wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Verify input behavior with the new engine #3533

Closed damarisg closed 1 year ago

damarisg commented 1 year ago
| Target version | Related issue | Related PR/dev branch |
|---|---|---|
| 5.0 | https://github.com/wazuh/wazuh/issues/15083 | https://github.com/wazuh/wazuh/issues/11334 |

Description

Since the team is reworking the engine, we need to cover this new engine rework. This issue will add the new tests to the qa framework and, if necessary, the manual testing.

First of all, the engine module should be added to the framework so we could start adding modules, their tests and their cases.

Proposed test cases

Considerations

After the research and when the first module approach is created, we will add a module for each type (input, resources, output) and a test for each scenario (events, api, etc.) and its specific Tcases.

roronoasins commented 1 year ago

Review data

| Tester | PR commit |
|---|---|
| @roronoasins | https://github.com/wazuh/wazuh/issues/11334 |

Testing environment

| OS | OS version | Deployment | Image/AMI |
|---|---|---|---|
| Ubuntu | 20.04 | Vagrant | generic/ubuntu2004 |

Tested packages

| OS | Package |
|---|---|
| Ubuntu | Engine's vagrantfile |

The dev team provided a vagrantfile with the engine's mvp

Conclusion

Each problem mentioned in the description has details about each tested case.

Here it is intended to add relevant information about the tests carried out.

Improvements proposed:

I'll start listing the ones related to events and APIs:

  1. Error logs that are not that descriptive for a user: 🟡

     - Referencing the `store` files

       **Log Error:**

       ```
       Error: [Catalog] Could not get content [rule] from store, [FileDriver] File [/var/ossec/engine/store/rule] does not exist
       ```

       **These logs appear for these cases:**

       - List an empty `item-type`
       - Get a non-existing version for a certain item
       - Create an item where it already exists
       - Update an incorrect id or version for a given `item-type`
       - Invoke `delete` without an `item-type` at least. The log refers to `name`, which can confuse a user because it is the error log when there is something happening, for example, with the name of a decoder (defined in its yaml file). And here the user may try to delete all the possible combinations by just running the delete option. The `--help` advice is good, but the `name` reference may confuse the user
       - Delete non-valid item ids and versions
       - Validate a decoder with no name section
       - Load an already existing `item-type`

     - Referencing the store and files

       **Log Error:**

       ```
       14:44:31.406714 cmdGraph.cpp:77 ERR[4089 ] Exception while building environment: [exception: [Environment] Error retreiving environment [my-env] from store: [FileDriver] File [/var/ossec/engine/store/my-env] does not exist
       ```

       **These logs appear for these cases:**

       - Generate a graph file using a non-valid environment
       - Set with an env name that does not exist
       - Running test with a non-existent kvdb path
       - Use a path where no assets are located
       - Running test with a non-existent environment

     - Logs that are very short and could be more descriptive, like adding the proper way to call them

       **Log Error:**

       ```
       root@engine:/home/vagrant/engine/wazuh/src/engine# /var/ossec/engine/wazuh-engine env set
       environment is required
       Run with --help for more information.
       ```

       **This affects the following cases:**

       - Set without any name
       - Set with a not supported environment format
       - Set the environment that is already active
       - Invoke delete without an env name
       - Delete the current env
       - Delete the current environment when it has not been set yet.

       or

       ```
       root@engine:/home/vagrant/engine/wazuh/src/engine# /var/ossec/engine/wazuh-engine env get
       No active environments found
       root@engine:/home/vagrant/engine/wazuh/src/engine#
       ```

       **This affects the following cases:**

       - Get current env when there is no env set

     - Uncompleted logging

       **Log Error:**

       ```
       Error: Invalid collection type [newtype]
       ```

       or

       ```
       Could not convert: --protocol_queue = 128
       Run with --help for more information.
       ```

       **These logs appear for these cases:**

       - Create a not supported collection type
       - Use a not expected queue value
       - Delete an empty `item-type`
       - Delete non-valid item-types

     - JSON wrong format

       **Log Error:**

       ```
       10:44:00.649499 cmdKvdb.cpp:77 ERR[3870 ] Error parsing JSON: exception: [Json(jsonString)] Unable to build json document because: Invalid encoding in string. at 33
       ```

       > We could add some logging to the stack trace so the last logging message is more user-friendly.

       **These logs appear for these cases:**

       - Creating a database using a non-well-formatted json input file

     - Logs that do not have the right format

       **Log Error:**

       ```
       root@engine:/home/vagrant/engine/wazuh/src/engine# /var/ossec/engine/wazuh-engine env set environment/wazuh/1
       Environment created and startedroot@engine:/home/vagrant/engine/wazuh/src/engine#
       ```

       **These logs appear for these cases:**

       - Set with a not supported environment format
       - Set an existent environment
       - Set the environment that is already active
       - Delete the current env
       - Delete the current environment when it has not been set yet.

     - Unsupported type

       **Log Error:**

       ```
       --input_type: yaml not in {json}
       ```

       This log can be improved so the log does not seem to be a conditional fragment from source code.

       **These logs appear for these cases:**

       - Create a db using a non valid input file format
  2. Rename the kvdb's `-i` option: 🟡 The format used for `--input-type` is `-t`, so we could use the same format.

  3. The `--kvdb-path` option could warn the users about this, so they can know that any action that needs the kvdb won't work 🟡

     Affected cases: Dir that is not kvdb path.

  4. The `--kvdb-path` is `\` sensitive at the end of the string. It should accept both. 🟡

     Affected cases:

     - test subcommand does not accept kvdb paths without an ending `\`
     - test subcommand accepts kvdb paths with an ending `\`
  5. When the log does not trigger any rule, it appears empty 🟡 This occurs, for example, in the "Run test with different environments: one with a loaded rule and other without it" case. Maybe it could not appear or say that no rule has been triggered.

  6. Setting a custom protocol queue option, which also appears here. 🟡

  7. Check that validation is correct: 🟡 Is there a way to have a trace of the checks that it performs to know if the validate went well? If not, could we add it?

  8. The catalog list command must have default rules and filter. 🟡

  9. Helper of catalog command: 🟡

     A clarification about the item-type values expected could be useful, so the users can have detailed info without running the tool and getting errors.

    We could also add a reference to the engine's wiki based on the command. For example, if we use the help option with the whole engine, a reference to the index or very first page of wiki. If we use the help option with a command, a reference to the command's entry.

I will continue with the behavior of the Ruleset:

  1. When changing some decoders, rules or something you have to update and reload the components. This can be automated with a custom script but I don't know if another approach to update and reload the items could be better/faster. 🟡

It needs to be fixed:

I'll start listing the ones related to events and APIs.

Location being split 🔴

> When the location contains at least a colon, the substring that takes place after that colon appears as part of the original log. There is also an additional colon where this substring and the log are combined.

- Input:

  ```
  root@engine:/home/vagrant/engine/wazuh/src/engine# ./build/main test -l "location:asd"
  ```

- Current output:

  ```
  Enter log in single line (Crtl+C to exit):
  a sample log

  **OUTPUT**:
  {
    "wazuh": {
      "queue": 49,
      "origin": "location"
    },
    "event": {
      "original": "asd:a sample log"
    }
  }
  ```

- Expected output:

  ```
  Enter log in single line (Crtl+C to exit):
  a sample log

  **OUTPUT**:
  {
    "wazuh": {
      "queue": 49,
      "origin": "location:asd"
    },
    "event": {
      "original": "a sample log"
    }
  }
  ```
Incorrect logs 🔴

- Current output

  ```
  Error: Invalid collection type [newtype] for [error_type]
  ```

- Expected output

  Fix the string `error_type` and print the supported `item-types`. It could contain a reference to the help option instead (or both).

**These logs appear for these cases:**

- Update a non-existent `item-type`
Graph file is not generated 🔴

- When the previous level directory does not exist

Cases:

- Generate a graph file specifying an output path with a directory level that does not exist
- Generate a graph file specifying an output path with a directory that does not exist
Setting a custom protocol location option 🔴

- Also appears [here](https://github.com/wazuh/wazuh-qa/issues/3475#issuecomment-1292339045).

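The colon handling reported in the "Location being split" case above, as an added example that is not code from this issue, wazuh or wazuh-qa: a small Python model of a `queue:location:log` single-line framing that reproduces the reported split and a parse that keeps a colon inside the location. The framing itself, the `|:` escape for colons in the location and the `1` queue character (decimal 49, matching the `queue` value in the output above) are assumptions for the demonstration.

```python
# Added example, not code from wazuh or wazuh-qa. Models a single-line
# framing "<queue char>:<location>:<log>" that would explain the output in
# the issue, reproduces the reported split, and shows a parse that keeps a
# colon inside the location. ASSUMPTIONS: the framing and the "|:" escape
# for colons inside the location are choices for this demo only.
import json

QUEUE_CHAR = "1"  # ord("1") == 49, the "queue" value shown in the issue


def naive_parse(message: str) -> dict:
    """Reproduce the reported behaviour: the first two colons delimit the
    fields, so the part of the location after its own colon leaks into
    event.original, joined with the extra ':' the issue describes."""
    queue_char, location, log = message.split(":", 2)
    return {"wazuh": {"queue": ord(queue_char), "origin": location},
            "event": {"original": log}}


def frame(queue_char: str, location: str, log: str) -> str:
    """Build the message, escaping colons inside the location as '|:'."""
    return f"{queue_char}:{location.replace(':', '|:')}:{log}"


def parse(message: str) -> dict:
    """Parse a framed message; only an unescaped ':' ends the location."""
    queue_char, rest = message.split(":", 1)
    location = []
    i = 0
    while i < len(rest):
        if rest.startswith("|:", i):   # escaped colon belongs to the location
            location.append(":")
            i += 2
        elif rest[i] == ":":           # first unescaped colon: the log follows
            break
        else:
            location.append(rest[i])
            i += 1
    else:
        raise ValueError("no log part after the location")
    return {"wazuh": {"queue": ord(queue_char), "origin": "".join(location)},
            "event": {"original": rest[i + 1:]}}


if __name__ == "__main__":
    raw = f"{QUEUE_CHAR}:location:asd:a sample log"  # constructed input
    print(json.dumps(naive_parse(raw), indent=2))     # origin "location", original "asd:a sample log"
    fixed = parse(frame(QUEUE_CHAR, "location:asd", "a sample log"))
    print(json.dumps(fixed, indent=2))                # origin "location:asd", original "a sample log"
```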
roronoasins commented 1 year ago

Events' inputs

Using the agent localfile feature

- Sending valid json format log :green_circle:
- Sending a log that contains unicode characters :green_circle:
- Sending a log with expected syslog format :green_circle:
- Sending a log with non-desired log format :green_circle:
- Sending a mix of unicode and special characters log :green_circle:

Using wazuh-engine test command

- Verify that `original` field contains the specified log
  - Check json format log :green_circle:
  - Check log that contains unicode characters :green_circle:
  - Check log with correct format :green_circle:
  - Check log with wrong format :green_circle:
  - Check log mixing unicode chars and special chars :green_circle:
- Verify that `location` field contains the specified string
  - location value contains a colon :red_circle:
  - using a large location value :green_circle:
  - Using a mix of special and unicode characters :green_circle:
- Verify that `queue` field contains the corresponding (decimal) ascii value from the specified string :yellow_circle:

NOTE: Details in 3475 issue.

damarisg commented 1 year ago

API

CATALOG command

- `list` parameter
  - List loaded decoders :green_circle:
  - List loaded schemas :green_circle:
  - List loaded environments :green_circle:
  - List loaded outputs :green_circle:
  - List loaded rule 🔴
  - List loaded filter 🔴
- `get` parameter
  - Obtain some decoders by their id and version :green_circle:
  - Obtain some decoders with non-existing version :yellow_circle:
- `update` parameter
  - Update an existing decoder version :green_circle:
  - Update a non-existent item-type :red_circle:
  - Update an incorrect id or version for a given item-type :yellow_circle:
- `create` parameter
  - Create a custom decoder using a yml file :green_circle:
  - Create a custom decoder that already exists using a yml file :yellow_circle:
  - Create an item using a type that is not expected :yellow_circle:
- `delete` parameter
  - Delete an existing decoder :green_circle:
  - Try to delete empty item type :yellow_circle:
  - Missing required parameter :yellow_circle:
  - Delete non-valid types, ids and versions :yellow_circle:
- `validate` parameter
  - Validate a decoder with valid syntax 🟡
  - Validate a decoder with no name section :yellow_circle:
  - Validate a decoder with no sources section :green_circle:
  - Validate a decoder with no check section :green_circle:
  - Validate a decoder with no parse section :green_circle:
- `load` parameter
  - Could not load existing decoders :yellow_circle:
  - Load some decoders that already exist and others that do not :yellow_circle:
  - Path with special and unicode characters :green_circle:
  - Load decoders :green_circle:
  - Load decoder version :green_circle:

KVDB command

- `-i/--input-file` parameter
  - Create a db using a json input file :green_circle:
  - Create db with a wrong formatted json :yellow_circle:
  - Create db using a non-existent input file :green_circle:
- `-t/--input-type`
  - Create a db using a non valid input file format :green_circle:

GRAPH command

- Generate a graph file :green_circle:
- Generate a graph file using a non-valid environment :yellow_circle:
- Generate a graph file specifying an output path with a directory level that does not exist :red_circle:
- Generate a graph file specifying an output path with a directory that does not exist :red_circle:

ENV command

- `get` subcommand
  - Get current env :green_circle:
  - Get current env when there is no env set 🟡
- `set` subcommand
  - Set without any name :yellow_circle:
  - Set with an env name that does not exist :yellow_circle:
  - Set with a not supported environment format :yellow_circle:
  - Set an existent environment :yellow_circle:
  - Set the environment that is already active :yellow_circle:
- `delete` subcommand
  - Invoke delete without an env name :yellow_circle:
  - Delete the current env :yellow_circle:
  - Delete the current environment when it has not been set yet :yellow_circle:

TEST command

- `--kvdb-path` option
  - Dir that is not kvdb path :yellow_circle:
  - `test` subcommand does not accept kvdb paths without an ending `\` :red_circle:
  - `test` subcommand accepts kvdb paths with an ending `\` :red_circle:
  - Running test with a non-existent kvdb path 🟡
- `-f,--file_storage` option
  - Use a non-existent path :green_circle:
  - Use a path where no assets are located :yellow_circle:
- `--environment` option
  - Running test with a non-existent environment :yellow_circle:
  - Run test with different environments: one with a loaded rule and other without it :yellow_circle:
- Setting a custom protocol queue option :yellow_circle:
- Setting a custom protocol location option :red_circle:
- Verifying debug mode
  - No debug :green_circle:
  - Verifying asset history :green_circle:
  - Verifying asset history plus full tracing :green_circle:
- Verify the trace for a selection of assets
  - assets: `rule/source-malicious-ip/0` :green_circle:
  - assets: `decoder/apache-access/0` :green_circle:
  - assets: `decoder/apache-access/0,rule/source-malicious-ip/0` :green_circle:

NOTE: Details in 3475 issue and 3530 issue.

damarisg commented 1 year ago

RULESET

Note: Details in 3535 issue.