search

wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/
Other
11.01k stars 1.67k forks source link

Release 4.4.0 - Release Candidate 1 - External Integrations modules #16184

Closed fdalmaup closed 1 year ago

fdalmaup commented 1 year ago

The following issue aims to perform all the required testing for the current release candidate to ensure the modules (AWS, GCP, Azure, DockerListener and Shuffle) works as expected, report the results, and open new issues for any encountered errors.

Modules tests information
Main release candidate issue #16132
Version 4.4.0
Release candidate # RC1
Tag v4.4.0-rc1
Previous modules tests issue #15750

Test report procedure

All test results must have one of the following statuses:
:green_circle: The test passed successfully.
:yellow_circle: The test passed but some enhancements need to be applied to the module.
:red_circle: The test failed.
:white_circle: The test does not apply.

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause. It must be included in the Fixes section of the current release candidate main issue.

The resulting logs for the tests must be included in the status report so it can be used by the auditors to dig deeper into any possible failures and details.

Conclusions

Module Status Notes
AWS :green_circle:
Azure :green_circle:
GCP :green_circle:
Docker Listener :green_circle:
Shuffle :green_circle:

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

fdalmaup commented 1 year ago

AWS Test results

A test is considered valid if the following conditions are met:

The data available in our Wazuh-dev environment for each of these supported services will be used. Additional logs may be created if they are necessary or there is insufficient data for testing.

Test results

Bucket/Service type Status Issue ref.
Test using ossec.conf in a manager :green_circle: -
Test using ossec.conf in an agent (Python 3.6) :green_circle: -

Test using ossec.conf in a manager

Configuration no no 10m yes no dev wazuh-aws-wodle-cloudtrail 2022-MAR-21 dev wazuh-aws-wodle-macie 2022-JAN-01 dev 4_4_test 2022-DEC-01 us-east-1
Output 2023/02/13 10:41:49 wazuh-modulesd:aws-s3[8574] wm_aws.c:60 at wm_aws_main(): INFO: Module AWS started 2023/02/13 10:41:49 wazuh-modulesd:aws-s3[8574] wm_aws.c:82 at wm_aws_main(): INFO: Starting fetching of logs. 2023/02/13 10:41:49 wazuh-modulesd:aws-s3[8574] wm_aws.c:134 at wm_aws_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-aws-wodle-cloudtrail, Type: cloudtrail, Profile: dev) 2023/02/13 10:41:49 wazuh-modulesd:aws-s3[8574] wm_aws.c:329 at wm_aws_run_s3(): DEBUG: Create argument list 2023/02/13 10:41:49 wazuh-modulesd:aws-s3[8574] wm_aws.c:444 at wm_aws_run_s3(): DEBUG: Launching S3 Command: wodles/aws/aws-s3 --bucket wazuh-aws-wodle-cloudtrail --aws_profile dev --only_logs_after 2022-MAR-21 --type cloudtrail --debug 2 2023/02/13 10:41:53 wazuh-modulesd:aws-s3[8574] wm_aws.c:484 at wm_aws_run_s3(): DEBUG: Bucket: - OUTPUT: DEBUG: +++ Debug mode on - Level: 2 DEBUG: Generating default configuration for retries: mode standard - max_attempts 10 DEBUG: +++ Table does not exist; create DEBUG: +++ Working on 123456789123 - us-west-1 DEBUG: +++ Marker: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/21 DEBUG: ++ Found new log: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/30/123456789123_CloudTrail_us-west-1_20220330T0000Z_HASDoKlxgfdNInHa.json.gz DEBUG: ++ Found new log: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/30/123456789123_CloudTrail_us-west-1_20220330T0000Z_HASDoKlxgfdNInHa.json.zip DEBUG: ++ Found new log: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/30/123456789123_CloudTrail_us-west-1_20220330T0000Z_HASDoKlxgfdkdIOa.json.txt DEBUG: ++ Found new log: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/30/123456789123_CloudTrail_us-west-1_20220330T0002Z_HASDoKlxgfdNInHa.json.zip DEBUG: +++ DB Maintenance DEBUG: +++ Working on 123123456789 - us-west-1 DEBUG: +++ Marker: AWSLogs/123123456789/CloudTrail/us-west-1/2022/03/21 DEBUG: +++ No logs to process in bucket: 123123456789/us-west-1 DEBUG: +++ DB Maintenance DEBUG: +++ Working on 789123123456 - us-west-1 DEBUG: +++ Marker: AWSLogs/789123123456/CloudTrail/us-west-1/2022/03/21 DEBUG: ++ Found new log: AWSLogs/789123123456/CloudTrail/us-west-1/2023/01/25/123456789123_CloudTrail_us-west-1_20211223T0000Z_HASDOtJxxxxxxxxx.json.gz DEBUG: +++ DB Maintenance 2023/02/13 10:41:53 wazuh-modulesd:aws-s3[8574] wm_aws.c:134 at wm_aws_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-aws-wodle-macie, Type: custom, Profile: dev) 2023/02/13 10:41:53 wazuh-modulesd:aws-s3[8574] wm_aws.c:329 at wm_aws_run_s3(): DEBUG: Create argument list 2023/02/13 10:41:53 wazuh-modulesd:aws-s3[8574] wm_aws.c:444 at wm_aws_run_s3(): DEBUG: Launching S3 Command: wodles/aws/aws-s3 --bucket wazuh-aws-wodle-macie --aws_profile dev --only_logs_after 2022-JAN-01 --type custom --debug 2 2023/02/13 10:41:57 wazuh-modulesd:aws-s3[8574] wm_aws.c:484 at wm_aws_run_s3(): DEBUG: Bucket: - OUTPUT: DEBUG: +++ Debug mode on - Level: 2 DEBUG: Generating default configuration for retries: mode standard - max_attempts 10 DEBUG: +++ Table does not exist; create DEBUG: +++ Marker: 2022/01/01 DEBUG: ++ Found new log: 2022/02/14/firehose_macie-1-2022-02-14-01-20-42-eb1f80bc-5d9d-426b-a0a1-e0ad8d3ef656 DEBUG: ++ Found new log: 2022/11/09/firehose_macie-1-2021-12-01-00-40-40-e269348f-0b8e-4f61-a4e9-995424ftest1 DEBUG: ++ Found new log: 2022/11/09/firehose_macie-1-2021-12-01-00-40-40-e269348f-0b8e-4f61-a4e9-995424ftest1nolat DEBUG: ++ Found new log: 2022/11/09/firehose_macie-1-2021-12-01-00-40-40-e269348f-0b8e-4f61-a4e9-995424ftest2 DEBUG: ++ Found new log: 2022/11/09/firehose_macie-1-2022-02-14-01-20-42-eb1f80bc-5d9d-426b-a0a1-e0ad8d3ef656 DEBUG: ++ Found new log: 2022/11/10/firehose_macie-1-2021-12-01-00-40-40-with-geolocation-1 DEBUG: ++ Found new log: 2022/11/10/firehose_macie-1-2021-12-01-00-40-40-with-geolocation-2 DEBUG: ++ Found new log: 2022/11/10/firehose_macie-1-2022-02-14-01-20-42-no-geolocation DEBUG: +++ DB Maintenance 2023/02/13 10:41:59 wazuh-modulesd:aws-s3[8574] wm_aws.c:169 at wm_aws_main(): INFO: Executing Service Analysis: (Service: cloudwatchlogs, Profile: dev) 2023/02/13 10:41:59 wazuh-modulesd:aws-s3[8574] wm_aws.c:508 at wm_aws_run_service(): DEBUG: Create argument list 2023/02/13 10:41:59 wazuh-modulesd:aws-s3[8574] wm_aws.c:612 at wm_aws_run_service(): DEBUG: Launching S3 Command: wodles/aws/aws-s3 --service cloudwatchlogs --aws_profile dev --only_logs_after 2022-DEC-01 --regions us-east-1 --aws_log_groups 4_4_test --debug 2 2023/02/13 10:42:02 wazuh-modulesd:aws-s3[8574] wm_aws.c:653 at wm_aws_run_service(): DEBUG: Service: cloudwatchlogs - OUTPUT: DEBUG: +++ Debug mode on - Level: 2 DEBUG: +++ Getting alerts from "us-east-1" region. DEBUG: Generating default configuration for retries: mode standard - max_attempts 10 DEBUG: only logs: 1669852800000 DEBUG: +++ Table does not exist; create DEBUG: Getting log streams for "4_4_test" log group DEBUG: Found "test_stream" log stream in 4_4_test DEBUG: Getting data from DB for log stream "test_stream" in log group "4_4_test" DEBUG: Token: "None", start_time: "None", end_time: "None" DEBUG: Getting CloudWatch logs from log stream "test_stream" in log group "4_4_test" using token "None", start_time "1669852800000" and end_time "None" DEBUG: +++ Sending events to Analysisd... DEBUG: The message is "test log 05-12-22 #1" DEBUG: +++ Sending events to Analysisd... DEBUG: The message is "test log 12-12-22 #1" DEBUG: +++ Sending events to Analysisd... DEBUG: The message is "test log 12-12-22 #2" DEBUG: Getting CloudWatch logs from log stream "test_stream" in log group "4_4_test" using token "f/37261757152099465362158772923796054646091708432059990016/s", start_time "1669852800000" and end_time "None" DEBUG: Saving data for log group "4_4_test" and log stream "test_stream". DEBUG: The saved values are "{'token': 'f/37261757152132916477936604954625336921053419536048422911/s', 'start_time': 1669852800000, 'end_time': 1670874978409}" DEBUG: Purging the BD DEBUG: Getting log streams for "4_4_test" log group DEBUG: Found "test_stream" log stream in 4_4_test DEBUG: committing changes and closing the DB 2023/02/13 10:42:02 wazuh-modulesd:aws-s3[8574] wm_aws.c:174 at wm_aws_main(): INFO: Fetching logs finished. 2023/02/13 10:42:02 wazuh-modulesd:aws-s3[8574] wm_aws.c:78 at wm_aws_main(): DEBUG: Sleeping until: 2023/02/13 10:51:49

Conclusions

The module worked as expected.

Test using ossec.conf in an agent

Deploy a CentOS 8 agent and install the required dependencies described in the official Wazuh documentation, then run the module adding the following configuration to the ossec.conf using Python 3.6:

Configuration no no 10m yes no dev wazuh-aws-wodle-cloudtrail 2022-MAR-21 dev wazuh-aws-wodle-macie 2022-JAN-01 dev 4_4_test 2022-DEC-01 us-east-1
Output 2023/02/13 14:06:01 wazuh-modulesd:aws-s3[5663] wm_aws.c:60 at wm_aws_main(): INFO: Module AWS started 2023/02/13 14:06:01 wazuh-modulesd:aws-s3[5663] wm_aws.c:82 at wm_aws_main(): INFO: Starting fetching of logs. 2023/02/13 14:06:01 wazuh-modulesd:aws-s3[5663] wm_aws.c:134 at wm_aws_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-aws-wodle-cloudtrail, Type: cloudtrail, Profile: dev) 2023/02/13 14:06:01 wazuh-modulesd:aws-s3[5663] wm_aws.c:329 at wm_aws_run_s3(): DEBUG: Create argument list 2023/02/13 14:06:01 wazuh-modulesd:aws-s3[5663] wm_aws.c:444 at wm_aws_run_s3(): DEBUG: Launching S3 Command: wodles/aws/aws-s3 --bucket wazuh-aws-wodle-cloudtrail --aws_profile dev --only_logs_after 2022-MAR-21 --type cloudtrail --debug 2 2023/02/13 14:06:04 wazuh-modulesd:aws-s3[5663] wm_aws.c:484 at wm_aws_run_s3(): DEBUG: Bucket: - OUTPUT: DEBUG: +++ Debug mode on - Level: 2 DEBUG: Generating default configuration for retries: mode standard - max_attempts 10 DEBUG: +++ Table does not exist; create DEBUG: +++ Working on 123456789123 - us-west-1 DEBUG: +++ Marker: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/21 DEBUG: ++ Found new log: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/30/123456789123_CloudTrail_us-west-1_20220330T0000Z_HASDoKlxgfdNInHa.json.gz DEBUG: ++ Found new log: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/30/123456789123_CloudTrail_us-west-1_20220330T0000Z_HASDoKlxgfdNInHa.json.zip DEBUG: ++ Found new log: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/30/123456789123_CloudTrail_us-west-1_20220330T0000Z_HASDoKlxgfdkdIOa.json.txt DEBUG: ++ Found new log: AWSLogs/123456789123/CloudTrail/us-west-1/2022/03/30/123456789123_CloudTrail_us-west-1_20220330T0002Z_HASDoKlxgfdNInHa.json.zip DEBUG: +++ DB Maintenance DEBUG: +++ Working on 123123456789 - us-west-1 DEBUG: +++ Marker: AWSLogs/123123456789/CloudTrail/us-west-1/2022/03/21 DEBUG: +++ No logs to process in bucket: 123123456789/us-west-1 DEBUG: +++ DB Maintenance DEBUG: +++ Working on 789123123456 - us-west-1 DEBUG: +++ Marker: AWSLogs/789123123456/CloudTrail/us-west-1/2022/03/21 DEBUG: ++ Found new log: AWSLogs/789123123456/CloudTrail/us-west-1/2023/01/25/123456789123_CloudTrail_us-west-1_20211223T0000Z_HASDOtJxxxxxxxxx.json.gz DEBUG: +++ DB Maintenance 2023/02/13 14:06:04 wazuh-modulesd:aws-s3[5663] wm_aws.c:134 at wm_aws_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-aws-wodle-macie, Type: custom, Profile: dev) 2023/02/13 14:06:04 wazuh-modulesd:aws-s3[5663] wm_aws.c:329 at wm_aws_run_s3(): DEBUG: Create argument list 2023/02/13 14:06:04 wazuh-modulesd:aws-s3[5663] wm_aws.c:444 at wm_aws_run_s3(): DEBUG: Launching S3 Command: wodles/aws/aws-s3 --bucket wazuh-aws-wodle-macie --aws_profile dev --only_logs_after 2022-JAN-01 --type custom --debug 2 2023/02/13 14:06:08 wazuh-modulesd:aws-s3[5663] wm_aws.c:484 at wm_aws_run_s3(): DEBUG: Bucket: - OUTPUT: DEBUG: +++ Debug mode on - Level: 2 DEBUG: Generating default configuration for retries: mode standard - max_attempts 10 DEBUG: +++ Table does not exist; create DEBUG: +++ Marker: 2022/01/01 DEBUG: ++ Found new log: 2022/02/14/firehose_macie-1-2022-02-14-01-20-42-eb1f80bc-5d9d-426b-a0a1-e0ad8d3ef656 DEBUG: ++ Found new log: 2022/11/09/firehose_macie-1-2021-12-01-00-40-40-e269348f-0b8e-4f61-a4e9-995424ftest1 DEBUG: ++ Found new log: 2022/11/09/firehose_macie-1-2021-12-01-00-40-40-e269348f-0b8e-4f61-a4e9-995424ftest1nolat DEBUG: ++ Found new log: 2022/11/09/firehose_macie-1-2021-12-01-00-40-40-e269348f-0b8e-4f61-a4e9-995424ftest2 DEBUG: ++ Found new log: 2022/11/09/firehose_macie-1-2022-02-14-01-20-42-eb1f80bc-5d9d-426b-a0a1-e0ad8d3ef656 DEBUG: ++ Found new log: 2022/11/10/firehose_macie-1-2021-12-01-00-40-40-with-geolocation-1 DEBUG: ++ Found new log: 2022/11/10/firehose_macie-1-2021-12-01-00-40-40-with-geolocation-2 DEBUG: ++ Found new log: 2022/11/10/firehose_macie-1-2022-02-14-01-20-42-no-geolocation DEBUG: +++ DB Maintenance 2023/02/13 14:06:10 wazuh-modulesd:aws-s3[5663] wm_aws.c:169 at wm_aws_main(): INFO: Executing Service Analysis: (Service: cloudwatchlogs, Profile: dev) 2023/02/13 14:06:10 wazuh-modulesd:aws-s3[5663] wm_aws.c:508 at wm_aws_run_service(): DEBUG: Create argument list 2023/02/13 14:06:10 wazuh-modulesd:aws-s3[5663] wm_aws.c:612 at wm_aws_run_service(): DEBUG: Launching S3 Command: wodles/aws/aws-s3 --service cloudwatchlogs --aws_profile dev --only_logs_after 2022-DEC-01 --regions us-east-1 --aws_log_groups 4_4_test --debug 2 2023/02/13 14:06:12 wazuh-modulesd:aws-s3[5663] wm_aws.c:653 at wm_aws_run_service(): DEBUG: Service: cloudwatchlogs - OUTPUT: DEBUG: +++ Debug mode on - Level: 2 DEBUG: +++ Getting alerts from "us-east-1" region. DEBUG: Generating default configuration for retries: mode standard - max_attempts 10 DEBUG: only logs: 1669852800000 DEBUG: +++ Table does not exist; create DEBUG: Getting log streams for "4_4_test" log group DEBUG: Found "test_stream" log stream in 4_4_test DEBUG: Getting data from DB for log stream "test_stream" in log group "4_4_test" DEBUG: Token: "None", start_time: "None", end_time: "None" DEBUG: Getting CloudWatch logs from log stream "test_stream" in log group "4_4_test" using token "None", start_time "1669852800000" and end_time "None" DEBUG: +++ Sending events to Analysisd... DEBUG: The message is "test log 05-12-22 #1" DEBUG: +++ Sending events to Analysisd... DEBUG: The message is "test log 12-12-22 #1" DEBUG: +++ Sending events to Analysisd... DEBUG: The message is "test log 12-12-22 #2" DEBUG: Getting CloudWatch logs from log stream "test_stream" in log group "4_4_test" using token "f/37261757152099465362158772923796054646091708432059990016/s", start_time "1669852800000" and end_time "None" DEBUG: Saving data for log group "4_4_test" and log stream "test_stream". DEBUG: The saved values are "{'token': 'f/37261757152132916477936604954625336921053419536048422911/s', 'start_time': 1669852800000, 'end_time': 1670874978409}" DEBUG: Purging the BD DEBUG: Getting log streams for "4_4_test" log group DEBUG: Found "test_stream" log stream in 4_4_test DEBUG: committing changes and closing the DB 2023/02/13 14:06:12 wazuh-modulesd:aws-s3[5663] wm_aws.c:174 at wm_aws_main(): INFO: Fetching logs finished. 2023/02/13 14:06:12 wazuh-modulesd:aws-s3[5663] wm_aws.c:78 at wm_aws_main(): DEBUG: Sleeping until: 2023/02/13 14:16:01

Conclusions

The module worked as expected.

fdalmaup commented 1 year ago

GCP Test results

No data must be modified or removed unless it was specified for the test.

The tests assume there is a valid authentication file located at /var/ossec/wodles/gcloud/credentials.json.

A test is considered valid if the following conditions are met:

Test results

Bucket/Service type Status Issue ref.
Test using ossec.conf in a manager :green_circle: -
Test using ossec.conf in a agent (Python 3.6) :green_circle: -

Environment details

To test Pub/Sub integration we developed a script able to publish any number of messages in the testing topic so we can ensure there always will be data available for the tests. This was required because of how Pub/Sub is designed as the messages are consumed once they are pulled.

Test using ossec.conf in a manager

Run the module using the following ossec.conf configuration:

ossec.conf yes 1d wazuh-dev-123456 wazuh-framework-subscription 4 info 50 /var/ossec/wodles/gcloud/credentials.json yes 1d info framework-test-bucket /var/ossec/wodles/gcloud/credentials.json framework-test-bucket /var/ossec/wodles/gcloud/credentials.json 2022-Jul-01 test_prefix
Ossec.log output 2023/02/13 11:49:09 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:131 at wm_gcp_pubsub_main(): INFO: Module started. 2023/02/13 11:49:09 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs. 2023/02/13 11:49:09 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list 2023/02/13 11:49:09 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project wazuh-dev-123456 --subscription_id wazuh-framework-subscription --credentials_file /var/ossec/wodles/gcloud/credentials.json --max_messages 50 --num_threads 4 --log_level 2 2023/02/13 11:49:09 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:170 at wm_gcp_bucket_main(): INFO: Module started. 2023/02/13 11:49:09 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs. 2023/02/13 11:49:09 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: framework-test-bucket, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/credentials.json) 2023/02/13 11:49:09 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list 2023/02/13 11:49:09 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name framework-test-bucket --credentials_file /var/ossec/wodles/gcloud/credentials.json --log_level 2 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_1_new.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Setting 4 threads to pull 50 messages in total 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_22.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_2_new.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_3.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Processing event: {"integration": "gcp", "gcp": [Mon Feb 13 11:48:09 2023] - Framework publish message 8} 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_3_new.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_4.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_5.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": [Mon Feb 13 11:48:09 2023] - Framework publish message 8}'" 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_6.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_7.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_8.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_9.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Processing event: {"integration": "gcp", "gcp": [Mon Feb 13 11:48:09 2023] - Framework publish message 10} 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_release_4_4.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of testingfile.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Received 0 messages 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": [Mon Feb 13 11:48:09 2023] - Framework publish message 10}'" 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: framework-test-bucket, Path: test_prefix, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/credentials.json) 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list 2023/02/13 11:49:13 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name framework-test-bucket --credentials_file /var/ossec/wodles/gcloud/credentials.json --prefix test_prefix --only_logs_after 2022-Jul-01 --log_level 2 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Processing event: {"integration": "gcp", "gcp": [Mon Feb 13 11:48:08 2023] - Framework publish message 0} 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": [Mon Feb 13 11:48:08 2023] - Framework publish message 0}'" ... 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Received and acknowledged 50 messages 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished. 2023/02/13 11:49:13 wazuh-modulesd:gcp-pubsub[16452] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2023/02/14 11:49:09 2023/02/13 11:49:14 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_prefix/test_1.txt is older than 2022-07-01 00:00:00+00:00. Skipping it... 2023/02/13 11:49:14 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Processing test_prefix/test_2.txt 2023/02/13 11:49:14 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"GOOGLE CLOUD STORAGE TEST": "Log 1", "source": "gcp_bucket"}}'" 2023/02/13 11:49:14 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Updating previously processed files. 2023/02/13 11:49:14 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Received 1 message 2023/02/13 11:49:14 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished. 2023/02/13 11:49:14 wazuh-modulesd:gcp-bucket[16452] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2023/02/14 11:49:09

Conclusions

The module worked as expected, 50 events were sent to analysisd.

Test using ossec.conf in an agent with Python 3.6

Run the module using the following ossec.conf configuration:

ossec.conf yes 1d wazuh-dev-123456 wazuh-framework-subscription 4 info 50 /var/ossec/wodles/gcloud/credentials.json yes 1d info framework-test-bucket /var/ossec/wodles/gcloud/credentials.json framework-test-bucket /var/ossec/wodles/gcloud/credentials.json 2022-Jul-01 test_prefix
Ossec.log output 2023/02/13 15:01:54 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:131 at wm_gcp_pubsub_main(): INFO: Module started. 2023/02/13 15:01:54 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs. 2023/02/13 15:01:54 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list 2023/02/13 15:01:54 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project wazuh-dev-123456 --subscription_id wazuh-framework-subscription --credentials_file /var/ossec/wodles/gcloud/credentials.json --max_messages 50 --num_threads 4 --log_level 2 2023/02/13 15:01:54 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:170 at wm_gcp_bucket_main(): INFO: Module started. 2023/02/13 15:01:54 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs. 2023/02/13 15:01:54 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: framework-test-bucket, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/credentials.json) 2023/02/13 15:01:54 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list 2023/02/13 15:01:54 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name framework-test-bucket --credentials_file /var/ossec/wodles/gcloud/credentials.json --log_level 2 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_1_new.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_22.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_2_new.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_3.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_3_new.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_4.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_5.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_6.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_7.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_8.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_9.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_release_4_4.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of testingfile.txt is older than 2023-02-13 00:00:00+00:00. Skipping it... 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Received 0 messages 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: framework-test-bucket, Path: test_prefix, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/credentials.json) 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list 2023/02/13 15:01:55 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name framework-test-bucket --credentials_file /var/ossec/wodles/gcloud/credentials.json --prefix test_prefix --only_logs_after 2022-Jul-01 --log_level 2 2023/02/13 15:01:56 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: The creation time of test_prefix/test_1.txt is older than 2022-07-01 00:00:00+00:00. Skipping it... 2023/02/13 15:01:56 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Processing test_prefix/test_2.txt 2023/02/13 15:01:56 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"GOOGLE CLOUD STORAGE TEST": "Log 1", "source": "gcp_bucket"}}'" 2023/02/13 15:01:56 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Updating previously processed files. 2023/02/13 15:01:56 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Received 1 message 2023/02/13 15:01:56 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished. 2023/02/13 15:01:56 wazuh-modulesd:gcp-bucket[10243] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2023/02/14 15:01:54 2023/02/13 15:01:57 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Setting 4 threads to pull 50 messages in total 2023/02/13 15:01:57 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Processing event: {"integration": "gcp", "gcp": [Mon Feb 13 11:54:38 2023] - Framework publish message 6} 2023/02/13 15:01:57 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": [Mon Feb 13 11:54:38 2023] - Framework publish message 6}'" ... 2023/02/13 15:01:57 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Received and acknowledged 50 messages 2023/02/13 15:01:57 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished. 2023/02/13 15:01:57 wazuh-modulesd:gcp-pubsub[10243] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2023/02/14 15:01:54

Conclusions

The module worked as expected, 50 events were sent to analysisd.

fdalmaup commented 1 year ago

Azure Test results

The following tests must be performed in sequential order. No data must be modified or removed unless it was specified for the test.

The tests assume there is a valid authentication file located at {wazuh_path}/wodles/azure/credentials.

A test is considered valid if the following conditions are met:

Test results

Bucket/Service type Status Issue ref.
Test using ossec.conf in a manager :green_circle: -
Test using ossec.conf in a agent (Python 3.6) :green_circle: -

Test using ossec.conf in a manager

Remove the database file and run the module using the following configuration. Check the output and the database status.

Configuration used no 10m yes /var/ossec/wodles/azure/credentials wazuh.onmicrosoft.com auditLogs/directoryaudits 30d auditLogs/signIns 30d auditLogs/provisioning 30d /var/ossec/wodles/azure/credentials-analytics wazuh.onmicrosoft.com d6b...efa AzureActivity 30d /var/ossec/wodles/azure/credentials-storage azure-activity 30d
Ossec.log output 2023/02/13 12:57:09 wazuh-modulesd:azure-logs[18126] wm_azure.c:54 at wm_azure_main(): INFO: Module started. 2023/02/13 12:57:09 wazuh-modulesd:azure-logs[18126] wm_azure.c:74 at wm_azure_main(): INFO: Starting fetching of logs. 2023/02/13 12:57:09 wazuh-modulesd:azure-logs[18126] wm_azure.c:85 at wm_azure_main(): INFO: Starting Graphs log collection for the domain 'wazuh.onmicrosoft.com'. 2023/02/13 12:57:09 wazuh-modulesd:azure-logs[18126] wm_azure.c:209 at wm_azure_graphs(): DEBUG: Creating argument list. 2023/02/13 12:57:09 wazuh-modulesd:azure-logs[18126] wm_azure.c:259 at wm_azure_graphs(): DEBUG: Launching command: wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/credentials --graph_tenant_domain wazuh.onmicrosoft.com --graph_tag request_1353914436 --graph_query 'auditLogs/directoryaudits' --graph_time_offset 30d --debug 2 2023/02/13 12:57:12 wazuh-modulesd:azure-logs[18126] wm_azure.c:276 at wm_azure_graphs(): INFO: Finished Graphs log collection for request 'request_1353914436'. 2023/02/13 12:57:12 wazuh-modulesd:azure-logs[18126] wm_azure.c:209 at wm_azure_graphs(): DEBUG: Creating argument list. 2023/02/13 12:57:12 wazuh-modulesd:azure-logs[18126] wm_azure.c:259 at wm_azure_graphs(): DEBUG: Launching command: wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/credentials --graph_tenant_domain wazuh.onmicrosoft.com --graph_tag request_2106948842 --graph_query 'auditLogs/signIns' --graph_time_offset 30d --debug 2 2023/02/13 12:57:14 wazuh-modulesd:azure-logs[18126] wm_azure.c:276 at wm_azure_graphs(): INFO: Finished Graphs log collection for request 'request_2106948842'. 2023/02/13 12:57:14 wazuh-modulesd:azure-logs[18126] wm_azure.c:209 at wm_azure_graphs(): DEBUG: Creating argument list. 2023/02/13 12:57:14 wazuh-modulesd:azure-logs[18126] wm_azure.c:259 at wm_azure_graphs(): DEBUG: Launching command: wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/credentials --graph_tenant_domain wazuh.onmicrosoft.com --graph_tag request_847147825 --graph_query 'auditLogs/provisioning' --graph_time_offset 30d --debug 2 2023/02/13 12:57:16 wazuh-modulesd:azure-logs[18126] wm_azure.c:276 at wm_azure_graphs(): INFO: Finished Graphs log collection for request 'request_847147825'. 2023/02/13 12:57:16 wazuh-modulesd:azure-logs[18126] wm_azure.c:87 at wm_azure_main(): INFO: Finished Graphs log collection for the domain 'wazuh.onmicrosoft.com'. 2023/02/13 12:57:16 wazuh-modulesd:azure-logs[18126] wm_azure.c:81 at wm_azure_main(): INFO: Starting Log Analytics collection for the domain 'wazuh.onmicrosoft.com'. 2023/02/13 12:57:16 wazuh-modulesd:azure-logs[18126] wm_azure.c:120 at wm_azure_log_analytics(): DEBUG: Creating argument list. 2023/02/13 12:57:16 wazuh-modulesd:azure-logs[18126] wm_azure.c:172 at wm_azure_log_analytics(): DEBUG: Launching command: wodles/azure/azure-logs --log_analytics --la_auth_path /var/ossec/wodles/azure/credentials-analytics --la_tenant_domain wazuh.onmicrosoft.com --la_tag request_996815604 --la_query "AzureActivity" --workspace d6b...efa --la_time_offset 30d --debug 2 2023/02/13 12:57:18 wazuh-modulesd:azure-logs[18126] wm_azure.c:189 at wm_azure_log_analytics(): INFO: Finished Log Analytics collection for request 'request_996815604'. 2023/02/13 12:57:18 wazuh-modulesd:azure-logs[18126] wm_azure.c:83 at wm_azure_main(): INFO: Finished Log Analytics collection for the domain 'wazuh.onmicrosoft.com'. 2023/02/13 12:57:18 wazuh-modulesd:azure-logs[18126] wm_azure.c:92 at wm_azure_main(): INFO: Starting Storage log collection for 'azure-activity'. 2023/02/13 12:57:18 wazuh-modulesd:azure-logs[18126] wm_azure.c:297 at wm_azure_storage(): DEBUG: Creating argument list. 2023/02/13 12:57:18 wazuh-modulesd:azure-logs[18126] wm_azure.c:359 at wm_azure_storage(): DEBUG: Launching command: wodles/azure/azure-logs --storage --storage_auth_path /var/ossec/wodles/azure/credentials-storage --container "frameworktestcontainer" --blobs "*" --storage_tag azure-activity --storage_time_offset 30d --debug 2 2023/02/13 12:57:20 wazuh-modulesd:azure-logs[18126] wm_azure.c:376 at wm_azure_storage(): INFO: Finished Storage log collection for container 'frameworktestcontainer'. 2023/02/13 12:57:20 wazuh-modulesd:azure-logs[18126] wm_azure.c:297 at wm_azure_storage(): DEBUG: Creating argument list. 2023/02/13 12:57:20 wazuh-modulesd:azure-logs[18126] wm_azure.c:359 at wm_azure_storage(): DEBUG: Launching command: wodles/azure/azure-logs --storage --storage_auth_path /var/ossec/wodles/azure/credentials-storage --container "frameworktestcontainer" --blobs "*" --storage_tag azure-activity --debug 2 2023/02/13 12:57:21 wazuh-modulesd:azure-logs[18126] wm_azure.c:376 at wm_azure_storage(): INFO: Finished Storage log collection for container 'frameworktestcontainer'. 2023/02/13 12:57:21 wazuh-modulesd:azure-logs[18126] wm_azure.c:297 at wm_azure_storage(): DEBUG: Creating argument list. 2023/02/13 12:57:21 wazuh-modulesd:azure-logs[18126] wm_azure.c:359 at wm_azure_storage(): DEBUG: Launching command: wodles/azure/azure-logs --storage --storage_auth_path /var/ossec/wodles/azure/credentials-storage --container "frameworktestcontainer" --blobs "*" --storage_tag azure-activity --debug 2 2023/02/13 12:57:23 wazuh-modulesd:azure-logs[18126] wm_azure.c:376 at wm_azure_storage(): INFO: Finished Storage log collection for container 'frameworktestcontainer'. 2023/02/13 12:57:23 wazuh-modulesd:azure-logs[18126] wm_azure.c:94 at wm_azure_main(): INFO: Finished Storage log collection for 'azure-activity'. 2023/02/13 12:57:23 wazuh-modulesd:azure-logs[18126] wm_azure.c:100 at wm_azure_main(): DEBUG: Fetching logs finished. 2023/02/13 12:57:23 wazuh-modulesd:azure-logs[18126] wm_azure.c:70 at wm_azure_main(): DEBUG: Sleeping until: 2023/02/13 13:07:09
database status after the test sqlite3 azure.db 'SELECT * from graph' 169e36eda7ce0ec7141250c5a2d03285|auditLogs/directoryaudits|2023-01-14T15:57:09.808529Z|2023-02-12T14:50:09.7614201Z 2012f3812bfc764b6a927f00ddcd7c16|auditLogs/signIns|2023-01-14T15:57:12.905890Z|2023-01-14T15:57:12.905890Z 6dda2a850e8dae924bc8a63fe246b0ad|auditLogs/provisioning|2023-01-14T15:57:15.459871Z|2023-01-14T15:57:15.459871Z sqlite3 azure.db 'SELECT * from log_analytics' f90c15b0327962c9e661142547368572|AzureActivity|2023-01-14T15:57:17.357188Z|2023-01-30T23:07:04.860231Z sqlite3 azure.db 'SELECT * from storage' 82e049b81fa6eb88ebf85f1677785f2b|frameworkteststorage|2023-01-14T15:57:20.122713Z|2023-01-14T15:57:20.122713Z

Conclusions

The module worked as expected. The events were sent to the analysis engine.

Test using ossec.conf in a agent with Python 3.6

Remove the database file and run the module using the following configuration. Check the output and the database status.

Configuration used no 10m yes /var/ossec/wodles/azure/credentials wazuh.onmicrosoft.com auditLogs/directoryaudits 30d auditLogs/signIns 30d auditLogs/provisioning 30d /var/ossec/wodles/azure/credentials-analytics wazuh.onmicrosoft.com d6b...efa AzureActivity 30d /var/ossec/wodles/azure/credentials-storage azure-activity 30d
Ossec.log output 2023/02/13 16:10:09 wazuh-modulesd:azure-logs[12429] wm_azure.c:54 at wm_azure_main(): INFO: Module started. 2023/02/13 16:10:09 wazuh-modulesd:azure-logs[12429] wm_azure.c:74 at wm_azure_main(): INFO: Starting fetching of logs. 2023/02/13 16:10:09 wazuh-modulesd:azure-logs[12429] wm_azure.c:85 at wm_azure_main(): INFO: Starting Graphs log collection for the domain 'wazuh.onmicrosoft.com'. 2023/02/13 16:10:09 wazuh-modulesd:azure-logs[12429] wm_azure.c:209 at wm_azure_graphs(): DEBUG: Creating argument list. 2023/02/13 16:10:09 wazuh-modulesd:azure-logs[12429] wm_azure.c:259 at wm_azure_graphs(): DEBUG: Launching command: wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/credentials --graph_tenant_domain wazuh.onmicrosoft.com --graph_tag request_1024477046 --graph_query 'auditLogs/directoryaudits' --graph_time_offset 30d --debug 2 2023/02/13 16:10:12 wazuh-modulesd:azure-logs[12429] wm_azure.c:276 at wm_azure_graphs(): INFO: Finished Graphs log collection for request 'request_1024477046'. 2023/02/13 16:10:12 wazuh-modulesd:azure-logs[12429] wm_azure.c:209 at wm_azure_graphs(): DEBUG: Creating argument list. 2023/02/13 16:10:12 wazuh-modulesd:azure-logs[12429] wm_azure.c:259 at wm_azure_graphs(): DEBUG: Launching command: wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/credentials --graph_tenant_domain wazuh.onmicrosoft.com --graph_tag request_553957529 --graph_query 'auditLogs/signIns' --graph_time_offset 30d --debug 2 2023/02/13 16:10:14 wazuh-modulesd:azure-logs[12429] wm_azure.c:276 at wm_azure_graphs(): INFO: Finished Graphs log collection for request 'request_553957529'. 2023/02/13 16:10:14 wazuh-modulesd:azure-logs[12429] wm_azure.c:209 at wm_azure_graphs(): DEBUG: Creating argument list. 2023/02/13 16:10:14 wazuh-modulesd:azure-logs[12429] wm_azure.c:259 at wm_azure_graphs(): DEBUG: Launching command: wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/credentials --graph_tenant_domain wazuh.onmicrosoft.com --graph_tag request_199025250 --graph_query 'auditLogs/provisioning' --graph_time_offset 30d --debug 2 2023/02/13 16:10:16 wazuh-modulesd:azure-logs[12429] wm_azure.c:276 at wm_azure_graphs(): INFO: Finished Graphs log collection for request 'request_199025250'. 2023/02/13 16:10:16 wazuh-modulesd:azure-logs[12429] wm_azure.c:87 at wm_azure_main(): INFO: Finished Graphs log collection for the domain 'wazuh.onmicrosoft.com'. 2023/02/13 16:10:16 wazuh-modulesd:azure-logs[12429] wm_azure.c:81 at wm_azure_main(): INFO: Starting Log Analytics collection for the domain 'wazuh.onmicrosoft.com'. 2023/02/13 16:10:16 wazuh-modulesd:azure-logs[12429] wm_azure.c:120 at wm_azure_log_analytics(): DEBUG: Creating argument list. 2023/02/13 16:10:16 wazuh-modulesd:azure-logs[12429] wm_azure.c:172 at wm_azure_log_analytics(): DEBUG: Launching command: wodles/azure/azure-logs --log_analytics --la_auth_path /var/ossec/wodles/azure/credentials-analytics --la_tenant_domain wazuh.onmicrosoft.com --la_tag request_345878887 --la_query "AzureActivity" --workspace d6b...efa --la_time_offset 30d --debug 2 2023/02/13 16:10:19 wazuh-modulesd:azure-logs[12429] wm_azure.c:189 at wm_azure_log_analytics(): INFO: Finished Log Analytics collection for request 'request_345878887'. 2023/02/13 16:10:19 wazuh-modulesd:azure-logs[12429] wm_azure.c:83 at wm_azure_main(): INFO: Finished Log Analytics collection for the domain 'wazuh.onmicrosoft.com'. 2023/02/13 16:10:19 wazuh-modulesd:azure-logs[12429] wm_azure.c:92 at wm_azure_main(): INFO: Starting Storage log collection for 'azure-activity'. 2023/02/13 16:10:19 wazuh-modulesd:azure-logs[12429] wm_azure.c:297 at wm_azure_storage(): DEBUG: Creating argument list. 2023/02/13 16:10:19 wazuh-modulesd:azure-logs[12429] wm_azure.c:359 at wm_azure_storage(): DEBUG: Launching command: wodles/azure/azure-logs --storage --storage_auth_path /var/ossec/wodles/azure/credentials-storage --container "frameworktestcontainer" --blobs "*" --storage_tag azure-activity --storage_time_offset 30d --debug 2 2023/02/13 16:10:20 wazuh-modulesd:azure-logs[12429] wm_azure.c:376 at wm_azure_storage(): INFO: Finished Storage log collection for container 'frameworktestcontainer'. 2023/02/13 16:10:20 wazuh-modulesd:azure-logs[12429] wm_azure.c:297 at wm_azure_storage(): DEBUG: Creating argument list. 2023/02/13 16:10:20 wazuh-modulesd:azure-logs[12429] wm_azure.c:359 at wm_azure_storage(): DEBUG: Launching command: wodles/azure/azure-logs --storage --storage_auth_path /var/ossec/wodles/azure/credentials-storage --container "frameworktestcontainer" --blobs "*" --storage_tag azure-activity --debug 2 2023/02/13 16:10:22 wazuh-modulesd:azure-logs[12429] wm_azure.c:376 at wm_azure_storage(): INFO: Finished Storage log collection for container 'frameworktestcontainer'. 2023/02/13 16:10:22 wazuh-modulesd:azure-logs[12429] wm_azure.c:297 at wm_azure_storage(): DEBUG: Creating argument list. 2023/02/13 16:10:22 wazuh-modulesd:azure-logs[12429] wm_azure.c:359 at wm_azure_storage(): DEBUG: Launching command: wodles/azure/azure-logs --storage --storage_auth_path /var/ossec/wodles/azure/credentials-storage --container "frameworktestcontainer" --blobs "*" --storage_tag azure-activity --debug 2 2023/02/13 16:10:24 wazuh-modulesd:azure-logs[12429] wm_azure.c:376 at wm_azure_storage(): INFO: Finished Storage log collection for container 'frameworktestcontainer'. 2023/02/13 16:10:24 wazuh-modulesd:azure-logs[12429] wm_azure.c:94 at wm_azure_main(): INFO: Finished Storage log collection for 'azure-activity'. 2023/02/13 16:10:24 wazuh-modulesd:azure-logs[12429] wm_azure.c:100 at wm_azure_main(): DEBUG: Fetching logs finished. 2023/02/13 16:10:24 wazuh-modulesd:azure-logs[12429] wm_azure.c:70 at wm_azure_main(): DEBUG: Sleeping until: 2023/02/13 16:20:09
database status after the test sqlite3 azure.db 'SELECT * from graph' 169e36eda7ce0ec7141250c5a2d03285|auditLogs/directoryaudits|2023-01-14T16:10:10.409625Z|2023-02-12T14:50:09.7614201Z 2012f3812bfc764b6a927f00ddcd7c16|auditLogs/signIns|2023-01-14T16:10:12.898297Z|2023-01-14T16:10:12.898297Z 6dda2a850e8dae924bc8a63fe246b0ad|auditLogs/provisioning|2023-01-14T16:10:14.950398Z|2023-01-14T16:10:14.950398Z sqlite3 azure.db 'SELECT * from log_analytics' f90c15b0327962c9e661142547368572|AzureActivity|2023-01-14T16:10:17.031665Z|2023-01-30T23:07:04.860231Z sqlite3 azure.db 'SELECT * from storage' 82e049b81fa6eb88ebf85f1677785f2b|frameworkteststorage|2023-01-14T16:10:20.262532Z|2023-01-14T16:10:20.262532Z

Conclusions

The module worked as expected. The events were sent to the analysis engine.

fdalmaup commented 1 year ago

Docker Listener Test results

The logall_json option must be enabled in the ossec.conf file before starting the tests.

Test docker listener using ossec.conf in a manager

Apply the following configuration, restart Wazuh and check ossec.log to verify the module is running

<wodle name="docker-listener">
    <interval>30s</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
</wodle>
ossec.log output 2023/02/13 13:22:27 wazuh-modulesd[20840] main.c:95 at main(): DEBUG: Created new thread for the 'docker-listener' module. 2023/02/13 13:22:27 wazuh-modulesd:docker-listener[20840] wm_docker.c:46 at wm_docker_main(): INFO: Module docker-listener started. 2023/02/13 13:22:27 wazuh-modulesd:docker-listener[20840] wm_docker.c:59 at wm_docker_main(): INFO: Starting to listening Docker events. 2023/02/13 13:22:27 wazuh-modulesd:docker-listener[20840] wm_docker.c:63 at wm_docker_main(): DEBUG: Launching command 'wodles/docker/DockerListener'

Run a container with no cache available

docker run ubuntu
Archives.json output {"timestamp":"2023-02-13T16:27:53.941+0000","rule":{"level":3,"description":"Docker: Image or repository ubuntu pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"],"hipaa":["164.312.b"],"nist_800_53":["AU.14"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305673.1862519","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"pull\", \"id\": \"ubuntu:latest\", \"Type\": \"image\", \"Action\": \"pull\", \"Actor\": {\"ID\": \"ubuntu:latest\", \"Attributes\": {\"name\": \"ubuntu\", \"org.opencontainers.image.ref.name\": \"ubuntu\", \"org.opencontainers.image.version\": \"22.04\"}}, \"scope\": \"local\", \"time\": 1676305673, \"timeNano\": 1676305673941344388}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"pull","id":"ubuntu:latest","Type":"image","Action":"pull","Actor":{"ID":"ubuntu:latest","Attributes":{"name":"ubuntu","org":{"opencontainers":{"image":{"ref":{"name":"ubuntu"},"version":"22.04"}}}}},"scope":"local","time":"1676305673","timeNano":"1676305673941344512.000000"}},"location":"Wazuh-Docker"} {"timestamp":"2023-02-13T16:27:54.023+0000","rule":{"level":3,"description":"Docker: Container pedantic_elion created","id":"87901","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"],"hipaa":["164.312.b"],"nist_800_53":["AU.14"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305674.1863490","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"create\", \"id\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"from\": \"ubuntu\", \"Type\": \"container\", \"Action\": \"create\", \"Actor\": {\"ID\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"Attributes\": {\"image\": \"ubuntu\", \"name\": \"pedantic_elion\", \"org.opencontainers.image.ref.name\": \"ubuntu\", \"org.opencontainers.image.version\": \"22.04\"}}, \"scope\": \"local\", \"time\": 1676305674, \"timeNano\": 1676305674022908662}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"create","id":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","from":"ubuntu","Type":"container","Action":"create","Actor":{"ID":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","Attributes":{"image":"ubuntu","name":"pedantic_elion","org":{"opencontainers":{"image":{"ref":{"name":"ubuntu"},"version":"22.04"}}}}},"scope":"local","time":"1676305674","timeNano":"1676305674022908672.000000"}},"location":"Wazuh-Docker"} {"timestamp":"2023-02-13T16:27:54.024+0000","rule":{"level":3,"description":"Docker: Attached local standard input, output, and error streams to container pedantic_elion","id":"87922","firedtimes":2,"mail":false,"groups":["docker"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305674.1864791","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"attach\", \"id\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"from\": \"ubuntu\", \"Type\": \"container\", \"Action\": \"attach\", \"Actor\": {\"ID\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"Attributes\": {\"image\": \"ubuntu\", \"name\": \"pedantic_elion\", \"org.opencontainers.image.ref.name\": \"ubuntu\", \"org.opencontainers.image.version\": \"22.04\"}}, \"scope\": \"local\", \"time\": 1676305674, \"timeNano\": 1676305674023880239}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"attach","id":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","from":"ubuntu","Type":"container","Action":"attach","Actor":{"ID":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","Attributes":{"image":"ubuntu","name":"pedantic_elion","org":{"opencontainers":{"image":{"ref":{"name":"ubuntu"},"version":"22.04"}}}}},"scope":"local","time":"1676305674","timeNano":"1676305674023880192.000000"}},"location":"Wazuh-Docker"} {"timestamp":"2023-02-13T16:27:54.035+0000","rule":{"level":3,"description":"Docker: Network bridge connected","id":"87928","firedtimes":2,"mail":false,"groups":["docker"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305674.1866065","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"Type\": \"network\", \"Action\": \"connect\", \"Actor\": {\"ID\": \"98142bb3e0328d83b031db00ca67c5d3f55044bfcabdb7a7fd89e36cec4cb9c8\", \"Attributes\": {\"container\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"name\": \"bridge\", \"type\": \"bridge\"}}, \"scope\": \"local\", \"time\": 1676305674, \"timeNano\": 1676305674035184933}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"Type":"network","Action":"connect","Actor":{"ID":"98142bb3e0328d83b031db00ca67c5d3f55044bfcabdb7a7fd89e36cec4cb9c8","Attributes":{"container":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","name":"bridge","type":"bridge"}},"scope":"local","time":"1676305674","timeNano":"1676305674035184896.000000"}},"location":"Wazuh-Docker"} {"timestamp":"2023-02-13T16:27:54.301+0000","rule":{"level":3,"description":"Docker: Container pedantic_elion started","id":"87903","firedtimes":2,"mail":false,"groups":["docker"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305674.1866988","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"start\", \"id\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"from\": \"ubuntu\", \"Type\": \"container\", \"Action\": \"start\", \"Actor\": {\"ID\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"Attributes\": {\"image\": \"ubuntu\", \"name\": \"pedantic_elion\", \"org.opencontainers.image.ref.name\": \"ubuntu\", \"org.opencontainers.image.version\": \"22.04\"}}, \"scope\": \"local\", \"time\": 1676305674, \"timeNano\": 1676305674301038466}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"start","id":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","from":"ubuntu","Type":"container","Action":"start","Actor":{"ID":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","Attributes":{"image":"ubuntu","name":"pedantic_elion","org":{"opencontainers":{"image":{"ref":{"name":"ubuntu"},"version":"22.04"}}}}},"scope":"local","time":"1676305674","timeNano":"1676305674301038592.000000"}},"location":"Wazuh-Docker"} {"timestamp":"2023-02-13T16:27:54.469+0000","rule":{"level":4,"description":"Docker: Network bridge disconnected","id":"87929","firedtimes":2,"mail":false,"groups":["docker"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305674.1868206","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"Type\": \"network\", \"Action\": \"disconnect\", \"Actor\": {\"ID\": \"98142bb3e0328d83b031db00ca67c5d3f55044bfcabdb7a7fd89e36cec4cb9c8\", \"Attributes\": {\"container\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"name\": \"bridge\", \"type\": \"bridge\"}}, \"scope\": \"local\", \"time\": 1676305674, \"timeNano\": 1676305674468669689}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"Type":"network","Action":"disconnect","Actor":{"ID":"98142bb3e0328d83b031db00ca67c5d3f55044bfcabdb7a7fd89e36cec4cb9c8","Attributes":{"container":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","name":"bridge","type":"bridge"}},"scope":"local","time":"1676305674","timeNano":"1676305674468669696.000000"}},"location":"Wazuh-Docker"} {"timestamp":"2023-02-13T16:27:54.481+0000","rule":{"level":7,"description":"Docker: Container pedantic_elion received the action: die","id":"87924","firedtimes":2,"mail":false,"groups":["docker"],"gdpr":["IV_32.2"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305674.1869138","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"die\", \"id\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"from\": \"ubuntu\", \"Type\": \"container\", \"Action\": \"die\", \"Actor\": {\"ID\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"Attributes\": {\"exitCode\": \"0\", \"image\": \"ubuntu\", \"name\": \"pedantic_elion\", \"org.opencontainers.image.ref.name\": \"ubuntu\", \"org.opencontainers.image.version\": \"22.04\"}}, \"scope\": \"local\", \"time\": 1676305674, \"timeNano\": 1676305674480608767}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"die","id":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","from":"ubuntu","Type":"container","Action":"die","Actor":{"ID":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","Attributes":{"exitCode":"0","image":"ubuntu","name":"pedantic_elion","org":{"opencontainers":{"image":{"ref":{"name":"ubuntu"},"version":"22.04"}}}}},"scope":"local","time":"1676305674","timeNano":"1676305674480608768.000000"}},"location":"Wazuh-Docker"}

Remove the image

Archives.json output {"timestamp":"2023-02-13T16:29:17.129+0000","rule":{"level":5,"description":"Docker: Container pedantic_elion destroyed","id":"87902","mitre":{"id":["T1561.001"],"tactic":["Impact"],"technique":["Disk Content Wipe"]},"firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7","11.5"],"hipaa":["164.312.b","164.312.c.1","164.312.c.2"],"nist_800_53":["AU.14","SI.7"],"tsc":["CC6.8","CC7.2","CC7.3","PI1.4","PI1.5","CC6.1"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305757.1870431","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"destroy\", \"id\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"from\": \"ubuntu\", \"Type\": \"container\", \"Action\": \"destroy\", \"Actor\": {\"ID\": \"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0\", \"Attributes\": {\"image\": \"ubuntu\", \"name\": \"pedantic_elion\", \"org.opencontainers.image.ref.name\": \"ubuntu\", \"org.opencontainers.image.version\": \"22.04\"}}, \"scope\": \"local\", \"time\": 1676305757, \"timeNano\": 1676305757129150880}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"destroy","id":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","from":"ubuntu","Type":"container","Action":"destroy","Actor":{"ID":"4c2ef8f756c667b1f1c4a86faa499f558189b0af8ec690b35e54f63ca25a33f0","Attributes":{"image":"ubuntu","name":"pedantic_elion","org":{"opencontainers":{"image":{"ref":{"name":"ubuntu"},"version":"22.04"}}}}},"scope":"local","time":"1676305757","timeNano":"1676305757129150976.000000"}},"location":"Wazuh-Docker"} {"timestamp":"2023-02-13T16:29:18.985+0000","rule":{"level":3,"description":"Docker: Image sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02 untagged","id":"87919","firedtimes":2,"mail":false,"groups":["docker"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305758.1871834","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"untag\", \"id\": \"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02\", \"Type\": \"image\", \"Action\": \"untag\", \"Actor\": {\"ID\": \"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02\", \"Attributes\": {\"name\": \"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02\", \"org.opencontainers.image.ref.name\": \"ubuntu\", \"org.opencontainers.image.version\": \"22.04\"}}, \"scope\": \"local\", \"time\": 1676305758, \"timeNano\": 1676305758984705579}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"untag","id":"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02","Type":"image","Action":"untag","Actor":{"ID":"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02","Attributes":{"name":"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02","org":{"opencontainers":{"image":{"ref":{"name":"ubuntu"},"version":"22.04"}}}}},"scope":"local","time":"1676305758","timeNano":"1676305758984705536.000000"}},"location":"Wazuh-Docker"} {"timestamp":"2023-02-13T16:29:19.021+0000","rule":{"level":7,"description":"Docker: Container sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02 deleted","id":"87921","mitre":{"id":["T1070.004","T1561.001"],"tactic":["Defense Evasion","Impact"],"technique":["File Deletion","Disk Content Wipe"]},"firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7","11.5"],"hipaa":["164.312.b","164.312.c.1","164.312.c.2"],"nist_800_53":["AU.14","SI.7"],"tsc":["CC6.8","CC7.2","CC7.3","PI1.4","PI1.5","CC6.1"]},"agent":{"id":"000","name":"94ab9303e773"},"manager":{"name":"94ab9303e773"},"id":"1676305759.1873145","cluster":{"name":"wazuh","node":"manager"},"full_log":"{\"integration\": \"docker\", \"docker\": {\"status\": \"delete\", \"id\": \"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02\", \"Type\": \"image\", \"Action\": \"delete\", \"Actor\": {\"ID\": \"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02\", \"Attributes\": {\"name\": \"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02\"}}, \"scope\": \"local\", \"time\": 1676305759, \"timeNano\": 1676305759020984661}}","decoder":{"name":"json"},"data":{"integration":"docker","docker":{"status":"delete","id":"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02","Type":"image","Action":"delete","Actor":{"ID":"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02","Attributes":{"name":"sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02"}},"scope":"local","time":"1676305759","timeNano":"1676305759020984576.000000"}},"location":"Wazuh-Docker"}

Conclusions

The module worked as expected

fdalmaup commented 1 year ago

Shuffle Test Results

The test assumes there is a functional Shuffle instance with an available webhook.

A test is considered valid if the following conditions are met:

Test using ossec.conf in a manager

The following configuration has to be added to ossec.conf

<integration>
     <name>shuffle</name>
     <hook_url>http://<IP>:3001/api/v1/hooks/<HOOK_ID></hook_url>
     <level>3</level>
     <alert_format>json</alert_format>
 </integration>

Also, the configuration integrator.debug=2 to local_internal_options.conf.

Restart the Wazuh Manager.

ossec.log 2023/02/13 18:20:29 wazuh-integratord[16728] integrator.c:403 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/shuffle-1676312429--440813932.alert http://:3001/api/v1/hooks/ debug 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: /var/ossec/framework/python/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host '172.21.0.6'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: # Starting 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: # Webhook 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: http://:3001/api/v1/hooks/ 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: # File location 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: /tmp/shuffle-1676312429--440813932.alert 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: # Processing alert 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: {'timestamp': '2023-02-13T18:20:28.152+0000', 'rule': {'level': 3, 'description': 'Ossec server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': '547658cb07c1'}, 'manager': {'name': '547658cb07c1'}, 'id': '1676312428.510102', 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'} 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: # Generating message 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: {"severity": 1, "pretext": "WAZUH Alert", "title": "Ossec server started.", "text": "ossec: Manager started.", "rule_id": "502", "timestamp": "2023-02-13T18:20:28.152+0000", "id": "1676312428.510102", "all_fields": {"timestamp": "2023-02-13T18:20:28.152+0000", "rule": {"level": 3, "description": "Ossec server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "547658cb07c1"}, "manager": {"name": "547658cb07c1"}, "id": "1676312428.510102", "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}} 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: # Sending message 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: # In send msg 2023/02/13 18:20:30 wazuh-integratord[16728] integrator.c:412 at OS_IntegratorD(): DEBUG: integratord: Mon Feb 13 18:20:30 UTC 2023: # After send msg:
integrations.log Mon Feb 13 18:20:30 UTC 2023 /tmp/shuffle-1676312429--440813932.alert http://:3001/api/v1/hooks/ debug Mon Feb 13 18:20:30 UTC 2023: # Starting Mon Feb 13 18:20:30 UTC 2023: # Webhook Mon Feb 13 18:20:30 UTC 2023: http://:3001/api/v1/hooks/ Mon Feb 13 18:20:30 UTC 2023: # File location Mon Feb 13 18:20:30 UTC 2023: /tmp/shuffle-1676312429--440813932.alert Mon Feb 13 18:20:30 UTC 2023: # Processing alert Mon Feb 13 18:20:30 UTC 2023: {'timestamp': '2023-02-13T18:20:28.152+0000', 'rule': {'level': 3, 'description': 'Ossec server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': '547658cb07c1'}, 'manager': {'name': '547658cb07c1'}, 'id': '1676312428.510102', 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'} Mon Feb 13 18:20:30 UTC 2023: # Generating message Mon Feb 13 18:20:30 UTC 2023: {"severity": 1, "pretext": "WAZUH Alert", "title": "Ossec server started.", "text": "ossec: Manager started.", "rule_id": "502", "timestamp": "2023-02-13T18:20:28.152+0000", "id": "1676312428.510102", "all_fields": {"timestamp": "2023-02-13T18:20:28.152+0000", "rule": {"level": 3, "description": "Ossec server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "547658cb07c1"}, "manager": {"name": "547658cb07c1"}, "id": "1676312428.510102", "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}} Mon Feb 13 18:20:30 UTC 2023: # Sending message Mon Feb 13 18:20:30 UTC 2023: # In send msg Mon Feb 13 18:20:30 UTC 2023: # After send msg:

Conclusions

The integration works as expected, sending the alerts to Shuffle.