wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.9.0 - Alpha 3 - E2E UX tests - Wazuh Indexer ISM policies #24853

Closed davidjiglesias closed 1 month ago

davidjiglesias commented 1 month ago

End-to-End (E2E) Testing Guideline

For the conclusions and the issue testing and updates, use the following legend:

Status legend

Issue delivery and completion

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Quickstart | - | Red Hat Enterprise Linux 8 |
| Server | Same as indexer, all-in-one | - | - |
| Dashboard | Same as indexer, all-in-one | - | - |
| Agent | Installing Wazuh agents | - | Red Hat Enterprise Linux 8 x86_64, Windows 11 x86_64 |

Test description

Follow and read documentation links to test ISM policies in Wazuh Indexer:

https://documentation-dev.wazuh.com/v4.9.0-alpha3/user-manual/wazuh-indexer/index-life-management.html

https://opensearch.org/docs/latest/im-plugin/ism/index/

Known issues

Conclusions

All tests were executed successfully.

| Status | Test | Failure type | Notes |
|---|---|---|---|
| :green_circle: | Wazuh all-in-one installation | - | - |
| :green_circle: | Agent RHEL 8 install | - | - |
| :green_circle: | Agent Windows 11 install | - | - |
| :green_circle: | Retention policies | - | - |
| :green_circle: | Rollover + alias | - | - |

Feedback

We value your feedback. Please provide insights on your testing experience.

Reviewers validation

The criteria for completing this task are based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

matias-braida commented 1 month ago

Environment description

all-in-one: ip: 192.168.1.30 user: vagrant

```console
[vagrant@all-in-one ~]$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.9 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.9"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.9 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.9"
```

Environment setup

The Wazuh Indexer, Server, and Dashboard were set up using the Quick Installer on RHEL 8.

Download and run the Wazuh installation assistant :green_circle:
```console
[vagrant@all-in-one ~]$ curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
24/07/2024 12:31:43 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
24/07/2024 12:31:43 INFO: Verbose logging redirected to /var/log/wazuh-install.log
24/07/2024 12:31:47 INFO: Verifying that your system meets the recommended minimum hardware requirements.
24/07/2024 12:31:49 INFO: Wazuh web interface port will be 443.
24/07/2024 12:31:50 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1515, 1514, 443.
24/07/2024 12:31:51 INFO: Wazuh development repository added.
24/07/2024 12:31:51 INFO: --- Configuration files ---
24/07/2024 12:31:51 INFO: Generating configuration files.
24/07/2024 12:31:52 INFO: Generating the root certificate.
24/07/2024 12:31:52 INFO: Generating Admin certificates.
24/07/2024 12:31:52 INFO: Generating Wazuh indexer certificates.
24/07/2024 12:31:52 INFO: Generating Filebeat certificates.
24/07/2024 12:31:52 INFO: Generating Wazuh dashboard certificates.
24/07/2024 12:31:53 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
24/07/2024 12:31:54 INFO: --- Wazuh indexer ---
24/07/2024 12:31:54 INFO: Starting Wazuh indexer installation.
24/07/2024 12:34:26 INFO: Wazuh indexer installation finished.
24/07/2024 12:34:26 INFO: Wazuh indexer post-install configuration finished.
24/07/2024 12:34:26 INFO: Starting service wazuh-indexer.
24/07/2024 12:34:47 INFO: wazuh-indexer service started.
24/07/2024 12:34:47 INFO: Initializing Wazuh indexer cluster security settings.
24/07/2024 12:34:54 INFO: Wazuh indexer cluster security configuration initialized.
24/07/2024 12:34:54 INFO: Wazuh indexer cluster initialized.
24/07/2024 12:34:54 INFO: --- Wazuh server ---
24/07/2024 12:34:54 INFO: Starting the Wazuh manager installation.
24/07/2024 12:37:49 INFO: Wazuh manager installation finished.
24/07/2024 12:37:49 INFO: Wazuh manager vulnerability detection configuration finished.
24/07/2024 12:37:49 INFO: Starting service wazuh-manager.
24/07/2024 12:38:10 INFO: wazuh-manager service started.
24/07/2024 12:38:10 INFO: Starting Filebeat installation.
24/07/2024 12:38:45 INFO: Filebeat installation finished.
24/07/2024 12:38:50 INFO: Filebeat post-install configuration finished.
24/07/2024 12:38:50 INFO: Starting service filebeat.
24/07/2024 12:38:51 INFO: filebeat service started.
24/07/2024 12:38:51 INFO: --- Wazuh dashboard ---
24/07/2024 12:38:51 INFO: Starting Wazuh dashboard installation.
24/07/2024 12:42:23 INFO: Wazuh dashboard installation finished.
24/07/2024 12:42:25 INFO: Wazuh dashboard post-install configuration finished.
24/07/2024 12:42:25 INFO: Starting service wazuh-dashboard.
24/07/2024 12:42:28 INFO: wazuh-dashboard service started.
24/07/2024 12:42:29 INFO: Updating the internal users.
24/07/2024 12:43:30 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
24/07/2024 12:44:13 INFO: There was an error accessing the API. Retrying...
24/07/2024 12:45:06 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
24/07/2024 12:47:20 INFO: Initializing Wazuh dashboard web application.
24/07/2024 12:47:24 INFO: Wazuh dashboard web application initialized.
24/07/2024 12:47:24 INFO: --- Summary ---
24/07/2024 12:47:24 INFO: You can access the web interface https://:443
    User: admin
    Password: 4taL?*L9dgKFmoEqrcPuHZPOssQ1a0k4
24/07/2024 12:47:25 INFO: Installation finished.
```
Check components status :green_circle:
```console
[vagrant@all-in-one ~]$ systemctl status wazuh-indexer
● wazuh-indexer.service - wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-07-24 12:39:47 UTC; 27min ago
     Docs: https://documentation.wazuh.com
 Main PID: 2192 (java)
    Tasks: 75 (limit: 29598)
   Memory: 1.0G
   CGroup: /system.slice/wazuh-indexer.service
           └─2192 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headl>
```

```console
[vagrant@all-in-one ~]$ systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-07-24 13:00:29 UTC; 7min ago
    Tasks: 153 (limit: 29598)
   Memory: 1.2G
   CGroup: /system.slice/wazuh-manager.service
           ├─7801 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
           ├─7802 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
           ├─7805 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
           ├─7808 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
           ├─7852 /var/ossec/bin/wazuh-authd
           ├─7868 /var/ossec/bin/wazuh-db
           ├─7883 /var/ossec/bin/wazuh-execd
           ├─7897 /var/ossec/bin/wazuh-analysisd
           ├─7923 /var/ossec/bin/wazuh-syscheckd
           ├─7970 /var/ossec/bin/wazuh-remoted
           ├─8006 /var/ossec/bin/wazuh-logcollector
           ├─8027 /var/ossec/bin/wazuh-monitord
           └─8042 /var/ossec/bin/wazuh-modulesd
```

```console
[vagrant@all-in-one ~]$ systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-07-24 13:00:30 UTC; 7min ago
 Main PID: 8354 (node)
    Tasks: 11 (limit: 29598)
   Memory: 182.2M
   CGroup: /system.slice/wazuh-dashboard.service
           └─8354 /usr/share/wazuh-dashboard/node/bin/node /usr/share/wazuh-dashboard/src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
```
Check web interface :green_circle:
![image](https://github.com/user-attachments/assets/6b0a54cc-9925-42f3-aa85-ae8c0d2a50eb) ![image](https://github.com/user-attachments/assets/40ed26ab-8739-4d5b-99b8-c85319498089)

Agents installation

Install the Wazuh agent on Red Hat 8 :green_circle:
1. Install a RHEL 8 VM.

   ```console
   [vagrant@agent ~]$ cat /etc/os-release
   NAME="Red Hat Enterprise Linux"
   VERSION="8.9 (Ootpa)"
   ID="rhel"
   ID_LIKE="fedora"
   VERSION_ID="8.9"
   PLATFORM_ID="platform:el8"
   PRETTY_NAME="Red Hat Enterprise Linux 8.9 (Ootpa)"
   ANSI_COLOR="0;31"
   CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
   HOME_URL="https://www.redhat.com/"
   DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
   BUG_REPORT_URL="https://bugzilla.redhat.com/"

   REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
   REDHAT_BUGZILLA_PRODUCT_VERSION=8.9
   REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
   REDHAT_SUPPORT_PRODUCT_VERSION="8.9"
   ```

2. Add the Wazuh repository.

   ```console
   [vagrant@agent ~]$ sudo su
   [root@agent vagrant]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
   ```

   ```console
   [root@agent vagrant]# cat > /etc/yum.repos.d/wazuh.repo << EOF
   [wazuh]
   gpgcheck=1
   gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
   enabled=1
   name=EL-\$releasever - Wazuh
   baseurl=https://packages-dev.wazuh.com/pre-release/yum/
   protect=1
   EOF
   [root@agent vagrant]# cat /etc/yum.repos.d/wazuh.repo
   [wazuh]
   gpgcheck=1
   gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
   enabled=1
   name=EL-$releasever - Wazuh
   baseurl=https://packages-dev.wazuh.com/pre-release/yum/
   protect=1
   ```

3. Deploy a Wazuh agent.

   ```console
   [root@agent vagrant]# WAZUH_MANAGER="192.168.1.30" yum install wazuh-agent
   Failed to set locale, defaulting to C.UTF-8
   EL-8 - Wazuh                                                1.7 MB/s |  28 MB     00:16
   Last metadata expiration check: 0:00:26 ago on Wed Jul 24 14:42:50 2024.
   Dependencies resolved.
   ================================================================================
    Package            Architecture    Version        Repository         Size
   ================================================================================
   Installing:
    wazuh-agent        x86_64          4.9.0-1        wazuh              10 M

   Transaction Summary
   ================================================================================
   Install  1 Package

   Total download size: 10 M
   Installed size: 31 M
   Is this ok [y/N]: y
   Downloading Packages:
   wazuh-agent-4.9.0-1.x86_64.rpm                              1.7 MB/s |  10 MB     00:06
   --------------------------------------------------------------------------------
   Total                                                       1.7 MB/s |  10 MB     00:06
   Running transaction check
   Transaction check succeeded.
   Running transaction test
   Transaction test succeeded.
   Running transaction
     Preparing        :                                                        1/1
     Running scriptlet: wazuh-agent-4.9.0-1.x86_64                             1/1
     Installing       : wazuh-agent-4.9.0-1.x86_64                             1/1
     Running scriptlet: wazuh-agent-4.9.0-1.x86_64                             1/1
     Verifying        : wazuh-agent-4.9.0-1.x86_64                             1/1
   Installed products updated.

   Installed:
     wazuh-agent-4.9.0-1.x86_64

   Complete!
   ```

   ```console
   [root@agent vagrant]# systemctl daemon-reload
   [root@agent vagrant]# systemctl enable wazuh-agent
   Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /usr/lib/systemd/system/wazuh-agent.service.
   [root@agent vagrant]# systemctl start wazuh-agent
   ```
Install the Wazuh agent on Windows 11 :green_circle:
1. Install a Windows 11 VM.

   ![image](https://github.com/user-attachments/assets/f54a45c5-903e-4a28-a118-50186bdcf007)

2. Download the Windows agent installer from `https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.9.0-1.msi`

   ![image](https://github.com/user-attachments/assets/c2746b92-6787-46b0-8ca2-ce33a6663481)

3. Install the Windows agent (CLI mode).

   ![image](https://github.com/user-attachments/assets/d837aa1f-614b-482c-b94f-c9758310bb93)
Check if all agents are connected to the server :green_circle:
![image](https://github.com/user-attachments/assets/5c3f45ed-c098-42ae-b703-8020c0d9fe22)
matias-braida commented 1 month ago

Creating a retention policy :green_circle:

Configured a retention policy as shown in the images below, using this documentation.


Checked the policy content as JSON.

policy.json

```json
{
  "id": "wazuh-alert-retention-policy",
  "seqNo": 0,
  "primaryTerm": 1,
  "policy": {
    "policy_id": "wazuh-alert-retention-policy",
    "description": "Retention policy for the Release 4.9.0 - Alpha 3 - E2E UX tests - Wazuh Indexer ISM policies",
    "last_updated_time": 1721836259505,
    "schema_version": 21,
    "error_notification": null,
    "default_state": "initial",
    "states": [
      {
        "name": "initial",
        "actions": [],
        "transitions": [
          {
            "state_name": "delete_alerts",
            "conditions": {
              "min_index_age": "90d"
            }
          }
        ]
      },
      {
        "name": "delete_alerts",
        "actions": [
          {
            "retry": {
              "count": 3,
              "backoff": "exponential",
              "delay": "1m"
            },
            "delete": {}
          }
        ],
        "transitions": []
      }
    ],
    "ism_template": [
      {
        "index_patterns": [
          "wazuh-alerts-*"
        ],
        "priority": 1,
        "last_updated_time": 1721836259505
      }
    ]
  }
}
```

Applying the retention policy to alerts index :green_circle:

Applied an index to the policy as shown in the images below, using this documentation.


Also verified that the configured policy can be edited; this concerns the known issue https://github.com/wazuh/wazuh-packages/issues/1515.

I changed the time for the "initial" state to 60d.

Rollover Alias :green_circle:

Applied a rollover policy as shown in the images below.


rollover_policy.json

```json
{
  "policy": {
    "description": "Wazuh rollover and alias policy",
    "default_state": "active",
    "states": [
      {
        "name": "active",
        "actions": [
          {
            "rollover": {
              "min_primary_shard_size": "25gb",
              "min_index_age": "7d",
              "min_doc_count": "600000000"
            }
          }
        ]
      }
    ],
    "ism_template": {
      "index_patterns": ["wazuh-alerts-*", "wazuh-archives-*", "-wazuh-alerts-4.x-sample*"],
      "priority": "50"
    }
  }
}
```
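As an added example (not Wazuh project code and not part of the test evidence in this thread), the following Python script performs offline sanity checks on the two ISM policies posted above: it verifies that every transition points at a defined state, that a state with a `delete` action is never the default state and is only reachable through a `min_index_age` condition, computes the effective retention horizon, and resolves which policy ISM would auto-attach to a given new index. The policy dicts are trimmed copies of the retention and rollover bodies from this thread; `BAD_RETENTION_POLICY` is a constructed misconfiguration. The function names are the example's own, and the template semantics it assumes are those documented for ISM: `ism_template` may be an object or a list, the matching template with the highest priority wins, equal priorities on overlapping patterns are rejected, and a leading `-` in an index pattern excludes.

```python
"""Offline sanity checks for OpenSearch ISM policies of the kind exercised in
this thread (alert retention and rollover). Added example, not Wazuh code."""
import copy
import fnmatch
import re

# Trimmed copies of the two policy bodies posted in the thread above.
RETENTION_POLICY = {"policy": {
    "policy_id": "wazuh-alert-retention-policy",
    "default_state": "initial",
    "states": [
        {"name": "initial", "actions": [],
         "transitions": [{"state_name": "delete_alerts",
                          "conditions": {"min_index_age": "90d"}}]},
        {"name": "delete_alerts",
         "actions": [{"retry": {"count": 3, "backoff": "exponential", "delay": "1m"},
                      "delete": {}}],
         "transitions": []}],
    "ism_template": [{"index_patterns": ["wazuh-alerts-*"], "priority": 1}]}}

ROLLOVER_POLICY = {"policy": {
    "description": "Wazuh rollover and alias policy",
    "default_state": "active",
    "states": [{"name": "active",
                "actions": [{"rollover": {"min_primary_shard_size": "25gb",
                                          "min_index_age": "7d",
                                          "min_doc_count": "600000000"}}]}],
    "ism_template": {"index_patterns": ["wazuh-alerts-*", "wazuh-archives-*",
                                        "-wazuh-alerts-4.x-sample*"],
                     "priority": "50"}}}

POLICIES = {"retention": RETENTION_POLICY, "rollover": ROLLOVER_POLICY}

# Constructed misconfiguration: the delete state is made the default state, so a new
# alerts index would be deleted on the first ISM run instead of after 90 days.
BAD_RETENTION_POLICY = copy.deepcopy(RETENTION_POLICY)
BAD_RETENTION_POLICY["policy"]["default_state"] = "delete_alerts"

_MINUTES = {"d": 1440, "h": 60, "m": 1}


def age_to_minutes(value):
    """Convert an ISM age string such as '90d', '12h' or '30m' to minutes."""
    m = re.fullmatch(r"(\d+)([dhm])", value)
    if not m:
        raise ValueError(f"unsupported age value: {value!r}")
    return int(m.group(1)) * _MINUTES[m.group(2)]


def templates(policy):
    """Normalise ism_template (ISM accepts an object or a list) to a list of
    {index_patterns, priority} dicts with an integer priority."""
    raw = policy["policy"].get("ism_template") or []
    raw = [raw] if isinstance(raw, dict) else raw
    return [{"index_patterns": list(t["index_patterns"]),
             "priority": int(t.get("priority", 0))} for t in raw]


def _deletes(state):
    return any("delete" in action for action in state.get("actions", []))


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passed."""
    p = policy["policy"]
    findings = []
    states = {s["name"] for s in p["states"]}
    if p["default_state"] not in states:
        findings.append(f"default_state {p['default_state']!r} is not a defined state")
    transitions = [(s["name"], t) for s in p["states"] for t in s.get("transitions", [])]
    for src, t in transitions:
        if t["state_name"] not in states:
            findings.append(f"state {src!r} transitions to undefined state {t['state_name']!r}")
    # Data-loss guard: a state that deletes the index must never be the default state,
    # and every transition into it must be gated by a min_index_age condition.
    for s in p["states"]:
        if not _deletes(s):
            continue
        if s["name"] == p["default_state"]:
            findings.append(f"delete state {s['name']!r} is the default state")
        for src, t in transitions:
            if t["state_name"] == s["name"] and "min_index_age" not in t.get("conditions", {}):
                findings.append(f"transition {src!r} -> {s['name']!r} deletes without a min_index_age")
    return findings


def retention_days(policy):
    """Earliest age in days at which the policy can delete an index, or None if it never deletes."""
    p = policy["policy"]
    delete_states = {s["name"] for s in p["states"] if _deletes(s)}
    ages = [age_to_minutes(t["conditions"]["min_index_age"])
            for s in p["states"] for t in s.get("transitions", [])
            if t["state_name"] in delete_states and "min_index_age" in t.get("conditions", {})]
    return min(ages) // 1440 if ages else None


def template_matches(template, index_name):
    """Assumed ISM pattern semantics: a '-' prefixed pattern excludes, any other includes."""
    pats = template["index_patterns"]
    excluded = any(fnmatch.fnmatchcase(index_name, p[1:]) for p in pats if p.startswith("-"))
    included = any(fnmatch.fnmatchcase(index_name, p) for p in pats if not p.startswith("-"))
    return included and not excluded


def auto_applied_policy(index_name, policies):
    """Name of the policy ISM would attach to a newly created index: the matching template
    with the highest priority. None if nothing matches; ValueError on a priority tie."""
    candidates = sorted(((t["priority"], name) for name, pol in policies.items()
                         for t in templates(pol) if template_matches(t, index_name)), reverse=True)
    if not candidates:
        return None
    if len(candidates) > 1 and candidates[0][0] == candidates[1][0]:
        raise ValueError(f"priority tie for {index_name!r}: {candidates[:2]}")
    return candidates[0][1]
```

Run against the two policies from this thread, the lint passes for both and the retention horizon resolves to 90 days, while the constructed bad policy is flagged for deleting from its default state. The template resolution also makes one consequence of the chosen priorities visible: for a new `wazuh-alerts-*` index the rollover template (priority 50) outranks the retention template (priority 1), so only the rollover policy would be attached automatically and the retention policy has to be applied to the index explicitly, as the apply step above does; the `-wazuh-alerts-4.x-sample*` exclusion leaves the sample index to the retention template alone.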