wazuh / qa-system-framework

GNU General Public License v2.0

Add generic module to manage callback #18

Closed Rebits closed 1 year ago

Rebits commented 1 year ago

Description

It is necessary to have a better event callback trace, allowing us to determine if the patterns match the expected logs. In cases where they do not match, having detailed information, such as the last processed log, can be extremely helpful.

We require a class that provides us with essential information such as timeouts, logs, patterns, groups, and more. This will enable us to effectively manage and access the necessary data for our operations, and we will be able to have a proper debug trace for further testing, including system, e2e, and other relevant testing scenarios.

roronoasins commented 1 year ago

After implementing the current and new approach, callback metadata has been added. This metadata includes information such as logs trace, pattern description name, pattern, and match flag. These additions provide valuable information to enhance the analysis and understanding of the callbacks.

roronoasins commented 1 year ago

Currently we have the following structure to store the callback-related info:

{
    "Check if ossec appears": {
        "match": true,
        "pattern": ".*ossec.*",
        "last_monitored_log": "2023/05/16 12:31:38 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'\n"
    },
    "Check if wazuh appears": {
        "match": true,
        "pattern": ".*wazuh.*",
        "last_monitored_log": "2023/05/16 12:31:38 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...\n"
    },
    "Check if syscollector scan has been started.": {
        "match": true,
        "pattern": ".*wazuh-modulesd:syscollector: INFO: Module started.",
        "last_monitored_log": "2023/05/16 12:31:38 wazuh-modulesd:syscollector: INFO: Module started.\n"
    },
    "Checks if the syscollector scan has been completed.": {
        "match": true,
        "pattern": ".*wazuh-modulesd:syscollector: INFO: Evaluation finished.",
        "last_monitored_log": "2023/05/16 12:31:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.\n"
    },
    "Catch the policy file when it is evaluated.": {
        "match": true,
        "pattern": ".*Starting evaluation of policy: '(.*)'\n",
        "last_monitored_log": "2023/05/16 12:45:38 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'\n",
        "groups": ["/var/ossec/ruleset/sca/cis_ubuntu22-04.yml"]
    },
    "Check vd debug": {
        "match": false,
        "pattern": ".*DEBUG: Module disabled. Exiting...",
        "last_monitored_log": "2023/06/13 16:54:23 wazuh-modulesd:syscollector1: INFO: info1\n"
    }
}

There is a flag that enables us to store the trace of events that have been monitored. It would be beneficial to discuss whether we require additional or reduced metadata for our purposes such as match, groups, last_monitored_log, pattern, monitored_logs, etc.
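The structure above can be produced by a small callback manager that feeds log lines to a set of pattern callbacks and records, per callback, the match flag, the pattern, the last log processed, any captured groups and, when the trace flag is on, every log the callback saw. The following is an added example written for this thread, not code from the qa-system-framework itself: the class names `CallbackTrace`, `CallbackManager` and the helper `build_report` are assumed names, and `SAMPLE_LOGS` is a constructed input built from the log lines quoted in the comment above. A callback stops consuming lines once it has matched, which is why a matched callback's `last_monitored_log` is the line that matched it while an unmatched one ends up holding the final line of the trace.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample trace, assembled from the log lines quoted in this issue.
SAMPLE_LOGS = [
    "2023/05/16 12:31:38 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'\n",
    "2023/05/16 12:31:38 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...\n",
    "2023/05/16 12:31:38 wazuh-modulesd:syscollector: INFO: Module started.\n",
    "2023/05/16 12:31:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.\n",
    "2023/05/16 12:45:38 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'\n",
    "2023/06/13 16:54:23 wazuh-modulesd:syscollector1: INFO: info1\n",
]

# Description -> pattern, taken from the metadata structure shown in the comment.
SAMPLE_CALLBACKS = {
    "Check if ossec appears": ".*ossec.*",
    "Check if wazuh appears": ".*wazuh.*",
    "Check if syscollector scan has been started.": ".*wazuh-modulesd:syscollector: INFO: Module started.",
    "Checks if the syscollector scan has been completed.": ".*wazuh-modulesd:syscollector: INFO: Evaluation finished.",
    "Catch the policy file when it is evaluated.": ".*Starting evaluation of policy: '(.*)'\n",
    "Check vd debug": ".*DEBUG: Module disabled. Exiting...",
}


class CallbackTrace:
    """Metadata for one pattern callback (hypothetical class, not the framework's)."""

    def __init__(self, description: str, pattern: str, store_logs: bool = False):
        self.description = description
        self.pattern = re.compile(pattern)
        self.store_logs = store_logs          # the "trace of events" flag
        self.match = False
        self.groups: List[str] = []
        self.last_monitored_log: Optional[str] = None
        self.monitored_logs: List[str] = []

    def process(self, log_line: str) -> bool:
        """Record the line, test the pattern and return whether it matched."""
        self.last_monitored_log = log_line
        if self.store_logs:
            self.monitored_logs.append(log_line)
        found = self.pattern.match(log_line)
        if found:
            self.match = True
            self.groups = list(found.groups())
        return self.match

    def metadata(self) -> dict:
        """Serialise to the per-callback structure shown in the issue."""
        data = {
            "match": self.match,
            "pattern": self.pattern.pattern,
            "last_monitored_log": self.last_monitored_log,
        }
        if self.groups:
            data["groups"] = self.groups
        if self.store_logs:
            data["monitored_logs"] = list(self.monitored_logs)
        return data


class CallbackManager:
    """Feeds log lines to every pending callback and reports their metadata."""

    def __init__(self, store_logs: bool = False):
        self.store_logs = store_logs
        self.callbacks: Dict[str, CallbackTrace] = {}

    def add(self, description: str, pattern: str) -> None:
        self.callbacks[description] = CallbackTrace(description, pattern, self.store_logs)

    def run(self, log_lines: List[str]) -> Dict[str, dict]:
        # A callback that has already matched stops consuming lines, so its
        # last_monitored_log stays on the line that satisfied it.
        for line in log_lines:
            for callback in self.callbacks.values():
                if not callback.match:
                    callback.process(line)
        return self.report()

    def report(self) -> Dict[str, dict]:
        return {desc: cb.metadata() for desc, cb in self.callbacks.items()}

    def failed(self) -> List[str]:
        """Descriptions of callbacks whose pattern never matched: the debug starting point."""
        return [desc for desc, cb in self.callbacks.items() if not cb.match]


def build_report(store_logs: bool = False) -> Dict[str, dict]:
    """Run the sample callbacks over the sample trace and return the metadata."""
    manager = CallbackManager(store_logs=store_logs)
    for description, pattern in SAMPLE_CALLBACKS.items():
        manager.add(description, pattern)
    return manager.run(SAMPLE_LOGS)


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=4))
```

With `store_logs=True` each entry additionally carries `monitored_logs`, the full list of lines that callback consumed, which is the trace the comment proposes keeping behind a flag; with the flag off the report is exactly the shape quoted above, and `failed()` gives the list of descriptions to inspect when a test times out.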

pro-akim commented 1 year ago

Update

Setting environment for testing.

pro-akim commented 1 year ago

Update

Tested, LGTM. Another reviewer should approve the review. Moved back to pending review.

davidjiglesias commented 1 year ago

LGTM!