wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Improve Wazuh manager statistics #3113

Closed TomasTurina closed 1 year ago

TomasTurina commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4 | https://github.com/wazuh/wazuh/issues/13099 | https://github.com/wazuh/wazuh/pull/13713 |

Description

In order to validate the changes of the branch https://github.com/wazuh/wazuh/tree/dev-state-counters, some manual testing is required.

As part of https://github.com/wazuh/wazuh/issues/13099, the statistics of the Wazuh manager have been improved.

Now, global statistics in JSON format can be requested using the API for the following daemons:

Also, agent's related statistics can be requested for the following daemons:

Information related to the fields of the JSON can be found here and here.

All requests must point to the following sockets:

Information related to the fields of the JSON request/response can be found here.

Note: Requests to get the active configuration of these three daemons have also been moved to JSON format and should also be tested in this issue.

Configuration

No extra configuration is required.

Logs

No logs needed to verify.

Feature validation

Use the new API endpoints to retrieve and validate these counters/configurations.

Also, this python script may be useful:

```python
import socket
from struct import pack, unpack
from json import dumps, loads


class WazuhSocket:
    """Minimal client for a Wazuh daemon socket: every message is a 4-byte
    little-endian length header followed by the JSON payload."""

    MAX_SIZE = 65536

    def __init__(self, path):
        self.path = path
        self._connect()

    def _connect(self):
        # Let socket errors propagate with their original message instead of
        # re-raising a bare Exception that hides the cause.
        self.s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.s.connect(self.path)

    def close(self):
        self.s.close()

    def send(self, msg_bytes, header_format="<I"):
        if not isinstance(msg_bytes, bytes):
            raise TypeError("msg_bytes must be bytes, got %s" % type(msg_bytes).__name__)
        data = pack(header_format, len(msg_bytes)) + msg_bytes
        # sendall keeps writing until header + payload are fully sent; a plain
        # send() may return after a partial write.
        self.s.sendall(data)
        return len(data)

    def receive(self, header_format="<I", header_size=4):
        header = self.s.recv(header_size, socket.MSG_WAITALL)
        if len(header) < header_size:
            raise ConnectionError("socket closed before a full header was read")
        size = unpack(header_format, header)[0]
        payload = self.s.recv(size, socket.MSG_WAITALL)
        if len(payload) < size:
            raise ConnectionError("socket closed after %d of %d payload bytes" % (len(payload), size))
        return payload


s = WazuhSocket("/var/ossec/queue/sockets/remote")
msg = {'version': 1, 'origin': {'module': 'api'}, 'command': 'getstats', 'module': 'api', 'parameters': {}}
s.send(dumps(msg).encode())
data = loads(s.receive().decode())
print(data)
s.close()
```
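As an added example (not the script above and not Wazuh's own code), the same length-prefixed request/response exchange run end to end against a constructed stand-in daemon over a Unix socketpair, so the framing, the getconfig/getstats shapes and the error codes 5 ("Empty section") and 6 ("Unrecognized or not configured section") observed in this issue can be exercised offline. The stand-in's section table, its frame-size cap and its "Unknown command" code are assumptions, not documented behaviour.

```python
import json
import socket
import struct
import threading

HEADER = struct.Struct("<I")  # 4-byte little-endian length prefix, as in the script above


def frame(payload):
    """Serialise a request/response dict and prepend the length header."""
    body = json.dumps(payload).encode()
    return HEADER.pack(len(body)) + body


def recv_exact(sock, n):
    """Read exactly n bytes; fail loudly on a short read instead of returning a truncated buffer."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("socket closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def unframe(sock, max_size=1 << 24):
    """Read one length-prefixed JSON message, bounding the allocation before trusting the header.
    The 16 MiB default is an assumption; large replies (the full decoders list) need a generous cap."""
    (size,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if size > max_size:
        raise ValueError("frame of %d bytes exceeds limit %d" % (size, max_size))
    return json.loads(recv_exact(sock, size).decode())


# Constructed stand-in daemon state: one configuration section and a trimmed
# getstats payload with the shapes seen in this issue. Not Wazuh's implementation.
MOCK_SECTIONS = {
    "global": {"remoted": {"agents_disconnection_alert_time": 0, "agents_disconnection_time": 600}},
}
MOCK_STATS = {"timestamp": 1659698893, "name": "wazuh-remoted",
              "metrics": {"tcp_sessions": 1, "queues": {"received": {"size": 131072, "usage": 0}}}}


def mock_daemon(conn):
    """Serve exactly one request on conn with the error codes recorded in this issue, then close."""
    try:
        req = unframe(conn)
        params = req.get("parameters")
        if req.get("command") == "getstats":
            resp = {"error": 0, "message": "ok", "data": MOCK_STATS}
        elif req.get("command") == "getconfig":
            if not params or "section" not in params:
                resp = {"error": 6, "message": "Unrecognized or not configured section", "data": {}}
            elif params["section"] not in MOCK_SECTIONS:
                resp = {"error": 5, "message": "Empty section", "data": {}}
            else:
                resp = {"error": 0, "message": "ok",
                        "data": {params["section"]: MOCK_SECTIONS[params["section"]]}}
        else:
            # Hypothetical code for an unknown command; the page does not document one.
            resp = {"error": 1, "message": "Unknown command", "data": {}}
        conn.sendall(frame(resp))
    finally:
        conn.close()


def query(command, parameters=None):
    """One request/response exchange against the stand-in daemon over a Unix socketpair."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=mock_daemon, args=(server,))
    worker.start()
    try:
        msg = {"version": 1, "origin": {"module": "api"},
               "command": command, "parameters": parameters or {}}
        client.sendall(frame(msg))
        return unframe(client)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print(query("getstats"))
    print(query("getconfig", {"section": "INVALID"}))
```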
Deblintrake09 commented 1 year ago

Review data

| Tester | PR commit |
|---|---|
| @Deblintrake09 | 369876c |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Centos | 8 | LOCAL \| Vagrant | qactl/centos_8 | |

Tested packages

| wazuh-manager | wazuh-agent |
|---|---|
| .rpm Manager | .rpm agent |

Conclusion

Status

Deblintrake09 commented 1 year ago

Testing remoted socket

Get socket configuration - getconfig - global :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "global"}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "global": {
      "remoted": {
        "agents_disconnection_alert_time": 0,
        "agents_disconnection_time": 600
      }
    }
  }
}
```

Get socket configuration - getconfig - remote :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "remote"}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "remote": [
      {
        "connection": "secure",
        "ipv6": "no",
        "protocol": ["TCP", "UDP"],
        "port": "1514",
        "queue_size": "131072"
      }
    ]
  }
}
```

Get socket configuration - getconfig - internal :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "internal"}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "internal": {
      "remoted": {
        "recv_counter_flush": 128,
        "comp_average_printout": 19999,
        "verify_msg_id": 0,
        "recv_timeout": 0,
        "pass_empty_keyfile": 1,
        "sender_pool": 8,
        "request_pool": 1024,
        "request_rto_sec": 1,
        "request_rto_msec": 0,
        "max_attempts": 4,
        "request_timeout": 10,
        "response_timeout": 60,
        "shared_reload": 10,
        "rlimit_nofile": 458752,
        "merge_shared": 0,
        "guess_agent_group": 0,
        "receive_chunk": 4096,
        "send_chunk": 4096,
        "buffer_relax": 1,
        "send_buffer_size": 131072,
        "send_timeout_to_retry": 1,
        "tcp_keepidle": 30,
        "tcp_keepintvl": 10,
        "tcp_keepcnt": 3
      }
    }
  }
}
```

Get socket configuration - getconfig - internal - invalid section :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "INVALID"}}
```

2. Response

```json
{
  "error": 5,
  "message": "Empty section",
  "data": {}
}
```

Get socket configuration - getconfig - internal - no section :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {}}
```

2. Response

```json
{
  "error": 6,
  "message": "Unrecognized or not configured section",
  "data": {}
}
```

Get socket stats - getstats :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getstats", "parameters": {}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "timestamp": 1659698893,
    "name": "wazuh-remoted",
    "metrics": {
      "bytes": {
        "received": 158500,
        "sent": 6458
      },
      "keys_reload_count": 1,
      "messages": {
        "received_breakdown": {
          "control": 6,
          "control_breakdown": {
            "keepalive": 3,
            "request": 0,
            "shutdown": 1,
            "startup": 2
          },
          "dequeued_after": 0,
          "discarded": 0,
          "event": 432,
          "ping": 0,
          "unknown": 0
        },
        "sent_breakdown": {
          "ack": 6,
          "ar": 31,
          "cfga": 2,
          "discarded": 0,
          "request": 0,
          "shared": 3
        }
      },
      "queues": {
        "received": {
          "size": 131072,
          "usage": 0
        }
      },
      "tcp_sessions": 1
    }
  }
}
```

Get socket stats - getstats - no parameters :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getstats", "parameters": {}}
```

2. Response

```json
{ "error":0, "message":"ok", "data":{ "timestamp":1659718683, "name":"wazuh-db", "metrics":{ "queries":{ "received":487480, "received_breakdown":{ "agent":12323, "agent_breakdown":{ "db":{ "begin":0, "close":0, "commit":0, "remove":0, "sql":0 }, "tables":{ "ciscat":{ "ciscat":0 }, "rootcheck":{ "rootcheck":8 }, "sca":{ "sca":4194 }, "sync":{ "dbsync":544 }, "syscheck":{ "fim_file":5328, "fim_registry":0, "syscheck":10 }, "syscollector":{ "syscollector_hotfixes":0, "syscollector_hwinfo":21, "syscollector_network_address":24, "syscollector_network_iface":30, "syscollector_network_protocol":24, "syscollector_osinfo":21, "syscollector_packages":1434, "syscollector_ports":59, "syscollector_processes":626, "deprecated":{ "hardware":0, "hotfix":0, "netaddr":0, "netinfo":0, "netproto":0, "osinfo":0, "package":0, "port":0, "process":0 } }, "vulnerability":{ "vuln_cves":0 } } }, "global":473855, "global_breakdown":{ "db":{ "backup":0, "sql":0 }, "tables":{ "agent":{ "delete-agent":0, "disconnect-agents":33, "find-agent":0, "get-agent-info":457512, "get-agents-by-connection-status":7916, "get-all-agents":2022, "get-groups-integrity":0, "insert-agent":227, "reset-agents-connection":1, "select-agent-group":2780, "select-agent-name":709, "set-agent-groups":2, "sync-agent-groups-get":0, "sync-agent-info-get":0, "sync-agent-info-set":0, "update-agent-data":2556, "update-agent-name":1, "update-connection-status":2, "update-keepalive":4 }, "belongs":{ "get-group-agents":0, "select-group-belong":0 }, "group":{ "delete-group":0, "find-group":1, "insert-agent-group":0, "select-groups":1 }, "labels":{ "get-labels":88 } } }, "mitre":1277, "mitre_breakdown":{ "db":{ "sql":1277 } }, "task":25, "task_breakdown":{ "db":{ "sql":0 }, "tables":{ "tasks":{ "delete_old":1, "set_timeout":23, "upgrade":0, "upgrade_cancel_tasks":1, "upgrade_custom":0, "upgrade_get_status":0, "upgrade_result":0, "upgrade_update_status":0 } } }, "wazuhdb":0, "wazuhdb_breakdown":{ "db":{ "remove":0 } } } }, "time":{ "execution":22355, "execution_breakdown":{ "agent":5291, "agent_breakdown":{ "db":{ "begin":0, "close":0, "commit":0, "remove":0, "sql":0 }, "tables":{ "ciscat":{ "ciscat":0 }, "rootcheck":{ "rootcheck":14 }, "sca":{ "sca":84 }, "sync":{ "dbsync":2860 }, "syscheck":{ "fim_file":1643, "fim_registry":0, "syscheck":13 }, "syscollector":{ "syscollector_hotfixes":0, "syscollector_hwinfo":58, "syscollector_network_address":66, "syscollector_network_iface":59, "syscollector_network_protocol":58, "syscollector_osinfo":54, "syscollector_packages":194, "syscollector_ports":67, "syscollector_processes":116, "deprecated":{ "hardware":0, "hotfix":0, "netaddr":0, "netinfo":0, "netproto":0, "osinfo":0, "package":0, "port":0, "process":0 } }, "vulnerability":{ "vuln_cves":0 } } }, "global":16972, "global_breakdown":{ "db":{ "backup":0, "sql":0 }, "tables":{ "agent":{ "delete-agent":0, "disconnect-agents":4, "find-agent":0, "get-agent-info":12777, "get-agents-by-connection-status":1210, "get-all-agents":2191, "get-groups-integrity":0, "insert-agent":7, "reset-agents-connection":0, "select-agent-group":200, "select-agent-name":5, "set-agent-groups":0, "sync-agent-groups-get":0, "sync-agent-info-get":0, "sync-agent-info-set":0, "update-agent-data":563, "update-agent-name":0, "update-connection-status":0, "update-keepalive":0 }, "belongs":{ "get-group-agents":0, "select-group-belong":0 }, "group":{ "delete-group":0, "find-group":0, "insert-agent-group":0, "select-groups":0 }, "labels":{ "get-labels":9 } } }, "mitre":89, "mitre_breakdown":{ "db":{ "sql":89 } }, "task":3, "task_breakdown":{ "db":{ "sql":0 }, "tables":{ "tasks":{ "delete_old":0, "set_timeout":2, "upgrade":0, "upgrade_cancel_tasks":0, "upgrade_custom":0, "upgrade_get_status":0, "upgrade_result":0, "upgrade_update_status":0 } } }, "wazuhdb":0, "wazuhdb_breakdown":{ "db":{ "remove":0 } } } } } } }
```

Get Agent stats - getagentstats - all agents - last_id = 0 :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getagentsstats", "parameters": {"agents": "all", "last_id":0}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "timestamp": 1659709761,
    "name": "wazuh-remoted",
    "agents": [
      {
        "id": 226,
        "metrics": {
          "messages": {
            "received_breakdown": {
              "control": 1089,
              "control_breakdown": {
                "keepalive": 1088,
                "request": 0,
                "shutdown": 0,
                "startup": 1
              },
              "event": 4246
            },
            "sent_breakdown": {
              "ack": 1089,
              "ar": 49,
              "cfga": 2,
              "discarded": 0,
              "request": 0,
              "shared": 0
            }
          }
        }
      }
    ]
  }
}
```

Get Agent stats - getagentstats - all agents - no last_id :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getagentsstats", "parameters": {"agents": "all"}}
```

2. Response

```json
{
  "error": 10,
  "message": "Empty last id",
  "data": {}
}
```

Get Agent stats - getagentstats - single agent :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getagentsstats", "parameters": {"agents": [226]}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "timestamp": 1659700814,
    "name": "wazuh-remoted",
    "agents": [
      {
        "id": 226,
        "metrics": {
          "messages": {
            "received_breakdown": {
              "control": 195,
              "control_breakdown": {
                "keepalive": 194,
                "request": 0,
                "shutdown": 0,
                "startup": 1
              },
              "event": 3816
            },
            "sent_breakdown": {
              "ack": 195,
              "ar": 49,
              "cfga": 2,
              "discarded": 0,
              "request": 0,
              "shared": 0
            }
          }
        }
      }
    ]
  }
}
```

Get Agent stats - getagentstats - multiple agents :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getagentsstats", "parameters": {"agents": [226,227]}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "timestamp": 1659700814,
    "name": "wazuh-remoted",
    "agents": [
      {
        "id": 226,
        "metrics": {
          "messages": {
            "received_breakdown": {
              "control": 195,
              "control_breakdown": {
                "keepalive": 194,
                "request": 0,
                "shutdown": 0,
                "startup": 1
              },
              "event": 3816
            },
            "sent_breakdown": {
              "ack": 195,
              "ar": 49,
              "cfga": 2,
              "discarded": 0,
              "request": 0,
              "shared": 0
            }
          }
        }
      }
    ]
  }
}
```
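Added example, not from this issue or the Wazuh project: consistency checks a tester can run over getstats and getagentsstats replies of the shape recorded above (error field is zero before data is used, control equals the sum of its control_breakdown, nothing discarded or of unknown type, receive-queue usage within its size, every requested agent id present in the reply). The embedded samples are constructed from the responses above; the 80% queue-usage warning threshold is an assumption.

```python
import json

# Constructed samples built from the remoted getstats / getagentsstats responses in this issue.
SAMPLE_GETSTATS = json.loads("""{"error":0,"message":"ok","data":{"timestamp":1659698893,
"name":"wazuh-remoted","metrics":{"bytes":{"received":158500,"sent":6458},"keys_reload_count":1,
"messages":{"received_breakdown":{"control":6,"control_breakdown":{"keepalive":3,"request":0,
"shutdown":1,"startup":2},"dequeued_after":0,"discarded":0,"event":432,"ping":0,"unknown":0},
"sent_breakdown":{"ack":6,"ar":31,"cfga":2,"discarded":0,"request":0,"shared":3}},
"queues":{"received":{"size":131072,"usage":0}},"tcp_sessions":1}}}""")

SAMPLE_AGENTSTATS = json.loads("""{"error":0,"message":"ok","data":{"timestamp":1659700814,
"name":"wazuh-remoted","agents":[{"id":226,"metrics":{"messages":{"received_breakdown":{
"control":195,"control_breakdown":{"keepalive":194,"request":0,"shutdown":0,"startup":1},
"event":3816},"sent_breakdown":{"ack":195,"ar":49,"cfga":2,"discarded":0,"request":0,
"shared":0}}}}]}}""")


def check_response(resp):
    """Return the data object of a successful reply, or raise with the daemon's error message."""
    if resp.get("error", 1) != 0:
        raise RuntimeError("daemon error %s: %s" % (resp.get("error"), resp.get("message")))
    return resp["data"]


def check_messages(messages, findings, where):
    """Invariants shared by the global and the per-agent message counters."""
    rb = messages["received_breakdown"]
    if rb["control"] != sum(rb["control_breakdown"].values()):
        findings.append("%s: control (%d) != sum of control_breakdown" % (where, rb["control"]))
    for side in ("received_breakdown", "sent_breakdown"):
        n = messages[side].get("discarded", 0)
        if n:
            findings.append("%s: %d messages discarded in %s" % (where, n, side))
    if rb.get("unknown", 0):
        findings.append("%s: %d messages of unknown type" % (where, rb["unknown"]))


def check_getstats(resp, queue_warn=0.8):
    """Sanity-check a remoted getstats reply; return a list of findings (empty means healthy)."""
    data = check_response(resp)
    findings = []
    if data["name"] != "wazuh-remoted":
        findings.append("unexpected daemon name %r" % data["name"])
    check_messages(data["metrics"]["messages"], findings, "global")
    q = data["metrics"]["queues"]["received"]
    if q["usage"] > q["size"]:
        findings.append("queue usage %d exceeds size %d" % (q["usage"], q["size"]))
    elif q["size"] and q["usage"] / q["size"] >= queue_warn:  # assumed 80% threshold
        findings.append("receive queue at %.0f%% of capacity" % (100 * q["usage"] / q["size"]))
    return findings


def check_getagentsstats(resp, requested):
    """Check a getagentsstats reply against the agent ids that were requested ("all" or a list)."""
    data = check_response(resp)
    findings = []
    seen = set()
    for agent in data["agents"]:
        seen.add(agent["id"])
        check_messages(agent["metrics"]["messages"], findings, "agent %d" % agent["id"])
    if requested != "all":
        missing = sorted(set(requested) - seen)
        if missing:
            findings.append("no counters returned for requested agents %s" % missing)
        extra = sorted(seen - set(requested))
        if extra:
            findings.append("counters returned for agents not requested: %s" % extra)
    return findings


if __name__ == "__main__":
    print(check_getstats(SAMPLE_GETSTATS))
    print(check_getagentsstats(SAMPLE_AGENTSTATS, [226, 227]))
```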
Deblintrake09 commented 1 year ago

Test wazuhdb socket

Get socket configuration - getconfig - internal :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "internal"}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "timestamp": 1659712998,
    "name": "wazuh-remoted",
    "agents": [
      {
        "id": 226,
        "metrics": {
          "messages": {
            "received_breakdown": {
              "control": 1413,
              "control_breakdown": {
                "keepalive": 1412,
                "request": 0,
                "shutdown": 0,
                "startup": 1
              },
              "event": 4338
            },
            "sent_breakdown": {
              "ack": 1413,
              "ar": 49,
              "cfga": 2,
              "discarded": 0,
              "request": 0,
              "shared": 0
            }
          }
        }
      },
      {
        "id": 227,
        "metrics": {
          "messages": {
            "received_breakdown": {
              "control": 5,
              "control_breakdown": {
                "keepalive": 5,
                "request": 0,
                "shutdown": 0,
                "startup": 0
              },
              "event": 1602
            },
            "sent_breakdown": {
              "ack": 5,
              "ar": 50,
              "cfga": 2,
              "discarded": 0,
              "request": 0,
              "shared": 0
            }
          }
        }
      }
    ]
  }
}
```

Get socket configuration - getconfig - wdb :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "wdb"}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "wdb": {
      "backup": [
        {
          "database": "global",
          "enabled": true,
          "interval": 86400,
          "max_files": 3
        }
      ]
    }
  }
}
```

Get socket configuration - invalid section - getconfig :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "invalid"}}
```

2. Response

```json
{
  "error": 5,
  "message": "Empty section",
  "data": {}
}
```

Get socket configuration - no section - getconfig :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {}}
```

2. Response

```json
{
  "error": 6,
  "message": "Unrecognized or not configured section",
  "data": {}
}
```
Get socket stats - getstats :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getstats", "parameters": {}}
```

2. Response

```json
{ "error":0, "message":"ok", "data":{ "timestamp":1659715051, "name":"wazuh-db", "metrics":{ "queries":{ "received":401573, "received_breakdown":{ "agent":12114, "agent_breakdown":{ "db":{ "begin":0, "close":0, "commit":0, "remove":0, "sql":0 }, "tables":{ "ciscat":{ "ciscat":0 }, "rootcheck":{ "rootcheck":8 }, "sca":{ "sca":4194 }, "sync":{ "dbsync":396 }, "syscheck":{ "fim_file":5291, "fim_registry":0, "syscheck":10 }, "syscollector":{ "syscollector_hotfixes":0, "syscollector_hwinfo":18, "syscollector_network_address":21, "syscollector_network_iface":27, "syscollector_network_protocol":21, "syscollector_osinfo":18, "syscollector_packages":1431, "syscollector_ports":56, "syscollector_processes":623, "deprecated":{ "hardware":0, "hotfix":0, "netaddr":0, "netinfo":0, "netproto":0, "osinfo":0, "package":0, "port":0, "process":0 } }, "vulnerability":{ "vuln_cves":0 } } }, "global":388161, "global_breakdown":{ "db":{ "backup":0, "sql":0 }, "tables":{ "agent":{ "delete-agent":0, "disconnect-agents":27, "find-agent":0, "get-agent-info":375111, "get-agents-by-connection-status":6466, "get-all-agents":1659, "get-groups-integrity":0, "insert-agent":227, "reset-agents-connection":1, "select-agent-group":2054, "select-agent-name":709, "set-agent-groups":2, "sync-agent-groups-get":0, "sync-agent-info-get":0, "sync-agent-info-set":0, "update-agent-data":1830, "update-agent-name":1, "update-connection-status":2, "update-keepalive":4 }, "belongs":{ "get-group-agents":0, "select-group-belong":0 }, "group":{ "delete-group":0, "find-group":1, "insert-agent-group":0, "select-groups":1 }, "labels":{ "get-labels":66 } } }, "mitre":1277, "mitre_breakdown":{ "db":{ "sql":1277 } }, "task":21, "task_breakdown":{ "db":{ "sql":0 }, "tables":{ "tasks":{ "delete_old":1, "set_timeout":19, "upgrade":0, "upgrade_cancel_tasks":1, "upgrade_custom":0, "upgrade_get_status":0, "upgrade_result":0, "upgrade_update_status":0 } } }, "wazuhdb":0, "wazuhdb_breakdown":{ "db":{ "remove":0 } } } }, "time":{ "execution":17788, "execution_breakdown":{ "agent":4111, "agent_breakdown":{ "db":{ "begin":0, "close":0, "commit":0, "remove":0, "sql":0 }, "tables":{ "ciscat":{ "ciscat":0 }, "rootcheck":{ "rootcheck":14 }, "sca":{ "sca":84 }, "sync":{ "dbsync":2037 }, "syscheck":{ "fim_file":1419, "fim_registry":0, "syscheck":13 }, "syscollector":{ "syscollector_hotfixes":0, "syscollector_hwinfo":41, "syscollector_network_address":49, "syscollector_network_iface":40, "syscollector_network_protocol":43, "syscollector_osinfo":39, "syscollector_packages":179, "syscollector_ports":50, "syscollector_processes":97, "deprecated":{ "hardware":0, "hotfix":0, "netaddr":0, "netinfo":0, "netproto":0, "osinfo":0, "package":0, "port":0, "process":0 } }, "vulnerability":{ "vuln_cves":0 } } }, "global":13586, "global_breakdown":{ "db":{ "backup":0, "sql":0 }, "tables":{ "agent":{ "delete-agent":0, "disconnect-agents":4, "find-agent":0, "get-agent-info":10348, "get-agents-by-connection-status":932, "get-all-agents":1739, "get-groups-integrity":0, "insert-agent":7, "reset-agents-connection":0, "select-agent-group":141, "select-agent-name":5, "set-agent-groups":0, "sync-agent-groups-get":0, "sync-agent-info-get":0, "sync-agent-info-set":0, "update-agent-data":398, "update-agent-name":0, "update-connection-status":0, "update-keepalive":0 }, "belongs":{ "get-group-agents":0, "select-group-belong":0 }, "group":{ "delete-group":0, "find-group":0, "insert-agent-group":0, "select-groups":0 }, "labels":{ "get-labels":7 } } }, "mitre":89, "mitre_breakdown":{ "db":{ "sql":89 } }, "task":2, "task_breakdown":{ "db":{ "sql":0 }, "tables":{ "tasks":{ "delete_old":0, "set_timeout":2, "upgrade":0, "upgrade_cancel_tasks":0, "upgrade_custom":0, "upgrade_get_status":0, "upgrade_result":0, "upgrade_update_status":0 } } }, "wazuhdb":0, "wazuhdb_breakdown":{ "db":{ "remove":0 } } } } } } }
```
Get socket stats - no parameters - getstats :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getstats"}
```

2. Response

```json
{ "error":0, "message":"ok", "data":{ "timestamp":1659715051, "name":"wazuh-db", "metrics":{ "queries":{ "received":401573, "received_breakdown":{ "agent":12114, "agent_breakdown":{ "db":{ "begin":0, "close":0, "commit":0, "remove":0, "sql":0 }, "tables":{ "ciscat":{ "ciscat":0 }, "rootcheck":{ "rootcheck":8 }, "sca":{ "sca":4194 }, "sync":{ "dbsync":396 }, "syscheck":{ "fim_file":5291, "fim_registry":0, "syscheck":10 }, "syscollector":{ "syscollector_hotfixes":0, "syscollector_hwinfo":18, "syscollector_network_address":21, "syscollector_network_iface":27, "syscollector_network_protocol":21, "syscollector_osinfo":18, "syscollector_packages":1431, "syscollector_ports":56, "syscollector_processes":623, "deprecated":{ "hardware":0, "hotfix":0, "netaddr":0, "netinfo":0, "netproto":0, "osinfo":0, "package":0, "port":0, "process":0 } }, "vulnerability":{ "vuln_cves":0 } } }, "global":388161, "global_breakdown":{ "db":{ "backup":0, "sql":0 }, "tables":{ "agent":{ "delete-agent":0, "disconnect-agents":27, "find-agent":0, "get-agent-info":375111, "get-agents-by-connection-status":6466, "get-all-agents":1659, "get-groups-integrity":0, "insert-agent":227, "reset-agents-connection":1, "select-agent-group":2054, "select-agent-name":709, "set-agent-groups":2, "sync-agent-groups-get":0, "sync-agent-info-get":0, "sync-agent-info-set":0, "update-agent-data":1830, "update-agent-name":1, "update-connection-status":2, "update-keepalive":4 }, "belongs":{ "get-group-agents":0, "select-group-belong":0 }, "group":{ "delete-group":0, "find-group":1, "insert-agent-group":0, "select-groups":1 }, "labels":{ "get-labels":66 } } }, "mitre":1277, "mitre_breakdown":{ "db":{ "sql":1277 } }, "task":21, "task_breakdown":{ "db":{ "sql":0 }, "tables":{ "tasks":{ "delete_old":1, "set_timeout":19, "upgrade":0, "upgrade_cancel_tasks":1, "upgrade_custom":0, "upgrade_get_status":0, "upgrade_result":0, "upgrade_update_status":0 } } }, "wazuhdb":0, "wazuhdb_breakdown":{ "db":{ "remove":0 } } } }, "time":{ "execution":17788, "execution_breakdown":{ "agent":4111, "agent_breakdown":{ "db":{ "begin":0, "close":0, "commit":0, "remove":0, "sql":0 }, "tables":{ "ciscat":{ "ciscat":0 }, "rootcheck":{ "rootcheck":14 }, "sca":{ "sca":84 }, "sync":{ "dbsync":2037 }, "syscheck":{ "fim_file":1419, "fim_registry":0, "syscheck":13 }, "syscollector":{ "syscollector_hotfixes":0, "syscollector_hwinfo":41, "syscollector_network_address":49, "syscollector_network_iface":40, "syscollector_network_protocol":43, "syscollector_osinfo":39, "syscollector_packages":179, "syscollector_ports":50, "syscollector_processes":97, "deprecated":{ "hardware":0, "hotfix":0, "netaddr":0, "netinfo":0, "netproto":0, "osinfo":0, "package":0, "port":0, "process":0 } }, "vulnerability":{ "vuln_cves":0 } } }, "global":13586, "global_breakdown":{ "db":{ "backup":0, "sql":0 }, "tables":{ "agent":{ "delete-agent":0, "disconnect-agents":4, "find-agent":0, "get-agent-info":10348, "get-agents-by-connection-status":932, "get-all-agents":1739, "get-groups-integrity":0, "insert-agent":7, "reset-agents-connection":0, "select-agent-group":141, "select-agent-name":5, "set-agent-groups":0, "sync-agent-groups-get":0, "sync-agent-info-get":0, "sync-agent-info-set":0, "update-agent-data":398, "update-agent-name":0, "update-connection-status":0, "update-keepalive":0 }, "belongs":{ "get-group-agents":0, "select-group-belong":0 }, "group":{ "delete-group":0, "find-group":0, "insert-agent-group":0, "select-groups":0 }, "labels":{ "get-labels":7 } } }, "mitre":89, "mitre_breakdown":{ "db":{ "sql":89 } }, "task":2, "task_breakdown":{ "db":{ "sql":0 }, "tables":{ "tasks":{ "delete_old":0, "set_timeout":2, "upgrade":0, "upgrade_cancel_tasks":0, "upgrade_custom":0, "upgrade_get_status":0, "upgrade_result":0, "upgrade_update_status":0 } } }, "wazuhdb":0, "wazuhdb_breakdown":{ "db":{ "remove":0 } } } } } } }
```
Deblintrake09 commented 1 year ago

Testing Analysisd socket - part 1

Get socket configuration - getconfig - global :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "global"}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "global": {
      "email_notification": "yes",
      "logall": "yes",
      "logall_json": "no",
      "integrity_checking": 8,
      "rootkit_detection": 8,
      "host_information": 8,
      "prelude_output": "no",
      "zeromq_output": "no",
      "jsonout_output": "yes",
      "alerts_log": "yes",
      "stats": 4,
      "memory_size": 8192,
      "white_list": [
        "127.0.0.1",
        "10.0.2.3",
        "localhost.localdomain"
      ],
      "rotate_interval": 0,
      "max_output_size": 0
    }
  }
}
```

Get socket configuration - getconfig - active_response :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "active_response"}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "active-response": []
  }
}
```

Get socket configuration - getconfig - alerts :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "alerts"}}
```

2. Response

```json
{
  "error": 0,
  "message": "ok",
  "data": {
    "alerts": {
      "email_alert_level": 12,
      "log_alert_level": 3
    }
  }
}
```
Get socket configuration - getconfig - decoders :green_circle:

1. Send request Json

```json
{"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "decoders"}}
```

2. Response

```json
{ "error":0, "message":"ok", "data":{ "decoders":[ { "id":21, "name":"aix-ipsec", "order":[ "action", "srcip", "dstip", "protocol", "srcport", "dstport" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":" R:(\\w) \\w:\\S+ S:(\\S+) D:(\\S+) P:(\\S+) SP:(\\d+) DP:(\\d+) ", "type":"osregex" }, "program_name":{ "pattern":"^ipsec_logd", "type":"osmatch" }, "type":"firewall" }, { "id":22, "name":"apache-errorlog", "children":[ { "id":22, "name":"apache-errorlog", "parent":"apache-errorlog", "order":[ "srcip", "srcport", "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"[client \\S+:\\d+] \\S+:", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"[client (\\S+):(\\d+)] (\\S+): ", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":22, "name":"apache-errorlog", "parent":"apache-errorlog", "order":[ "srcip", "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"[client \\S+] \\S+:", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"[client (\\S+)] (\\S+): ", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^apache2|^httpd", "type":"osmatch" }, "type":"syslog" }, { "id":33, "name":"arpwatch", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^arpwatch", "type":"osmatch" }, "type":"syslog" }, { "id":35, "name":"asterisk", "children":[ { "id":35, "name":"asterisk", "parent":"asterisk", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^WARNING[\\d+]: \\S+ in \\S+: Don't know ", "type":"osregex" }, "regex":{ "pattern":"^\\S+ how to respond via '(\\w+/\\d.\\d/\\w+)'", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":35, "name":"asterisk", "parent":"asterisk", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^NOTICE[\\d+]: \\S+ in \\S+: Registration from ", "type":"osregex" }, "regex":{ "pattern":"^\\S+ failed for '(\\S+)'", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":35, "name":"asterisk", "parent":"asterisk", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Registration from ", "type":"osregex" }, "regex":{ "pattern":"failed for '(\\S+)'", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^asterisk", "type":"osmatch" }, "type":"syslog" }, { "id":54, "name":"barracuda-svf-email", "children":[ { "id":54, "name":"barracuda-svf-email", "parent":"barracuda-svf-email", "order":[ "srcip", "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\S+[\\S+]|^\\S+", "type":"osregex" }, "regex":{ "pattern":"^\\S+[(\\S+)] (\\d+-\\w+-\\w+) \\d+ \\d+ |^(\\S+) (\\d+-\\w+-\\w+) \\d+ \\d+ ", "type":"osregex" }, "type":"syslog" }, { "id":54, "name":"barracuda-svf-email", "parent":"barracuda-svf-email", "order":[ "action", "extra_data" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"(SCAN) (\\S+ \\S+ \\S+ \\S+ \\d+ \\d+ \\.+ SUBJ:\\.+)$", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":54, "name":"barracuda-svf-email", "parent":"barracuda-svf-email", "order":[ "action", "extra_data" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"(RECV) (\\S+ \\S+ \\d+ \\d+ \\.+)$", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^inbound/pass|^scan|^outbound/smtp", "type":"osmatch" }, "type":"syslog" }, { "id":51, "name":"barracuda-svf-admin", "children":[ { "id":51, "name":"barracuda-svf-admin", "parent":"barracuda-svf-admin", "order":[ "srcip", "action", "extra_data" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^[\\S+] global[] CHANGE", "type":"osregex" }, "regex":{ "pattern":"^[(\\S+)] global[] (CHANGE) (\\S+ \\(\\S*)\\)$", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^web", "type":"osmatch" }, "type":"syslog" }, { "id":60, "name":"checkpoint-syslog", "children":[ { "id":60, "name":"checkpoint-syslog", "parent":"checkpoint-syslog", "order":[ "action", "srcip", "dstip", "protocol" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^drop|^accept|^reject", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^(\\w+)\\s+\\S+ \\p\\S+ rule:\\.+src: (\\S+); dst: (\\S+); proto: (\\S+);", "type":"osregex" }, "regex_offset":"after_parent", "type":"firewall" }, { "id":60, "name":"checkpoint-syslog", "parent":"checkpoint-syslog", "order":[ "dstport", "srcport" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"service: (\\d+); s_port: (\\d+);", "type":"osregex" }, "regex_offset":"after_regex", "type":"firewall" } ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\s*\\S+ \\d\\d:\\d\\d:\\d\\d ", "type":"osregex" }, "program_name":{ "pattern":"^Checkpoint", "type":"osmatch" }, "type":"syslog" }, { "id":66, "name":"cimserver", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^cimserver$", "type":"osmatch" }, "type":"syslog" }, { "id":139, "name":"cisco-estreamer", "children":[ ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"AlertPriority \\d+ SourceIp \\.+ DestinationIP \\.+", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "children":[ { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "action", "protocol", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SEC-6-IPACCESSLOGP: list \\S+ \\S+ \\S+", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) \\S+ \\S+ -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),|%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),", "type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "ftscomment":"First time Cisco IOS IDS/IPS module rule fired.", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "id", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%IPS-4-SIGNATURE: Sig:\\d+ ", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Sig:(\\d+) \\.+[(\\d+.\\d+.\\d+.\\d+):(\\d+) -> (\\d+.\\d+.\\d+.\\d+):(\\d+)]", "type":"osregex" }, "fts":[ "srcip" ], "type":"ids" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", "type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\S+ on \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by (\\S+) on \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^%\\w+-\\d-\\w+: ", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "children":[ { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "action", "protocol", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SEC-6-IPACCESSLOGP: list \\S+ \\S+ \\S+", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) \\S+ \\S+ -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),|%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),", "type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "ftscomment":"First time Cisco IOS IDS/IPS module rule fired.", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "id", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%IPS-4-SIGNATURE: Sig:\\d+ ", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Sig:(\\d+) \\.+[(\\d+.\\d+.\\d+.\\d+):(\\d+) -> (\\d+.\\d+.\\d+.\\d+):(\\d+)]", "type":"osregex" }, "fts":[ "srcip" ], "type":"ids" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", "type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\S+ on \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by (\\S+) on \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\d+: %\\w+-\\d-\\w+: ", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "children":[ { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "action", "protocol", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SEC-6-IPACCESSLOGP: list \\S+ \\S+ \\S+", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) \\S+ \\S+ -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),|%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),", "type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "ftscomment":"First time Cisco IOS IDS/IPS module rule fired.", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "id", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%IPS-4-SIGNATURE: Sig:\\d+ ", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Sig:(\\d+) \\.+[(\\d+.\\d+.\\d+.\\d+):(\\d+) -> (\\d+.\\d+.\\d+.\\d+):(\\d+)]", "type":"osregex" }, "fts":[ "srcip" ], "type":"ids" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", 
"type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\S+ on \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by (\\S+) on \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+:\\s+%|^\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+:\\s+%|^\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+\\s+\\w+:\\s+%|^\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+\\s+\\w+:\\s+%|^\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+.\\d+:\\s+%|^\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+.\\d+:\\s+%|^\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+.\\d+\\s+\\w+:\\s+%|^\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+.\\d+\\s+\\w+:\\s+%", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "children":[ { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "action", "protocol", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SEC-6-IPACCESSLOGP: list \\S+ \\S+ \\S+", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) \\S+ \\S+ -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),|%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),", "type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "ftscomment":"First time Cisco IOS IDS/IPS module rule fired.", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "id", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", "accumulate":"no", 
"prematch":{ "pattern":"%IPS-4-SIGNATURE: Sig:\\d+ ", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Sig:(\\d+) \\.+[(\\d+.\\d+.\\d+.\\d+):(\\d+) -> (\\d+.\\d+.\\d+.\\d+):(\\d+)]", "type":"osregex" }, "fts":[ "srcip" ], "type":"ids" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", "type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\S+ on \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by (\\S+) on \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\d+:\\s\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+:\\s+%|^\\d+:\\s\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+:\\s+%|^\\d+:\\s\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+\\s+\\w+:\\s+%|^\\d+:\\s\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+\\s+\\w+:\\s+%|^\\d+:\\s\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+.\\d+:\\s+%|^\\d+:\\s\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+.\\d+:\\s+%|^\\d+:\\s\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+.\\d+\\s+\\w+:\\s+%|^\\d+:\\s\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+.\\d+\\s+\\w+:\\s+%", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "children":[ { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "action", "protocol", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", 
"accumulate":"no", "prematch":{ "pattern":"%SEC-6-IPACCESSLOGP: list \\S+ \\S+ \\S+", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) \\S+ \\S+ -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),|%(\\w+)-(\\d)-(\\w+): list \\S+ (\\w+) (\\w+) (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\) -> (\\d+.\\d+.\\d+.\\d+)\\((\\d+)\\),", "type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "ftscomment":"First time Cisco IOS IDS/IPS module rule fired.", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "id", "srcip", "srcport", "dstip", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%IPS-4-SIGNATURE: Sig:\\d+ ", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Sig:(\\d+) \\.+[(\\d+.\\d+.\\d+.\\d+):(\\d+) -> (\\d+.\\d+.\\d+.\\d+):(\\d+)]", "type":"osregex" }, "fts":[ "srcip" ], "type":"ids" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", "type":"osregex" }, "type":"syslog" }, { "id":179, "name":"cisco-ios", "parent":"cisco-ios", "order":[ "cisco.facility", "cisco.severity", "cisco.mnemonic", "srcuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"%SYS-5-CONFIG_I: Configured from console by \\S+ on \\w+ \\(", "type":"osregex" }, "regex":{ "pattern":"%(\\w+)-(\\d)-(\\w+): Configured from console by (\\S+) on \\w+ \\((\\d+.\\d+.\\d+.\\d+)\\)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "prematch":{ 
"pattern":"^\\d+:\\s\\.+:\\s\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+:\\s+%|^\\d+:\\s\\.+:\\s\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+:\\s+%|^\\d+:\\s\\.+:\\s\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+\\s+\\w+:\\s+%|^\\d+:\\s\\.+:\\s\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+\\s+\\w+:\\s+%|^\\d+:\\s\\.+:\\s\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+.\\d+:\\s+%|^\\d+:\\s\\.+:\\s\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+.\\d+:\\s+%|^\\d+:\\s\\.+:\\s\\p*\\w+\\s+\\d*\\s\\d+:\\d+:\\d+.\\d+\\s+\\w+:\\s+%|^\\d+:\\s\\.+:\\s\\p*\\w+\\s+\\d*\\s\\d+\\s\\d+:\\d+:\\d+.\\d+\\s+\\w+:\\s+%", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":186, "name":"clamd", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^clamd", "type":"osmatch" }, "type":"syslog" }, { "id":245, "name":"freshclam", "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^freshclam", "type":"osmatch" }, "type":"syslog" }, { "id":188, "name":"courier", "children":[ { "id":188, "name":"courier", "parent":"courier", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^LOGIN, ", "type":"osregex" }, "regex":{ "pattern":"^user=(\\S+), ip=[(\\S+)]$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap", "type":"osmatch" }, "type":"syslog" }, { "id":198, "name":"dovecot", "children":[ { "id":198, "name":"dovecot", "parent":"dovecot", "order":[ "dstuser", "srcip", "dstip", "protocol" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\w\\w\\w\\w-login: Login: ", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^user=\\p(\\S+)\\p, method=\\S+, rip=(\\S+), lip=(\\S+), mpid=\\S+, (\\S*)$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":198, "name":"dovecot", "parent":"dovecot", 
"order":[ "dstuser", "srcip", "dstip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\w\\w\\w\\w-login: Aborted login", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":": user=\\p(\\S+)\\p, method=\\S+, rip=(\\S+), ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":198, "name":"dovecot", "parent":"dovecot", "order":[ "dstip" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"lip=(\\S+),", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":198, "name":"dovecot", "parent":"dovecot", "order":[ "dstip" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"lip=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":198, "name":"dovecot", "parent":"dovecot", "order":[ "session" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":" session=\\p(\\S+\\S)>,", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":198, "name":"dovecot", "parent":"dovecot", "order":[ "session" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":" session=\\p(\\S+\\S)>", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":198, "name":"dovecot", "parent":"dovecot", "order":[ "protocol" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":" (\\S*)$", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":198, "name":"dovecot", "parent":"dovecot", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^auth\\(default\\)|auth-worker\\(default\\)", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^: \\S+\\((\\S+),(\\S+)\\)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":198, "name":"dovecot", "parent":"dovecot", "order":[ "srcuser", "srcip", "dstip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ 
"pattern":"^\\w\\w\\w\\w-login: Disconnected\\.+user=", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"user=(\\S+), method=\\S+, rip=(\\S+), lip=(\\S+),", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^dovecot", "type":"osmatch" }, "type":"syslog" }, { "id":203, "name":"dovecot-info", "children":[ { "id":203, "name":"dovecot-info", "parent":"dovecot-info", "order":[ "dstuser", "srcip", "dstip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"imap-login", "type":"osregex" }, "regex":{ "pattern":"Login: user=(\\S+), method=\\.+, rip=(\\S+), lip=(\\S+) ", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^Info$|^Warn$", "type":"osmatch" }, "type":"syslog" }, { "id":208, "name":"dropbear", "children":[ { "id":208, "name":"dropbear", "parent":"dropbear", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"password", "type":"osregex" }, "regex":{ "pattern":"for '(\\S+)' from (\\S+):\\d+$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":208, "name":"dropbear", "parent":"dropbear", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"nonexistent", "type":"osregex" }, "regex":{ "pattern":"from (\\S+):\\d+$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^dropbear", "type":"osmatch" }, "type":"syslog" }, { "id":232, "name":"fortiauth", "children":[ { "id":232, "name":"fortiauth", "parent":"fortiauth", "order":[ "category" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"category=\"(\\.+)\"", "type":"osregex" }, "type":"syslog" }, { "id":232, "name":"fortiauth", "parent":"fortiauth", "order":[ "subcategory" ], 
"use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"subcategory=\"(\\.+)\"", "type":"osregex" }, "type":"syslog" }, { "id":232, "name":"fortiauth", "parent":"fortiauth", "order":[ "typeid" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"typeid=(\\d+) ", "type":"osregex" }, "type":"syslog" }, { "id":232, "name":"fortiauth", "parent":"fortiauth", "order":[ "level" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"level=\"(\\.+)\"", "type":"osregex" }, "type":"syslog" }, { "id":232, "name":"fortiauth", "parent":"fortiauth", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"user=\"(\\S+)\"", "type":"osregex" }, "type":"syslog" }, { "id":232, "name":"fortiauth", "parent":"fortiauth", "order":[ "nas" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"nas=\"(\\S+)\"", "type":"osregex" }, "type":"syslog" }, { "id":232, "name":"fortiauth", "parent":"fortiauth", "order":[ "data.action" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"action=\"(\\.*)\"", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^db$", "type":"osmatch" }, "type":"syslog" }, { "id":244, "name":"freeipa", "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"ipa", "type":"osmatch" }, "type":"syslog" }, { "id":246, "name":"ftpd", "children":[ { "id":246, "name":"ftpd", "parent":"ftpd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Failed authentication from: \\S+ |^repeated login failures from ", "type":"osregex" }, "regex":{ "pattern":"^\\S+ [(\\S+)]$|^(\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":246, "name":"ftpd", "parent":"ftpd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^FTP LOGIN REFUSED ", "type":"osregex" }, "regex":{ "pattern":"[(\\S+)]$", "type":"osregex" }, 
"regex_offset":"after_prematch", "type":"syslog" }, { "id":246, "name":"ftpd", "parent":"ftpd", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^login \\S+ from \\S+ failed.", "type":"osregex" }, "regex":{ "pattern":"^login (\\S+) from (\\S+) failed.$", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^ftpd|^in.ftpd", "type":"osmatch" }, "type":"syslog" }, { "id":289, "name":"imapd", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"user=(\\S+) \\.+ [(\\S+)]$", "type":"osregex" }, "regex_offset":"after_parent", "program_name":{ "pattern":"^imapd", "type":"osmatch" }, "type":"syslog" }, { "id":290, "name":"imperva", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"Imperva", "type":"osmatch" }, "type":"syslog" }, { "id":317, "name":"kernel", "children":[ { "id":317, "name":"kernel", "parent":"kernel", "order":[ "action", "srcip", "dstip", "protocol" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^[\\d+.\\d+] \\S+ IN=", "type":"osregex" }, "regex":{ "pattern":"^[\\d+.\\d+] (\\S+) \\.+ SRC=(\\S+) DST=(\\S+) \\.+ PROTO=(\\w+) ", "type":"osregex" }, "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "srcport", "dstport" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"^SPT=(\\d+) DPT=(\\d+) ", "type":"osregex" }, "regex_offset":"after_regex", "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "action", "srcip", "dstip", "protocol" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\S+ IN=", "type":"osregex" }, "regex":{ "pattern":"^(\\S+) \\.+ SRC=(\\S+) DST=(\\S+) \\.+ PROTO=(\\w+) ", "type":"osregex" }, "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "srcport", "dstport" ], "use_own_name":"false", "accumulate":"no", "regex":{ 
"pattern":"^SPT=(\\d+) DPT=(\\d+) ", "type":"osregex" }, "regex_offset":"after_regex", "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "action", "srcip", "dstip", "protocol" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Shorewall:\\S+:", "type":"osregex" }, "regex":{ "pattern":"^(\\S+):\\.+ SRC=(\\S+) DST=(\\S+) \\.+ PROTO=(\\w+) ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "srcport", "dstport" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"^SPT=(\\d+) DPT=(\\d+) ", "type":"osregex" }, "regex_offset":"after_regex", "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "action", "srcip", "dstip", "protocol" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\p\\S+\\p Shorewall:\\S+:", "type":"osregex" }, "regex":{ "pattern":"^(\\S+):\\.+ SRC=(\\S+) DST=(\\S+) \\.+ PROTO=(\\w+) ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "action" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^[\\d+.\\d+] \\S+\\.*IN=", "type":"osregex" }, "regex":{ "pattern":"^[\\d+.\\d+] (\\S*)\\(", "type":"osregex" }, "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "srcip", "dstip" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"SRC=(\\S+) DST=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "protocol" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"PROTO=(\\w+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "srcport", "dstport" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"SPT=(\\d+) DPT=(\\d+) ", "type":"osregex" }, 
"regex_offset":"after_regex", "type":"firewall" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "status", "extra_data" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":" apparmor=", "type":"osregex" }, "regex":{ "pattern":" apparmor=\"(\\S+)\" operation=\"(\\S+)\"", "type":"osregex" }, "type":"syslog" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "id", "data", "status" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^[\\s\\d+.\\d+] mptscsih: ", "type":"osregex" }, "regex":{ "pattern":"^[\\s\\d+.\\d+] (\\w+): (\\w+): task abort: (\\w+)", "type":"osregex" }, "type":"syslog" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "id", "data", "action", "status" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^[\\s\\d+.\\d+] mptbase: ", "type":"osregex" }, "regex":{ "pattern":"^[\\s\\d+.\\d+] (\\w+): (\\w+):\\s+\\w+ is now (\\w+)\\p\\s(\\D+)$", "type":"osregex" }, "type":"syslog" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^usb|^[\\s*\\S+] usb", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^(usb) |^[\\s*\\S+] (usb)", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":317, "name":"kernel", "parent":"kernel", "order":[ "action", "srcip", "dstip", "protocol" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^[\\s*\\d+.\\d+] [\\.*] IN=", "type":"osregex" }, "regex":{ "pattern":"^[\\s*\\d+.\\d+] [(\\.*)] \\.+ SRC=(\\S+) DST=(\\S+) \\.+ PROTO=(\\w+) ", "type":"osregex" }, "type":"firewall" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^kernel", "type":"osmatch" }, "type":"syslog" }, { "id":320, "name":"mailscanner", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^MailScanner", "type":"osmatch" }, "type":"syslog" }, { "id":343, "name":"named", 
"children":[ { "id":343, "name":"named", "parent":"named", "order":[ "srcip", "url" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":": query: ", "type":"osregex" }, "regex":{ "pattern":"client (\\S+)#\\d+\\s*\\S*: query: (\\S+) IN ", "type":"osregex" }, "type":"syslog" }, { "id":343, "name":"named", "parent":"named", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^client ", "type":"osregex" }, "regex":{ "pattern":"^(\\S+)#", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":343, "name":"named", "parent":"named", "order":[ "dstip", "dstport", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":" for master", "type":"osregex" }, "regex":{ "pattern":"for master (\\S+):(\\d+) \\S+ \\(source (\\S+)#d+\\)$", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^named", "type":"osmatch" }, "type":"syslog" }, { "id":362, "name":"netscreenfw", "children":[ { "id":362, "name":"netscreenfw", "parent":"netscreenfw", "order":[ "protocol", "action", "srcip", "dstip", "srcport", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"system-notification-00257\\(traffic\\): ", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":" proto=(\\w+) \\.+action=(\\w+) \\.+src=(\\S+) dst=(\\S+) src_port=(\\d+) dst_port=(\\d+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"firewall" }, { "id":362, "name":"netscreenfw", "parent":"netscreenfw", "order":[ "action", "id", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"system-critical-\\.+ from |system-alert-\\.+ from |system-emergency-\\.+ From ", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"system-(\\w+)-(\\d+): \\.+ from\\.+(\\S+)", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", 
"prematch":{ "pattern":"^NetScreen device_id", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":374, "name":"ntpd", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^ntpd", "type":"osmatch" }, "type":"syslog" }, { "id":376, "name":"open-userdel", "order":[ "srcuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"user removed: name=(\\S+)$|delete user '(\\S+\\w)'", "type":"osregex" }, "program_name":{ "pattern":"userdel", "type":"osmatch" }, "type":"syslog" }, { "id":270, "name":"groupdel", "order":[ "extra_data" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"^group deleted: name=(\\S+)$", "type":"osregex" }, "program_name":{ "pattern":"groupdel", "type":"osmatch" }, "type":"syslog" }, { "id":298, "name":"isakmpd", "children":[ { "id":298, "name":"isakmpd", "parent":"isakmpd", "order":[ "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"message from ", "type":"osregex" }, "regex":{ "pattern":"from (\\S+) port (\\d+)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^isakmpd", "type":"osmatch" }, "type":"syslog" }, { "id":57, "name":"bsd_kernel", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^/bsd", "type":"osmatch" }, "type":"syslog" }, { "id":334, "name":"mountd", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^mountd", "type":"osmatch" }, "type":"syslog" }, { "id":431, "name":"pf", "children":[ { "id":431, "name":"pf", "parent":"pf", "order":[ "id", "action" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"^\\S*,\\S*,\\S*,(\\S*),\\S*,\\S*,(\\S*),", "type":"osregex" }, "type":"syslog" }, { "id":431, "name":"pf", "parent":"pf", "order":[ "protocol", "srcip", "dstip" ], "use_own_name":"false", "accumulate":"no", "regex":{ 
"pattern":"\\S*,\\S*,\\S*,\\S*,\\S*,\\S*,\\S*,\\S*,\\S*,(\\S*),\\S*,(\\S*),(\\S*),", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":431, "name":"pf", "parent":"pf", "order":[ "srcport", "dstport" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"(\\d*),(\\d*),\\S*", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^pf$", "type":"osmatch" }, "type":"firewall", "plugin_decoder":"PF_Decoder" }, { "id":520, "name":"smtpd", "children":[ { "id":520, "name":"smtpd", "parent":"smtpd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^client", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^client (\\S+) ", "type":"osregex" }, "type":"syslog" }, { "id":520, "name":"smtpd", "parent":"smtpd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"relay=", "type":"osregex" }, "regex":{ "pattern":"relay=\\S+ [(\\S+)], ", "type":"osregex" }, "type":"syslog" }, { "id":520, "name":"smtpd", "parent":"smtpd", "order":[ "status" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^smtp-in: ", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^(\\S+) ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^smtpd", "type":"osmatch" }, "type":"syslog" }, { "id":195, "name":"doas", "children":[ { "id":195, "name":"doas", "parent":"doas", "order":[ "srcuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"^(\\S+) ran| for (\\S+):", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^doas", "type":"osmatch" }, "type":"syslog" }, { "id":377, "name":"openldap", "children":[ { "id":377, "name":"openldap", "parent":"openldap", "order":[ "id", 
"srcip", "dstip" ], "use_own_name":"false", "accumulate":"yes", "prematch":{ "pattern":"ACCEPT from IP=[", "type":"osregex" }, "regex":{ "pattern":"^conn=(\\d+) fd=\\d+ ACCEPT from IP=[(\\S+)]:\\d+ \\(IP=[(\\S+)]:", "type":"osregex" }, "type":"syslog" }, { "id":377, "name":"openldap", "parent":"openldap", "order":[ "id", "srcip", "dstip" ], "use_own_name":"false", "accumulate":"yes", "prematch":{ "pattern":"ACCEPT from IP=", "type":"osregex" }, "regex":{ "pattern":"^conn=(\\d+) fd=\\d+ ACCEPT from IP=(\\S+):\\d+ \\(IP=(\\S+):", "type":"osregex" }, "type":"syslog" }, { "id":377, "name":"openldap", "parent":"openldap", "order":[ "id", "dstuser" ], "use_own_name":"false", "accumulate":"yes", "prematch":{ "pattern":"BIND ", "type":"osregex" }, "regex":{ "pattern":"^conn=(\\d+) op=\\d+ BIND dn=\"\\w+=(\\S+),", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"yes", "program_name":{ "pattern":"^slapd", "type":"osmatch" }, "type":"syslog" }, { "id":386, "name":"openvpn", "children":[ { "id":386, "name":"openvpn", "parent":"openvpn", "order":[ "srcuser", "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\S+/\\S+:\\d+", "type":"osregex" }, "regex":{ "pattern":"^(\\S+)/(\\S+):(\\d+)", "type":"osregex" }, "type":"syslog" }, { "id":386, "name":"openvpn", "parent":"openvpn", "order":[ "srcip", "srcport", "srcuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"\\S+:\\d+ [", "type":"osregex" }, "regex":{ "pattern":"(\\S+):(\\d+) [(\\S+)]", "type":"osregex" }, "type":"syslog" }, { "id":386, "name":"openvpn", "parent":"openvpn", "order":[ "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":" [AF_INET]| [AF_INET6]", "type":"osregex" }, "regex":{ "pattern":"](\\S+):(\\d+)$", "type":"osregex" }, "type":"syslog" }, { "id":386, "name":"openvpn", "parent":"openvpn", "order":[ "srcip", "srcuser", "srcport" ], "use_own_name":"false", "accumulate":"no", 
"prematch":{ "pattern":"\\S+ [", "type":"osregex" }, "regex":{ "pattern":"(\\S+) [(\\S+)]\\.+:(\\d+)$", "type":"osregex" }, "type":"syslog" }, { "id":386, "name":"openvpn", "parent":"openvpn", "order":[ "srcuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^user '", "type":"osregex" }, "regex":{ "pattern":"^(\\S+)'", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":386, "name":"openvpn", "parent":"openvpn", "order":[ "ldap_data.error_message", "ldap_data.code", "ldap_data.ldaperr", "ldap_data.comment" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^LDAP bind failed: ", "type":"osregex" }, "regex":{ "pattern":"^(\\.+) \\((\\d+): LdapErr: (\\S+), comment: (\\.+),", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"openvpn|ovpn-server", "type":"osmatch" }, "type":"syslog" }, { "id":397, "name":"oscap", "children":[ { "id":397, "name":"oscap", "parent":"oscap", "order":[ "oscap.scan.id", "oscap.scan.content", "oscap.check.title", "oscap.check.id", "oscap.check.result", "oscap.check.severity", "oscap.check.description", "oscap.check.rationale", "oscap.check.references", "oscap.check.identifiers", "oscap.check.oval.id", "oscap.scan.benchmark.id", "oscap.scan.profile.id", "oscap.scan.profile.title" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^msg: \"xccdf-result\", ", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^scan-id: \"(\\.*)\", content: \"(\\.*)\", title: \"(\\.*)\", id: \"(\\.*)\", result: \"(\\.*)\", severity: \"(\\.*)\", description: \"(\\.*)\", rationale: \"(\\.*)\" references: \"(\\.*)\", identifiers: \"(\\.*)\", oval-id: \"(\\.*)\", benchmark-id: \"(\\.*)\", profile-id: \"(\\.*)\", profile-title: \"(\\.*)\".$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":397, "name":"oscap", "parent":"oscap", 
"order":[ "oscap.scan.id", "oscap.scan.content", "oscap.check.title", "oscap.check.id", "oscap.check.result", "oscap.check.description", "oscap.scan.profile.title", "oscap.check.references" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^msg: \"oval-result\", ", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^scan-id: \"(\\.*)\", content: \"(\\.*)\", title: \"(\\.*)\", id: \"(\\.*)\", result: \"(\\.*)\", description: \"(\\.*)\", profile-title: \"(\\.*)\", reference: \"(\\.*)\".$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":397, "name":"oscap", "parent":"oscap", "order":[ "oscap.scan.id", "oscap.scan.content", "oscap.scan.benchmark.id", "oscap.scan.profile.id", "oscap.scan.profile.title", "oscap.scan.score" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^msg: \"xccdf-overview\", ", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^scan-id: \"(\\.*)\", content: \"(\\.*)\", benchmark-id: \"(\\.*)\", profile-id: \"(\\.*)\", profile-title: \"(\\.*)\", score: \"(\\.*)\".$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":397, "name":"oscap", "parent":"oscap", "order":[ "oscap.scan.id", "oscap.scan.content", "oscap.scan.score" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^msg: \"oval-overview\", ", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^scan-id: \"(\\.*)\", content: \"(\\.*)\", score: \"(\\.*)\".$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":397, "name":"oscap", "parent":"oscap", "order":[ "oscap.scan.content", "oscap.scan.profile.id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Evaluation started. 
", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^Content: (\\S+), Profile: (\\S+).$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"oscap", "type":"osmatch" }, "type":"syslog" }, { "id":407, "name":"ossec-alert", "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^ossec$", "type":"osmatch" }, "type":"syslog", "plugin_decoder":"OSSECAlert_Decoder" }, { "id":424, "name":"pam", "children":[ { "id":424, "name":"pam", "parent":"pam", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"\\)\\p* session \\w+ |^session \\w+ ", "type":"osregex" }, "regex":{ "pattern":"^for user (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "srcuser", "uid" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"by (\\S+)\\(uid=(\\d+)\\)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "uid" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"by \\(uid=(\\d+)\\)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"password changed for", "type":"osregex" }, "regex":{ "pattern":"^ (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "logname" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"logname=(\\S+)", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "uid" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"uid=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { 
"id":424, "name":"pam", "parent":"pam", "order":[ "euid" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"euid=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "tty" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"tty=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "srcuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"ruser=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"rhost=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"(pam_unix)$", "type":"osmatch" }, "type":"syslog" }, { "id":424, "name":"pam", "children":[ { "id":424, "name":"pam", "parent":"pam", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"\\)\\p* session \\w+ |^session \\w+ ", "type":"osregex" }, "regex":{ "pattern":"^for user (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "srcuser", "uid" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"by (\\S+)\\(uid=(\\d+)\\)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "uid" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"by \\(uid=(\\d+)\\)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"password changed for", "type":"osregex" }, "regex":{ "pattern":"^ (\\S+)", "type":"osregex" }, 
"regex_offset":"after_prematch", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "logname" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"logname=(\\S+)", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "uid" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"uid=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "euid" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"euid=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "tty" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"tty=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "srcuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"ruser=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":424, "name":"pam", "parent":"pam", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"rhost=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^pam_unix|^\\(pam_unix\\)", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":448, "name":"portsentry", "children":[ { "id":448, "name":"portsentry", "parent":"portsentry", "order":[ "srcip", "protocol", "dstport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"attackalert: Connect from host: ", "type":"osregex" }, "regex":{ "pattern":"(\\S+)/\\S+ to (\\S+) port: (\\d+)$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^portsentry", 
"type":"osmatch" }, "type":"syslog" }, { "id":451, "name":"postfix", "children":[ { "id":452, "name":"postfix-reject", "parent":"postfix", "order":[ "srcip", "id" ], "use_own_name":"true", "accumulate":"no", "prematch":{ "pattern":"^NOQUEUE: reject: \\w\\w\\w\\w from ", "type":"osregex" }, "regex":{ "pattern":"[(\\S+)]: (\\d+) |[(\\S+)]:\\d+: (\\d+) ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":451, "name":"postfix", "parent":"postfix", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^warning: \\S+: SASL ", "type":"osregex" }, "regex":{ "pattern":"^warning: \\S+[(\\S+)]:", "type":"osregex" }, "type":"syslog" }, { "id":455, "name":"postfix-warning", "parent":"postfix", "order":[ "srcip" ], "use_own_name":"true", "accumulate":"no", "prematch":{ "pattern":"^warning:", "type":"osregex" }, "regex":{ "pattern":"^warning: (\\S+):|warning: Illegal address syntax from unknown[(\\S+)]|warning: hostname \\S+ does not resolve to address (\\S+): |warning: hostname \\S+ does not resolve to address (\\S+)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^postfix", "type":"osmatch" }, "type":"syslog" }, { "id":457, "name":"proftpd", "children":[ { "id":457, "name":"proftpd", "parent":"proftpd", "order":[ "srcip", "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":": Login successful", "type":"osregex" }, "regex":{ "pattern":"^\\S+ \\(\\S+[(\\S+)]\\)\\s*\\S \\w+ (\\S+): Login successful", "type":"osregex" }, "fts":[ "dstuser" ], "type":"syslog" }, { "id":457, "name":"proftpd", "parent":"proftpd", "order":[ "srcip", "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Login failed", "type":"osregex" }, "regex":{ "pattern":"^[\\.+]: \\S+ \\(\\S+[(\\S+)]\\) \\w+ USER (\\S*)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ 
"pattern":"^proftpd", "type":"osmatch" }, "type":"syslog" }, { "id":466, "name":"puppet-master", "children":[ { "id":466, "name":"puppet-master", "parent":"puppet-master", "order":[ "extra_data" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Starting Puppet master ", "type":"osregex" }, "regex":{ "pattern":"^version (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^puppet-master", "type":"osmatch" }, "type":"syslog" }, { "id":461, "name":"puppet-agent", "children":[ { "id":461, "name":"puppet-agent", "parent":"puppet-agent", "order":[ "extra_data" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Starting Puppet client ", "type":"osregex" }, "regex":{ "pattern":"^version (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":461, "name":"puppet-agent", "parent":"puppet-agent", "order":[ "extra_data" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^No ", "type":"osregex" }, "regex":{ "pattern":"^(\\S+) file found", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":461, "name":"puppet-agent", "parent":"puppet-agent", "order":[ "extra_data" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"file ", "type":"osregex" }, "regex":{ "pattern":"^(\\S+) does not exist", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^puppet-agent", "type":"osmatch" }, "type":"syslog" }, { "id":469, "name":"pure-ftpd", "children":[ { "id":469, "name":"pure-ftpd", "parent":"pure-ftpd", "order":[ "srcip", "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\S+ [INFO] \\S+ is now logged in", "type":"osregex" }, "regex":{ "pattern":"^\\(?@(\\S+)\\) [INFO] (\\S+) is now logged in", "type":"osregex" }, "fts":[ "dstuser" ], 
"type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^pure-ftpd", "type":"osmatch" }, "type":"syslog" }, { "id":487, "name":"roundcube", "children":[ { "id":487, "name":"roundcube", "parent":"roundcube", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":" Successful login for ", "type":"osregex" }, "regex":{ "pattern":"^(\\S+) \\(id \\d+\\) from (\\S+)$|^(\\S+) \\(ID: \\d+\\) from (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":487, "name":"roundcube", "parent":"roundcube", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"] \\w+ Error: Authentication ", "type":"osregex" }, "regex":{ "pattern":"^for (\\S+) failed", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^roundcube", "type":"osmatch" }, "type":"syslog" }, { "id":491, "name":"rsa-auth-manager", "children":[ ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"audit.runtime.com.rsa", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":493, "name":"rshd", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^rshd$", "type":"osmatch" }, "type":"syslog" }, { "id":514, "name":"smbd", "children":[ { "id":514, "name":"smbd", "parent":"smbd", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"User name:", "type":"osregex" }, "regex":{ "pattern":"^ (\\S+).", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":514, "name":"smbd", "parent":"smbd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"from \\(", "type":"osregex" }, "regex":{ "pattern":" from \\((\\S+)\\)", "type":"osregex" }, "type":"syslog" }, { "id":514, "name":"smbd", "parent":"smbd", "order":[ 
"srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":" from (\\S+)$", "type":"osregex" }, "regex":{ "pattern":" from (\\S+)$", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^smbd", "type":"osmatch" }, "type":"syslog" }, { "id":373, "name":"nmbd", "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^nmbd", "type":"osmatch" }, "type":"syslog" }, { "id":497, "name":"sendmail-reject", "children":[ { "id":497, "name":"sendmail-reject", "parent":"sendmail-reject", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\S+: rejecting commands from", "type":"osregex" }, "regex":{ "pattern":"^ \\S+ [(\\S+)]", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":497, "name":"sendmail-reject", "parent":"sendmail-reject", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"relay=[", "type":"osregex" }, "regex":{ "pattern":"^(\\d+.\\d+.\\d+.\\d+)]|^(\\w*:\\w*:\\w*)]|^(\\w*:\\w*:\\w*:\\w*)]|^(\\w*:\\w*:\\w*:\\w*:\\w*)]|^(\\w*:\\w*:\\w*:\\w*:\\w*:\\w*)]|^(\\w*:\\w*:\\w*:\\w*:\\w*:\\w*:\\w*)]|^(\\w*:\\w*:\\w*:\\w*:\\w*:\\w*:\\w*:\\w*)]", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^sendmail|^sm-mta|^sm-msp-queue", "type":"osmatch" }, "type":"syslog" }, { "id":519, "name":"smf-sav-reject", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^sender check failed|^sender check tempfailed", "type":"osregex" }, "regex":{ "pattern":"^ \\(cached\\): \\S+, (\\S+),|^: \\S+, (\\S+),", "type":"osregex" }, "regex_offset":"after_parent", "program_name":{ "pattern":"^smf-sav", "type":"osmatch" }, "type":"syslog" }, { "id":524, "name":"snort", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^snort", "type":"osmatch" }, 
"type":"syslog" }, { "id":526, "name":"solaris_bsm", "children":[ { "id":526, "name":"solaris_bsm", "parent":"solaris_bsm", "order":[ "status" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":" \\w+ session \\d+ by ", "type":"osregex" }, "regex":{ "pattern":" (\\w+) session \\d+ by", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^audit$", "type":"osmatch" }, "type":"syslog" }, { "id":292, "name":"ipfilter", "order":[ "action", "srcip", "srcport", "dstip", "dstport", "protocol" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":" (\\w) (\\S+),(\\d+) -> (\\S+),(\\d+) PR (\\w+) ", "type":"osregex" }, "program_name":{ "pattern":"^ipmon", "type":"osmatch" }, "type":"firewall" }, { "id":563, "name":"sshd", "children":[ { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser", "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Accepted", "type":"osregex" }, "regex":{ "pattern":"^ \\S+ for (\\S+) from (\\S+) port (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "fts":[ "dstuser" ], "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^User \\S+ from ", "type":"osregex" }, "regex":{ "pattern":"^User (\\S+) from (\\S+) ", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^User ", "type":"osregex" }, "regex":{ "pattern":"^(\\S+), coming from (\\S+), ", "type":"osregex" }, "regex_offset":"after_prematch", "fts":[ "dstuser" ], "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser", "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Postponed keyboard-interactive|^Failed 
keyboard-interactive", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":" user (\\S+) from (\\S+) port (\\d+) ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Failed \\S+ for invalid user|^Failed \\S+ for illegal user", "type":"osregex" }, "regex":{ "pattern":"(\\S+) from (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser", "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Failed \\S+ ", "type":"osregex" }, "regex":{ "pattern":"^for (\\S+) from (\\S+) port (\\d+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^error: PAM: Authentication \\w+ ", "type":"osregex" }, "regex":{ "pattern":"^for (\\S+) from (\\S+)$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^error: PAM: ", "type":"osregex" }, "regex":{ "pattern":"user (\\S+) from (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^reverse mapping checking ", "type":"osregex" }, "regex":{ "pattern":"^\\w+ for \\S+ [(\\S+)] |^\\w+ for (\\S+) ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Invalid user|^Illegal user", "type":"osregex" }, 
"regex":{ "pattern":"(\\S+) from (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcport" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"port (\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^scanned from", "type":"osregex" }, "regex":{ "pattern":" (\\S+) ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Broken pipe|^Did not receive identification |^Bad protocol version ", "type":"osregex" }, "regex":{ "pattern":" from (\\S+)$| from (\\S+) port (\\d+)$", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^refused connect ", "type":"osregex" }, "regex":{ "pattern":"^from (\\S+)$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Connection closed by \\S+ port \\S+", "type":"osregex" }, "regex":{ "pattern":"by (\\S+) port (\\S+)", "type":"osregex" }, "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Received disconnect ", "type":"osregex" }, "regex":{ "pattern":"^from (\\S+):", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^pam_ldap: ", "type":"osregex" }, "regex":{ 
"pattern":"user \"uid=(\\S+),ou=\\w+,dc=\\w+,dc=\\w+\"", "type":"osregex" }, "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"fatal: Unable to negotiate with ", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"^(\\S+) port (\\d+): |^(\\S+): ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcip", "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"rhost=\\S+\\s+user=\\S+", "type":"osregex" }, "regex":{ "pattern":"rhost=(\\S+)\\s+user=(\\S+)", "type":"osregex" }, "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser", "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":" exceeded for ", "type":"osregex" }, "regex":{ "pattern":"^(\\S+) from (\\S+) port (\\d+) ", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"but this does not map back", "type":"osregex" }, "regex":{ "pattern":"Address (\\S+) maps to \\S+,", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":563, "name":"sshd", "parent":"sshd", "order":[ "dstuser", "srcip", "srcport" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Connection reset", "type":"osregex" }, "regex":{ "pattern":"(\\S+) (\\S+) port (\\d+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^sshd", "type":"osmatch" }, "type":"syslog" }, { "id":573, "name":"su", "children":[ { "id":573, "name":"su", "parent":"su", "order":[ "dstuser", "srcuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^'su ", "type":"osregex" }, 
"regex":{ "pattern":"^'su (\\S+)' \\S+ for (\\S+) on \\S+$", "type":"osregex" }, "fts":[ "srcuser" ], "type":"syslog" }, { "id":573, "name":"su", "parent":"su", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"pam_ldap", "type":"osregex" }, "regex":{ "pattern":"user \"uid=(\\S+),", "type":"osregex" }, "type":"syslog" }, { "id":573, "name":"su", "parent":"su", "order":[ "dstuser", "srcuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^FAILED su for \\S+ by", "type":"osregex" }, "regex":{ "pattern":"for (\\S+) by (\\S+)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^su$", "type":"osmatch" }, "type":"syslog" }, { "id":578, "name":"sudo", "children":[ { "id":578, "name":"sudo", "parent":"sudo", "ftscomment":"First time user executed the sudo command", "order":[ "srcuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"\\s", "type":"osregex" }, "regex":{ "pattern":"^\\s*(\\S+)\\s*:", "type":"osregex" }, "fts":[ "srcuser" ], "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "tty" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"TTY=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "pwd" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"PWD=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"USER=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "command" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"COMMAND=(\\.+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", 
"parent":"sudo", "ftscomment":"First time user executed the sudo command", "order":[ "srcuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"(\\S+)\\s+:\\s+HOST", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "fts":[ "srcuser" ], "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "host" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"=(\\S+)\\s*:", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "tty" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"TTY=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "pwd" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"PWD=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"USER=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^sudo", "type":"osmatch" }, "type":"syslog" }, { "id":578, "name":"sudo", "children":[ { "id":578, "name":"sudo", "parent":"sudo", "ftscomment":"First time user executed the sudo command", "order":[ "srcuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"(\\S+)\\s+:\\s+HOST", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "fts":[ "srcuser" ], "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "host" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"=(\\S+)\\s*:", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "tty" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"TTY=(\\S+)", "type":"osregex" }, 
"regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "pwd" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"PWD=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":578, "name":"sudo", "parent":"sudo", "order":[ "dstuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"USER=(\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\S+\\s+:\\s+HOST=\\S+\\s+:\\s+\\.+;", "type":"osregex" }, "program_name":{ "pattern":"", "type":"osmatch" }, "type":"syslog" }, { "id":581, "name":"suhosin", "order":[ "id", "srcip" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"^ALERT - (\\.+) \\(attacker '(\\S+)', ", "type":"osregex" }, "program_name":{ "pattern":"^suhosin", "type":"osmatch" }, "fts":[ "id" ], "type":"ids" }, { "id":595, "name":"telnetd", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^telnetd|^in.telnetd", "type":"osmatch" }, "type":"syslog" }, { "id":602, "name":"unbound", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^unbound", "type":"osmatch" }, "type":"syslog" }, { "id":604, "name":"unix_chkpwd", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^unix_chkpwd", "type":"osmatch" }, "type":"syslog" }, { "id":268, "name":"groupadd", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"groupadd", "type":"osmatch" }, "type":"syslog" }, { "id":606, "name":"useradd", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"useradd", "type":"osmatch" }, "type":"syslog" }, { "id":63, "name":"chfn", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"chfn", "type":"osmatch" }, "type":"syslog" }, { "id":261, "name":"gpasswd", 
"children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"gpasswd", "type":"osmatch" }, "type":"syslog" }, { "id":594, "name":"systemd", "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"systemd", "type":"osmatch" }, "type":"syslog" }, { "id":608, "name":"vm-pop3d", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^vm-pop3d", "type":"osmatch" }, "type":"syslog" }, { "id":614, "name":"vmware-syslog", "children":[ { "id":614, "name":"vmware-syslog", "parent":"vmware-syslog", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^Accepted|^Rejected", "type":"osregex" }, "regex":{ "pattern":"^ \\S+ for user (\\S+) from (\\S+)$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"vmware", "type":"osmatch" }, "type":"syslog" }, { "id":615, "name":"vpopmail", "children":[ { "id":615, "name":"vpopmail", "parent":"vpopmail", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^vchkpw-\\S+: password fail", "type":"osregex" }, "regex":{ "pattern":" (\\S+)@\\S+:(\\S+)$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":615, "name":"vpopmail", "parent":"vpopmail", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^vchkpw-\\S+: vpopmail user not ", "type":"osregex" }, "regex":{ "pattern":"^found (\\S+):(\\S+)$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":615, "name":"vpopmail", "parent":"vpopmail", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^vchkpw-\\S+: null password ", "type":"osregex" }, "regex":{ "pattern":"^given (\\S+):(\\S+)$", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", 
"accumulate":"no", "program_name":{ "pattern":"^vpopmail", "type":"osmatch" }, "type":"syslog" }, { "id":620, "name":"vsftpd", "children":[ { "id":620, "name":"vsftpd", "parent":"vsftpd", "order":[ "dstuser", "status", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":" LOGIN:", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"[(\\S+)] (\\S+ LOGIN): Client \"(\\S+\\w)\"$", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":620, "name":"vsftpd", "parent":"vsftpd", "order":[ "action", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^CONNECT:", "type":"osregex" }, "prematch_offset":"after_parent", "regex":{ "pattern":"(CONNECT): Client \"(\\S+\\w)\"$", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":620, "name":"vsftpd", "parent":"vsftpd", "order":[ "dstuser", "status", "srcip", "url" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"[\\S+] OK \\S+: Client", "type":"osregex" }, "regex":{ "pattern":"[(\\S+)] (OK \\S+): Client \"(\\S+)\", \"(\\.+\\w)\"\\.*", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\w\\w\\w \\w\\w\\w\\s+\\d+ \\S+ \\d+ [pid \\d+] ", "type":"osregex" }, "program_name":{ "pattern":"^vsftpd", "type":"osmatch" }, "type":"syslog" }, { "id":632, "name":"web-accesslog", "children":[ { "id":632, "name":"web-accesslog", "parent":"web-accesslog", "order":[ "srcip", "protocol", "url", "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\S+.\\D+", "type":"osregex" }, "regex":{ "pattern":"^\\S+ (\\S+) \\S+ \\.*[\\S+ \\S\\d+] \"(\\w+) (\\S+) HTTP\\S+\" (\\d+) ", "type":"osregex" }, "type":"web-log" }, { "id":632, "name":"web-accesslog", "parent":"web-accesslog", "order":[ "srcip2", "srcip", "protocol", "url", "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^\\S+ 
\\S+.\\S+ |^\\S+ \\S+:\\S+ ", "type":"osregex" }, "regex":{ "pattern":"^(\\S+) (\\S+) \\S+ \\.*[\\S+ \\S\\d+] \"(\\w+) (\\S+) HTTP\\S+\" (\\d+) ", "type":"osregex" }, "type":"web-log" }, { "id":632, "name":"web-accesslog", "parent":"web-accesslog", "order":[ "srcip", "protocol", "url", "id" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"^(\\S+) \\S+ \\S+ \\.*[\\S+ \\S\\d+] \"(\\w+) (\\S+) HTTP\\S+\" (\\d+) ", "type":"osregex" }, "type":"web-log" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"nginx|apache", "type":"osmatch" }, "type":"web-log" }, { "id":323, "name":"mariadb-syslog", "children":[ { "id":323, "name":"mariadb-syslog", "parent":"mariadb-syslog", "order":[ "mariadb.info", "mariadb.username", "mariadb.host", "mariadb.connectionid", "mariadb.queryid", "mariadb.operation", "mariadb.database", "mariadb.object", "mariadb.retcode" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":" (\\.*),(\\.*),(\\.*),(\\.*),(\\.*),(\\.*),(\\.*),(\\.*),(\\.*)", "type":"osregex" }, "type":"syslog" }, { "id":323, "name":"mariadb-syslog", "parent":"mariadb-syslog", "order":[ "mariadb.ip", "mariadb.username", "mariadb.host", "mariadb.action", "mariadb.resource" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"ip-(\\.*),(\\.*),(\\.*),\\.*,\\.*,(\\.*),(\\.*)", "type":"osregex" }, "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"mysql", "type":"osmatch" }, "type":"syslog" }, { "id":640, "name":"windows", "children":[ { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.image", "srcuser", "sysmon.hash", "sysmon.parentImage" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"INFORMATION\\(1\\)\\.+HashType", "type":"osregex" }, "regex":{ "pattern":"Image: (\\.*) \\s*CommandLine: \\.* \\s*User: (\\.*) \\s*LogonGuid: \\S* \\s*LogonId: \\S* \\s*TerminalSessionId: \\S* \\s*IntegrityLevel: \\.*HashType: \\S* \\s*Hash: (\\S*) 
\\s*ParentProcessGuid: \\S* \\s*ParentProcessID: \\S* \\s*ParentImage: (\\.*) \\s*ParentCommandLine:", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"INFORMATION\\(1\\)\\.+Hashes", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Sysmon/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.processGuid", "sysmon.processId", "sysmon.image", "sysmon.commandLine" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"ProcessGuid: (\\.*) \\s*ProcessId: (\\.*) \\s*Image: (\\.*) \\s*CommandLine: (\\.*)\\s+CurrentD", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.currentDirectory", "srcuser", "sysmon.logonGuid", "sysmon.logonId", "sysmon.terminalSessionId", "sysmon.integrityLevel", "sysmon.hashes", "sysmon.parentProcessGuid", "sysmon.parentProcessId", "sysmon.parentImage" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"irectory: (\\.*) \\s*User: (\\.*) \\s*LogonGuid: (\\S*) \\s*LogonId: (\\S*)\\s*TerminalSessionId: (\\S*) \\s*IntegrityLevel: (\\.*) \\s*Hashes: \\S+=(\\S*)\\s*ParentProcessGuid: (\\S*) \\s*ParentProcessId: (\\S*) \\s*ParentImage: (\\.*.\\S+) \\s*Parent", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.parentCommandLine" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"CommandLine: \"(\\.*)\"$", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Sysmon/Operational: INFORMATION\\(2\\)", "type":"osregex" }, "regex":{ 
"pattern":"Microsoft-Windows-Sysmon/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.image", "sysmon.targetfilename", "sysmon.creationUtcTime", "sysmon.previousCreationUtcTime" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Image: (\\.*)\\s+TargetFilename: (\\.*)\\s+CreationUtcTime: (\\.*)\\s+PreviousCreationUtcTime: (\\.*)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Sysmon/Operational: INFORMATION\\(3\\)", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Sysmon/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.processGuid", "sysmon.processId", "sysmon.image", "srcuser", "protocol", "sysmon.initiated", "sysmon.sourceIsIpv6", "srcip", "sysmon.sourceHostname", "srcport", "sysmon.srcPortName", "sysmon.destinationIsIpv6", "dstip", "sysmon.destinationHostname", "dstport", "sysmon.dstPortName" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"ProcessGuid: (\\.*) \\s*ProcessId: (\\.*) \\s*Image: (\\.*)\\s+User: (\\.*)\\s+Protocol: (\\S*)\\s+Initiated: (\\.*) \\s*SourceIsIpv6: (\\.*) \\s*SourceIp: (\\S*)\\s+SourceHostname: (\\.*) \\s*SourcePort: (\\S*)\\s+SourcePortName: (\\.*)\\s*DestinationIsIpv6: (\\.*) \\s*DestinationIp: (\\S*)\\s+DestinationHostname: (\\.*) \\s*DestinationPort: (\\S*)\\s*DestinationPortName:\\s*(\\S*)\\s*$", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Sysmon/Operational: INFORMATION\\(4\\)", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Sysmon/Operational: 
\\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.state" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"State: (\\S*)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Sysmon/Operational: INFORMATION\\(5\\)", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Sysmon/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.image" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Image: (\\S*)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Sysmon/Operational: INFORMATION\\(6\\)", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Sysmon/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.imageLoaded", "sysmon.hashes", "sysmon.signed", "sysmon.signature" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"ImageLoaded: (\\S*)\\s+Hashes: \\S+=(\\S*)\\s+Signed: (\\S*)\\s+Signature: (\\.*)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Sysmon/Operational: INFORMATION\\(7\\)", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Sysmon/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.image", "sysmon.imageLoaded", "sysmon.hashes", "sysmon.signed", 
"sysmon.signature" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Image: (\\S*)\\s+ImageLoaded: (\\S*)\\s+Hashes: \\S+=(\\S*)\\s+Signed: (\\S*)\\s+Signature: (\\.*)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Sysmon/Operational: INFORMATION\\(8\\)", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Sysmon/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.sourceImage", "sysmon.targetImage", "sysmon.startModule", "sysmon.startFunction" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"SourceImage: (\\S*)\\s+\\.+TargetImage: (\\S*)\\s+\\.+StartModule: (\\S*)\\s+StartFunction: (\\.*)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Sysmon/Operational: INFORMATION\\(11\\)", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Sysmon/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.filecreated", "sysmon.utctime", "sysmon.processguid", "sysmon.processid", "sysmon.image", "sysmon.targetfilename", "sysmon.creationutctime" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"File created: (\\.*)\\s+UtcTime: (\\.*)\\s+ProcessGuid: (\\.*)\\s+ProcessId: (\\.*)\\s+Image: (\\.*)\\s+TargetFilename: (\\.*)\\s+CreationUtcTime: (\\.*)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Sysmon/Operational: 
INFORMATION\\(15\\)", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Sysmon/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "sysmon.processId", "sysmon.image", "sysmon.targetfilename", "sysmon.creationUtcTime", "sysmon.hash" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"ProcessId: (\\.*)\\s+Image: (\\.*)\\s+TargetFilename: (\\.*)\\s+CreationUtcTime: (\\.*)\\s+Hash: \\S+=(\\S*)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "id" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-Windows Defender/Operational: \\S+\\(1\\d\\d\\d\\)", "type":"osregex" }, "regex":{ "pattern":"Microsoft-Windows-Windows Defender/Operational: \\S+\\((\\d+)\\)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "defender.name", "defender.id", "defender.severity", "defender.category", "defender.pathfound" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Name: (\\.*)\\s+ID: (\\.*)\\s+Severity: (\\.*)\\s+Category: (\\.*)\\s+Path: \\S+:(\\.*)\\s+Detection ", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "defender.detectiontype", "defender.detectionsource", "srcuser", "defender.processname" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Type: (\\.*)\\s+Detection Source: (\\.*)\\s+User: (\\.*)\\s+Process Name: (\\.*.\\S+)\\s+Signature", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "defender.name", "defender.id", "defender.severity", "defender.category", "defender.path" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Name: (\\.*)\\s+ID: (\\.*)\\s+Severity: (\\.*)\\s+Category: 
(\\.*)\\s+Path:\\s+\\S+:(\\.*);", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "srcuser" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"User: (\\S+ \\S+) | User: (\\S+) ", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "defender.processname", "defender.action" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Process Name: (\\.*.\\S+)\\s+Action: (\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "type", "status", "id", "account", "system_name" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Microsoft-Windows-TerminalServices-Gateway/Operational", "type":"osregex" }, "regex":{ "pattern":"^(Microsoft-Windows-TerminalServices-Gateway/Operational): (\\w+)\\((\\d+)\\): \\.+: (\\.+): \\.+: (\\S+): ", "type":"osregex" }, "fts":[ "location" ], "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "dstuser", "dstip" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"\\whe user \"(\\.+)\", on client computer \"(\\.*)\", ", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "resource" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"resource\\p* \"(\\.*)\"", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "auth_method" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"method used was: \"(\\.*)\"", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "protocol" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"protocol used: \"(\\.*)\"", 
"type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "protocol" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"using (\\.*) connection protocol.", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "error_code" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"error occurred: \"(\\.*)\"", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "type", "status", "id", "extra_data", "dstuser", "system_name" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"\\s", "type":"osregex" }, "regex":{ "pattern":"^(\\.+): (\\w+)\\((\\d+)\\): (\\.+): (\\.+): \\.+: (\\S+): ", "type":"osregex" }, "regex_offset":"after_parent", "fts":[ "dstuser" ], "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "subject.security_id", "subject.account_name", "subject.account_domain", "subject.logon_id" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Subject\\s*:\\t*\\s*Security ID:\\t*\\s*(\\S\\S+)\\t*\\s*Account Name:\\t*\\s*(\\S\\S+)\\t*\\s*Account Domain:\\t*\\s*(\\S\\S+)\\t*\\s*Logon ID:\\t*\\s*(\\S\\S+)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "security_id" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Security ID:\\t*\\s*(\\S\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "account_name" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Account Name:\\t*\\s*(\\S\\S+)", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "account_domain" ], "use_own_name":"false", "accumulate":"no", "regex":{ 
"pattern":"Account Domain:\\t*\\s*(\\S\\S+)\\t*\\s*", "type":"osregex" }, "regex_offset":"after_regex", "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "logon_type" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Logon Type:\\t*\\s*(\\S+)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "caller_computer" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Caller Computer Name:\\t*\\s*(\\S+)", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "accesses" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"Accesses:\\s+(\\.+)\\s+Access Mask:|Accesses:\\t+(\\.+)Access Mask:", "type":"osregex" }, "type":"windows" }, { "id":640, "name":"windows", "parent":"windows", "order":[ "target_file" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"File\\s+Object Name:\\s+(\\w\\.+)\\s+Handle ID:|File\\t+Object Name:\\t+(\\w\\.+)\\t+Handle ID:", "type":"osregex" }, "type":"windows" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^WinEvtLog", "type":"osmatch" }, "type":"windows" }, { "id":647, "name":"wordpress", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^[", "type":"osregex" }, "regex":{ "pattern":"^(\\S+) ", "type":"osregex" }, "regex_offset":"after_parent", "program_name":{ "pattern":"^WPsyslog|^wpcore", "type":"osmatch" }, "type":"syslog" }, { "id":197, "name":"docker", "order":[ "docker.level", "docker.message" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"^time=\"\\d+-\\d+-\\d+T\\d+:\\d+:\\d+.\\d+\\w\" level=\\S+ msg=\"", "type":"osregex" }, "regex":{ "pattern":"level=(\\S+) msg=\"(\\.+)\"", "type":"osregex" }, "program_name":{ "pattern":"^dockerd|^containerd", "type":"osmatch" }, "type":"syslog" }, { "id":413, "name":"owncloud", "children":[ { "id":413, "name":"owncloud", 
"parent":"owncloud", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Login failed: user ", "type":"osregex" }, "regex":{ "pattern":"^'(\\w+)' , wrong password, IP:(\\d+.\\d+.\\d+.\\d+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":413, "name":"owncloud", "parent":"owncloud", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Login failed: ", "type":"osregex" }, "regex":{ "pattern":"^'(\\w+)' \\(Remote IP: '(\\d+.\\d+.\\d+.\\d+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":413, "name":"owncloud", "parent":"owncloud", "order":[ "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Passed filename is not valid, might be malicious ", "type":"osregex" }, "regex":{ "pattern":";ip:\"(\\d+.\\d+.\\d+.\\d+)|;ip:\\\\\"(\\d+.\\d+.\\d+.\\d+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^ownCloud", "type":"osmatch" }, "type":"syslog" }, { "id":473, "name":"pvedaemon", "children":[ { "id":473, "name":"pvedaemon", "parent":"pvedaemon", "order":[ "srcip", "dstuser" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"authentication failure; ", "type":"osregex" }, "regex":{ "pattern":"^rhost=(\\S+) user=(\\S+)@pam msg=|^rhost=(\\S+) user=(\\S+)@pve msg=", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^pvedaemon", "type":"osmatch" }, "type":"syslog" }, { "id":478, "name":"pvestatd", "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^pvestatd", "type":"osmatch" }, "type":"syslog" }, { "id":476, "name":"pveproxy", "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^pveproxy", "type":"osmatch" }, "type":"syslog" }, { "id":477, 
"name":"pvepw-logger", "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^pvepw-logger", "type":"osmatch" }, "type":"syslog" }, { "id":271, "name":"gsad", "children":[ { "id":271, "name":"gsad", "parent":"gsad", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Authentication failure for '", "type":"osregex" }, "regex":{ "pattern":"^(\\.+)' from (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":271, "name":"gsad", "parent":"gsad", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Authentication success for '", "type":"osregex" }, "regex":{ "pattern":"^(\\.+)' from (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^gsad", "type":"osmatch" }, "type":"syslog" }, { "id":382, "name":"openvasmd", "children":[ { "id":382, "name":"openvasmd", "parent":"openvasmd", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Authentication failure for '", "type":"osregex" }, "regex":{ "pattern":"^(\\.+)' from (\\S+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^md$", "type":"osmatch" }, "type":"syslog" }, { "id":385, "name":"openvassd", "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^openvassd", "type":"osmatch" }, "type":"syslog" }, { "id":431, "name":"pf", "children":[ { "id":431, "name":"pf", "parent":"pf", "order":[ "id", "action" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"^\\S*,\\S*,\\S*,(\\S*),\\S*,\\S*,(\\S*),", "type":"osregex" }, "type":"syslog" }, { "id":431, "name":"pf", "parent":"pf", "order":[ "protocol", "srcip", "dstip" ], "use_own_name":"false", "accumulate":"no", "regex":{ 
"pattern":"\\S*,\\S*,\\S*,\\S*,\\S*,\\S*,\\S*,\\S*,\\S*,(\\S*),\\S*,(\\S*),(\\S*),", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" }, { "id":431, "name":"pf", "parent":"pf", "order":[ "srcport", "dstport" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":"(\\d*),(\\d*),\\S*", "type":"osregex" }, "regex_offset":"after_regex", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"filterlog", "type":"osmatch" }, "type":"syslog" }, { "id":319, "name":"kes_parent", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"kes", "type":"osmatch" }, "type":"syslog" }, { "id":429, "name":"perdition", "children":[ ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^perdition", "type":"osmatch" }, "type":"syslog" }, { "id":366, "name":"nextcloud", "children":[ { "id":366, "name":"nextcloud", "parent":"nextcloud", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Login failed: user ", "type":"osregex" }, "regex":{ "pattern":"^'(\\w+)' , wrong password, IP:(\\d+.\\d+.\\d+.\\d+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" }, { "id":366, "name":"nextcloud", "parent":"nextcloud", "order":[ "dstuser", "srcip" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"Login failed: ", "type":"osregex" }, "regex":{ "pattern":"^'(\\w+)' \\(Remote IP: '(\\d+.\\d+.\\d+.\\d+)", "type":"osregex" }, "regex_offset":"after_prematch", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"^NextCloud", "type":"osmatch" }, "type":"syslog" }, { "id":306, "name":"junos-ids", "children":[ { "id":306, "name":"junos-ids", "parent":"junos-ids", "order":[ "firewall_name", "cat", "sub_cat", "attack.name", "srcip", "dstip", "protocol_id", "source_zone", "interface", "action" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"IP spoofing", 
"type":"osregex" }, "regex":{ "pattern":" (\\.+) (\\S+) - (\\S+) [\\S+ attack-name=\"(\\.+)\" source-address=\"(\\S+)\" destination-address=\"(\\S+)\" protocol-id=\"(\\S+)\" source-zone-name=\"(\\S+)\" interface-name=\"(\\S+)\" action=\"(\\S+)\"]", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":306, "name":"junos-ids", "parent":"junos-ids", "order":[ "firewall_name", "cat", "sub_cat", "attack.name", "srcip", "srcport", "dstip", "dstport", "source_zone", "interface", "action" ], "use_own_name":"false", "accumulate":"no", "prematch":{ "pattern":"No TCP flag", "type":"osregex" }, "regex":{ "pattern":" (\\.+) (\\S+) - (\\S+) [\\S+ attack-name=\"(\\.+)\" source-address=\"(\\S+)\" source-port=\"(\\S+)\" destination-address=\"(\\S+)\" destination-port=\"(\\S+)\" source-zone-name=\"(\\S+)\" interface-name=\"(\\S+)\" action=\"(\\S+)\"]", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" }, { "id":306, "name":"junos-ids", "parent":"junos-ids", "order":[ "firewall_name", "cat", "sub_cat", "attack.name", "srcip" ], "use_own_name":"false", "accumulate":"no", "regex":{ "pattern":" (\\.+) (\\S+) - (\\S+) [\\S+ attack-name=\"(\\.+)\" source-address=\"(\\S+)\"", "type":"osregex" }, "regex_offset":"after_parent", "type":"syslog" } ], "use_own_name":"false", "accumulate":"no", "program_name":{ "pattern":"junos-ids", "type":"osmatch" }, "type":"syslog" } ```
Deblintrake09 commented 1 year ago

Testing Analysisd socket - part 2

**Get socket configuration - getconfig - rules** :green_circle:

1. Send request JSON

   ```json
   {"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "rules"}}
   ```

2. Response

   ```json
   { "error":0, "message":"ok", "data":{ "rules":[ { "children":[ { "children":[ { "sigid":601, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Blocked by firewall-drop Active Response", "if_sid":"600", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"script", "pattern":"firewall-drop", "type":"osregex", "negate":false }, { "name":"type", "pattern":"add", "type":"osregex", "negate":false } ] }, { "sigid":602, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Unblocked by firewall-drop Active Response", "if_sid":"600", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"script", "pattern":"firewall-drop", "type":"osregex", "negate":false }, { "name":"type", "pattern":"delete", "type":"osregex", "negate":false } ] }, { "sigid":603, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Blocked by host-deny Active Response", "if_sid":"600", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"script", "pattern":"host-deny", "type":"osregex", "negate":false }, { "name":"type", "pattern":"add", "type":"osregex",
   "negate":false } ] }, { "sigid":604, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Unblocked by host-deny Active Response", "if_sid":"600", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"script", "pattern":"host-deny", "type":"osregex", "negate":false }, { "name":"type", "pattern":"delete", "type":"osregex", "negate":false } ] }, { "sigid":605, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Blocked by $(script) Active Response", "if_sid":"600", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"script", "pattern":"route-null", "type":"osregex", "negate":false }, { "name":"type", "pattern":"add", "type":"osregex", "negate":false } ] }, { "sigid":606, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Unblocked by $(script) Active Response", "if_sid":"600", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"script", "pattern":"route-null", "type":"osregex", "negate":false }, { "name":"type", "pattern":"delete", "type":"osregex", "negate":false } ] } ], "sigid":600, "level":0, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":27, "if_matched_sid":0, "group":"ossec,active_response,", "comment":"Active Response Messages Grouped", "rule_file":"ruleset/rules/0015-ossec_rules.xml",
   "category":"syslog" }, { "children":[ { "sigid":651, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Blocked by firewall-drop Active Response", "if_sid":"650", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"parameters.program", "pattern":"firewall-drop", "type":"osregex", "negate":false }, { "name":"command", "pattern":"add", "type":"osregex", "negate":false } ] }, { "sigid":652, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Unblocked by firewall-drop Active Response", "if_sid":"650", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"parameters.program", "pattern":"firewall-drop", "type":"osregex", "negate":false }, { "name":"command", "pattern":"delete", "type":"osregex", "negate":false } ] }, { "sigid":653, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Blocked by host-deny Active Response", "if_sid":"650", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"parameters.program", "pattern":"host-deny", "type":"osregex", "negate":false }, { "name":"command", "pattern":"add", "type":"osregex", "negate":false } ] }, { "sigid":654, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0,
   "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Unblocked by host-deny Active Response", "if_sid":"650", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"parameters.program", "pattern":"host-deny", "type":"osregex", "negate":false }, { "name":"command", "pattern":"delete", "type":"osregex", "negate":false } ] }, { "sigid":655, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":"ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,", "comment":"Host Blocked by route-null Active Response", "if_sid":"650", "rule_file":"ruleset/rules/0015-ossec_rules.xml", "category":"syslog", "field":[ { "name":"parameters.program", "pattern":"route-null", "type":"osregex", "negate":false }, { "name":"command", "pattern":"add", "type":"osregex", "negate":false } ] }, { "sigid":656, "level":3, "maxsize":0, "frequency":0, "timeframe":360, "ignore_time":0, "decoded_as":0, "if_matched_sid":0, "group":
   ```
**Get socket configuration - getconfig - command** :green_circle:

1. Send request JSON

   ```json
   {"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "command"}}
   ```

2. Response

   ```json
   {
     "error": 0,
     "message": "ok",
     "data": {
       "command": [
         { "name": "disable-account", "executable": "disable-account", "timeout_allowed": 1 },
         { "name": "restart-wazuh", "executable": "restart-wazuh", "timeout_allowed": 0 },
         { "name": "firewall-drop", "executable": "firewall-drop", "timeout_allowed": 1 },
         { "name": "host-deny", "executable": "host-deny", "timeout_allowed": 1 },
         { "name": "route-null", "executable": "route-null", "timeout_allowed": 1 },
         { "name": "win_route-null", "executable": "route-null.exe", "timeout_allowed": 1 },
         { "name": "netsh", "executable": "netsh.exe", "timeout_allowed": 1 }
       ]
     }
   }
   ```

**Get socket configuration - getconfig - internal** :green_circle:

1. Send request JSON

   ```json
   {"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "internal"}}
   ```

2. Response

   ```json
   {
     "error": 0,
     "message": "ok",
     "data": {
       "internal": {
         "analysisd": {
           "debug": 2,
           "default_timeframe": 360,
           "stats_maxdiff": 999000,
           "stats_mindiff": 1250,
           "stats_percent_diff": 150,
           "fts_list_size": 32,
           "fts_min_size_for_str": 14,
           "log_fw": 1,
           "decoder_order_size": 256,
           "label_cache_maxage": 10,
           "show_hidden_labels": 0,
           "rlimit_nofile": 458752,
           "min_rotate_interval": 600
         }
       }
     }
   }
   ```

**Get socket configuration - getconfig - labels** :green_circle:

1. Send request JSON

   ```json
   {"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "labels"}}
   ```

2. Response

   ```json
   { "error": 0, "message": "ok", "data": { "labels": [] } }
   ```

**Get socket configuration - getconfig - rule_test** :green_circle:

1. Send request JSON

   ```json
   {"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "rule_test"}}
   ```

2. Response

   ```json
   {
     "error": 0,
     "message": "ok",
     "data": {
       "rule_test": { "enabled": "yes", "threads": 1, "max_sessions": 64, "session_timeout": 900 }
     }
   }
   ```

**Get socket configuration - getconfig - invalid section** :green_circle:

1. Send request JSON

   ```json
   {"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {"section": "invalid"}}
   ```

2. Response

   ```json
   { "error": 7, "message": "Unrecognized or not configured section", "data": {} }
   ```

**Get socket configuration - getconfig - empty parameters** :green_circle:

1. Send request JSON

   ```json
   {"version": 1, "origin": {"module": "api"}, "command": "getconfig", "parameters": {}}
   ```

2. Response

   ```json
   { "error": 6, "message": "Empty section", "data": {} }
   ```

Get socket stats - getstats :green_circle:

1. Send request JSON

```json
{"version": 1, "origin": {"module": "api"}, "command": "getstats", "parameters": {}}
```

2. Response

```json
{ "error":0, "message":"ok", "data":{ "timestamp":1659713502, "name":"wazuh-analysisd", "metrics":{ "bytes":{ "received":5129587 }, "events":{ "processed":2041, "received":9543, "received_breakdown":{ "decoded_breakdown":{ "agent":0, "agentless":0, "dbsync":7492, "integrations_breakdown":{ "virustotal":0 }, "modules_breakdown":{ "aws":0, "azure":0, "ciscat":0, "command":0, "docker":0, "gcp":0, "github":0, "logcollector_breakdown":{ "eventchannel":0, "eventlog":0, "macos":0, "others":876 }, "office365":0, "oscap":0, "osquery":0, "rootcheck":8, "sca":758, "syscheck":10, "syscollector":396, "upgrade":0, "vulnerability":0 }, "monitor":1, "remote":2, "syslog":0 }, "dropped_breakdown":{ "agent":0, "agentless":0, "dbsync":0, "integrations_breakdown":{ "virustotal":0 }, "modules_breakdown":{ "aws":0, "azure":0, "ciscat":0, "command":0, "docker":0, "gcp":0, "github":0, "logcollector_breakdown":{ "eventchannel":0, "eventlog":0, "macos":0, "others":0 }, "office365":0, "oscap":0, "osquery":0, "rootcheck":0, "sca":0, "syscheck":0, "syscollector":0, "upgrade":0, "vulnerability":0 }, "monitor":0, "remote":0, "syslog":0 } }, "written_breakdown":{ "alerts":392, "archives":2041, "firewall":0, "fts":2, "stats":0 } }, "queues":{ "alerts":{ "size":16384, "usage":0 }, "archives":{ "size":16384, "usage":0 }, "dbsync":{ "size":16384, "usage":0 }, "eventchannel":{ "size":16384, "usage":0 }, "firewall":{ "size":16384, "usage":0 }, "fts":{ "size":16384, "usage":0 }, "hostinfo":{ "size":16384, "usage":0 }, "others":{ "size":16384, "usage":0 }, "processed":{ "size":16384, "usage":0 }, "rootcheck":{ "size":16384, "usage":0 }, "sca":{ "size":16384, "usage":0 }, "stats":{ "size":16384, "usage":0 }, "syscheck":{ "size":16384, "usage":0 }, "syscollector":{ "size":16384, "usage":0 }, "upgrade":{ "size":16384, "usage":0 }
} } } }
```

Get Agent stats - getagentstats - all agents - last_id = 0 :green_circle:

1. Send request JSON

```json
{"version": 1, "origin": {"module": "api"}, "command": "getagentsstats", "parameters": {"agents": "all", "last_id":0}}
```

2. Response

```json
{ "error":0, "message":"ok", "data":{ "timestamp":1659713465, "name":"wazuh-analysisd", "agents":[ { "id":226, "metrics":{ "events":{ "processed":984, "received_breakdown":{ "decoded_breakdown":{ "agent":0, "dbsync":3420, "integrations_breakdown":{ "virustotal":0 }, "modules_breakdown":{ "aws":0, "azure":0, "ciscat":0, "command":0, "docker":0, "gcp":0, "github":0, "logcollector_breakdown":{ "eventchannel":0, "eventlog":0, "macos":0, "others":431 }, "office365":0, "oscap":0, "osquery":0, "rootcheck":2, "sca":378, "syscheck":2, "syscollector":173, "upgrade":0, "vulnerability":0 }, "monitor":0, "remote":0 } }, "written_breakdown":{ "alerts":192, "archives":984, "firewall":0 } } } }, { "id":227, "metrics":{ "events":{ "processed":415, "received_breakdown":{ "decoded_breakdown":{ "agent":0, "dbsync":3320, "integrations_breakdown":{ "virustotal":0 }, "modules_breakdown":{ "aws":0, "azure":0, "ciscat":0, "command":0, "docker":0, "gcp":0, "github":0, "logcollector_breakdown":{ "eventchannel":0, "eventlog":0, "macos":0, "others":35 }, "office365":0, "oscap":0, "osquery":0, "rootcheck":2, "sca":378, "syscheck":2, "syscollector":0, "upgrade":0, "vulnerability":0 }, "monitor":0, "remote":0 } }, "written_breakdown":{ "alerts":192, "archives":415, "firewall":0 } } } } ] } }
```

Get Agent stats - getagentstats - all agents - no last_id :green_circle:

1. Send request JSON

```json
{"version": 1, "origin": {"module": "api"}, "command": "getagentsstats", "parameters": {"agents": "all"}}
```

2. Response

```json
{ "error":10, "message":"Empty last id", "data":{ } }
```

Get Agent stats - getagentstats - single agent :green_circle:

1. Send request JSON

```json
{"version": 1, "origin": {"module": "api"}, "command": "getagentsstats", "parameters": {"agents": [226]}}
```

2. Response

```json
{ "error":0, "message":"ok", "data":{ "timestamp":1659713319, "name":"wazuh-analysisd", "agents":[ { "id":226, "metrics":{ "events":{ "processed":971, "received_breakdown":{ "decoded_breakdown":{ "agent":0, "dbsync":3420, "integrations_breakdown":{ "virustotal":0 }, "modules_breakdown":{ "aws":0, "azure":0, "ciscat":0, "command":0, "docker":0, "gcp":0, "github":0, "logcollector_breakdown":{ "eventchannel":0, "eventlog":0, "macos":0, "others":418 }, "office365":0, "oscap":0, "osquery":0, "rootcheck":2, "sca":378, "syscheck":2, "syscollector":173, "upgrade":0, "vulnerability":0 }, "monitor":0, "remote":0 } }, "written_breakdown":{ "alerts":192, "archives":971, "firewall":0 } } } } ] } }
```

Get Agent stats - getagentstats - multiple agents :green_circle:

1. Send request JSON

```json
{"version": 1, "origin": {"module": "api"}, "command": "getagentsstats", "parameters": {"agents": [226,227]}}
```

2. Response

```json
{ "error":0, "message":"ok", "data":{ "timestamp":1659713266, "name":"wazuh-analysisd", "agents":[ { "id":226, "metrics":{ "events":{ "processed":924, "received_breakdown":{ "decoded_breakdown":{ "agent":0, "dbsync":3411, "integrations_breakdown":{ "virustotal":0 }, "modules_breakdown":{ "aws":0, "azure":0, "ciscat":0, "command":0, "docker":0, "gcp":0, "github":0, "logcollector_breakdown":{ "eventchannel":0, "eventlog":0, "macos":0, "others":409 }, "office365":0, "oscap":0, "osquery":0, "rootcheck":2, "sca":378, "syscheck":2, "syscollector":135, "upgrade":0, "vulnerability":0 }, "monitor":0, "remote":0 } }, "written_breakdown":{ "alerts":192, "archives":924, "firewall":0 } } } }, { "id":227, "metrics":{ "events":{ "processed":406, "received_breakdown":{ "decoded_breakdown":{ "agent":0, "dbsync":3320, "integrations_breakdown":{ "virustotal":0 }, "modules_breakdown":{ "aws":0, "azure":0, "ciscat":0, "command":0, "docker":0, "gcp":0, "github":0, "logcollector_breakdown":{ "eventchannel":0, "eventlog":0, "macos":0, "others":26 }, "office365":0, "oscap":0, "osquery":0, "rootcheck":2, "sca":378, "syscheck":2, "syscollector":0, "upgrade":0, "vulnerability":0 }, "monitor":0, "remote":0 } }, "written_breakdown":{ "alerts":192, "archives":406, "firewall":0 } } } } ] } }
```
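The socket tests above exercise two things a tester has to get right by hand: the length-prefixed framing of each request (the `"<I"` header from the helper script in this issue) and whether the counters in a `getstats` reply actually add up. The following script is an added example, not code from the issue or from the Wazuh project. It frames a request, reads a framed reply in full, and checks the analysisd counters for self-consistency: the leaves of `decoded_breakdown` plus `dropped_breakdown` must equal `received`, and any dropped events are reported (the dropped counters are the ones jmv74211 later reports as not behaving). `ANALYSISD_SOCKET` is an assumed path; substitute the analysisd socket from the list in the issue description. The embedded sample is constructed from the non-zero counters of the `getstats` reply shown above.

```python
import json
import socket
from struct import pack, unpack

# Framing used by the daemon sockets: 4-byte little-endian length, then the JSON body.
HEADER_FORMAT = "<I"
HEADER_LEN = 4

# Assumed path (not taken from the issue); use the analysisd socket listed in the description.
ANALYSISD_SOCKET = "/var/ossec/queue/sockets/analysis"


def frame_request(command, parameters, module="api", version=1):
    """Return the bytes for one request: length header followed by the JSON body."""
    body = json.dumps({"version": version, "origin": {"module": module},
                       "command": command, "parameters": parameters}).encode()
    return pack(HEADER_FORMAT, len(body)) + body


def unframe_response(raw):
    """Parse a framed reply, refusing a payload whose length disagrees with its header."""
    if len(raw) < HEADER_LEN:
        raise ValueError("reply shorter than the length header")
    (declared,) = unpack(HEADER_FORMAT, raw[:HEADER_LEN])
    payload = raw[HEADER_LEN:]
    if declared != len(payload):
        raise ValueError(f"header says {declared} bytes, payload has {len(payload)}")
    return json.loads(payload)


def query_daemon(path, command, parameters, timeout=5.0):
    """Send one request over the AF_UNIX stream socket and return the parsed reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall(frame_request(command, parameters))
        header = sock.recv(HEADER_LEN)
        (length,) = unpack(HEADER_FORMAT, header)
        chunks, got = [], 0
        while got < length:  # large replies span several recv() calls
            chunk = sock.recv(min(65536, length - got))
            if not chunk:
                raise ConnectionError("socket closed before the full reply arrived")
            chunks.append(chunk)
            got += len(chunk)
        return unframe_response(header + b"".join(chunks))


def sum_leaves(node):
    """Sum every integer leaf of a nested *_breakdown dict."""
    if isinstance(node, dict):
        return sum(sum_leaves(v) for v in node.values())
    return int(node)


def check_analysisd_stats(response):
    """Return a list of findings; an empty list means the getstats counters are self-consistent."""
    findings = []
    if response.get("error") != 0:
        findings.append(f"error {response.get('error')}: {response.get('message')}")
        return findings
    events = response["data"]["metrics"]["events"]
    breakdown = events["received_breakdown"]
    decoded = sum_leaves(breakdown["decoded_breakdown"])
    dropped = sum_leaves(breakdown["dropped_breakdown"])
    if decoded + dropped != events["received"]:
        findings.append(f"received={events['received']} but decoded+dropped={decoded + dropped}")
    if events["processed"] > events["received"]:
        findings.append(f"processed={events['processed']} exceeds received={events['received']}")
    if dropped:
        findings.append(f"{dropped} events dropped since startup")
    return findings


# Constructed sample: the non-zero counters of the wazuh-analysisd getstats reply
# shown in this issue (received 9543, processed 2041), with the zero leaves trimmed.
SAMPLE_GETSTATS = {
    "error": 0, "message": "ok",
    "data": {"timestamp": 1659713502, "name": "wazuh-analysisd", "metrics": {
        "bytes": {"received": 5129587},
        "events": {
            "processed": 2041, "received": 9543,
            "received_breakdown": {
                "decoded_breakdown": {
                    "agent": 0, "agentless": 0, "dbsync": 7492,
                    "integrations_breakdown": {"virustotal": 0},
                    "modules_breakdown": {
                        "logcollector_breakdown": {"eventchannel": 0, "eventlog": 0, "macos": 0, "others": 876},
                        "rootcheck": 8, "sca": 758, "syscheck": 10, "syscollector": 396},
                    "monitor": 1, "remote": 2, "syslog": 0},
                "dropped_breakdown": {"agent": 0, "dbsync": 0, "modules_breakdown": {"sca": 0}, "remote": 0}},
            "written_breakdown": {"alerts": 392, "archives": 2041}}}},
}

if __name__ == "__main__":
    print(check_analysisd_stats(SAMPLE_GETSTATS) or "sample counters are consistent")
    # Against a live manager (needs read/write access to the socket):
    # print(check_analysisd_stats(query_daemon(ANALYSISD_SOCKET, "getstats", {})))
```

The length check in `unframe_response` matters because the reply header is the only framing on the stream: a truncated read that is parsed anyway would show up as a JSON error rather than as the transport problem it is.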
jmv74211 commented 1 year ago

🟢 Everything seems to be working properly

jmv74211 commented 1 year ago

The issue is reopened because we need to complete the testing corresponding to the API part (it was not available before). As it corresponds to the same development, it will be done in this issue.

jmv74211 commented 1 year ago

(1) Automatic EPS limitation tests have reported that the statistics of dropped events do not work correctly. I have tested it locally and it does not seem to work correctly.

https://user-images.githubusercontent.com/23462183/197550497-bbe6e750-46e8-4eee-9dff-67018de87ead.mp4

This will be discussed with the development team.

fedepacher commented 1 year ago

Review data

| Tester | PR commit |
|---|---|
| @fedepacher | 369876c |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Ubuntu | Jammy | AWS\|EC2 | | |

Tested packages

| wazuh-manager | wazuh-agent |
|---|---|
| .deb Manager | .deb agent |

Conclusion 🟢

fedepacher commented 1 year ago

Testing API endpoints - Part 1

Manager daemons statistics

Get API daemons statistics - manager :green_circle:

`curl -Ssk -X GET "https://localhost:55000/manager/daemons/stats" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "uptime": "2022-10-24T15:57:43+00:00", "timestamp": "2022-10-24T16:02:18+00:00", "name": "wazuh-remoted", "metrics": { "bytes": { "received": 19980, "sent": 4984 }, "keys_reload_count": 0, "messages": { "received_breakdown": { "control": 56, "control_breakdown": { "keepalive": 54, "request": 0, "shutdown": 0, "startup": 2 }, "dequeued_after": 0, "discarded": 0, "event": 18, "ping": 0, "unknown": 0 }, "sent_breakdown": { "ack": 56, "ar": 0, "discarded": 0, "request": 0, "sca": 0, "shared": 0 } }, "queues": { "received": { "size": 131072, "usage": 0 } }, "tcp_sessions": 2 } }, { "uptime": "2022-10-24T15:57:42+00:00", "timestamp": "2022-10-24T16:02:18+00:00", "name": "wazuh-analysisd", "metrics": { "bytes": { "received": 84104 }, "events": { "processed": 38, "received": 287, "received_breakdown": { "decoded_breakdown": { "agent": 0, "agentless": 0, "dbsync": 247, "integrations_breakdown": { "virustotal": 0 }, "modules_breakdown": { "aws": 0, "azure": 0, "ciscat": 0, "command": 0, "docker": 0, "gcp": 0, "github": 0, "logcollector_breakdown": { "eventchannel": 0, "eventlog": 0, "macos": 0, "others": 31 }, "office365": 0, "oscap": 0, "osquery": 0, "rootcheck": 4, "sca": 2, "syscheck": 2, "syscollector": 0, "upgrade": 0, "vulnerability": 0 }, "monitor": 1, "remote": 0, "syslog": 0 }, "dropped_breakdown": { "agent": 0, "agentless": 0, "dbsync": 0, "integrations_breakdown": { "virustotal": 0 }, "modules_breakdown": { "aws": 0, "azure": 0, "ciscat": 0, "command": 0, "docker": 0, "gcp": 0, "github": 0, "logcollector_breakdown": { "eventchannel": 0, "eventlog": 0, "macos": 0, "others": 0 }, "office365": 0, "oscap": 0, "osquery": 0, "rootcheck": 0, "sca": 0, "syscheck": 0, "syscollector": 0, "upgrade": 0, "vulnerability": 0 }, "monitor": 0, "remote": 0, "syslog": 0 } },
"written_breakdown": { "alerts": 4, "archives": 0, "firewall": 0, "fts": 0, "stats": 0 } }, "queues": { "alerts": { "size": 16384, "usage": 0 }, "archives": { "size": 16384, "usage": 0 }, "dbsync": { "size": 16384, "usage": 0 }, "eventchannel": { "size": 16384, "usage": 0 }, "firewall": { "size": 16384, "usage": 0 }, "fts": { "size": 16384, "usage": 0 }, "hostinfo": { "size": 16384, "usage": 0 }, "others": { "size": 16384, "usage": 0 }, "processed": { "size": 16384, "usage": 0 }, "rootcheck": { "size": 16384, "usage": 0 }, "sca": { "size": 16384, "usage": 0 }, "stats": { "size": 16384, "usage": 0 }, "syscheck": { "size": 16384, "usage": 0 }, "syscollector": { "size": 16384, "usage": 0 }, "upgrade": { "size": 16384, "usage": 0 } } } }, { "uptime": "2022-10-24T15:57:39+00:00", "timestamp": "2022-10-24T16:02:18+00:00", "name": "wazuh-db", "metrics": { "queries": { "received": 1918, "received_breakdown": { "agent": 259, "agent_breakdown": { "db": { "begin": 0, "close": 0, "commit": 0, "remove": 0, "sql": 0 }, "tables": { "ciscat": { "ciscat": 0 }, "rootcheck": { "rootcheck": 4 }, "sca": { "sca": 6 }, "sync": { "dbsync": 0 }, "syscheck": { "fim_file": 3, "fim_registry": 0, "syscheck": 2 }, "syscollector": { "syscollector_hotfixes": 1, "syscollector_hwinfo": 2, "syscollector_network_address": 1, "syscollector_network_iface": 4, "syscollector_network_protocol": 1, "syscollector_osinfo": 2, "syscollector_packages": 1, "syscollector_ports": 16, "syscollector_processes": 216, "deprecated": { "hardware": 0, "hotfix": 0, "netaddr": 0, "netinfo": 0, "netproto": 0, "osinfo": 0, "package": 0, "port": 0, "process": 0 } }, "vulnerability": { "vuln_cves": 0 } } }, "global": 327, "global_breakdown": { "db": { "backup": 0, "sql": 0 }, "tables": { "agent": { "delete-agent": 0, "disconnect-agents": 0, "find-agent": 0, "get-agent-info": 56, "get-agents-by-connection-status": 92, "get-all-agents": 29, "get-groups-integrity": 0, "insert-agent": 2, "reset-agents-connection": 1,
"select-agent-group": 56, "select-agent-name": 4, "set-agent-groups": 0, "sync-agent-groups-get": 25, "sync-agent-info-get": 0, "sync-agent-info-set": 0, "update-agent-data": 55, "update-agent-name": 1, "update-connection-status": 0, "update-keepalive": 2 }, "belongs": { "get-group-agents": 0, "select-group-belong": 0 }, "group": { "delete-group": 0, "find-group": 1, "insert-agent-group": 0, "select-groups": 1 }, "labels": { "get-labels": 2 } } }, "mitre": 1328, "mitre_breakdown": { "db": { "sql": 1328 } }, "task": 4, "task_breakdown": { "db": { "sql": 0 }, "tables": { "tasks": { "delete_old": 1, "set_timeout": 1, "upgrade": 0, "upgrade_cancel_tasks": 2, "upgrade_custom": 0, "upgrade_get_status": 0, "upgrade_result": 0, "upgrade_update_status": 0 } } }, "wazuhdb": 0, "wazuhdb_breakdown": { "db": { "remove": 0 } } } }, "time": { "execution": 252, "execution_breakdown": { "agent": 113, "agent_breakdown": { "db": { "begin": 0, "close": 0, "commit": 0, "remove": 0, "sql": 0 }, "tables": { "ciscat": { "ciscat": 0 }, "rootcheck": { "rootcheck": 15 }, "sca": { "sca": 0 }, "sync": { "dbsync": 0 }, "syscheck": { "fim_file": 9, "fim_registry": 0, "syscheck": 6 }, "syscollector": { "syscollector_hotfixes": 5, "syscollector_hwinfo": 10, "syscollector_network_address": 5, "syscollector_network_iface": 6, "syscollector_network_protocol": 6, "syscollector_osinfo": 6, "syscollector_packages": 7, "syscollector_ports": 8, "syscollector_processes": 22, "deprecated": { "hardware": 0, "hotfix": 0, "netaddr": 0, "netinfo": 0, "netproto": 0, "osinfo": 0, "package": 0, "port": 0, "process": 0 } }, "vulnerability": { "vuln_cves": 0 } } }, "global": 19, "global_breakdown": { "db": { "backup": 0, "sql": 0 }, "tables": { "agent": { "delete-agent": 0, "disconnect-agents": 0, "find-agent": 0, "get-agent-info": 2, "get-agents-by-connection-status": 4, "get-all-agents": 1, "get-groups-integrity": 0, "insert-agent": 0, "reset-agents-connection": 0, "select-agent-group": 1, "select-agent-name": 0,
"set-agent-groups": 0, "sync-agent-groups-get": 1, "sync-agent-info-get": 0, "sync-agent-info-set": 0, "update-agent-data": 6, "update-agent-name": 0, "update-connection-status": 0, "update-keepalive": 0 }, "belongs": { "get-group-agents": 0, "select-group-belong": 0 }, "group": { "delete-group": 0, "find-group": 0, "insert-agent-group": 0, "select-groups": 0 }, "labels": { "get-labels": 0 } } }, "mitre": 120, "mitre_breakdown": { "db": { "sql": 120 } }, "task": 0, "task_breakdown": { "db": { "sql": 0 }, "tables": { "tasks": { "delete_old": 0, "set_timeout": 0, "upgrade": 0, "upgrade_cancel_tasks": 0, "upgrade_custom": 0, "upgrade_get_status": 0, "upgrade_result": 0, "upgrade_update_status": 0 } } }, "wazuhdb": 0, "wazuhdb_breakdown": { "db": { "remove": 0 } } } } } } ], "total_affected_items": 3, "total_failed_items": 0, "failed_items": [] }, "message": "Statistical information for each daemon was successfully read", "error": 0 }
```

Cluster daemons statistics

Get API daemons statistics - worker :green_circle:

`curl -Ssk -X GET "https://localhost:55000/cluster/worker-node-1/daemons/stats" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "uptime": "2022-10-24T15:57:58+00:00", "timestamp": "2022-10-24T16:03:25+00:00", "name": "wazuh-remoted", "metrics": { "bytes": { "received": 0, "sent": 0 }, "keys_reload_count": 1, "messages": { "received_breakdown": { "control": 0, "control_breakdown": { "keepalive": 0, "request": 0, "shutdown": 0, "startup": 0 }, "dequeued_after": 0, "discarded": 0, "event": 0, "ping": 0, "unknown": 0 }, "sent_breakdown": { "ack": 0, "ar": 0, "discarded": 0, "request": 0, "sca": 0, "shared": 0 } }, "queues": { "received": { "size": 131072, "usage": 0 } }, "tcp_sessions": 0 } }, { "uptime": "2022-10-24T15:57:57+00:00", "timestamp": "2022-10-24T16:03:25+00:00", "name": "wazuh-analysisd", "metrics": { "bytes": { "received": 1179837 }, "events": { "processed": 496, "received": 2533, "received_breakdown": { "decoded_breakdown": { "agent": 0, "agentless": 0, "dbsync": 2035, "integrations_breakdown": { "virustotal": 0 }, "modules_breakdown": { "aws": 0, "azure": 0, "ciscat": 0, "command": 0, "docker": 0, "gcp": 0, "github": 0, "logcollector_breakdown": { "eventchannel": 0, "eventlog": 0, "macos": 0, "others": 489 }, "office365": 0, "oscap": 0, "osquery": 0, "rootcheck": 4, "sca": 2, "syscheck": 2, "syscollector": 0, "upgrade": 0, "vulnerability": 0 }, "monitor": 1, "remote": 0, "syslog": 0 }, "dropped_breakdown": { "agent": 0, "agentless": 0, "dbsync": 0, "integrations_breakdown": { "virustotal": 0 }, "modules_breakdown": { "aws": 0, "azure": 0, "ciscat": 0, "command": 0, "docker": 0, "gcp": 0, "github": 0, "logcollector_breakdown": { "eventchannel": 0, "eventlog": 0, "macos": 0, "others": 0 }, "office365": 0, "oscap": 0, "osquery": 0, "rootcheck": 0, "sca": 0, "syscheck": 0, "syscollector": 0, "upgrade": 0, "vulnerability": 0 }, "monitor": 0, "remote": 0, "syslog": 0 } },
"written_breakdown": { "alerts": 39, "archives": 0, "firewall": 0, "fts": 0, "stats": 0 } }, "queues": { "alerts": { "size": 16384, "usage": 0 }, "archives": { "size": 16384, "usage": 0 }, "dbsync": { "size": 16384, "usage": 0 }, "eventchannel": { "size": 16384, "usage": 0 }, "firewall": { "size": 16384, "usage": 0 }, "fts": { "size": 16384, "usage": 0 }, "hostinfo": { "size": 16384, "usage": 0 }, "others": { "size": 16384, "usage": 0 }, "processed": { "size": 16384, "usage": 0 }, "rootcheck": { "size": 16384, "usage": 0 }, "sca": { "size": 16384, "usage": 0 }, "stats": { "size": 16384, "usage": 0 }, "syscheck": { "size": 16384, "usage": 0 }, "syscollector": { "size": 16384, "usage": 0 }, "upgrade": { "size": 16384, "usage": 0 } } } }, { "uptime": "2022-10-24T15:57:54+00:00", "timestamp": "2022-10-24T16:03:25+00:00", "name": "wazuh-db", "metrics": { "queries": { "received": 3587, "received_breakdown": { "agent": 2047, "agent_breakdown": { "db": { "begin": 0, "close": 0, "commit": 0, "remove": 0, "sql": 0 }, "tables": { "ciscat": { "ciscat": 0 }, "rootcheck": { "rootcheck": 4 }, "sca": { "sca": 6 }, "sync": { "dbsync": 0 }, "syscheck": { "fim_file": 1805, "fim_registry": 0, "syscheck": 2 }, "syscollector": { "syscollector_hotfixes": 1, "syscollector_hwinfo": 2, "syscollector_network_address": 1, "syscollector_network_iface": 4, "syscollector_network_protocol": 1, "syscollector_osinfo": 2, "syscollector_packages": 1, "syscollector_ports": 13, "syscollector_processes": 205, "deprecated": { "hardware": 0, "hotfix": 0, "netaddr": 0, "netinfo": 0, "netproto": 0, "osinfo": 0, "package": 0, "port": 0, "process": 0 } }, "vulnerability": { "vuln_cves": 0 } } }, "global": 212, "global_breakdown": { "db": { "backup": 0, "sql": 0 }, "tables": { "agent": { "delete-agent": 0, "disconnect-agents": 0, "find-agent": 0, "get-agent-info": 62, "get-agents-by-connection-status": 0, "get-all-agents": 36, "get-groups-integrity": 0, "insert-agent": 2, "reset-agents-connection": 1,
"select-agent-group": 2, "select-agent-name": 0, "set-agent-groups": 32, "sync-agent-groups-get": 41, "sync-agent-info-get": 32, "sync-agent-info-set": 0, "update-agent-data": 1, "update-agent-name": 1, "update-connection-status": 0, "update-keepalive": 0 }, "belongs": { "get-group-agents": 0, "select-group-belong": 0 }, "group": { "delete-group": 0, "find-group": 1, "insert-agent-group": 0, "select-groups": 1 }, "labels": { "get-labels": 0 } } }, "mitre": 1328, "mitre_breakdown": { "db": { "sql": 1328 } }, "task": 0, "task_breakdown": { "db": { "sql": 0 }, "tables": { "tasks": { "delete_old": 0, "set_timeout": 0, "upgrade": 0, "upgrade_cancel_tasks": 0, "upgrade_custom": 0, "upgrade_get_status": 0, "upgrade_result": 0, "upgrade_update_status": 0 } } }, "wazuhdb": 0, "wazuhdb_breakdown": { "db": { "remove": 0 } } } }, "time": { "execution": 336, "execution_breakdown": { "agent": 207, "agent_breakdown": { "db": { "begin": 0, "close": 0, "commit": 0, "remove": 0, "sql": 0 }, "tables": { "ciscat": { "ciscat": 0 }, "rootcheck": { "rootcheck": 17 }, "sca": { "sca": 0 }, "sync": { "dbsync": 0 }, "syscheck": { "fim_file": 110, "fim_registry": 0, "syscheck": 5 }, "syscollector": { "syscollector_hotfixes": 6, "syscollector_hwinfo": 5, "syscollector_network_address": 4, "syscollector_network_iface": 5, "syscollector_network_protocol": 5, "syscollector_osinfo": 6, "syscollector_packages": 6, "syscollector_ports": 6, "syscollector_processes": 25, "deprecated": { "hardware": 0, "hotfix": 0, "netaddr": 0, "netinfo": 0, "netproto": 0, "osinfo": 0, "package": 0, "port": 0, "process": 0 } }, "vulnerability": { "vuln_cves": 0 } } }, "global": 9, "global_breakdown": { "db": { "backup": 0, "sql": 0 }, "tables": { "agent": { "delete-agent": 0, "disconnect-agents": 0, "find-agent": 0, "get-agent-info": 2, "get-agents-by-connection-status": 0, "get-all-agents": 1, "get-groups-integrity": 0, "insert-agent": 0, "reset-agents-connection": 0, "select-agent-group": 0, "select-agent-name": 0,
"set-agent-groups": 0, "sync-agent-groups-get": 2, "sync-agent-info-get": 1, "sync-agent-info-set": 0, "update-agent-data": 0, "update-agent-name": 0, "update-connection-status": 0, "update-keepalive": 0 }, "belongs": { "get-group-agents": 0, "select-group-belong": 0 }, "group": { "delete-group": 0, "find-group": 0, "insert-agent-group": 0, "select-groups": 0 }, "labels": { "get-labels": 0 } } }, "mitre": 120, "mitre_breakdown": { "db": { "sql": 120 } }, "task": 0, "task_breakdown": { "db": { "sql": 0 }, "tables": { "tasks": { "delete_old": 0, "set_timeout": 0, "upgrade": 0, "upgrade_cancel_tasks": 0, "upgrade_custom": 0, "upgrade_get_status": 0, "upgrade_result": 0, "upgrade_update_status": 0 } } }, "wazuhdb": 0, "wazuhdb_breakdown": { "db": { "remove": 0 } } } } } } ], "total_affected_items": 3, "total_failed_items": 0, "failed_items": [] }, "message": "Statistical information for each daemon was successfully read", "error": 0 }
```

Agent daemons statistics

Get API daemons statistics - agent :green_circle:

`curl -Ssk -X GET "https://localhost:55000/agents/001/daemons/stats" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "timestamp": "2022-10-24T16:07:41+00:00", "name": "wazuh-remoted", "agents": [ { "uptime": "2022-10-24T15:57:53+00:00", "id": 1, "metrics": { "messages": { "received_breakdown": { "control": 60, "control_breakdown": { "keepalive": 59, "request": 0, "shutdown": 0, "startup": 1 }, "event": 18 }, "sent_breakdown": { "ack": 60, "ar": 0, "discarded": 0, "request": 0, "sca": 0, "shared": 0 } } } } ] }, { "timestamp": "2022-10-24T16:07:41+00:00", "name": "wazuh-analysisd", "agents": [ { "uptime": "2022-10-24T15:59:04+00:00", "id": 1, "metrics": { "events": { "processed": 16, "received_breakdown": { "decoded_breakdown": { "agent": 0, "dbsync": 2, "integrations_breakdown": { "virustotal": 0 }, "modules_breakdown": { "aws": 0, "azure": 0, "ciscat": 0, "command": 0, "docker": 0, "gcp": 0, "github": 0, "logcollector_breakdown": { "eventchannel": 0, "eventlog": 0, "macos": 0, "others": 16 }, "office365": 0, "oscap": 0, "osquery": 0, "rootcheck": 0, "sca": 0, "syscheck": 0, "syscollector": 0, "upgrade": 0, "vulnerability": 0 }, "monitor": 0, "remote": 0 } }, "written_breakdown": { "alerts": 0, "archives": 0, "firewall": 0 } } } } ] } ], "total_affected_items": 2, "total_failed_items": 0, "failed_items": [] }, "message": "Statistical information for each daemon was successfully read", "error": 0 }
```

Manager remoted endpoints

Get API daemons list statistics of the manager - wazuh-remoted :green_circle:

`curl -k -X GET "https://localhost:55000/manager/daemons/stats?daemons_list=wazuh-remoted" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "uptime": "2022-10-24T17:14:46+00:00", "timestamp": "2022-10-24T18:30:43+00:00", "name": "wazuh-remoted", "metrics": { "bytes": { "received": 366512, "sent": 81442 }, "keys_reload_count": 0, "messages": { "received_breakdown": { "control": 912, "control_breakdown": { "keepalive": 910, "request": 0, "shutdown": 0, "startup": 2 }, "dequeued_after": 0, "discarded": 0, "event": 400, "ping": 0, "unknown": 0 }, "sent_breakdown": { "ack": 912, "ar": 2, "discarded": 0, "request": 0, "sca": 0, "shared": 0 } }, "queues": { "received": { "size": 131072, "usage": 0 } }, "tcp_sessions": 2 } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Statistical information for each daemon was successfully read", "error": 0 }
```

Global configuration

Get API active configuration from manager - request/global :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/request/global" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "global": { "remoted": { "agents_disconnection_alert_time": 0, "agents_disconnection_time": 600 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - request/remote :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/request/remote" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "remote": [ { "connection": "secure", "ipv6": "no", "protocol": [ "TCP" ], "port": "1514", "queue_size": "131072" } ] } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - multiple remote blocks :green_circle:

#### ossec.conf

```xml
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>172.31.8.55/24</allowed-ips>
  <local_ip>172.31.3.109</local_ip>
</remote>
<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp</protocol>
  <queue_size>131072</queue_size>
</remote>
```

`curl -k -X GET "https://localhost:55000/manager/configuration/request/remote" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "remote": [ { "connection": "syslog", "ipv6": "no", "local_ip": "172.31.3.109", "protocol": [ "TCP" ], "port": "514", "allowed-ips": [ "172.31.8.55/24" ] }, { "connection": "secure", "ipv6": "no", "protocol": [ "TCP" ], "port": "1514", "queue_size": "131072" } ] } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - request/internal :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/request/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "internal": { "remoted": { "recv_counter_flush": 128, "comp_average_printout": 19999, "verify_msg_id": 0, "recv_timeout": 0, "pass_empty_keyfile": 1, "sender_pool": 8, "request_pool": 1024, "request_rto_sec": 1, "request_rto_msec": 0, "max_attempts": 4, "request_timeout": 10, "response_timeout": 60, "shared_reload": 10, "rlimit_nofile": 458752, "merge_shared": 0, "guess_agent_group": 0, "receive_chunk": 4096, "send_chunk": 4096, "buffer_relax": 1, "send_buffer_size": 131072, "send_timeout_to_retry": 1, "tcp_keepidle": 30, "tcp_keepintvl": 10, "tcp_keepcnt": 3 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - request/invalid :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/request/invalid" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "title": "Bad Request", "detail": "'invalid' is not one of ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test']. Failed validating 'enum' in schema: {'enum': ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test'], 'type': 'string'}. On instance: 'invalid'" }
```

Get API active configuration from manager - request/empty :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/request/" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "title": "Not Found", "detail": "404: Not Found" }
```

Cluster remoted endpoints

Get API daemons list statistics of the worker 1 - wazuh-remoted :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/daemons/stats?daemons_list=wazuh-remoted" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "uptime": "2022-10-24T15:57:58+00:00", "timestamp": "2022-10-24T18:40:00+00:00", "name": "wazuh-remoted", "metrics": { "bytes": { "received": 0, "sent": 0 }, "keys_reload_count": 1, "messages": { "received_breakdown": { "control": 0, "control_breakdown": { "keepalive": 0, "request": 0, "shutdown": 0, "startup": 0 }, "dequeued_after": 0, "discarded": 0, "event": 0, "ping": 0, "unknown": 0 }, "sent_breakdown": { "ack": 0, "ar": 0, "discarded": 0, "request": 0, "sca": 0, "shared": 0 } }, "queues": { "received": { "size": 131072, "usage": 0 } }, "tcp_sessions": 0 } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Statistical information for each daemon was successfully read", "error": 0 }
```

Global configuration

Get API active configuration from worker 1 - request/global :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/request/global" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "global": { "remoted": { "agents_disconnection_alert_time": 0, "agents_disconnection_time": 600 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from worker 1 - request/remote :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/request/remote" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "remote": [ { "connection": "secure", "ipv6": "no", "protocol": [ "TCP" ], "port": "1514", "queue_size": "131072" } ] } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from worker 1 - multiple remote blocks :green_circle:

#### ossec.conf

```xml
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>172.31.8.55/24</allowed-ips>
  <local_ip>172.31.3.109</local_ip>
</remote>
<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp</protocol>
  <queue_size>131072</queue_size>
</remote>
```

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/request/remote" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "remote": [ { "connection": "syslog", "ipv6": "no", "local_ip": "172.31.3.109", "protocol": [ "TCP" ], "port": "514", "allowed-ips": [ "172.31.8.55/24" ] }, { "connection": "secure", "ipv6": "no", "protocol": [ "TCP" ], "port": "1514", "queue_size": "131072" } ] } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from worker 1 - request/internal :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/request/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "data": { "affected_items": [ { "internal": { "remoted": { "recv_counter_flush": 128, "comp_average_printout": 19999, "verify_msg_id": 0, "recv_timeout": 0, "pass_empty_keyfile": 1, "sender_pool": 8, "request_pool": 1024, "request_rto_sec": 1, "request_rto_msec": 0, "max_attempts": 4, "request_timeout": 10, "response_timeout": 60, "shared_reload": 10, "rlimit_nofile": 458752, "merge_shared": 1, "guess_agent_group": 0, "receive_chunk": 4096, "send_chunk": 4096, "buffer_relax": 1, "send_buffer_size": 131072, "send_timeout_to_retry": 1, "tcp_keepidle": 30, "tcp_keepintvl": 10, "tcp_keepcnt": 3 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from worker 1 - request/invalid :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/request/invalid" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "title": "Bad Request", "detail": "'invalid' is not one of ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test']. Failed validating 'enum' in schema: {'enum': ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test'], 'type': 'string'}. On instance: 'invalid'" }
```

Get API active configuration from worker 1 - request/empty :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/request/" -H "Authorization: Bearer $TOKEN" | jq .`

```json
{ "title": "Not Found", "detail": "404: Not Found" }
```

Agent remoted endpoints

Get API daemons list statistics of the agent 1 - wazuh-remoted :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/daemons/stats?daemons_list=wazuh-remoted" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "timestamp": "2022-10-24T19:37:30+00:00",
        "name": "wazuh-remoted",
        "agents": [
          {
            "uptime": "2022-10-24T17:14:55+00:00",
            "id": 1,
            "metrics": {
              "messages": {
                "received_breakdown": {
                  "control": 858,
                  "control_breakdown": { "keepalive": 856, "request": 1, "shutdown": 0, "startup": 1 },
                  "event": 365
                },
                "sent_breakdown": { "ack": 857, "ar": 2, "discarded": 0, "request": 1, "sca": 0, "shared": 0 }
              }
            }
          }
        ]
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Statistical information for each daemon was successfully read",
  "error": 0
}
```

Global configuration

Get API active configuration from agent 1 - request/global :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/request/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: request:global",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: request:global"
    }
  },
  "error": 1117
}
```

Get API active configuration from agent 1 - request/remote :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/request/remote" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: request:remote",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: request:remote"
    }
  },
  "error": 1117
}
```

Get API active configuration from agent 1 - request/internal :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/request/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: request:internal",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: request:internal"
    }
  },
  "error": 1117
}
```
fedepacher commented 1 year ago

Testing API endpoints - Part 2

Manager wazuh-db endpoints

Get API daemons list statistics of the manager - wazuh-db :green_circle:

`curl -k -X GET "https://localhost:55000/manager/daemons/stats?daemons_list=wazuh-db" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "uptime": "2022-10-24T17:14:42+00:00",
        "timestamp": "2022-10-24T18:23:59+00:00",
        "name": "wazuh-db",
        "metrics": {
          "queries": {
            "received": 6929,
            "received_breakdown": {
              "agent": 528,
              "agent_breakdown": {
                "db": { "begin": 0, "close": 0, "commit": 0, "remove": 0, "sql": 0 },
                "tables": {
                  "ciscat": { "ciscat": 0 },
                  "rootcheck": { "rootcheck": 4 },
                  "sca": { "sca": 6 },
                  "sync": { "dbsync": 205 },
                  "syscheck": { "fim_file": 42, "fim_registry": 0, "syscheck": 2 },
                  "syscollector": {
                    "syscollector_hotfixes": 4, "syscollector_hwinfo": 8, "syscollector_network_address": 4,
                    "syscollector_network_iface": 7, "syscollector_network_protocol": 4, "syscollector_osinfo": 5,
                    "syscollector_packages": 4, "syscollector_ports": 14, "syscollector_processes": 183,
                    "deprecated": { "hardware": 0, "hotfix": 0, "netaddr": 0, "netinfo": 0, "netproto": 0, "osinfo": 36, "package": 0, "port": 0, "process": 0 }
                  },
                  "vulnerability": { "vuln_cves": 0 }
                }
              },
              "global": 5066,
              "global_breakdown": {
                "db": { "backup": 0, "sql": 12 },
                "tables": {
                  "agent": {
                    "delete-agent": 0, "disconnect-agents": 6, "find-agent": 0, "get-agent-info": 868,
                    "get-agents-by-connection-status": 1647, "get-all-agents": 417, "get-groups-integrity": 0,
                    "insert-agent": 2, "reset-agents-connection": 1, "select-agent-group": 832, "select-agent-name": 4,
                    "set-agent-groups": 0, "sync-agent-groups-get": 414, "sync-agent-info-get": 0, "sync-agent-info-set": 0,
                    "update-agent-data": 831, "update-agent-name": 1, "update-connection-status": 0, "update-keepalive": 2
                  },
                  "belongs": { "get-group-agents": 0, "select-group-belong": 0 },
                  "group": { "delete-group": 0, "find-group": 1, "insert-agent-group": 0, "select-groups": 1 },
                  "labels": { "get-labels": 27 }
                }
              },
              "mitre": 1328,
              "mitre_breakdown": { "db": { "sql": 1328 } },
              "task": 7,
              "task_breakdown": {
                "db": { "sql": 0 },
                "tables": {
                  "tasks": { "delete_old": 1, "set_timeout": 5, "upgrade": 0, "upgrade_cancel_tasks": 1, "upgrade_custom": 0, "upgrade_get_status": 0, "upgrade_result": 0, "upgrade_update_status": 0 }
                }
              },
              "wazuhdb": 0,
              "wazuhdb_breakdown": { "db": { "remove": 0 } }
            }
          },
          "time": {
            "execution": 3739,
            "execution_breakdown": {
              "agent": 3268,
              "agent_breakdown": {
                "db": { "begin": 0, "close": 0, "commit": 0, "remove": 0, "sql": 0 },
                "tables": {
                  "ciscat": { "ciscat": 0 },
                  "rootcheck": { "rootcheck": 21 },
                  "sca": { "sca": 1 },
                  "sync": { "dbsync": 1821 },
                  "syscheck": { "fim_file": 980, "fim_registry": 0, "syscheck": 4 },
                  "syscollector": {
                    "syscollector_hotfixes": 24, "syscollector_hwinfo": 31, "syscollector_network_address": 26,
                    "syscollector_network_iface": 27, "syscollector_network_protocol": 24, "syscollector_osinfo": 26,
                    "syscollector_packages": 49, "syscollector_ports": 33, "syscollector_processes": 188,
                    "deprecated": { "hardware": 0, "hotfix": 0, "netaddr": 0, "netinfo": 0, "netproto": 0, "osinfo": 6, "package": 0, "port": 0, "process": 0 }
                  },
                  "vulnerability": { "vuln_cves": 0 }
                }
              },
              "global": 349,
              "global_breakdown": {
                "db": { "backup": 0, "sql": 0 },
                "tables": {
                  "agent": {
                    "delete-agent": 0, "disconnect-agents": 0, "find-agent": 0, "get-agent-info": 46,
                    "get-agents-by-connection-status": 90, "get-all-agents": 29, "get-groups-integrity": 0,
                    "insert-agent": 0, "reset-agents-connection": 0, "select-agent-group": 29, "select-agent-name": 0,
                    "set-agent-groups": 0, "sync-agent-groups-get": 22, "sync-agent-info-get": 0, "sync-agent-info-set": 0,
                    "update-agent-data": 126, "update-agent-name": 0, "update-connection-status": 0, "update-keepalive": 0
                  },
                  "belongs": { "get-group-agents": 0, "select-group-belong": 0 },
                  "group": { "delete-group": 0, "find-group": 0, "insert-agent-group": 0, "select-groups": 0 },
                  "labels": { "get-labels": 1 }
                }
              },
              "mitre": 121,
              "mitre_breakdown": { "db": { "sql": 121 } },
              "task": 1,
              "task_breakdown": {
                "db": { "sql": 0 },
                "tables": {
                  "tasks": { "delete_old": 0, "set_timeout": 0, "upgrade": 0, "upgrade_cancel_tasks": 0, "upgrade_custom": 0, "upgrade_get_status": 0, "upgrade_result": 0, "upgrade_update_status": 0 }
                }
              },
              "wazuhdb": 0,
              "wazuhdb_breakdown": { "db": { "remove": 0 } }
            }
          }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Statistical information for each daemon was successfully read",
  "error": 0
}
```

Global configuration

Get API active configuration from manager - wazuh-db/internal :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/wazuh-db/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "wazuh_db": {
          "commit_time_max": 60,
          "commit_time_min": 10,
          "open_db_limit": 64,
          "worker_pool_size": 8
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from manager - wazuh-db/wdb :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/wazuh-db/wdb" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "wdb": {
          "backup": [
            {
              "database": "global",
              "enabled": true,
              "interval": 86400,
              "max_files": 3
            }
          ]
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from manager - wazuh-db/invalid :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/wazuh-db/invalid" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "'invalid' is not one of ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test']. Failed validating 'enum' in schema: {'enum': ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test'], 'type': 'string'}. On instance: 'invalid'"
}
```

Get API active configuration from manager - wazuh-db/empty :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/wazuh-db/" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Not Found",
  "detail": "404: Not Found"
}
```

Cluster wazuh-db endpoints

Get API daemons list statistics of the worker 1 - wazuh-db :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/daemons/stats?daemons_list=wazuh-db" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "uptime": "2022-10-24T15:57:54+00:00",
        "timestamp": "2022-10-24T18:38:24+00:00",
        "name": "wazuh-db",
        "metrics": {
          "queries": {
            "received": 9657,
            "received_breakdown": {
              "agent": 2227,
              "agent_breakdown": {
                "db": { "begin": 0, "close": 0, "commit": 0, "remove": 0, "sql": 0 },
                "tables": {
                  "ciscat": { "ciscat": 0 },
                  "rootcheck": { "rootcheck": 4 },
                  "sca": { "sca": 6 },
                  "sync": { "dbsync": 130 },
                  "syscheck": { "fim_file": 1835, "fim_registry": 0, "syscheck": 2 },
                  "syscollector": {
                    "syscollector_hotfixes": 3, "syscollector_hwinfo": 6, "syscollector_network_address": 3,
                    "syscollector_network_iface": 6, "syscollector_network_protocol": 3, "syscollector_osinfo": 4,
                    "syscollector_packages": 3, "syscollector_ports": 15, "syscollector_processes": 207,
                    "deprecated": { "hardware": 0, "hotfix": 0, "netaddr": 0, "netinfo": 0, "netproto": 0, "osinfo": 0, "package": 0, "port": 0, "process": 0 }
                  },
                  "vulnerability": { "vuln_cves": 0 }
                }
              },
              "global": 6102,
              "global_breakdown": {
                "db": { "backup": 0, "sql": 0 },
                "tables": {
                  "agent": {
                    "delete-agent": 0, "disconnect-agents": 16, "find-agent": 0, "get-agent-info": 1922,
                    "get-agents-by-connection-status": 0, "get-all-agents": 966, "get-groups-integrity": 0,
                    "insert-agent": 2, "reset-agents-connection": 1, "select-agent-group": 2, "select-agent-name": 0,
                    "set-agent-groups": 957, "sync-agent-groups-get": 1274, "sync-agent-info-get": 958, "sync-agent-info-set": 0,
                    "update-agent-data": 1, "update-agent-name": 1, "update-connection-status": 0, "update-keepalive": 0
                  },
                  "belongs": { "get-group-agents": 0, "select-group-belong": 0 },
                  "group": { "delete-group": 0, "find-group": 1, "insert-agent-group": 0, "select-groups": 1 },
                  "labels": { "get-labels": 0 }
                }
              },
              "mitre": 1328,
              "mitre_breakdown": { "db": { "sql": 1328 } },
              "task": 0,
              "task_breakdown": {
                "db": { "sql": 0 },
                "tables": {
                  "tasks": { "delete_old": 0, "set_timeout": 0, "upgrade": 0, "upgrade_cancel_tasks": 0, "upgrade_custom": 0, "upgrade_get_status": 0, "upgrade_result": 0, "upgrade_update_status": 0 }
                }
              },
              "wazuhdb": 0,
              "wazuhdb_breakdown": { "db": { "remove": 0 } }
            }
          },
          "time": {
            "execution": 2253,
            "execution_breakdown": {
              "agent": 1865,
              "agent_breakdown": {
                "db": { "begin": 0, "close": 0, "commit": 0, "remove": 0, "sql": 0 },
                "tables": {
                  "ciscat": { "ciscat": 0 },
                  "rootcheck": { "rootcheck": 17 },
                  "sca": { "sca": 0 },
                  "sync": { "dbsync": 1069 },
                  "syscheck": { "fim_file": 570, "fim_registry": 0, "syscheck": 5 },
                  "syscollector": {
                    "syscollector_hotfixes": 16, "syscollector_hwinfo": 22, "syscollector_network_address": 17,
                    "syscollector_network_iface": 19, "syscollector_network_protocol": 19, "syscollector_osinfo": 21,
                    "syscollector_packages": 28, "syscollector_ports": 18, "syscollector_processes": 38,
                    "deprecated": { "hardware": 0, "hotfix": 0, "netaddr": 0, "netinfo": 0, "netproto": 0, "osinfo": 0, "package": 0, "port": 0, "process": 0 }
                  },
                  "vulnerability": { "vuln_cves": 0 }
                }
              },
              "global": 268,
              "global_breakdown": {
                "db": { "backup": 0, "sql": 0 },
                "tables": {
                  "agent": {
                    "delete-agent": 0, "disconnect-agents": 0, "find-agent": 0, "get-agent-info": 77,
                    "get-agents-by-connection-status": 0, "get-all-agents": 68, "get-groups-integrity": 0,
                    "insert-agent": 0, "reset-agents-connection": 0, "select-agent-group": 0, "select-agent-name": 0,
                    "set-agent-groups": 12, "sync-agent-groups-get": 62, "sync-agent-info-get": 45, "sync-agent-info-set": 0,
                    "update-agent-data": 0, "update-agent-name": 0, "update-connection-status": 0, "update-keepalive": 0
                  },
                  "belongs": { "get-group-agents": 0, "select-group-belong": 0 },
                  "group": { "delete-group": 0, "find-group": 0, "insert-agent-group": 0, "select-groups": 0 },
                  "labels": { "get-labels": 0 }
                }
              },
              "mitre": 120,
              "mitre_breakdown": { "db": { "sql": 120 } },
              "task": 0,
              "task_breakdown": {
                "db": { "sql": 0 },
                "tables": {
                  "tasks": { "delete_old": 0, "set_timeout": 0, "upgrade": 0, "upgrade_cancel_tasks": 0, "upgrade_custom": 0, "upgrade_get_status": 0, "upgrade_result": 0, "upgrade_update_status": 0 }
                }
              },
              "wazuhdb": 0,
              "wazuhdb_breakdown": { "db": { "remove": 0 } }
            }
          }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Statistical information for each daemon was successfully read",
  "error": 0
}
```

Global configuration

Get API active configuration from worker 1 - wazuh-db/internal :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/wazuh-db/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "wazuh_db": {
          "commit_time_max": 60,
          "commit_time_min": 10,
          "open_db_limit": 64,
          "worker_pool_size": 8
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from worker 1 - wazuh-db/wdb :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/wazuh-db/wdb" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "wdb": {
          "backup": [
            {
              "database": "global",
              "enabled": true,
              "interval": 86400,
              "max_files": 3
            }
          ]
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from manager - wazuh-db/invalid :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/wazuh-db/invalid" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "'invalid' is not one of ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test']. Failed validating 'enum' in schema: {'enum': ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test'], 'type': 'string'}. On instance: 'invalid'"
}
```

Get API active configuration from manager - wazuh-db/empty :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/wazuh-db/" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Not Found",
  "detail": "404: Not Found"
}
```

Agent wazuh-db endpoints

Global configuration

Get API active configuration from agent 1 - wazuh-db/internal :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/wazuh-db/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: wazuh-db:internal",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: wazuh-db:internal"
    }
  },
  "error": 1117
}
```

Get API active configuration from agent 1 - wazuh-db/wdb :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/wazuh-db/wdb" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: wazuh-db:wdb",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: wazuh-db:wdb"
    }
  },
  "error": 1117
}
```
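The statistics outputs in these tests share one structural convention: wherever a counter `K` sits next to an object `K_breakdown`, `K` equals the sum of that object's leaf values (for example `control` 858 = 856 + 1 + 0 + 1 in the wazuh-remoted agent output, and `received` 6929 = 528 + 5066 + 1328 + 7 + 0 in the wazuh-db output). The script below turns that observation into an automated check over a `/daemons/stats` response. It is an added example for this issue, not code from wazuh-qa or the Wazuh project; the `K`/`K_breakdown` pairing rule is inferred from the outputs above, and the `time` subtree is skipped because the millisecond totals on this page do not add up exactly (3268 against a leaf sum of 3261).

```python
"""Consistency check for Wazuh daemon statistics (added example, not part of
wazuh-qa or the Wazuh code base).

Rule inferred from the API output in this issue: wherever a counter K has a
sibling object K_breakdown, K equals the sum of that object's leaves.
"""
import json

SUFFIX = "_breakdown"


def breakdown_total(node):
    """Sum the leaves of a breakdown object without double counting.

    A key K whose sibling K_breakdown is present contributes its own value
    and the sibling is skipped, since K already stands for those leaves.
    Any other nested object is summed recursively.
    """
    total = 0
    for key, value in node.items():
        if key.endswith(SUFFIX) and key[: -len(SUFFIX)] in node:
            continue
        if isinstance(value, dict):
            total += breakdown_total(value)
        elif isinstance(value, (int, float)) and not isinstance(value, bool):
            total += value
    return total


def find_mismatches(node, path=""):
    """Return [(path, counter, breakdown_sum)] for every inconsistent pair."""
    mismatches = []
    for key, value in node.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            mismatches.extend(find_mismatches(value, here))
            if key.endswith(SUFFIX):
                base = key[: -len(SUFFIX)]
                if isinstance(node.get(base), (int, float)):
                    total = breakdown_total(value)
                    if total != node[base]:
                        base_path = f"{path}.{base}" if path else base
                        mismatches.append((base_path, node[base], total))
    return mismatches


def check_daemons_stats(response, skip=("time",)):
    """Check every item of a /daemons/stats response; returns {label: mismatches}.

    Manager and cluster items carry "metrics" directly; the per-agent shape
    (/agents/{id}/daemons/stats) nests them under "agents".  Subtrees named
    in ``skip`` (the timings, by default) are not checked.
    """
    report = {}
    for item in response["data"]["affected_items"]:
        targets = [(item["name"], item)] if "metrics" in item else []
        targets += [(f"{item['name']}/agent-{a['id']:03d}", a) for a in item.get("agents", [])]
        for label, holder in targets:
            metrics = {k: v for k, v in holder["metrics"].items() if k not in skip}
            report[label] = find_mismatches(metrics)
    return report


# Response of /agents/001/daemons/stats?daemons_list=wazuh-remoted from the test above.
REMOTED_RESPONSE = json.loads("""{
  "data": {"affected_items": [{"timestamp": "2022-10-24T19:37:30+00:00", "name": "wazuh-remoted",
    "agents": [{"uptime": "2022-10-24T17:14:55+00:00", "id": 1, "metrics": {"messages": {
      "received_breakdown": {"control": 858,
        "control_breakdown": {"keepalive": 856, "request": 1, "shutdown": 0, "startup": 1},
        "event": 365},
      "sent_breakdown": {"ack": 857, "ar": 2, "discarded": 0, "request": 1, "sca": 0, "shared": 0}}}}]}],
    "total_affected_items": 1, "total_failed_items": 0, "failed_items": []},
  "message": "Statistical information for each daemon was successfully read", "error": 0}""")

# Constructed sample (not from the page): "mitre" was bumped so that the
# received_breakdown leaves add up to 11 while "received" still says 10.
BROKEN_STATS = {
    "queries": {
        "received": 10,
        "received_breakdown": {
            "agent": 4,
            "agent_breakdown": {"tables": {"syscheck": {"fim_file": 3, "syscheck": 1}}},
            "global": 5,
            "global_breakdown": {"db": {"sql": 2}, "tables": {"agent": {"get-all-agents": 3}}},
            "mitre": 2,
        },
    }
}

if __name__ == "__main__":
    print(check_daemons_stats(REMOTED_RESPONSE))  # {'wazuh-remoted/agent-001': []}
    print(find_mismatches(BROKEN_STATS))          # [('queries.received', 10, 11)]
```

Feeding the wazuh-db responses above through `check_daemons_stats` (after `json.load` of the saved `curl` output) gives an empty mismatch list for every `queries` pair, which is the property a reviewer would otherwise verify by hand with a calculator.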
fedepacher commented 1 year ago

Testing API endpoints - Part 3

Manager analysisd endpoints

Get API daemons list statistics of the manager - wazuh-analysisd :green_circle:

`curl -k -X GET "https://localhost:55000/manager/daemons/stats?daemons_list=wazuh-analysisd" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "uptime": "2022-10-24T17:14:45+00:00",
        "timestamp": "2022-10-24T18:33:06+00:00",
        "name": "wazuh-analysisd",
        "metrics": {
          "bytes": { "received": 332564 },
          "events": {
            "processed": 685,
            "received": 968,
            "received_breakdown": {
              "decoded_breakdown": {
                "agent": 0,
                "agentless": 0,
                "dbsync": 281,
                "integrations_breakdown": { "virustotal": 0 },
                "modules_breakdown": {
                  "aws": 0, "azure": 0, "ciscat": 0, "command": 0, "docker": 0, "gcp": 0, "github": 0,
                  "logcollector_breakdown": { "eventchannel": 0, "eventlog": 0, "macos": 0, "others": 473 },
                  "office365": 0, "oscap": 0, "osquery": 0, "rootcheck": 4, "sca": 2, "syscheck": 2,
                  "syscollector": 205, "upgrade": 0, "vulnerability": 0
                },
                "monitor": 1,
                "remote": 0,
                "syslog": 0
              },
              "dropped_breakdown": {
                "agent": 0,
                "agentless": 0,
                "dbsync": 0,
                "integrations_breakdown": { "virustotal": 0 },
                "modules_breakdown": {
                  "aws": 0, "azure": 0, "ciscat": 0, "command": 0, "docker": 0, "gcp": 0, "github": 0,
                  "logcollector_breakdown": { "eventchannel": 0, "eventlog": 0, "macos": 0, "others": 0 },
                  "office365": 0, "oscap": 0, "osquery": 0, "rootcheck": 0, "sca": 0, "syscheck": 0,
                  "syscollector": 0, "upgrade": 0, "vulnerability": 0
                },
                "monitor": 0,
                "remote": 0,
                "syslog": 0
              }
            },
            "written_breakdown": { "alerts": 22, "archives": 0, "firewall": 0, "fts": 1, "stats": 0 }
          },
          "queues": {
            "alerts": { "size": 16384, "usage": 0 },
            "archives": { "size": 16384, "usage": 0 },
            "dbsync": { "size": 16384, "usage": 0 },
            "eventchannel": { "size": 16384, "usage": 0 },
            "firewall": { "size": 16384, "usage": 0 },
            "fts": { "size": 16384, "usage": 0 },
            "hostinfo": { "size": 16384, "usage": 0 },
            "others": { "size": 16384, "usage": 0 },
            "processed": { "size": 16384, "usage": 0 },
            "rootcheck": { "size": 16384, "usage": 0 },
            "sca": { "size": 16384, "usage": 0 },
            "stats": { "size": 16384, "usage": 0 },
            "syscheck": { "size": 16384, "usage": 0 },
            "syscollector": { "size": 16384, "usage": 0 },
            "upgrade": { "size": 16384, "usage": 0 }
          }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Statistical information for each daemon was successfully read",
  "error": 0
}
```

Global configuration

Get API active configuration from manager - analysis/global :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "global": {
          "email_notification": "no",
          "logall": "no",
          "logall_json": "no",
          "integrity_checking": 8,
          "rootkit_detection": 8,
          "host_information": 8,
          "prelude_output": "no",
          "zeromq_output": "no",
          "jsonout_output": "yes",
          "alerts_log": "yes",
          "stats": 4,
          "memory_size": 8192,
          "white_list": [ "127.0.0.1", "127.0.0.53", "localhost.localdomain" ],
          "rotate_interval": 0,
          "max_output_size": 0,
          "eps": { "maximum": 0, "timeframe": 10 }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from manager - analysis/alerts :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/alerts" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "alerts": { "email_alert_level": 12, "log_alert_level": 3 }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from manager - analysis/command :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/command" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "command": [
          { "name": "disable-account", "executable": "disable-account", "timeout_allowed": 1 },
          { "name": "restart-wazuh", "executable": "restart-wazuh", "timeout_allowed": 0 },
          { "name": "firewall-drop", "executable": "firewall-drop", "timeout_allowed": 1 },
          { "name": "host-deny", "executable": "host-deny", "timeout_allowed": 1 },
          { "name": "route-null", "executable": "route-null", "timeout_allowed": 1 },
          { "name": "win_route-null", "executable": "route-null.exe", "timeout_allowed": 1 },
          { "name": "netsh", "executable": "netsh.exe", "timeout_allowed": 1 }
        ]
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from manager - analysis/decoders :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/decoders" -H "Authorization: Bearer $TOKEN" | jq .`

[output_command_analysis_decoder_manager.zip](https://github.com/wazuh/wazuh-qa/files/9860726/output_command_analysis_decoder_manager.zip)

Get API active configuration from manager - analysis/internal :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "internal": {
          "analysisd": {
            "debug": 0,
            "default_timeframe": 360,
            "stats_maxdiff": 999000,
            "stats_mindiff": 1250,
            "stats_percent_diff": 150,
            "fts_list_size": 32,
            "fts_min_size_for_str": 14,
            "log_fw": 1,
            "decoder_order_size": 256,
            "label_cache_maxage": 10,
            "show_hidden_labels": 0,
            "rlimit_nofile": 458752,
            "min_rotate_interval": 600
          }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from manager - analysis/rule_test :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/rule_test" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "rule_test": { "enabled": "yes", "threads": 1, "max_sessions": 64, "session_timeout": 900 }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from manager - analysis/invalid :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/invalid" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "'invalid' is not one of ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test']. Failed validating 'enum' in schema: {'enum': ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test'], 'type': 'string'}. On instance: 'invalid'"
}
```

Get API active configuration from manager - analysis/empty :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Not Found",
  "detail": "404: Not Found"
}
```

Cluster analysisd endpoints

Get API daemons list statistics of the worker 1 - wazuh-analysisd :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/daemons/stats?daemons_list=wazuh-analysisd" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "uptime": "2022-10-24T15:57:57+00:00",
        "timestamp": "2022-10-24T18:40:41+00:00",
        "name": "wazuh-analysisd",
        "metrics": {
          "bytes": { "received": 1317848 },
          "events": {
            "processed": 904,
            "received": 2991,
            "received_breakdown": {
              "decoded_breakdown": {
                "agent": 0,
                "agentless": 0,
                "dbsync": 2085,
                "integrations_breakdown": { "virustotal": 0 },
                "modules_breakdown": {
                  "aws": 0, "azure": 0, "ciscat": 0, "command": 0, "docker": 0, "gcp": 0, "github": 0,
                  "logcollector_breakdown": { "eventchannel": 0, "eventlog": 0, "macos": 0, "others": 767 },
                  "office365": 0, "oscap": 0, "osquery": 0, "rootcheck": 4, "sca": 2, "syscheck": 2,
                  "syscollector": 130, "upgrade": 0, "vulnerability": 0
                },
                "monitor": 1,
                "remote": 0,
                "syslog": 0
              },
              "dropped_breakdown": {
                "agent": 0,
                "agentless": 0,
                "dbsync": 0,
                "integrations_breakdown": { "virustotal": 0 },
                "modules_breakdown": {
                  "aws": 0, "azure": 0, "ciscat": 0, "command": 0, "docker": 0, "gcp": 0, "github": 0,
                  "logcollector_breakdown": { "eventchannel": 0, "eventlog": 0, "macos": 0, "others": 0 },
                  "office365": 0, "oscap": 0, "osquery": 0, "rootcheck": 0, "sca": 0, "syscheck": 0,
                  "syscollector": 0, "upgrade": 0, "vulnerability": 0
                },
                "monitor": 0,
                "remote": 0,
                "syslog": 0
              }
            },
            "written_breakdown": { "alerts": 41, "archives": 0, "firewall": 0, "fts": 0, "stats": 0 }
          },
          "queues": {
            "alerts": { "size": 16384, "usage": 0 },
            "archives": { "size": 16384, "usage": 0 },
            "dbsync": { "size": 16384, "usage": 0 },
            "eventchannel": { "size": 16384, "usage": 0 },
            "firewall": { "size": 16384, "usage": 0 },
            "fts": { "size": 16384, "usage": 0 },
            "hostinfo": { "size": 16384, "usage": 0 },
            "others": { "size": 16384, "usage": 0 },
            "processed": { "size": 16384, "usage": 0 },
            "rootcheck": { "size": 16384, "usage": 0 },
            "sca": { "size": 16384, "usage": 0 },
            "stats": { "size": 16384, "usage": 0 },
            "syscheck": { "size": 16384, "usage": 0 },
            "syscollector": { "size": 16384, "usage": 0 },
            "upgrade": { "size": 16384, "usage": 0 }
          }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Statistical information for each daemon was successfully read",
  "error": 0
}
```

Global configuration

Get API active configuration from worker 1 - analysis/global :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/analysis/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "global": {
          "email_notification": "no",
          "logall": "no",
          "logall_json": "no",
          "integrity_checking": 8,
          "rootkit_detection": 8,
          "host_information": 8,
          "prelude_output": "no",
          "zeromq_output": "no",
          "jsonout_output": "yes",
          "alerts_log": "yes",
          "stats": 4,
          "memory_size": 8192,
          "white_list": [ "127.0.0.1", "127.0.0.53", "localhost.localdomain" ],
          "rotate_interval": 0,
          "max_output_size": 0,
          "eps": { "maximum": 0, "timeframe": 10 }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from worker 1 - analysis/alerts :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/analysis/alerts" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "alerts": { "email_alert_level": 12, "log_alert_level": 3 }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from worker 1 - analysis/command :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/analysis/command" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "command": [
          { "name": "disable-account", "executable": "disable-account", "timeout_allowed": 1 },
          { "name": "restart-wazuh", "executable": "restart-wazuh", "timeout_allowed": 0 },
          { "name": "firewall-drop", "executable": "firewall-drop", "timeout_allowed": 1 },
          { "name": "host-deny", "executable": "host-deny", "timeout_allowed": 1 },
          { "name": "route-null", "executable": "route-null", "timeout_allowed": 1 },
          { "name": "win_route-null", "executable": "route-null.exe", "timeout_allowed": 1 },
          { "name": "netsh", "executable": "netsh.exe", "timeout_allowed": 1 }
        ]
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from worker 1 - analysis/decoders :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/analysis/decoders" -H "Authorization: Bearer $TOKEN" | jq .`

[output_command_analysis_decoder_worker.zip](https://github.com/wazuh/wazuh-qa/files/9860731/output_command_analysis_decoder_worker.zip)

Get API active configuration from worker 1 - analysis/internal :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/analysis/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "internal": {
          "analysisd": {
            "debug": 0,
            "default_timeframe": 360,
            "stats_maxdiff": 999000,
            "stats_mindiff": 1250,
            "stats_percent_diff": 150,
            "fts_list_size": 32,
            "fts_min_size_for_str": 14,
            "log_fw": 1,
            "decoder_order_size": 256,
            "label_cache_maxage": 10,
            "show_hidden_labels": 0,
            "rlimit_nofile": 458752,
            "min_rotate_interval": 600
          }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from worker 1 - analysis/rule_test :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/analysis/rule_test" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "rule_test": { "enabled": "yes", "threads": 1, "max_sessions": 64, "session_timeout": 900 }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Get API active configuration from manager - analysis/invalid :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/invalid" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "'invalid' is not one of ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test']. Failed validating 'enum' in schema: {'enum': ['client', 'buffer', 'labels', 'internal', 'agentless', 'global', 'active_response', 'alerts', 'command', 'rules', 'decoders', 'auth', 'logging', 'reports', 'active-response', 'cluster', 'csyslog', 'integration', 'localfile', 'socket', 'remote', 'syscheck', 'rootcheck', 'wdb', 'wmodules', 'rule_test'], 'type': 'string'}. On instance: 'invalid'"
}
```

Get API active configuration from manager - analysis/empty :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/analysis/" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Not Found",
  "detail": "404: Not Found"
}
```

Agent analysisd endpoints

Get API analysisd global configuration of the agent 0 - wazuh-analysisd :green_circle:

`curl -k -X GET "https://localhost:55000/agents/000/config/analysis/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "global": { "email_notification": "no", "logall": "no", "logall_json": "no", "integrity_checking": 8, "rootkit_detection": 8, "host_information": 8, "prelude_output": "no", "zeromq_output": "no", "jsonout_output": "yes", "alerts_log": "yes", "stats": 4, "memory_size": 8192, "white_list": [ "127.0.0.1", "127.0.0.53", "localhost.localdomain" ], "rotate_interval": 0, "max_output_size": 0, "eps": { "maximum": 0, "timeframe": 10 } } }, "error": 0 }
```

Global configuration

Get API active configuration from agent 1 - analysis/global :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/analysis/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "title": "Bad Request", "detail": "Unable to connect with component. The component might be disabled.: analysis:global", "dapi_errors": { "master-node": { "error": "Unable to connect with component. The component might be disabled.: analysis:global" } }, "error": 1117 }
```

Get API active configuration from agent 1 - analysis/alerts :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/analysis/alerts" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "title": "Bad Request", "detail": "Unable to connect with component. The component might be disabled.: analysis:alerts", "dapi_errors": { "master-node": { "error": "Unable to connect with component. The component might be disabled.: analysis:alerts" } }, "error": 1117 }
```

Get API active configuration from agent 1 - analysis/command :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/analysis/command" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "title": "Bad Request", "detail": "Unable to connect with component. The component might be disabled.: analysis:command", "dapi_errors": { "master-node": { "error": "Unable to connect with component. The component might be disabled.: analysis:command" } }, "error": 1117 }
```

Get API active configuration from agent 1 - analysis/decoders :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/analysis/decoders" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "title": "Bad Request", "detail": "Unable to connect with component. The component might be disabled.: analysis:decoders", "dapi_errors": { "master-node": { "error": "Unable to connect with component. The component might be disabled.: analysis:decoders" } }, "error": 1117 }
```

Get API active configuration from agent 1 - analysis/internal :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/analysis/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "title": "Bad Request", "detail": "Unable to connect with component. The component might be disabled.: auth:auth", "dapi_errors": { "master-node": { "error": "Unable to connect with component. The component might be disabled.: auth:auth" } }, "error": 1117 }
```

Get API active configuration from agent 1 - analysis/rule_test :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/analysis/rule_test" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "title": "Bad Request", "detail": "Unable to connect with component. The component might be disabled.: auth:auth", "dapi_errors": { "master-node": { "error": "Unable to connect with component. The component might be disabled.: auth:auth" } }, "error": 1117 }
```
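The responses pasted in this issue come in a handful of envelope shapes: the manager/cluster form with `data.affected_items`, `failed_items` and their two counters; the agent-000 form that returns the section directly under `data`; the `dapi_errors` form with `error: 1117` when a component is not reachable for an agent; and plain HTTP errors with only `title`/`detail`. The script below is an added example for this QA issue, not Wazuh's own code: it encodes the consistency rules a tester checks by eye on each response (counters match list lengths, a failure message goes with a non-zero `error`, a `dapi_errors` entry matches `detail`) and runs them over constructed copies of each shape seen in the issue. The function names `classify`, `check_envelope` and `run_checks` and the `SAMPLES` dictionary are mine, and the long enum `detail` of the 400 response is abbreviated in the sample.

```python
"""Consistency checks for Wazuh API active-configuration responses.

Added example for this QA issue; it is not Wazuh's code. SAMPLES holds
constructed copies of the response shapes posted in the issue (the 'detail'
text of the 400 response is abbreviated).
"""
import json
import sys

SAMPLES = {
    # Cluster/manager endpoint whose daemon answered.
    "rule_test_ok": {"data": {"affected_items": [{"rule_test": {"enabled": "yes", "threads": 1, "max_sessions": 64, "session_timeout": 900}}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "Active configuration was successfully read in specified node", "error": 0},
    # Agent 000 endpoint: the section sits directly under 'data', no item counters.
    "agent000_global": {"data": {"global": {"email_notification": "no", "logall": "no", "stats": 4, "memory_size": 8192}}, "error": 0},
    # Real agent asked for an analysisd section: component not reachable (1117).
    "agent_dapi_error": {"title": "Bad Request", "detail": "Unable to connect with component. The component might be disabled.: analysis:global", "dapi_errors": {"master-node": {"error": "Unable to connect with component. The component might be disabled.: analysis:global"}}, "error": 1117},
    # Unknown section name rejected by the API schema (detail abbreviated here).
    "invalid_component": {"title": "Bad Request", "detail": "'invalid' is not one of [...]. Failed validating 'enum' in schema"},
    # Manager endpoint whose daemon socket is not available: one failed item per node.
    "socket_unreachable": {"data": {"affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [{"error": {"code": 1121, "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured"}, "id": ["master-node"]}]}, "message": "Could not read active configuration in specified node", "error": 1},
    # Nothing affected, nothing failed, failure message, yet error == 0.
    "empty_result": {"data": {"affected_items": [], "total_affected_items": 0, "total_failed_items": 0, "failed_items": []}, "message": "Could not read active configuration in specified node", "error": 0},
}


def classify(resp: dict) -> str:
    """Name the envelope shape: success, partial, failed, dapi_error or http_error."""
    if "data" in resp:
        data = resp["data"]
        if "affected_items" not in data:
            # Agent endpoints return the section itself; only 'error' is available.
            return "success" if resp.get("error") == 0 else "failed"
        if data["total_failed_items"] == 0 and data["total_affected_items"] > 0:
            return "success"
        if data["total_affected_items"] > 0 and data["total_failed_items"] > 0:
            return "partial"
        return "failed"
    if "dapi_errors" in resp:      # must be tested before 'title': it carries both
        return "dapi_error"
    if "title" in resp:
        return "http_error"
    return "unknown"


def check_envelope(resp: dict) -> list[str]:
    """Return the inconsistencies found; an empty list means the response is self-consistent."""
    problems = []
    data = resp.get("data")
    if isinstance(data, dict) and "affected_items" in data:
        if len(data["affected_items"]) != data["total_affected_items"]:
            problems.append("total_affected_items does not match affected_items length")
        if len(data["failed_items"]) != data["total_failed_items"]:
            problems.append("total_failed_items does not match failed_items length")
        if data["total_failed_items"] > 0 and resp.get("error") == 0:
            problems.append("failed_items present but error == 0")
        if data["total_failed_items"] == 0 and data["total_affected_items"] == 0:
            problems.append("no affected and no failed items: the component returned nothing")
        msg = resp.get("message", "")
        if msg.startswith("Could not") and resp.get("error") == 0:
            problems.append("failure message with error == 0")
        if msg.startswith("Active configuration was successfully") and resp.get("error") != 0:
            problems.append("success message with non-zero error")
    elif "dapi_errors" in resp:
        if resp.get("error", 0) == 0:
            problems.append("dapi_errors present but error == 0")
        for node, err in resp["dapi_errors"].items():
            if err.get("error") != resp.get("detail"):
                problems.append(f"dapi_errors[{node}] does not match detail")
    elif "title" in resp and "detail" not in resp:
        problems.append("HTTP error without detail")
    return problems


def run_checks(responses: dict) -> dict:
    """Map each response name to (shape, problems)."""
    return {name: (classify(r), check_envelope(r)) for name, r in responses.items()}


if __name__ == "__main__":
    # With a response on stdin (e.g. piped from curl) check that one; otherwise the samples.
    if not sys.stdin.isatty():
        resp = json.loads(sys.stdin.read())
        print(classify(resp), check_envelope(resp) or "consistent")
    else:
        for name, (shape, problems) in run_checks(SAMPLES).items():
            print(f"{name:20s} {shape:11s} {problems or 'consistent'}")
```

Run without arguments it prints one line per sample; only `empty_result` (the shape logcollector/socket returns in the tests below) is flagged, for carrying a failure message together with `error: 0`. Piping a live `curl` response into the script checks that response instead.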
fedepacher commented 1 year ago

Testing API endpoints - Extras

Manager endpoints

Get API active configuration from manager - agent/client :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/agent/client" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - agent/buffer :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/agent/buffer" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - agent/labels :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/agent/labels" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - agent/internal :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/agent/labels" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - agentless/agentless :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/agentless/agentless" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agentless' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - auth/auth :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/auth/auth" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "auth": { "port": 1515, "disabled": "no", "remote_enrollment": "yes", "ipv6": "no", "use_source_ip": "no", "purge": "yes", "use_password": "no", "ssl_verify_host": "no", "ssl_auto_negotiate": "no", "ciphers": "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH", "ssl_manager_cert": "etc/sslmanager.cert", "ssl_manager_key": "etc/sslmanager.key", "key_request": { "enabled": "no" }, "force": { "enabled": "yes", "key_mismatch": "yes", "disconnected_time": { "enabled": "yes", "value": 3600 }, "after_registration_time": 3600 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```
Get API active configuration from manager - com/active-response :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/com/active-response" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "active-response": { "disabled": "no" } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - com/logging :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/com/logging" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "logging": { "plain": "yes", "json": "no" } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - com/internal :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/com/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "internal": { "execd": { "request_timeout": 0, "max_restart_lock": 0 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - com/cluster :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/com/cluster" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "internal": { "execd": { "request_timeout": 0, "max_restart_lock": 0 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - csyslog/csyslog :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/csyslog/csyslog" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'csyslog' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - integrator/integration :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/integrator/integration" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'integrator' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - logcollector/localfile :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/logcollector/localfile" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "localfile": [ { "logformat": "command", "command": "df -P", "alias": "df -P", "ignore_binaries": "no", "target": [ "agent" ], "frequency": 360 }, { "logformat": "full_command", "command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d", "alias": "netstat listening ports", "ignore_binaries": "no", "target": [ "agent" ], "frequency": 360 }, { "logformat": "full_command", "command": "last -n 20", "alias": "last -n 20", "ignore_binaries": "no", "target": [ "agent" ], "frequency": 360 }, { "file": "/var/log/audit/audit.log", "logformat": "audit", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/ossec/logs/active-responses.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/log/auth.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/log/syslog", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/log/dpkg.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/log/kern.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] } ] } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - logcollector/socket :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/logcollector/socket" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 0, "failed_items": [] }, "message": "Could not read active configuration in specified node", "error": 0 }
```

Get API active configuration from manager - logcollector/internal :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/logcollector/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "internal": { "logcollector": { "remote_commands": 0, "loop_timeout": 2, "open_attempts": 8, "vcheck_files": 64, "max_lines": 10000, "max_files": 1000, "sock_fail_time": 300, "debug": 0, "sample_log_length": 64, "queue_size": 1024, "input_threads": 4, "force_reload": 0, "reload_interval": 64, "reload_delay": 1000, "exclude_files_interval": 86400, "state_interval": 60, "rlimit_nofile": 1100 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - mail/global :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/mail/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'mail' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - mail/alerts :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/mail/alerts" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'mail' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - mail/internal :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/mail/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'mail' is properly configured" }, "id": [ "master-node" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from manager - monitor/global :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/monitor/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "monitord": { "agents_disconnection_time": 600, "agents_disconnection_alert_time": 0 } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - monitor/internal :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/monitor/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "monitord": { "agents_disconnection_time": 600, "agents_disconnection_alert_time": 0 } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - syscheck/syscheck :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/syscheck/syscheck" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "internal": { "remoted": { "recv_counter_flush": 128, "comp_average_printout": 19999, "verify_msg_id": 0, "recv_timeout": 0, "pass_empty_keyfile": 1, "sender_pool": 8, "request_pool": 1024, "request_rto_sec": 1, "request_rto_msec": 0, "max_attempts": 4, "request_timeout": 10, "response_timeout": 60, "shared_reload": 10, "rlimit_nofile": 458752, "merge_shared": 0, "guess_agent_group": 0, "receive_chunk": 4096, "send_chunk": 4096, "buffer_relax": 1, "send_buffer_size": 131072, "send_timeout_to_retry": 1, "tcp_keepidle": 30, "tcp_keepintvl": 10, "tcp_keepcnt": 3 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - syscheck/rootcheck :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/syscheck/rootcheck" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "rootcheck": { "disabled": "no", "base_directory": "", "rootkit_files": "etc/rootcheck/rootkit_files.txt", "rootkit_trojans": "etc/rootcheck/rootkit_trojans.txt", "scanall": "no", "skip_nfs": "yes", "frequency": 43200, "check_dev": "yes", "check_files": "yes", "check_if": "yes", "check_pids": "yes", "check_ports": "yes", "check_sys": "yes", "check_trojans": "yes", "check_unixaudit": "no" } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - syscheck/internal :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/syscheck/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "internal": { "syscheck": { "rt_delay": 5, "default_max_depth": 256, "symlink_scan_interval": 600, "debug": 0, "file_max_size": 1073741824, "max_audit_entries": 256 }, "rootcheck": { "sleep": 50 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Get API active configuration from manager - wmodules/wmodules :green_circle:

`curl -k -X GET "https://localhost:55000/manager/configuration/wmodules/wmodules" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "wmodules": [ { "agent-upgrade": { "enabled": "yes", "max_threads": 8, "chunk_size": 512 } }, { "task-manager": { "enabled": "yes" } }, { "cis-cat": { "disabled": "yes", "scan-on-start": "yes", "interval": 86400, "java_path": "wodles/java", "ciscat_path": "wodles/ciscat", "ciscat_binary": "CIS-CAT.sh", "timeout": 1800 } }, { "osquery": { "disabled": "yes", "run_daemon": "yes", "add_labels": "yes", "log_path": "/var/log/osquery/osqueryd.results.log", "config_path": "/etc/osquery/osquery.conf" } }, { "syscollector": { "disabled": "no", "scan-on-start": "yes", "interval": 3600, "network": "yes", "os": "yes", "hardware": "yes", "packages": "yes", "ports": "yes", "ports_all": "no", "processes": "yes", "sync_max_eps": 10 } }, { "sca": { "interval": 43200, "enabled": "yes", "scan_on_start": "yes", "skip_nfs": "yes", "policies": [ "/var/ossec/ruleset/sca/cis_ubuntu22-04.yml" ] } }, { "vulnerability-detector": { "enabled": "yes", "run_on_start": "yes", "interval": 300, "min_full_scan_interval": 21600, "retry_interval": 30, "providers": [ { "name": "debian", "version": "BUSTER", "url": "https://www.debian.org/security/oval/oval-definitions-buster.xml", "update_interval": 3600, "download_timeout": 300 }, { "name": "debian", "version": "BULLSEYE", "url": "https://www.debian.org/security/oval/oval-definitions-bullseye.xml", "update_interval": 3600, "download_timeout": 300 }, { "name": "nvd", "update_from_year": 2010, "update_interval": 3600, "download_timeout": 300 }, { "name": "msu", "update_interval": 3600, "download_timeout": 300 } ] } }, { "database": { "sync_agents": "yes", "real_time": "yes", "interval": 60, "max_queued_events": 0 } }, { "wazuh_download": { "enabled": "yes" } }, { "wazuh_control": { "enabled": "yes" } } ] } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```

Cluster endpoint

Get API active configuration from worker 1 - agent/client :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/agent/client" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured" }, "id": [ "worker-node-1" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from worker 1 - agent/buffer :yellow_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/agent/buffer" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured" }, "id": [ "worker-node-1" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from worker 1 - agent/labels :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/agent/labels" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured" }, "id": [ "worker-node-1" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from worker 1 - agent/internal :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/agent/labels" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agent' is properly configured" }, "id": [ "worker-node-1" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from worker 1 - agentless/agentless :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/agentless/agentless" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'agentless' is properly configured" }, "id": [ "worker-node-1" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 }
```

Get API active configuration from worker 1 - auth/auth :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/auth/auth" -H "Authorization: Bearer $TOKEN" | jq .`

```
{ "data": { "affected_items": [ { "auth": { "port": 1515, "disabled": "no", "remote_enrollment": "yes", "ipv6": "no", "use_source_ip": "no", "purge": "yes", "use_password": "no", "ssl_verify_host": "no", "ssl_auto_negotiate": "no", "ciphers": "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH", "ssl_manager_cert": "etc/sslmanager.cert", "ssl_manager_key": "etc/sslmanager.key", "key_request": { "enabled": "no" }, "force": { "enabled": "yes", "key_mismatch": "yes", "disconnected_time": { "enabled": "yes", "value": 3600 }, "after_registration_time": 3600 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 }
```
Get API active configuration from worker 1 - com/active-response :green_circle: `curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/com/active-response" -H "Authorization: Bearer $TOKEN" | jq .` ``` { "data": { "affected_items": [ { "active-response": { "disabled": "no" } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 } ```
Get API active configuration from worker 1 - com/logging :green_circle: `curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/com/logging" -H "Authorization: Bearer $TOKEN" | jq .` ``` { "data": { "affected_items": [ { "logging": { "plain": "yes", "json": "no" } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 } ```
Get API active configuration from worker 1 - com/internal :green_circle: `curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/com/internal" -H "Authorization: Bearer $TOKEN" | jq .` ``` { "data": { "affected_items": [ { "internal": { "execd": { "request_timeout": 0, "max_restart_lock": 0 } } } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 } ```
Get API active configuration from worker 1 - com/cluster :green_circle: `curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/com/cluster" -H "Authorization: Bearer $TOKEN" | jq .` ``` { "data": { "affected_items": [ { "name": "wazuh", "node_name": "worker-node-1", "node_type": "worker", "key": "c98b62a9b6169ac5f67dae55ae4a9088", "port": 1516, "bind_addr": "0.0.0.0", "nodes": [ "172.31.12.161" ], "hidden": "no", "disabled": false } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 } ```
Get API active configuration from worker 1 - csyslog/csyslog :green_circle: `curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/csyslog/csyslog" -H "Authorization: Bearer $TOKEN" | jq .` ``` { "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'csyslog' is properly configured" }, "id": [ "worker-node-1" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 } ```
Get API active configuration from worker 1 - integrator/integrator :green_circle: `curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/integrator/integration" -H "Authorization: Bearer $TOKEN" | jq .` ``` { "data": { "affected_items": [], "total_affected_items": 0, "total_failed_items": 1, "failed_items": [ { "error": { "code": 1121, "message": "Error connecting with socket: Please verify that the component 'integrator' is properly configured" }, "id": [ "worker-node-1" ] } ] }, "message": "Could not read active configuration in specified node", "error": 1 } ```
Get API active configuration from worker 1 - logcollector/localfile :green_circle: `curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/logcollector/localfile" -H "Authorization: Bearer $TOKEN" | jq .` ``` { "data": { "affected_items": [ { "localfile": [ { "logformat": "command", "command": "df -P", "alias": "df -P", "ignore_binaries": "no", "target": [ "agent" ], "frequency": 360 }, { "logformat": "full_command", "command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d", "alias": "netstat listening ports", "ignore_binaries": "no", "target": [ "agent" ], "frequency": 360 }, { "logformat": "full_command", "command": "last -n 20", "alias": "last -n 20", "ignore_binaries": "no", "target": [ "agent" ], "frequency": 360 }, { "file": "/var/log/audit/audit.log", "logformat": "audit", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/ossec/logs/active-responses.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/log/auth.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/log/syslog", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/log/dpkg.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] }, { "file": "/var/log/kern.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", "target": [ "agent" ] } ] } ], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [] }, "message": "Active configuration was successfully read in specified node", "error": 0 } ```
Get API active configuration from worker 1 - logcollector/socket :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/logcollector/socket" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [],
    "total_affected_items": 0,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Could not read active configuration in specified node",
  "error": 0
}
```
Get API active configuration from worker 1 - logcollector/internal :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/logcollector/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "internal": {
          "logcollector": {
            "remote_commands": 0,
            "loop_timeout": 2,
            "open_attempts": 8,
            "vcheck_files": 64,
            "max_lines": 10000,
            "max_files": 1000,
            "sock_fail_time": 300,
            "debug": 0,
            "sample_log_length": 64,
            "queue_size": 1024,
            "input_threads": 4,
            "force_reload": 0,
            "reload_interval": 64,
            "reload_delay": 1000,
            "exclude_files_interval": 86400,
            "state_interval": 60,
            "rlimit_nofile": 1100
          }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```
Get API active configuration from worker 1 - mail/global :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/mail/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [],
    "total_affected_items": 0,
    "total_failed_items": 1,
    "failed_items": [
      {
        "error": {
          "code": 1121,
          "message": "Error connecting with socket: Please verify that the component 'mail' is properly configured"
        },
        "id": ["worker-node-1"]
      }
    ]
  },
  "message": "Could not read active configuration in specified node",
  "error": 1
}
```
Get API active configuration from worker 1 - mail/alerts :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/mail/alerts" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [],
    "total_affected_items": 0,
    "total_failed_items": 1,
    "failed_items": [
      {
        "error": {
          "code": 1121,
          "message": "Error connecting with socket: Please verify that the component 'mail' is properly configured"
        },
        "id": ["worker-node-1"]
      }
    ]
  },
  "message": "Could not read active configuration in specified node",
  "error": 1
}
```
Get API active configuration from worker 1 - mail/internal :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/mail/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [],
    "total_affected_items": 0,
    "total_failed_items": 1,
    "failed_items": [
      {
        "error": {
          "code": 1121,
          "message": "Error connecting with socket: Please verify that the component 'mail' is properly configured"
        },
        "id": ["worker-node-1"]
      }
    ]
  },
  "message": "Could not read active configuration in specified node",
  "error": 1
}
```
Get API active configuration from worker 1 - monitor/global :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/monitor/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "monitord": {
          "agents_disconnection_time": 600,
          "agents_disconnection_alert_time": 0
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```
Get API active configuration from worker 1 - monitor/internal :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/monitor/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "monitord": {
          "day_wait": 10,
          "compress": 1,
          "sign": 1,
          "monitor_agents": 0,
          "keep_log_days": 31,
          "rotate_log": 1,
          "size_rotate": 536870912,
          "daily_rotations": 12,
          "delete_old_agents": 0
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```
Get API active configuration from worker 1 - syscheck/syscheck :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/syscheck/syscheck" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "syscheck": {
          "disabled": "no",
          "frequency": 43200,
          "skip_nfs": "yes",
          "skip_dev": "yes",
          "skip_sys": "yes",
          "skip_proc": "yes",
          "scan_on_start": "yes",
          "max_files_per_second": 0,
          "file_limit": {
            "enabled": "yes",
            "entries": 100000
          },
          "diff": {
            "disk_quota": {
              "enabled": "yes",
              "limit": 1048576
            },
            "file_size": {
              "enabled": "yes",
              "limit": 51200
            }
          },
          "directories": [
            {
              "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
              "dir": "/bin",
              "recursion_level": 256,
              "diff_size_limit": 51200
            },
            {
              "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
              "dir": "/boot",
              "recursion_level": 256,
              "diff_size_limit": 51200
            },
            {
              "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
              "dir": "/etc",
              "recursion_level": 256,
              "diff_size_limit": 51200
            },
            {
              "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
              "dir": "/sbin",
              "recursion_level": 256,
              "diff_size_limit": 51200
            },
            {
              "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
              "dir": "/usr/bin",
              "recursion_level": 256,
              "diff_size_limit": 51200
            },
            {
              "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
              "dir": "/usr/sbin",
              "recursion_level": 256,
              "diff_size_limit": 51200
            }
          ],
          "nodiff": ["/etc/ssl/private.key"],
          "ignore": [
            "/etc/mtab",
            "/etc/hosts.deny",
            "/etc/mail/statistics",
            "/etc/random-seed",
            "/etc/random.seed",
            "/etc/adjtime",
            "/etc/httpd/logs",
            "/etc/utmpx",
            "/etc/wtmpx",
            "/etc/cups/certs",
            "/etc/dumpdates",
            "/etc/svc/volatile"
          ],
          "ignore_sregex": [".log$|.swp$"],
          "whodata": {
            "restart_audit": "yes",
            "startup_healthcheck": "yes"
          },
          "allow_remote_prefilter_cmd": "no",
          "synchronization": {
            "enabled": "yes",
            "max_interval": 3600,
            "interval": 300,
            "response_timeout": 30,
            "queue_size": 16384,
            "max_eps": 10
          },
          "max_eps": 100,
          "process_priority": 10,
          "database": "disk"
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```
Get API active configuration from worker 1 - syscheck/rootcheck :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/syscheck/rootcheck" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "rootcheck": {
          "disabled": "no",
          "base_directory": "",
          "rootkit_files": "etc/rootcheck/rootkit_files.txt",
          "rootkit_trojans": "etc/rootcheck/rootkit_trojans.txt",
          "scanall": "no",
          "skip_nfs": "yes",
          "frequency": 43200,
          "check_dev": "yes",
          "check_files": "yes",
          "check_if": "yes",
          "check_pids": "yes",
          "check_ports": "yes",
          "check_sys": "yes",
          "check_trojans": "yes",
          "check_unixaudit": "no"
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```
Get API active configuration from worker 1 - syscheck/internal :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/syscheck/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "internal": {
          "syscheck": {
            "rt_delay": 5,
            "default_max_depth": 256,
            "symlink_scan_interval": 600,
            "debug": 0,
            "file_max_size": 1073741824,
            "max_audit_entries": 256
          },
          "rootcheck": {
            "sleep": 50
          }
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```
Get API active configuration from worker 1 - wmodules/wmodules :green_circle:

`curl -k -X GET "https://localhost:55000/cluster/worker-node-1/configuration/wmodules/wmodules" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "affected_items": [
      {
        "wmodules": [
          {
            "agent-upgrade": {
              "enabled": "yes",
              "max_threads": 8,
              "chunk_size": 512
            }
          },
          {
            "task-manager": {
              "enabled": "yes"
            }
          },
          {
            "cis-cat": {
              "disabled": "yes",
              "scan-on-start": "yes",
              "interval": 86400,
              "java_path": "wodles/java",
              "ciscat_path": "wodles/ciscat",
              "ciscat_binary": "CIS-CAT.sh",
              "timeout": 1800
            }
          },
          {
            "osquery": {
              "disabled": "yes",
              "run_daemon": "yes",
              "add_labels": "yes",
              "log_path": "/var/log/osquery/osqueryd.results.log",
              "config_path": "/etc/osquery/osquery.conf"
            }
          },
          {
            "syscollector": {
              "disabled": "no",
              "scan-on-start": "yes",
              "interval": 3600,
              "network": "yes",
              "os": "yes",
              "hardware": "yes",
              "packages": "yes",
              "ports": "yes",
              "ports_all": "no",
              "processes": "yes",
              "sync_max_eps": 10
            }
          },
          {
            "sca": {
              "interval": 43200,
              "enabled": "yes",
              "scan_on_start": "yes",
              "skip_nfs": "yes",
              "policies": ["/var/ossec/ruleset/sca/cis_ubuntu22-04.yml"]
            }
          },
          {
            "vulnerability-detector": {
              "enabled": "no",
              "run_on_start": "yes",
              "interval": 300,
              "min_full_scan_interval": 21600,
              "retry_interval": 30,
              "providers": [
                {
                  "name": "nvd",
                  "update_from_year": 2010,
                  "update_interval": 3600,
                  "download_timeout": 300
                },
                {
                  "name": "msu",
                  "update_interval": 3600,
                  "download_timeout": 300
                }
              ]
            }
          },
          {
            "database": {
              "sync_agents": "yes",
              "real_time": "yes",
              "interval": 60,
              "max_queued_events": 0
            }
          },
          {
            "wazuh_download": {
              "enabled": "yes"
            }
          },
          {
            "wazuh_control": {
              "enabled": "yes"
            }
          }
        ]
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Active configuration was successfully read in specified node",
  "error": 0
}
```

Agent endpoint

Get API active configuration from agent 1 - agent/client :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/agent/client" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "client": {
      "config-profile": "ubuntu, ubuntu22, ubuntu22.04",
      "notify_time": 10,
      "time-reconnect": 60,
      "force_reconnect_interval": 0,
      "ip_update_interval": 0,
      "auto_restart": "yes",
      "remote_conf": "yes",
      "crypto_method": "aes",
      "server": [
        {
          "address": "172.31.12.161",
          "port": 1514,
          "max_retries": 5,
          "retry_interval": 10,
          "protocol": "tcp"
        }
      ],
      "enrollment": {
        "enabled": "yes",
        "delay_after_enrollment": 20,
        "port": 1515,
        "ssl_cipher": "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH",
        "auto_method": "no"
      }
    }
  },
  "error": 0
}
```
Get API active configuration from agent 1 - agent/buffer :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/agent/buffer" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "buffer": {
      "disabled": "no",
      "queue_size": 5000,
      "events_per_second": 500
    }
  },
  "error": 0
}
```
Get API active configuration from agent 1 - agent/labels :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/agent/labels" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "labels": []
  },
  "error": 0
}
```
Get API active configuration from agent 1 - agent/internal :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/agent/labels" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "labels": []
  },
  "error": 0
}
```
Get API active configuration from agent 1 - agentless/agentless :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/agentless/agentless" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: agentless:agentless",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: agentless:agentless"
    }
  },
  "error": 1117
}
```
Get API active configuration from agent 1 - auth/auth :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/auth/auth" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: auth:auth",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: auth:auth"
    }
  },
  "error": 1117
}
```
Get API active configuration from agent 1 - com/active-response :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/com/active-response" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "active-response": {
      "disabled": "no"
    }
  },
  "error": 0
}
```
Get API active configuration from agent 1 - com/logging :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/com/logging" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "logging": {
      "plain": "yes",
      "json": "no"
    }
  },
  "error": 0
}
```
Get API active configuration from agent 1 - com/internal :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/com/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "internal": {
      "execd": {
        "request_timeout": 0,
        "max_restart_lock": 0
      }
    }
  },
  "error": 0
}
```
Get API active configuration from agent 1 - csyslog/csyslog :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/csyslog/csyslog" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: csyslog:csyslog",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: csyslog:csyslog"
    }
  },
  "error": 1117
}
```
Get API active configuration from agent 1 - integrator/integration :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/integrator/integration" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: integrator:integration",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: integrator:integration"
    }
  },
  "error": 1117
}
```
Get API active configuration from agent 1 - logcollector/localfile :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/logcollector/localfile" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "localfile": [
      {
        "logformat": "command",
        "command": "df -P",
        "alias": "df -P",
        "ignore_binaries": "no",
        "target": ["agent"],
        "frequency": 360
      },
      {
        "logformat": "full_command",
        "command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d",
        "alias": "netstat listening ports",
        "ignore_binaries": "no",
        "target": ["agent"],
        "frequency": 360
      },
      {
        "logformat": "full_command",
        "command": "last -n 20",
        "alias": "last -n 20",
        "ignore_binaries": "no",
        "target": ["agent"],
        "frequency": 360
      },
      {
        "file": "/var/log/audit/audit.log",
        "logformat": "audit",
        "ignore_binaries": "no",
        "only-future-events": "yes",
        "target": ["agent"]
      },
      {
        "file": "/var/ossec/logs/active-responses.log",
        "logformat": "syslog",
        "ignore_binaries": "no",
        "only-future-events": "yes",
        "target": ["agent"]
      },
      {
        "file": "/var/log/auth.log",
        "logformat": "syslog",
        "ignore_binaries": "no",
        "only-future-events": "yes",
        "target": ["agent"]
      },
      {
        "file": "/var/log/syslog",
        "logformat": "syslog",
        "ignore_binaries": "no",
        "only-future-events": "yes",
        "target": ["agent"]
      },
      {
        "file": "/var/log/dpkg.log",
        "logformat": "syslog",
        "ignore_binaries": "no",
        "only-future-events": "yes",
        "target": ["agent"]
      },
      {
        "file": "/var/log/kern.log",
        "logformat": "syslog",
        "ignore_binaries": "no",
        "only-future-events": "yes",
        "target": ["agent"]
      }
    ]
  },
  "error": 0
}
```
Get API active configuration from agent 1 - logcollector/socket :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/logcollector/socket" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {},
  "error": 0
}
```
Get API active configuration from agent 1 - logcollector/internal :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/logcollector/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "internal": {
      "logcollector": {
        "remote_commands": 0,
        "loop_timeout": 2,
        "open_attempts": 8,
        "vcheck_files": 64,
        "max_lines": 10000,
        "max_files": 1000,
        "sock_fail_time": 300,
        "debug": 0,
        "sample_log_length": 64,
        "queue_size": 1024,
        "input_threads": 4,
        "force_reload": 0,
        "reload_interval": 64,
        "reload_delay": 1000,
        "exclude_files_interval": 86400,
        "state_interval": 60,
        "rlimit_nofile": 1100
      }
    }
  },
  "error": 0
}
```
Get API active configuration from agent 1 - mail/global :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/mail/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: mail:global",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: mail:global"
    }
  },
  "error": 1117
}
```
Get API active configuration from agent 1 - mail/alerts :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/mail/alerts" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: mail:alerts",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: mail:alerts"
    }
  },
  "error": 1117
}
```
Get API active configuration from agent 1 - mail/internal :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/mail/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: mail:internal",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: mail:internal"
    }
  },
  "error": 1117
}
```
Get API active configuration from agent 1 - monitor/global :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/monitor/global" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: monitor:global",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: monitor:global"
    }
  },
  "error": 1117
}
```
Get API active configuration from agent 1 - monitor/internal :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/monitor/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "title": "Bad Request",
  "detail": "Unable to connect with component. The component might be disabled.: monitor:internal",
  "dapi_errors": {
    "master-node": {
      "error": "Unable to connect with component. The component might be disabled.: monitor:internal"
    }
  },
  "error": 1117
}
```
Get API active configuration from agent 1 - syscheck/syscheck :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/syscheck/syscheck" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "syscheck": {
      "disabled": "no",
      "frequency": 43200,
      "skip_nfs": "yes",
      "skip_dev": "yes",
      "skip_sys": "yes",
      "skip_proc": "yes",
      "scan_on_start": "yes",
      "max_files_per_second": 0,
      "file_limit": {
        "enabled": "yes",
        "entries": 100000
      },
      "diff": {
        "disk_quota": {
          "enabled": "yes",
          "limit": 1048576
        },
        "file_size": {
          "enabled": "yes",
          "limit": 51200
        }
      },
      "directories": [
        {
          "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
          "dir": "/bin",
          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
          "dir": "/boot",
          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
          "dir": "/etc",
          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
          "dir": "/sbin",
          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
          "dir": "/usr/bin",
          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": ["check_md5sum", "check_sha1sum", "check_perm", "check_size", "check_owner", "check_group", "check_mtime", "check_inode", "check_sha256sum"],
          "dir": "/usr/sbin",
          "recursion_level": 256,
          "diff_size_limit": 51200
        }
      ],
      "nodiff": ["/etc/ssl/private.key"],
      "ignore": [
        "/etc/mtab",
        "/etc/hosts.deny",
        "/etc/mail/statistics",
        "/etc/random-seed",
        "/etc/random.seed",
        "/etc/adjtime",
        "/etc/httpd/logs",
        "/etc/utmpx",
        "/etc/wtmpx",
        "/etc/cups/certs",
        "/etc/dumpdates",
        "/etc/svc/volatile"
      ],
      "ignore_sregex": [".log$|.swp$"],
      "whodata": {
        "restart_audit": "yes",
        "startup_healthcheck": "yes"
      },
      "allow_remote_prefilter_cmd": "no",
      "synchronization": {
        "enabled": "yes",
        "max_interval": 3600,
        "interval": 300,
        "response_timeout": 30,
        "queue_size": 16384,
        "max_eps": 10
      },
      "max_eps": 100,
      "process_priority": 10,
      "database": "disk"
    }
  },
  "error": 0
}
```
Get API active configuration from agent 1 - syscheck/rootcheck :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/syscheck/rootcheck" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "rootcheck": {
      "disabled": "no",
      "base_directory": "",
      "rootkit_files": "etc/shared/rootkit_files.txt",
      "rootkit_trojans": "etc/shared/rootkit_trojans.txt",
      "scanall": "no",
      "skip_nfs": "yes",
      "frequency": 43200,
      "check_dev": "yes",
      "check_files": "yes",
      "check_if": "yes",
      "check_pids": "yes",
      "check_ports": "yes",
      "check_sys": "yes",
      "check_trojans": "yes",
      "check_unixaudit": "no"
    }
  },
  "error": 0
}
```
Get API active configuration from agent 1 - syscheck/internal :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/syscheck/internal" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "internal": {
      "syscheck": {
        "rt_delay": 5,
        "default_max_depth": 256,
        "symlink_scan_interval": 600,
        "debug": 0,
        "file_max_size": 1073741824,
        "max_audit_entries": 256
      },
      "rootcheck": {
        "sleep": 50
      }
    }
  },
  "error": 0
}
```
Get API active configuration from agent 1 - wmodules/wmodules :green_circle:

`curl -k -X GET "https://localhost:55000/agents/001/config/wmodules/wmodules" -H "Authorization: Bearer $TOKEN" | jq .`

```
{
  "data": {
    "wmodules": [
      {
        "agent-upgrade": {
          "enabled": "yes",
          "ca_verification": "yes",
          "ca_store": ["etc/wpk_root.pem"]
        }
      },
      {
        "cis-cat": {
          "disabled": "yes",
          "scan-on-start": "yes",
          "interval": 86400,
          "java_path": "wodles/java",
          "ciscat_path": "wodles/ciscat",
          "ciscat_binary": "CIS-CAT.sh",
          "timeout": 1800
        }
      },
      {
        "osquery": {
          "disabled": "yes",
          "run_daemon": "yes",
          "add_labels": "yes",
          "log_path": "/var/log/osquery/osqueryd.results.log",
          "config_path": "/etc/osquery/osquery.conf"
        }
      },
      {
        "syscollector": {
          "disabled": "no",
          "scan-on-start": "yes",
          "interval": 3600,
          "network": "yes",
          "os": "yes",
          "hardware": "yes",
          "packages": "yes",
          "ports": "yes",
          "ports_all": "no",
          "processes": "yes",
          "sync_max_eps": 10
        }
      },
      {
        "sca": {
          "interval": 43200,
          "enabled": "yes",
          "scan_on_start": "yes",
          "skip_nfs": "yes",
          "policies": ["/var/ossec/ruleset/sca/cis_ubuntu22-04.yml"]
        }
      },
      {
        "wazuh_control": {
          "enabled": "yes"
        }
      }
    ]
  },
  "error": 0
}
```
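The two endpoint families in the report above answer with different shapes. The cluster endpoint (`/cluster/{node}/configuration/{component}/{configuration}`) wraps the result in `affected_items`/`failed_items`: a daemon that is not running shows up as error code 1121 inside `failed_items`, while `logcollector/socket` returns an empty `affected_items` with `error: 0`. The agent endpoint (`/agents/{id}/config/{component}/{configuration}`) returns the configuration directly under `data` (or `{"data": {}}` when there is nothing to report) and a "Bad Request" body with error 1117 when the component does not run on the agent. The following Python is an added example, not code from this issue, the PR or the Wazuh project: it normalises both shapes, flags successful-but-empty answers instead of silently passing them, checks that the components which answered 1117 on the agent above are the only ones allowed to do so, and diffs a configuration object across a worker and an agent (the two rootcheck answers above differ in the `rootkit_files`/`rootkit_trojans` paths). The sample payloads are constructed from the values shown in the report and trimmed to a few keys; `MANAGER_ONLY` and the rule that an empty answer is acceptable for a configured component are assumptions.

```python
"""Normalise, check and diff Wazuh active-configuration API responses.

Added example. Response shapes follow the test report; the payloads below are
constructed (trimmed to a few keys). MANAGER_ONLY is an assumption derived from
which components answered error 1117 when queried through the agent endpoint.
"""
from typing import Any, Dict, List, Optional, Set, Tuple

# --- constructed samples, cluster endpoint shape ---------------------------
WORKER_ROOTCHECK = {
    "data": {
        "affected_items": [{"rootcheck": {
            "disabled": "no",
            "rootkit_files": "etc/rootcheck/rootkit_files.txt",
            "rootkit_trojans": "etc/rootcheck/rootkit_trojans.txt",
            "frequency": 43200}}],
        "total_affected_items": 1, "total_failed_items": 0, "failed_items": []},
    "message": "Active configuration was successfully read in specified node",
    "error": 0}
WORKER_MAIL = {
    "data": {"affected_items": [], "total_affected_items": 0, "total_failed_items": 1,
             "failed_items": [{"error": {"code": 1121, "message":
                               "Error connecting with socket: Please verify that the "
                               "component 'mail' is properly configured"},
                               "id": ["worker-node-1"]}]},
    "message": "Could not read active configuration in specified node", "error": 1}
WORKER_SOCKET = {  # error 0 but nothing returned: surface it rather than pass it
    "data": {"affected_items": [], "total_affected_items": 0, "total_failed_items": 0,
             "failed_items": []},
    "message": "Could not read active configuration in specified node", "error": 0}

# --- constructed samples, agent endpoint shape -----------------------------
AGENT_ROOTCHECK = {"data": {"rootcheck": {
    "disabled": "no",
    "rootkit_files": "etc/shared/rootkit_files.txt",
    "rootkit_trojans": "etc/shared/rootkit_trojans.txt",
    "frequency": 43200}}, "error": 0}
AGENT_MAIL = {
    "title": "Bad Request",
    "detail": "Unable to connect with component. The component might be disabled.: mail:global",
    "dapi_errors": {"master-node": {"error":
        "Unable to connect with component. The component might be disabled.: mail:global"}},
    "error": 1117}
AGENT_SOCKET = {"data": {}, "error": 0}


def classify(resp: Dict[str, Any]) -> str:
    """Map either response shape to 'ok', 'unavailable', 'empty' or 'unexpected'."""
    if "dapi_errors" in resp:                        # agent endpoint, error body
        return "unavailable" if resp.get("error") == 1117 else "unexpected"
    data = resp.get("data", {})
    if "affected_items" in data:                     # cluster endpoint shape
        failed = data.get("failed_items", [])
        if failed:
            codes = {item["error"]["code"] for item in failed}
            return "unavailable" if codes == {1121} else "unexpected"
        if resp.get("error") != 0:
            return "unexpected"
        return "ok" if data["affected_items"] else "empty"
    if resp.get("error") != 0:                       # agent endpoint, success shape
        return "unexpected"
    return "ok" if data else "empty"


def extract(resp: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the configuration object itself, whichever endpoint produced it."""
    if classify(resp) != "ok":
        return None
    data = resp["data"]
    return data["affected_items"][0] if "affected_items" in data else data


def diff_config(a: Any, b: Any, path: str = "") -> List[Tuple[str, Any, Any]]:
    """Recursive structural diff: (path, value_a, value_b) for every leaf that differs."""
    out: List[Tuple[str, Any, Any]] = []
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            out.extend(diff_config(a.get(key), b.get(key), f"{path}/{key}"))
        return out
    if isinstance(a, list) and isinstance(b, list) and len(a) == len(b):
        for i, (x, y) in enumerate(zip(a, b)):
            out.extend(diff_config(x, y, f"{path}[{i}]"))
        return out
    return [] if a == b else [(path, a, b)]


# Components that answered 1117 on the agent in the report (assumption: they are
# manager-only, so "unavailable" is the only correct agent-side answer for them).
MANAGER_ONLY: Set[str] = {"mail", "monitor", "auth", "csyslog", "integrator", "agentless"}


def expected_on_agent(component: str) -> Set[str]:
    # A configured component may legitimately have nothing to report (logcollector/socket).
    return {"unavailable"} if component in MANAGER_ONLY else {"ok", "empty"}


def verify_agent_results(results: Dict[str, Dict[str, Any]]) -> List[str]:
    """results maps 'component/configuration' to the raw API response; returns mismatches."""
    problems = []
    for key, resp in results.items():
        got, want = classify(resp), expected_on_agent(key.split("/")[0])
        if got not in want:
            problems.append(f"{key}: expected {' or '.join(sorted(want))}, got {got}")
    return problems
```

Feed `verify_agent_results()` a dict built from the real `curl` answers (one entry per `component/configuration` pair) and it turns the green circles above into an assertable list; `diff_config(extract(worker), extract(agent))` then makes intentional node-to-node differences, such as the rootcheck file paths, explicit rather than something to spot by eye.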
TomasTurina commented 1 year ago

@jmv74211 I have uploaded this commit https://github.com/wazuh/wazuh/pull/13713/commits/51b4ceef3ae6a24894fdaea2aba37a90e5855e3c to take into account the syslog dropped events in the wazuh-analysisd state file. Now, you should see that the total dropped events counter increases when the syslog events used in the automatic tests are dropped.

jmv74211 commented 1 year ago

After the fixes that have been applied in https://github.com/wazuh/wazuh/commit/51b4ceef3ae6a24894fdaea2aba37a90e5855e3c, everything seems to work properly.

https://user-images.githubusercontent.com/23462183/197809878-7c2d105f-82eb-4dd6-ac74-622ceaaf439d.mp4

In addition, the integration tests for EPS limit pass successfully.

```
========================================= test session starts ==========================================
platform linux -- Python 3.9.7, pytest-6.2.3, py-1.10.0, pluggy-0.13.1
rootdir: /home/vagrant/wazuh-qa-revert-3270-revert-3146-fix-wdb-getconfig/tests/integration, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, testinfra-5.0.0
collected 15 items

test_analysisd/test_limit_eps/test_basic.py ..                                                   [ 13%]
test_analysisd/test_limit_eps/test_configuration.py ........                                     [ 66%]
test_analysisd/test_limit_eps/test_event_processing.py .....                                     [100%]

==================================== 15 passed in 379.36s (0:06:19) ====================================
```
jmv74211 commented 1 year ago

Closing conclusion 👍🏼

🟢 Solved

The development has been approved taking into account the following considerations proposed in this review:

(1) Automatic EPS limitation tests have reported that the statistics of dropped events do not work correctly. I have tested it locally and it does not seem to work correctly. 🟢

This has been fixed in https://github.com/wazuh/wazuh/commit/51b4ceef3ae6a24894fdaea2aba37a90e5855e3c, and now it works properly.


On the other hand, all the tests performed on the different sockets and API requests seem to work correctly. Tier 0 testing has been performed, testing each of the requests and the responses obtained, but what has not been checked is that the values of each of the statistics are updated correctly. This is something that has been discussed with the development team, and that in part has already been tested during development, plus the tests performed by the cloud team.

During release testing, this development will be tested too, so for code closure it is decided that everything has passed correctly.
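The closing note above records that the tier 0 pass exercised every request and response but did not verify that the statistic values actually move, and the earlier comment fixed exactly such a value (the dropped-events total in the wazuh-analysisd state file). The following Python is an added example, not part of this issue, the PR or the wazuh-qa test suite: it parses two snapshots of the state file taken before and after syslog events are pushed past the EPS limit, and reports a finding if any counter went backwards, if the dropped-events counter did not increase, or if decoded plus dropped events exceed the events received. The file path (`/var/ossec/var/run/wazuh-analysisd.state`), the `key='value'` line layout, the key names and the decoded-plus-dropped invariant are assumptions; both snapshots are constructed.

```python
"""Compare two snapshots of the wazuh-analysisd state file and check that the
dropped-events counter moved.

Added example, not from the issue or the project. Assumptions: the state file
lives at /var/ossec/var/run/wazuh-analysisd.state, holds '#' comment lines and
key='value' lines, and exposes the keys used below (events_received,
events_dropped, total_events_decoded, syslog_events_decoded) under those names.
"""
import re
from typing import Dict, List

# Constructed snapshots: "before" and "after" pushing syslog events past the EPS limit.
SNAPSHOT_BEFORE = """\
# State file for wazuh-analysisd
total_events_decoded='120'
syslog_events_decoded='40'
events_received='125'
events_dropped='0'
"""
SNAPSHOT_AFTER = """\
# State file for wazuh-analysisd
total_events_decoded='380'
syslog_events_decoded='300'
events_received='600'
events_dropped='215'
"""

_STATE_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*'([^']*)'\s*$")


def parse_state(text: str) -> Dict[str, int]:
    """Parse key='value' lines into integer counters; blank and '#' lines are skipped."""
    counters: Dict[str, int] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        match = _STATE_LINE.match(raw)
        if not match:
            raise ValueError(f"unparseable state line: {raw!r}")
        key, value = match.groups()
        counters[key] = int(value)
    return counters


def read_state_file(path: str = "/var/ossec/var/run/wazuh-analysisd.state") -> Dict[str, int]:
    """Read a live snapshot (assumed path); run on the manager as a user that can read it."""
    with open(path, encoding="utf-8") as fh:
        return parse_state(fh.read())


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter change for keys present in both snapshots."""
    return {k: after[k] - before[k] for k in before if k in after}


def check_drop_accounting(before: Dict[str, int], after: Dict[str, int],
                          min_dropped: int = 1) -> List[str]:
    """Return findings; an empty list means the counters behaved as the fix intends."""
    deltas = counter_deltas(before, after)
    # Counters are cumulative: a negative delta means a daemon restart or a bug.
    findings = [f"{k} went backwards by {-v}" for k, v in deltas.items() if v < 0]
    if deltas.get("events_dropped", 0) < min_dropped:
        findings.append("events_dropped did not increase although events were dropped")
    # Assumed invariant: an event is either decoded or dropped, never both, so the
    # two deltas together cannot exceed the number of events received.
    if (deltas.get("total_events_decoded", 0) + deltas.get("events_dropped", 0)
            > deltas.get("events_received", 0)):
        findings.append("decoded + dropped exceeds received")
    return findings
```

Take the first snapshot with `read_state_file()`, send syslog events above the configured limit (as the `test_limit_eps` integration tests do), wait for the next state-file refresh, take the second snapshot and call `check_drop_accounting()`; an empty list is the pass condition the manual tier 0 run did not assert.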