Closed Rebits closed 1 year ago
After implementing the current and new approach, callback metadata has been added. This metadata includes information such as the log trace, pattern description name, pattern, and match flag. These additions provide valuable information to enhance the analysis and understanding of the callbacks.
Currently we have the following structure to store the callback-related info:
{
"Check if ossec appears": {
"match": true,
"pattern": ".*ossec.*",
"last_monitored_log": "2023/05/16 12:31:38 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'\n"
},
"Check if wazuh appears": {
"match": true,
"pattern": ".*wazuh.*",
"last_monitored_log": "2023/05/16 12:31:38 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...\n"
},
"Check if syscollector scan has been started.": {
"match": true,
"pattern": ".*wazuh-modulesd:syscollector: INFO: Module started.",
"last_monitored_log": "2023/05/16 12:31:38 wazuh-modulesd:syscollector: INFO: Module started.\n"
},
"Checks if the syscollector scan has been completed.": {
"match": true,
"pattern": ".*wazuh-modulesd:syscollector: INFO: Evaluation finished.",
"last_monitored_log": "2023/05/16 12:31:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.\n"
},
"Catch the policy file when it is evaluated.": {
"match": true,
"pattern": ".*Starting evaluation of policy: '(.*)'\n",
"last_monitored_log": "2023/05/16 12:45:38 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'\n",
"groups": ["/var/ossec/ruleset/sca/cis_ubuntu22-04.yml"]
},
"Check vd debug": {
"match": false,
"pattern": ".*DEBUG: Module disabled. Exiting...",
"last_monitored_log": "2023/06/13 16:54:23 wazuh-modulesd:syscollector1: INFO: info1\n"
}
}
There is a flag that enables us to store the trace of events that have been monitored. It would be beneficial to discuss whether we require additional or reduced metadata for our purposes, such as match, groups, last_monitored_log, pattern, monitored_logs, etc.
Setting environment for testing.
Tested, LGTM. Another reviewer should approve the review. Moved back to pending review.
LGTM!
Description
It is necessary to have a better event callback trace, allowing us to determine if the patterns match the expected logs. In cases where they do not match, having detailed information, such as the last processed log, can be extremely helpful.
We require a class that provides us with essential information such as timeouts, logs, patterns, groups, and more. This will enable us to effectively manage and access the necessary data for our operations, and we will be able to have a proper debug trace for further testing, including system, e2e, and other relevant testing scenarios.
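The metadata structure shown in the first comment (match flag, pattern, last processed log, captured groups, optional trace of monitored lines) and the callback class requested in the description can be illustrated with the following added example. It is not wazuh-qa code: `MonitoredCallback`, `monitor` and `run_example` are hypothetical names, and the sample log lines are constructed, modelled on the ossec.log lines quoted in the thread. Timeouts, which the description also asks for, are left out; the example only covers the per-callback metadata.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MonitoredCallback:
    """Regex callback that keeps the metadata discussed in the thread.

    Hypothetical helper written for this example, not the wazuh-qa implementation.
    """
    description: str
    pattern: str
    keep_trace: bool = False          # the flag that stores every monitored line
    match: bool = False
    groups: List[str] = field(default_factory=list)
    last_monitored_log: Optional[str] = None
    monitored_logs: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Compile once so a bad pattern fails here, not on the first log line.
        self._regex = re.compile(self.pattern)

    def __call__(self, line: str) -> bool:
        """Feed one log line: record it, and return True on the first match."""
        self.last_monitored_log = line
        if self.keep_trace:
            self.monitored_logs.append(line)
        found = self._regex.match(line)
        if found is None:
            return False
        self.match = True
        self.groups = list(found.groups())
        return True

    def metadata(self) -> Dict[str, object]:
        """Serialise to the dict shape shown in the thread (groups/trace only when present)."""
        data: Dict[str, object] = {
            "match": self.match,
            "pattern": self.pattern,
            "last_monitored_log": self.last_monitored_log,
        }
        if self.groups:
            data["groups"] = self.groups
        if self.keep_trace:
            data["monitored_logs"] = list(self.monitored_logs)
        return data


def monitor(lines: List[str], callbacks: List[MonitoredCallback]) -> Dict[str, Dict[str, object]]:
    """Feed lines to every callback until each has matched once or the input is exhausted.

    A callback that never matches still ends with last_monitored_log set to the final
    line it saw, which is the debugging detail the description asks for.
    """
    pending = list(callbacks)
    for line in lines:
        if not pending:
            break
        pending = [cb for cb in pending if not cb(line)]
    return {cb.description: cb.metadata() for cb in callbacks}


# Constructed sample, modelled on the log lines quoted in the thread (not a real capture).
SAMPLE_LOG = [
    "2023/05/16 12:31:38 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'\n",
    "2023/05/16 12:31:38 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...\n",
    "2023/05/16 12:31:38 wazuh-modulesd:syscollector: INFO: Module started.\n",
    "2023/05/16 12:45:38 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'\n",
    "2023/05/16 12:31:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.\n",
]


def run_example() -> Dict[str, Dict[str, object]]:
    """Run the patterns from the thread over the constructed log and return their metadata."""
    callbacks = [
        MonitoredCallback("Check if ossec appears", r".*ossec.*"),
        MonitoredCallback("Check if wazuh appears", r".*wazuh.*"),
        MonitoredCallback("Catch the policy file when it is evaluated.",
                          r".*Starting evaluation of policy: '(.*)'\n"),
        # keep_trace=True: this one never matches, so the full trace explains why.
        MonitoredCallback("Check vd debug", r".*DEBUG: Module disabled. Exiting...", keep_trace=True),
    ]
    return monitor(SAMPLE_LOG, callbacks)


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

Each callback stops receiving lines after its first match, so `last_monitored_log` on a matched entry is the line that matched, while on an unmatched entry it is the last line the monitor saw; `monitored_logs` is only emitted when the trace flag is set, keeping the default metadata small.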