
Create buffer in whodata syscheck to store audit logs #16200

Merged
merged 9 commits into from Oct 31, 2023

Conversation


@jotacarma90 jotacarma90 commented Feb 14, 2023

Related issue: #13920
Documentation issue: wazuh/wazuh-documentation#5941

Description

Hi team, in this PR we are going to implement a queue in the syscheck module, to store the logs that we receive from the audit dispatcher.
In this way, we avoid blocking the same thread that receives those logs while we process them, as this is generating problems in the system when there is a large number of events.

I have created a separate thread that pulls logs from that queue and processes them.

Configuration options

<whodata>
    <queue_size>100000</queue_size>
</whodata>

Logs/Alerts example

  • Info message setting the audit queue size:
    2023/02/23 11:39:52 wazuh-syscheckd: INFO: (6046): Internal audit queue size set to '16384'
  • Warning when audit queue is full:
    2023/02/23 11:41:26 wazuh-syscheckd: WARNING: (6955): Internal audit queue is full. Some events may be lost. Next scheduled scan will recover lost data.

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
  • Source installation
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for Linux
    • Scan-build report
    • Valgrind (memcheck and descriptor leaks check)
  • Memory tests for Windows
    • Scan-build report
  • Configuration on demand reports new parameters
  • Added unit tests (for new features)

chemamartinez previously approved these changes Mar 13, 2023

@chemamartinez chemamartinez left a comment


LGTM!

@jotacarma90 jotacarma90 force-pushed the 13920-audit-logs-buffer branch 2 times, most recently from ac8ffcc to dc47c3d Compare April 19, 2023 07:30
@jotacarma90 jotacarma90 changed the base branch from 4.6.0 to master June 26, 2023 16:23
@jotacarma90 jotacarma90 force-pushed the 13920-audit-logs-buffer branch 2 times, most recently from 499e134 to cae2644 Compare July 3, 2023 13:27
@jotacarma90 jotacarma90 force-pushed the 13920-audit-logs-buffer branch 2 times, most recently from 78440cd to 6d6e354 Compare August 3, 2023 16:13
@jotacarma90 jotacarma90 changed the base branch from master to 4.7.0 August 3, 2023 16:13
@jotacarma90 jotacarma90 force-pushed the 13920-audit-logs-buffer branch 2 times, most recently from 3cc131f to 77add2d Compare September 1, 2023 07:45
@jotacarma90 jotacarma90 changed the base branch from 4.7.0 to master September 1, 2023 07:45
@vikman90

Wazuh CI / Unit tests: cmocka winagent

Cause:

The issue above is not related to the changes in this PR.

@vikman90 vikman90 merged commit 4f1e510 into master Oct 31, 2023
83 checks passed
@vikman90 vikman90 deleted the 13920-audit-logs-buffer branch October 31, 2023 10:22
Successfully merging this pull request may close these issues.

FIM whodata delays packages installation time