wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.3.4 - Release Candidate 1 - E2E UX tests - macOS log data collection #13697

Closed fcaffieri closed 2 years ago

fcaffieri commented 2 years ago

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

Test name macOS log data collection
Category Log data analysis
Main E2E UX test issue https://github.com/wazuh/wazuh/issues/13670
Release candidate # RC1

Installation procedure

Wazuh indexer:

Wazuh manager:

Wazuh dashboard:

Wazuh agent:

Test description

Create a rule for macOS native logs (new feature in 4.3.0), use the wazuh-logtest command line tool in verbose mode (added in 4.3.0), and also try the WUI log test.

Test report procedure

All test results must have one of the following statuses:
:green_circle: All checks passed.
:red_circle: There is at least one failed result.
:yellow_circle: There is at least one expected failure or skipped test and no failures.

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results can be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Conclusions

All tests have been executed and the results can be found in the issue updates.

Status Test Failure type Notes
:green_circle: wazuh-logtest command line -- https://github.com/wazuh/wazuh/issues/13697#issuecomment-1148626606
:green_circle: Create rule and decoder -- https://github.com/wazuh/wazuh/issues/13697#issuecomment-1148626606
:warning:* WUI logtest -- https://github.com/wazuh/wazuh/issues/13697#issuecomment-1148652745
:green_circle: Shared and precedence configuration -- https://github.com/wazuh/wazuh/issues/13697#issuecomment-1148663635

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

fcaffieri commented 2 years ago

Update report - Install and connection

sh-3.2# uname -a
Darwin macos-1015 19.0.0 Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64
sh-3.2# 
[root@ip-172-31-10-77 ec2-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: macos-1015
   IP address: any/any
   Status:     Active

   Operating system:    Darwin |macos-1015 |19.0.0 |Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.3.3
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1654518247

   Syscheck last started at:  Mon Jun  6 12:22:48 2022
   Syscheck last ended at:    Mon Jun  6 12:22:49 2022

[root@ip-172-31-10-77 ec2-user]# 
** Alert 1654518247.703734: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
2022 Jun 06 12:24:07 (macos-1015) any->sca
Rule: 19004 (level 7) -> 'SCA summary: CIS Apple macOS 10.15 Benchmark: Score less than 50% (47)'
{"type":"summary","scan_id":2015596844,"name":"CIS Apple macOS 10.15 Benchmark","policy_id":"cis_apple_macos_10_15","file":"cis_apple_macOS_10.15.yml","description":"This document, CIS Apple macOS 10.15 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.15. This guide was tested against Apple macOS 10.15.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":27,"failed":30,"invalid":1,"total_checks":58,"score":47.368423461914062,"start_time":1654518170,"end_time":1654518214,"hash":"437b8673f4582849280487d7ff415dba90cbea6ae579b71ef727f5b7504ba307","hash_file":"cc5b467f45f67942cb49e76467bddfe17f5aace63791279b4a71a74139ad2d2a","force_alert":"1","force_alert":"1"}
sca.type: summary
sca.scan_id: 2015596844
sca.policy: CIS Apple macOS 10.15 Benchmark
sca.description: This document, CIS Apple macOS 10.15 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.15. This guide was tested against Apple macOS 10.15.
sca.policy_id: cis_apple_macos_10_15
sca.passed: 27
sca.failed: 30
sca.invalid: 1
sca.total_checks: 58
sca.score: 47
sca.file: cis_apple_macOS_10.15.yml
fcaffieri commented 2 years ago

Update report - Create rule and decoder

Use the log stream command to get log input:

sh-3.2# log stream
Timestamp                       Thread     Type        Activity             PID    TTL  
2022-06-06 05:39:52.533252-0700 0x30e      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

Create Decoder:

<decoder name="macos_air">
  <prematch>^(\d+-\d+-\d+ \d+:\d+:\d+-\d+) (\S+) AirPlayXPCHelper:</prematch>
</decoder>

<decoder name="macos_air_child">
  <parent>macos_air</parent>
  <regex>(\S+) (\S+):</regex>
  <order>hostname, program_name</order>
</decoder>

Create Rule:

<group name="macos_air">
  <rule id="100004" level="3">
   <program_name>AirPlayXPCHelper</program_name>
   <match>Retry timer fired</match>
   <description>parent macos air</description>
  </rule>
</group>

Testing rule and decoder:

[root@ip-172-31-10-77 etc]# /var/ossec/bin/wazuh-logtest -d
2022-06-06 12:54:25,455 wazuh-logtest[INFO] Starting wazuh-logtest v4.3.3
2022-06-06 12:54:25,455 wazuh-logtest[INFO] Type one log per line

2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-06 12:54:31,184 wazuh-logtest[INFO] 
2022-06-06 12:54:31,185 wazuh-logtest[DEBUG] Request: {"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location": "stdin", "log_format": "syslog", "event": "2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired"}}

2022-06-06 12:54:31,995 wazuh-logtest[DEBUG] Reply: {"error":0,"data":{"messages":["INFO: (7202): Session initialized with token '3657de8a'"],"token":"3657de8a","output":{"timestamp":"2022-06-06T12:54:31.995+0000","rule":{"level":3,"description":"parent macos air","id":"100004","firedtimes":1,"mail":false,"groups":["macos_air"]},"agent":{"id":"000","name":"ip-172-31-10-77.ec2.internal"},"manager":{"name":"ip-172-31-10-77.ec2.internal"},"id":"1654520071.717278","full_log":"2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired","predecoder":{"program_name":"AirPlayXPCHelper","timestamp":"2022-06-06 05:39:52.533252-0700"},"decoder":{},"location":"stdin"},"alert":true,"codemsg":0}}

2022-06-06 12:54:31,995 wazuh-logtest[DEBUG] {
  "messages": [
    "INFO: (7202): Session initialized with token '3657de8a'"
  ],
  "token": "3657de8a",
  "output": {
    "timestamp": "2022-06-06T12:54:31.995+0000",
    "rule": {
      "level": 3,
      "description": "parent macos air",
      "id": "100004",
      "firedtimes": 1,
      "mail": false,
      "groups": [
        "macos_air"
      ]
    },
    "agent": {
      "id": "000",
      "name": "ip-172-31-10-77.ec2.internal"
    },
    "manager": {
      "name": "ip-172-31-10-77.ec2.internal"
    },
    "id": "1654520071.717278",
    "full_log": "2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired",
    "predecoder": {
      "program_name": "AirPlayXPCHelper",
      "timestamp": "2022-06-06 05:39:52.533252-0700"
    },
    "decoder": {},
    "location": "stdin"
  },
  "alert": true,
  "codemsg": 0
}
2022-06-06 12:54:31,995 wazuh-logtest[INFO] **Phase 1: Completed pre-decoding.
2022-06-06 12:54:31,995 wazuh-logtest[INFO]     full event: '2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired'
2022-06-06 12:54:31,995 wazuh-logtest[INFO]     timestamp: '2022-06-06 05:39:52.533252-0700'
2022-06-06 12:54:31,996 wazuh-logtest[INFO]     program_name: 'AirPlayXPCHelper'
2022-06-06 12:54:31,996 wazuh-logtest[INFO] 
2022-06-06 12:54:31,996 wazuh-logtest[INFO] **Phase 2: Completed decoding.
2022-06-06 12:54:31,996 wazuh-logtest[INFO]     No decoder matched.
2022-06-06 12:54:31,996 wazuh-logtest[INFO] 
2022-06-06 12:54:31,996 wazuh-logtest[INFO] **Phase 3: Completed filtering (rules).
2022-06-06 12:54:31,996 wazuh-logtest[INFO]     id: '100004'
2022-06-06 12:54:31,996 wazuh-logtest[INFO]     level: '3'
2022-06-06 12:54:31,996 wazuh-logtest[INFO]     description: 'parent macos air'
2022-06-06 12:54:31,996 wazuh-logtest[INFO]     groups: '['macos_air']'
2022-06-06 12:54:31,996 wazuh-logtest[INFO]     firedtimes: '1'
2022-06-06 12:54:31,996 wazuh-logtest[INFO]     mail: 'False'
2022-06-06 12:54:31,996 wazuh-logtest[INFO] **Alert to be generated.

^C2022-06-06 12:54:34,182 wazuh-logtest[DEBUG] Removing session with token 3657de8a.
[root@ip-172-31-10-77 etc]# 

Configure localfile to collect log data from files:

sh-3.2# cat ossec.conf | grep -n2 macos
142-
143-  <localfile>
144:    <location>macos</location>
145:    <log_format>macos</log_format>
146-    <query type="trace,log,activity" level="info">process == "AirPlayXPCHelper" AND  message CONTAINS "Retry timer fired"</query>
147-  </localfile>

Restart agent:

sh-3.2# sudo /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.3.3 Stopped
Starting Wazuh v4.3.3...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2#

Restart Manager:

[root@ip-172-31-10-77 etc]# systemctl restart wazuh-indexer
[root@ip-172-31-10-77 etc]# systemctl restart wazuh-dashboard
[root@ip-172-31-10-77 etc]# systemctl restart wazuh-manager
[root@ip-172-31-10-77 etc]# systemctl restart filebeat

The alerts started to be generated. macOS:

sh-3.2# log stream | grep "Retry timer fired"
2022-06-06 06:05:58.604168-0700 0x30e      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-06 06:06:01.985310-0700 0x30f      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-06 06:06:05.192940-0700 0x30f      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-06 06:06:08.763204-0700 0x30e      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

Manager:

[root@ip-172-31-10-77 etc]# tail -f ../logs/alerts/alerts.log 
** Alert 1654520767.747782: - macos_air
2022 Jun 06 13:06:07 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-06 06:05:51.977603-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

** Alert 1654520769.748034: - macos_air
2022 Jun 06 13:06:09 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-06 06:05:55.552597-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

** Alert 1654520773.748286: - macos_air
2022 Jun 06 13:06:13 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-06 06:05:58.604168-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

** Alert 1654520775.748538: - macos_air
2022 Jun 06 13:06:15 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-06 06:06:01.985310-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

^C
[root@ip-172-31-10-77 etc]#

In the dashboard:

[screenshots]

fcaffieri commented 2 years ago

Update report - WUI logtest

Log test from WUI

[screenshot]

Some differences were detected in the outputs of the wazuh-logtest WUI compared to the wazuh-logtest binary.

[screenshot]

fcaffieri commented 2 years ago

Update report - Shared and precedence configuration

Enable remote commands on the agent:

  sh-3.2# cat local_internal_options.conf 
  # local_internal_options.conf
  #
  # This file should be handled with care. It contains
  # run time modifications that can affect the use
  # of OSSEC. Only change it if you know what you
  # are doing. Look first at ossec.conf
  # for most of the things you want to change.
  #
  # This file will not be overwritten during upgrades.
  logcollector.remote_commands=1
  sh-3.2#

Adding shared agent configuration on the manager:

[root@ip-172-31-10-77 etc]# cat shared/default/agent.conf
<agent_config>

  <!-- Shared agent configuration here -->

  <localfile>
    <location>macos</location>
    <log_format>macos</log_format>
    <query type="trace,log,activity" level="info">process == "sshd"</query>
  </localfile>

</agent_config>
[root@ip-172-31-10-77 etc]# 

Verify agent conf:

[root@ip-172-31-10-77 etc]# /var/ossec/bin/verify-agent-conf

verify-agent-conf: Verifying [etc/shared/default/agent.conf]
verify-agent-conf: OK

[root@ip-172-31-10-77 etc]#

Synchronizing agent:

[root@ip-172-31-10-77 etc]# TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   398  100   398    0     0   1217      0 --:--:-- --:--:-- --:--:--  1217
[root@ip-172-31-10-77 etc]# curl -k -X GET "https://localhost:55000/agents/001/group/is_sync?pretty=true" -H  "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "id": "001",
            "synced": true
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "Sync info was returned for all selected agents",
   "error": 0
}[root@ip-172-31-10-77 etc]# /var/ossec/bin/agent_groups -S -i 001
Agent '001' is synchronized. 
[root@ip-172-31-10-77 etc]#

The configuration appeared on the agent:

sh-3.2# cat shared/agent.conf | grep -n2 macos
4-
5-  <localfile>
6:    <location>macos</location>
7:    <log_format>macos</log_format>
8-    <query type="trace,log,activity" level="info">process == "sshd"</query>
9-  </localfile>

Found the added shared configuration in the Wazuh WUI -> Management -> Groups:

[screenshot]

Added a new localfile section:

[screenshot]

The agent's shared agent.conf shows the new localfile:

sh-3.2# cat /Library/Ossec/etc/shared/agent.conf | grep -n2 macos
2-    <!-- Shared agent configuration here -->
3-    <localfile>
4:      <location>macos</location>
5:      <log_format>macos</log_format>
6-      <query type="trace,log,activity" level="info">process == "sshd"</query>
7-    </localfile>
--
--
8-    <localfile>
9:      <location>macos</location>
10:      <log_format>macos</log_format>
11-      <query type="trace,log,activity" level="info">process == "nano"</query>
12-    </localfile>
sh-3.2#

Manager side:

[root@ip-172-31-10-77 etc]# cat shared/default/agent.conf 
  <agent_config>
    <!-- Shared agent configuration here -->
    <localfile>
      <location>macos</location>
      <log_format>macos</log_format>
      <query type="trace,log,activity" level="info">process == "sshd"</query>
    </localfile>
    <localfile>
      <location>macos</location>
      <log_format>macos</log_format>
      <query type="trace,log,activity" level="info">process == "nano"</query>
    </localfile>
  </agent_config>
[root@ip-172-31-10-77 etc]# 
fcaffieri commented 2 years ago

Update report - Install and connection

sh-3.2# uname -a
Darwin macos-1015 19.0.0 Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64
sh-3.2# 
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.4"
WAZUH_REVISION="40316"
WAZUH_TYPE="agent"

Manager:

[root@ip-172-31-27-196 ec2-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.4"
WAZUH_REVISION="40316"
WAZUH_TYPE="server"
[root@ip-172-31-27-196 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-27-196.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: macos-1015, IP: any, Active

List of agentless devices:

[root@ip-172-31-27-196 ec2-user]#
[root@ip-172-31-27-196 ec2-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: macos-1015
   IP address: any/any
   Status:     Active

   Operating system:    Darwin |macos-1015 |19.0.0 |Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.3.4
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1654605759

   Syscheck last started at:  Tue Jun  7 12:35:55 2022
   Syscheck last ended at:    Tue Jun  7 12:37:03 2022
** Alert 1654605731.653602: - ossec,pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Jun 07 12:42:11 (macos-1015) any->netstat listening ports
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat listening ports':
udp4 *.* *.*
udp46 *.* *.*
tcp4 *.22 *.*
tcp4 10.0.2.15.22 10.0.2.2.50228
tcp6 *.22 *.*
udp4 *.137 *.*
udp4 *.138 *.*
udp4 *.5353 *.*
udp6 *.5353 *.*
       a        5        0     8192    32768 com.apple.network.tcp_ccdebug 
tcp4 10.0.2.15.53334 172.31.27.196.1514
tcp4 10.0.2.15.53339 17.248.180.135.443
tcp4 10.0.2.15.53365 17.171.27.65.443
udp4 *.54537 *.*
Previous output:
ossec: output: 'netstat listening ports':
udp4 *.* *.*
udp46 *.* *.*
tcp4 *.22 *.*
tcp4 10.0.2.15.22 10.0.2.2.50228
tcp6 *.22 *.*
udp4 *.137 *.*
udp4 *.138 *.*
tcp4 127.0.0.1.631 *.*
tcp6 ::1.631 *.*
udp4 *.5353 *.*
udp6 *.5353 *.*
       a        5        0     8192    32768 com.apple.network.tcp_ccdebug 
tcp4 10.0.2.15.53280 17.248.180.177.443
tcp4 10.0.2.15.53320 172.31.27.196.1514
tcp4 10.0.2.15.53321 23.62.184.183.443
tcp4 10.0.2.15.53322 23.62.184.25.443
udp4 *.54537 *.*
fcaffieri commented 2 years ago

Update report - Create rule and decoder

Use the log stream command to get log input:

sh-3.2# log stream | grep AirPlayXPCHelper
2022-06-07 05:45:51.398195-0700 0x27e      Default     0x0                  146    0    AirPlayXPCHelper: (CoreMedia) [com.apple.coremedia:] <<<< TimeSyncClock >>>> figTimeSyncClock_Monitor: nowMonClock: 335618.090031; lastMonClock: 335608.089437; nowMonNet: 335618.090 (0x0900272570550000); lastMonNet: 335608.089 (0x0900272570550000); nowMonRef: 335618.090; lasMontRef: 335608.089; lastSynthAnchor: 335618.090; lastGM: 0x0900272570550000; offset 0.000; lastRefTimelineAnchor: 335618.090
2022-06-07 05:45:52.019557-0700 0x27e      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

Create Decoder:

[root@ip-172-31-27-196 ossec]# cat etc/decoders/local_decoder.xml 
<!-- Local Decoders -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!--
  - Allowed static fields:
  - location   - where the log came from (only on FTS)
  - srcuser    - extracts the source username
  - dstuser    - extracts the destination (target) username
  - user       - an alias to dstuser (only one of the two can be used)
  - srcip      - source ip
  - dstip      - dst ip
  - srcport    - source port
  - dstport    - destination port
  - protocol   - protocol
  - id         - event id
  - url        - url of the event
  - action     - event action (deny, drop, accept, etc)
  - status     - event status (success, failure, etc)
  - extra_data - Any extra data
-->

<decoder name="local_decoder_example">
    <program_name>local_decoder_example</program_name>
</decoder>

<decoder name="macos_air">
  <prematch>^(\d+-\d+-\d+ \d+:\d+:\d+-\d+) (\S+) AirPlayXPCHelper:</prematch>
</decoder>

<decoder name="macos_air_child">
  <parent>macos_air</parent>
  <regex>(\S+) (\S+):</regex>
  <order>hostname, program_name</order>
</decoder>

Create Rule:

[root@ip-172-31-27-196 ossec]# cat etc/rules/local_rules.xml 
<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

</group>

<group name="macos_air">
  <rule id="100004" level="3">
   <program_name>AirPlayXPCHelper</program_name>
   <match>Retry timer fired</match>
   <description>parent macos air</description>
  </rule>
</group>

Testing rule and decoder:

[root@ip-172-31-27-196 ossec]# /var/ossec/bin/wazuh-logtest -d
2022-06-07 12:50:49,116 wazuh-logtest[INFO] Starting wazuh-logtest v4.3.4
2022-06-07 12:50:49,117 wazuh-logtest[INFO] Type one log per line

2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 12:51:12,571 wazuh-logtest[INFO] 
2022-06-07 12:51:12,572 wazuh-logtest[DEBUG] Request: {"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location": "stdin", "log_format": "syslog", "event": "2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired"}}

2022-06-07 12:51:13,322 wazuh-logtest[DEBUG] Reply: {"error":0,"data":{"messages":["INFO: (7202): Session initialized with token '63d65238'"],"token":"63d65238","output":{"timestamp":"2022-06-07T12:51:13.322+0000","rule":{"level":3,"description":"parent macos air","id":"100004","firedtimes":1,"mail":false,"groups":["macos_air"]},"agent":{"id":"000","name":"ip-172-31-27-196.ec2.internal"},"manager":{"name":"ip-172-31-27-196.ec2.internal"},"id":"1654606273.654836","full_log":"2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired","predecoder":{"program_name":"AirPlayXPCHelper","timestamp":"2022-06-06 05:39:52.533252-0700"},"decoder":{},"location":"stdin"},"alert":true,"codemsg":0}}

2022-06-07 12:51:13,323 wazuh-logtest[DEBUG] {
  "messages": [
    "INFO: (7202): Session initialized with token '63d65238'"
  ],
  "token": "63d65238",
  "output": {
    "timestamp": "2022-06-07T12:51:13.322+0000",
    "rule": {
      "level": 3,
      "description": "parent macos air",
      "id": "100004",
      "firedtimes": 1,
      "mail": false,
      "groups": [
        "macos_air"
      ]
    },
    "agent": {
      "id": "000",
      "name": "ip-172-31-27-196.ec2.internal"
    },
    "manager": {
      "name": "ip-172-31-27-196.ec2.internal"
    },
    "id": "1654606273.654836",
    "full_log": "2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired",
    "predecoder": {
      "program_name": "AirPlayXPCHelper",
      "timestamp": "2022-06-06 05:39:52.533252-0700"
    },
    "decoder": {},
    "location": "stdin"
  },
  "alert": true,
  "codemsg": 0
}
2022-06-07 12:51:13,323 wazuh-logtest[INFO] **Phase 1: Completed pre-decoding.
2022-06-07 12:51:13,323 wazuh-logtest[INFO]     full event: '2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired'
2022-06-07 12:51:13,323 wazuh-logtest[INFO]     timestamp: '2022-06-06 05:39:52.533252-0700'
2022-06-07 12:51:13,323 wazuh-logtest[INFO]     program_name: 'AirPlayXPCHelper'
2022-06-07 12:51:13,323 wazuh-logtest[INFO] 
2022-06-07 12:51:13,323 wazuh-logtest[INFO] **Phase 2: Completed decoding.
2022-06-07 12:51:13,323 wazuh-logtest[INFO]     No decoder matched.
2022-06-07 12:51:13,323 wazuh-logtest[INFO] 
2022-06-07 12:51:13,324 wazuh-logtest[INFO] **Phase 3: Completed filtering (rules).
2022-06-07 12:51:13,324 wazuh-logtest[INFO]     id: '100004'
2022-06-07 12:51:13,324 wazuh-logtest[INFO]     level: '3'
2022-06-07 12:51:13,324 wazuh-logtest[INFO]     description: 'parent macos air'
2022-06-07 12:51:13,324 wazuh-logtest[INFO]     groups: '['macos_air']'
2022-06-07 12:51:13,324 wazuh-logtest[INFO]     firedtimes: '1'
2022-06-07 12:51:13,324 wazuh-logtest[INFO]     mail: 'False'
2022-06-07 12:51:13,324 wazuh-logtest[INFO] **Alert to be generated.

^C2022-06-07 12:51:40,946 wazuh-logtest[DEBUG] Removing session with token 63d65238.

Configure localfile to collect log data from files:

sh-3.2# pwd
/Library/Ossec
sh-3.2# cat etc/ossec.conf | grep -n2 macos
142-
143-  <localfile>
144:    <location>macos</location>
145:    <log_format>macos</log_format>
146-    <query type="trace,log,activity" level="info">process == "AirPlayXPCHelper" AND  message CONTAINS "Retry timer fired"</query>
147-  </localfile>

Restart agent:

sh-3.2# sudo /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.3.4 Stopped
Starting Wazuh v4.3.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Restart Manager:

[root@ip-172-31-27-196 ossec]# systemctl restart wazuh-indexer
[root@ip-172-31-27-196 ossec]# systemctl restart wazuh-dashboard
[root@ip-172-31-27-196 ossec]# systemctl restart wazuh-manager
[root@ip-172-31-27-196 ossec]# systemctl restart filebeat
[root@ip-172-31-27-196 ossec]# systemctl restart wazuh-indexer
[root@ip-172-31-27-196 ossec]# systemctl restart wazuh-dashboard
[root@ip-172-31-27-196 ossec]# systemctl restart wazuh-manager

The alerts started to be generated. macOS:

sh-3.2# log stream | grep "Retry timer fired"
2022-06-07 06:01:40.286024-0700 0x30e      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 06:01:43.402629-0700 0x30f      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 06:01:46.628497-0700 0x30f      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 06:01:49.797872-0700 0x30f      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 06:01:52.990860-0700 0x30f      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 06:01:56.635247-0700 0x30e      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 06:01:59.898346-0700 0x30f      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 06:02:03.332581-0700 0x30e      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 06:02:06.628476-0700 0x30f      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-06-07 06:02:10.023469-0700 0x30e      Default     0x0                  146    0    AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

Manager:

[root@ip-172-31-27-196 ossec]# pwd
/var/ossec
[root@ip-172-31-27-196 ossec]# tail -f logs/alerts/alerts.log 
** Alert 1654606928.673606: - macos_air
2022 Jun 07 13:02:08 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-07 06:01:49.797872-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

** Alert 1654606930.673858: - macos_air
2022 Jun 07 13:02:10 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-07 06:01:52.990860-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

** Alert 1654606934.674110: - macos_air
2022 Jun 07 13:02:14 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-07 06:01:56.635247-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

** Alert 1654606938.674362: - macos_air
2022 Jun 07 13:02:18 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-07 06:01:59.898346-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

** Alert 1654606940.674614: - macos_air
2022 Jun 07 13:02:20 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-07 06:02:03.332581-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

** Alert 1654606944.674866: - macos_air
2022 Jun 07 13:02:24 (macos-1015) any->macos
Rule: 100004 (level 3) -> 'parent macos air'
2022-06-07 06:02:06.628476-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

In the dashboard:

[screenshots]
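
The two "Create rule and decoder" reports above (v4.3.3 and v4.3.4) feed wazuh-logtest a line in the default `log stream` column layout, while the alerts.log excerpts show the syslog-style layout the `macos` localfile actually forwards to the manager (`<timestamp>  <host> <program>[<pid>]: <message>`). The following is an added example, not code from the issue or from Wazuh: a small Python re-implementation of the pre-decode and rule-match steps, run over constructed sample lines copied from or modelled on the output in the report. It also checks the posted decoder `<prematch>` against such a line: `\d+` cannot cross the dot in `52.533252-0700`, so that prematch cannot match a unified-log timestamp, which is consistent with the "No decoder matched" line while rule 100004 still fires on the pre-decoded program name and message. The rule semantics (exact program_name comparison, literal substring for `<match>`) and the `sshd` sample line are assumptions of the example.

```python
"""Added example (not Wazuh's own code): pre-decode macOS unified-log lines and
evaluate the report's rule 100004 over them, plus a check of the posted prematch."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Syslog-style unified-log line as shown reaching the manager in the report:
#   2022-06-06 06:05:51.977603-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [...] Retry timer fired
# The same pattern also accepts the shorter line fed to wazuh-logtest, where the
# "Default" column of the default `log stream` layout lands in the hostname slot
# and there is no [pid].
ULS_SYSLOG = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})"
    r"\s+(?P<hostname>\S+)"
    r"\s+(?P<program_name>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:"
    r"\s*(?P<message>.*)$"
)

# The decoder <prematch> posted in the report, translated 1:1 (OSSEC's ^, \d, \S
# and + mean the same here). \d+ stops at the dot in "52.533252-0700".
POSTED_PREMATCH = re.compile(r"^(\d+-\d+-\d+ \d+:\d+:\d+-\d+) (\S+) AirPlayXPCHelper:")


@dataclass(frozen=True)
class PreDecoded:
    timestamp: str
    hostname: str
    program_name: str
    pid: Optional[int]
    message: str


@dataclass(frozen=True)
class Rule:
    rule_id: int
    level: int
    program_name: str  # <program_name> from local_rules.xml
    match: str         # <match> from local_rules.xml
    description: str


# Rule 100004 exactly as posted in the report.
RULE_100004 = Rule(100004, 3, "AirPlayXPCHelper", "Retry timer fired", "parent macos air")


def predecode(line: str) -> Optional[PreDecoded]:
    """Split a unified-log line into the fields the manager pre-decodes; None if it does not parse."""
    m = ULS_SYSLOG.match(line)
    if m is None:
        return None
    pid = m.group("pid")
    return PreDecoded(
        timestamp=m.group("timestamp"),
        hostname=m.group("hostname"),
        program_name=m.group("program_name"),
        pid=int(pid) if pid is not None else None,
        message=m.group("message"),
    )


def posted_prematch_matches(line: str) -> bool:
    """True if the decoder <prematch> from the report would fire on this line."""
    return POSTED_PREMATCH.match(line) is not None


def rule_fires(rule: Rule, event: PreDecoded) -> bool:
    """Simplified rule semantics (assumption of this example): exact program_name
    comparison and a literal substring test for <match>."""
    return event.program_name == rule.program_name and rule.match in event.message


def alerts_for(lines: List[str], rule: Rule = RULE_100004) -> List[PreDecoded]:
    """Return the pre-decoded events that would raise an alert for `rule`."""
    hits = []
    for line in lines:
        ev = predecode(line)
        if ev is not None and rule_fires(rule, ev):
            hits.append(ev)
    return hits


# Constructed sample input: the first two lines are copied from the report
# (wazuh-logtest input and alerts.log); the sshd line is invented.
SAMPLE_LINES = [
    "2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired",
    "2022-06-06 06:05:51.977603-0700  localhost AirPlayXPCHelper[146]: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired",
    "2022-06-06 06:05:53.000000-0700  localhost sshd[512]: Accepted publickey for admin from 10.0.2.2 port 50228 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("posted prematch matches:", posted_prematch_matches(line), "|", predecode(line))
    for ev in alerts_for(SAMPLE_LINES):
        print(f"Rule {RULE_100004.rule_id} (level {RULE_100004.level}) -> "
              f"'{RULE_100004.description}' host={ev.hostname} pid={ev.pid}")
```

Run it as a script to see that both AirPlayXPCHelper lines alert while the sshd line does not, and that the posted prematch matches neither layout; when writing a real decoder for these lines, test it with the syslog-style line from alerts.log rather than the default `log stream` table layout, since that is what the manager receives.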

fcaffieri commented 2 years ago

Update report - WUI logtest

Log test from WUI

2022-06-06 05:39:52.533252-0700 Default AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired

[screenshot]

Compare the output of the wazuh-logtest WUI with the wazuh-logtest binary.

[screenshot]

Some differences were found.

fcaffieri commented 2 years ago

Update report - Shared and precedence configuration

Enable remote commands on the agent:

sh-3.2# pwd
/Library/Ossec
sh-3.2# cat etc/local_internal_options.conf 
# local_internal_options.conf
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of OSSEC. Only change it if you know what you
# are doing. Look first at ossec.conf
# for most of the things you want to change.
#
# This file will not be overwritten during upgrades.

logcollector.remote_commands=1
sh-3.2# 

Adding shared agent configuration on the manager:

[root@ip-172-31-27-196 etc]# pwd
/var/ossec/etc
[root@ip-172-31-27-196 etc]# cat shared/default/agent.conf
<agent_config>

  <!-- Shared agent configuration here -->
  <localfile>
    <location>macos</location>
    <log_format>macos</log_format>
    <query type="trace,log,activity" level="info">process == "sshd"</query>
  </localfile>

</agent_config>
[root@ip-172-31-27-196 etc]# 

Verify agent conf:

[root@ip-172-31-27-196 etc]# /var/ossec/bin/verify-agent-conf

verify-agent-conf: Verifying [etc/shared/default/agent.conf]
verify-agent-conf: OK

[root@ip-172-31-27-196 etc]#

Synchronizing agent:

[root@ip-172-31-27-196 etc]#  TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   398  100   398    0     0   1247      0 --:--:-- --:--:-- --:--:--  1247
[root@ip-172-31-27-196 etc]# curl -k -X GET "https://localhost:55000/agents/001/group/is_sync?pretty=true" -H  "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "id": "001",
            "synced": true
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "Sync info was returned for all selected agents",
   "error": 0
}[root@ip-172-31-27-196 etc]# /var/ossec/bin/agent_groups -S -i 001
Agent '001' is synchronized. 
[root@ip-172-31-27-196 etc]#

The configuration appeared on the agent:

sh-3.2# pwd
/Library/Ossec
sh-3.2# cat etc/shared/agent.conf | grep -n2 macos
3-  <!-- Shared agent configuration here -->
4-  <localfile>
5:    <location>macos</location>
6:    <log_format>macos</log_format>
7-    <query type="trace,log,activity" level="info">process == "sshd"</query>
8-  </localfile>
sh-3.2# 

Found the added shared configuration in the Wazuh WUI -> Management -> Groups:

[screenshot]

Added a new localfile section:

    <localfile>
        <location>macos</location>
        <log_format>macos</log_format>
        <query type="trace,log,activity" level="info">process == "nano"</query>
    </localfile>

[screenshot]

The agent's shared agent.conf shows the new localfile:

sh-3.2# cat etc/shared/agent.conf | grep -n2 macos
2-    <!-- Shared agent configuration here -->
3-    <localfile>
4:      <location>macos</location>
5:      <log_format>macos</log_format>
6-      <query type="trace,log,activity" level="info">process == "sshd"</query>
7-    </localfile>
--
--
7-    </localfile>
8-    <localfile>
9:      <location>macos</location>
10:      <log_format>macos</log_format>
11-      <query type="trace,log,activity" level="info">process == "nano"</query>
12-    </localfile>

Manager side:

[root@ip-172-31-27-196 etc]# cat shared/default/agent.conf 
  <agent_config>
    <!-- Shared agent configuration here -->
    <localfile>
      <location>macos</location>
      <log_format>macos</log_format>
      <query type="trace,log,activity" level="info">process == "sshd"</query>
    </localfile>
    <localfile>
      <location>macos</location>
      <log_format>macos</log_format>
      <query type="trace,log,activity" level="info">process == "nano"</query>
    </localfile>
  </agent_config>
[root@ip-172-31-27-196 etc]#
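
The two "Shared and precedence configuration" reports above (v4.3.3 and v4.3.4) set `logcollector.remote_commands=1` in the agent's local_internal_options.conf and then push `macos` localfile blocks through `shared/default/agent.conf`. The following is an added example, not code from the issue or from Wazuh: a Python audit that parses a shared agent.conf and the agent's local_internal_options.conf, lists the unified-log queries the agent will run, and reports the state of the trust-boundary knob the report flips. With `logcollector.remote_commands=1` the manager can push `command`/`full_command` localfile entries that execute on every agent in the group; with the default `0` the agent rejects them. The agent.conf and local_internal_options.conf contents are copied from the report; the `df -P` command localfile variant and the finding texts are constructed for the example.

```python
"""Added example (not Wazuh's own code): audit a shared agent.conf together with
the agent's local_internal_options.conf for remote command exposure."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Manager side: /var/ossec/etc/shared/default/agent.conf as shown in the report.
SHARED_AGENT_CONF = """<agent_config>
  <!-- Shared agent configuration here -->
  <localfile>
    <location>macos</location>
    <log_format>macos</log_format>
    <query type="trace,log,activity" level="info">process == "sshd"</query>
  </localfile>
  <localfile>
    <location>macos</location>
    <log_format>macos</log_format>
    <query type="trace,log,activity" level="info">process == "nano"</query>
  </localfile>
</agent_config>"""

# Constructed variant (NOT in the report) that additionally pushes a command
# localfile, which is what remote_commands=1 actually permits.
SHARED_AGENT_CONF_WITH_COMMAND = SHARED_AGENT_CONF.replace(
    "</agent_config>",
    "  <localfile>\n    <log_format>command</log_format>\n    <command>df -P</command>\n"
    "    <frequency>360</frequency>\n  </localfile>\n</agent_config>",
)

# Agent side: /Library/Ossec/etc/local_internal_options.conf as shown in the report.
LOCAL_INTERNAL_OPTIONS = """# local_internal_options.conf
# This file will not be overwritten during upgrades.
logcollector.remote_commands=1
"""


@dataclass(frozen=True)
class LocalFile:
    log_format: str
    location: str = ""
    query: str = ""
    query_type: str = ""
    level: str = ""
    command: str = ""


def parse_localfiles(agent_conf_xml: str) -> List[LocalFile]:
    """Collect every <localfile> block from an agent.conf document."""
    root = ET.fromstring(agent_conf_xml)
    result = []
    for lf in root.iter("localfile"):
        q = lf.find("query")
        result.append(LocalFile(
            log_format=(lf.findtext("log_format") or "").strip(),
            location=(lf.findtext("location") or "").strip(),
            query=(q.text or "").strip() if q is not None else "",
            query_type=q.get("type", "") if q is not None else "",
            level=q.get("level", "") if q is not None else "",
            command=(lf.findtext("command") or "").strip(),
        ))
    return result


def parse_internal_options(text: str) -> Dict[str, str]:
    """Parse key=value lines of local_internal_options.conf, skipping comments."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def remote_commands_enabled(opts: Dict[str, str]) -> bool:
    """The agent default is 0 (reject command localfiles from the manager)."""
    return opts.get("logcollector.remote_commands", "0") == "1"


def audit(agent_conf_xml: str, internal_options_text: str) -> Dict[str, object]:
    """Summarise what the pushed configuration makes the agent do, and flag remote command exposure."""
    localfiles = parse_localfiles(agent_conf_xml)
    enabled = remote_commands_enabled(parse_internal_options(internal_options_text))
    commands = [lf for lf in localfiles if lf.log_format in ("command", "full_command")]
    findings: List[str] = []
    if commands and enabled:
        findings.append(f"{len(commands)} command localfile(s) will execute on the agent because logcollector.remote_commands=1")
    elif commands:
        findings.append(f"{len(commands)} command localfile(s) will be rejected by the agent because logcollector.remote_commands=0")
    elif enabled:
        findings.append("logcollector.remote_commands=1 is set but the shared configuration pushes no command localfile")
    return {
        "macos_queries": [lf.query for lf in localfiles if lf.log_format == "macos"],
        "remote_commands": enabled,
        "command_localfiles": [lf.command for lf in commands],
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("report", SHARED_AGENT_CONF), ("with command", SHARED_AGENT_CONF_WITH_COMMAND)):
        print(name, "->", audit(conf, LOCAL_INTERNAL_OPTIONS))
```

Running it against the report's files yields the two unified-log predicates and a finding that the knob is on while nothing pushed needs it; the constructed variant shows the exposure the knob creates, so a group's agent.conf should be reviewed with the same care as anything else that can run commands on every host in the group.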