agent, three types of monitoring are established:

  1. Matching file
  2. Folder doesn't exist
  3. File doesn't exist

The ossec.conf has been configured for:

  <!-- Log analysis -->
  <localfile>
    <location>c:\log\one\*.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <localfile>
    <location>c:\one\*.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <localfile>
    <location>c:\log\one\two.*</location>
    <log_format>syslog</log_format>
  </localfile>

Given this folder structure:

       C:
        |
        |-----\log
                |
                |-----\one
                |       |
                |       |---- one.log
                |
                |-----\two
                |        |
                |        |-----two.log
                |
                |-----\three
                        |
                        |-----three.log

The following log (extract) was obtained with windows.debug=2.

2023/02/14 16:20:43 wazuh-agent[8284] logcollector.c:1571 at check_pattern_expand(): INFO: (1957): New file that matches the 'c:\log\one\*.log' pattern: 'c:\log\one\one.log'.
2023/02/14 16:20:43 wazuh-agent[8284] logcollector.c:1257 at set_read(): DEBUG: Socket target for 'c:\log\one\one.log' -> agent
2023/02/14 16:20:43 wazuh-agent[8284] logcollector.c:431 at LogCollectorStart(): INFO: (1950): Analyzing file: 'c:\log\one\one.log'.

2023/02/14 16:20:43 wazuh-agent[8284] file_op.c:2035 at expand_win32_wildcards(): DEBUG: No folder that matches c:\one\*.log.
2023/02/14 16:20:43 wazuh-agent[8284] file_op.c:2032 at expand_win32_wildcards(): DEBUG: No file that matches c:\log\one\two.*.


2023/02/14 16:20:47 wazuh-agent[8284] read_syslog.c:150 at read_syslog(): DEBUG: Read 0 lines from c:\log\one\one.log

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for Linux
    • Scan-build report
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
    • Dr. Memory
    • AddressSanitizer
  • Memory tests for Windows
    • Scan-build report
    • Coverity
    • Dr. Memory
  • Memory tests for macOS
    • Scan-build report
    • Leaks
    • AddressSanitizer
  • Retrocompatibility with older Wazuh versions
  • Working on cluster environments
  • Configuration on demand reports new parameters
  • The data flow works as expected (agent-manager-api-app)
  • Added unit tests (for new features)
  • Stress test for affected components
  • Decoder/Rule tests
    • Added unit testing files ".ini"
    • runtests.py executed without errors
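
The wildcard semantics the description states ('*' as a whole run of characters, '?' as exactly one character, each applied within a single path component so a pattern is resolved folder by folder rather than through one FindFirstFile call) as an added example. This is not code from this PR or from Wazuh: it matches patterns against a constructed in-memory copy of the proof-of-concept tree instead of a real Windows filesystem, so it builds and runs on any platform, and every name in it (`SAMPLE_TREE`, `component_match`, `path_match`, `expand_pattern`, `expand_status`) is this example's own, not Wazuh's `expand_win32_wildcards` or `check_pattern_expand`. The returned status reproduces the distinction between the two DEBUG lines in the log extract (no folder matches versus folder found but no file matches).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 512
/* Constructed, in-memory stand-in for the PoC folder tree (plus one non-.log
 * file). No real filesystem is touched, so this runs on any platform. */
static const char *const SAMPLE_TREE[] = {
    "c:\\log\\one\\one.log",
    "c:\\log\\one\\notes.txt",
    "c:\\log\\two\\two.log",
    "c:\\log\\three\\three.log",
};
#define SAMPLE_TREE_LEN (sizeof SAMPLE_TREE / sizeof SAMPLE_TREE[0])

typedef enum { EXPAND_MATCHED, EXPAND_NO_FOLDER, EXPAND_NO_FILE } expand_status;

/* Glob ONE component, case-insensitively as Windows names compare: '*' is any
 * run of characters, '?' exactly one. No backslash inside, so '*' never crosses a folder. */
static bool component_match(const char *p, const char *s) {
    const char *star = NULL, *star_s = NULL;
    while (*s != '\0') {
        if (*p == '?' || tolower((unsigned char)*p) == tolower((unsigned char)*s)) {
            p++; s++;
        } else if (*p == '*') {
            star = p++; star_s = s;     /* try letting '*' match nothing first */
        } else if (star != NULL) {
            p = star + 1; s = ++star_s; /* backtrack: '*' absorbs one more char */
        } else {
            return false;
        }
    }
    while (*p == '*') p++;              /* trailing stars match the empty tail */
    return *p == '\0';
}

/* Copy the next backslash-separated component into out; false when exhausted. */
static bool next_component(const char **cursor, char *out, size_t outlen) {
    const char *s = *cursor;
    size_t n = 0;
    if (*s == '\0') return false;
    for (; *s != '\0' && *s != '\\'; s++)
        if (n + 1 < outlen) out[n++] = *s;
    out[n] = '\0';
    *cursor = (*s == '\\') ? s + 1 : s;
    return true;
}

/* Match pattern against path one component at a time (same depth required):
 * the per-component walk one FindFirstFile call cannot do for a wildcard folder. */
static bool path_match(const char *pattern, const char *path) {
    char pc[BUF_LEN], sc[BUF_LEN];
    for (;;) {
        bool more_p = next_component(&pattern, pc, sizeof pc);
        bool more_s = next_component(&path, sc, sizeof sc);
        if (!more_p || !more_s) return more_p == more_s;
        if (!component_match(pc, sc)) return false;
    }
}

/* Copy everything before the last backslash (the folder part) into out. */
static void folder_part(const char *path, char *out, size_t outlen) {
    const char *last = strrchr(path, '\\');
    size_t n = last ? (size_t)(last - path) : 0;
    if (n >= outlen) n = outlen - 1;
    memcpy(out, path, n);
    out[n] = '\0';
}

/* Expand pattern against SAMPLE_TREE: up to max matches go into out, *count gets
 * the total. With no match, the status separates "no folder" from "no file". */
static expand_status expand_pattern(const char *pattern, const char **out,
                                    size_t max, size_t *count) {
    char pattern_dir[BUF_LEN], entry_dir[BUF_LEN];
    bool folder_seen = false;
    *count = 0;
    folder_part(pattern, pattern_dir, sizeof pattern_dir);
    for (size_t i = 0; i < SAMPLE_TREE_LEN; i++) {
        if (path_match(pattern, SAMPLE_TREE[i])) {
            if (*count < max) out[*count] = SAMPLE_TREE[i];
            (*count)++;
        } else {
            folder_part(SAMPLE_TREE[i], entry_dir, sizeof entry_dir);
            if (path_match(pattern_dir, entry_dir)) folder_seen = true;
        }
    }
    if (*count > 0) return EXPAND_MATCHED;
    return folder_seen ? EXPAND_NO_FILE : EXPAND_NO_FOLDER;
}

int main(void) {
    const char *pats[] = { "c:\\log\\one\\*.log", "c:\\one\\*.log", "c:\\log\\one\\two.*" };
    for (size_t i = 0; i < 3; i++) {
        const char *out[SAMPLE_TREE_LEN]; size_t n;
        expand_status st = expand_pattern(pats[i], out, SAMPLE_TREE_LEN, &n);
        printf("%-20s -> %zu match(es), status %d\n", pats[i], n, (int)st);
    }
}
```

Because each '*' is confined to one component, a pattern such as C:\*\*\*.log only matches files at exactly that depth; it is not recursive, and new sibling folders created later are picked up only if they fit the same number of components. That is worth keeping in mind when a monitoring configuration relies on wildcards to cover log folders that an application creates on the fly.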

@MarcelKemp MarcelKemp self-requested a review January 20, 2023 11:09
@MarcelKemp MarcelKemp linked an issue Jan 20, 2023 that may be closed by this pull request
@MarcelKemp MarcelKemp changed the title Monitoring logs using wildcard for folders on Windows issue #12351 Adding wildcards for folders in the localfile configuration on Windows Jan 20, 2023
@MarcelKemp MarcelKemp self-requested a review February 7, 2023 14:21
@MarcelKemp MarcelKemp changed the base branch from master to 4.5 February 8, 2023 12:32
@lsayanes lsayanes force-pushed the 12351_wildcard_logcollector branch 2 times, most recently from b59f081 to 06ee983 Compare February 14, 2023 17:39
MarcelKemp
MarcelKemp previously approved these changes Feb 17, 2023

@jnasselle jnasselle left a comment


Hi @lsayanes ,

Unfortunately, this PR needs a rebase since issue #17639 moves 4.5.0 to 4.6.0, and this PR is not aligned with such changes.

Thanks in advance,
Nico

lsayanes added 5 commits July 25, 2023 17:31
Wildcard windows issue fixed

Scan-build ok

Style C asked, applied

Correction

Jenkins error compiler fixed

The function expand_win32_wildcards into check_pattern_expand
@lsayanes lsayanes force-pushed the 12351_wildcard_logcollector branch from 84907de to db44930 Compare July 25, 2023 21:47
@davidjiglesias davidjiglesias merged commit b4786ba into 4.6.0 Jul 28, 2023
66 checks passed
@davidjiglesias davidjiglesias deleted the 12351_wildcard_logcollector branch July 28, 2023 06:25
Successfully merging this pull request may close these issues.

Monitoring logs using wildcard for folders on Windows
5 participants