Release 4.9.0 - Alpha 3 - External integrations modules #24896
Maltiverse tests results 🟢
The test assumes there is a functional Maltiverse intelligence platform with an available API key. A test is considered valid if the following conditions are met:
Test using ossec.conf in a manager
Configuration
<integration>
<name>maltiverse</name>
<hook_url>https://api.maltiverse.com</hook_url>
<api_key>**</api_key>
<alert_format>json</alert_format>
</integration>
Additionally, the value
ossec.log
root@wazuh-master:/var/ossec/logs# cat /var/ossec/logs/ossec.log | grep wazuh-integratord
2024/07/23 21:55:50 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
2024/07/23 21:57:39 wazuh-integratord[2803] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/07/23 21:57:39 wazuh-integratord[2803] main.c:120 at main(): INFO: Remote integrations not configured. Clean exit.
2024/07/23 22:21:51 wazuh-integratord[20564] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/07/23 22:21:51 wazuh-integratord[20564] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/07/23 22:21:51 wazuh-integratord[20564] main.c:165 at main(): DEBUG: Chrooted to directory: /var/ossec, using user: wazuh
2024/07/23 22:21:51 wazuh-integratord[20564] main.c:176 at main(): INFO: Started (pid: 20564).
2024/07/23 22:21:51 wazuh-integratord[20564] integrator.c:53 at OS_IntegratorD(): DEBUG: JSON file queue connected.
2024/07/23 22:21:51 wazuh-integratord[20564] intgcom.c:76 at intgcom_main(): DEBUG: Local requests thread ready
2024/07/23 22:21:51 wazuh-integratord[20564] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'maltiverse'.
2024/07/23 22:21:51 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:21:52 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:21:53 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:21:54 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:21:55 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:21:56 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:21:57 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:21:58 wazuh-db[20592] wdb_parser.c:261 at wdb_parse(): DEBUG: Agent 000 query: syscollector_processes save2 {"attributes":{"argvs":null,"checksum":"dbed85bc8b5b72a1b0189999bd95f13afe3709d1","cmd":"/var/ossec/bin/wazuh-integratord","egroup":"wazuh","euser":"wazuh","fgroup":"wazuh","name":"wazuh-integrato","nice":12,"nlwp":2,"pgrp":20563,"pid":"20564","ppid":1,"priority":32,"processor":2,"resident":3432,"rgroup":"wazuh","ruser":"wazuh","scan_time":"2024/07/23 22:21:58","session":20563,"sgroup":"wazuh","share":512,"size":22430,"start_time":1721773310,"state":"S","stime":0,"suser":"wazuh","tgid":20564,"tty":0,"utime":0,"vm_size":89720},"index":"20564","timestamp":""}
2024/07/23 22:21:58 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:21:59 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:22:00 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:22:01 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:22:02 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:22:03 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:22:04 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:22:05 wazuh-integratord[20564] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 22:22:05 wazuh-integratord[20564] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/07/23 22:22:05 wazuh-integratord[20564] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/maltiverse-1721773325--1928112645.alert was written.
2024/07/23 22:22:06 wazuh-integratord[20564] integrator.c:451 at OS_IntegratorD(): DEBUG: # Starting
2024/07/23 22:22:06 wazuh-integratord[20564] integrator.c:451 at OS_IntegratorD(): DEBUG: # File location: /tmp/maltiverse-1721773325--1928112645.alert
2024/07/23 22:22:06 wazuh-integratord[20564] integrator.c:451 at OS_IntegratorD(): DEBUG: # API Key: **
2024/07/23 22:22:06 wazuh-integratord[20564] integrator.c:451 at OS_IntegratorD(): DEBUG: # Hook Url: https://api.maltiverse.com
2024/07/23 22:22:06 wazuh-integratord[20564] integrator.c:451 at OS_IntegratorD(): DEBUG: # Processing alert: {'timestamp': '2024-07-23T22:22:04.632+0000', 'rule': {'level': 3, 'description': 'Wazuh server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': '1721773324.5163613', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}
2024/07/23 22:22:06 wazuh-integratord[20564] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
integrations.log
root@wazuh-master:/var/ossec/logs# cat integrations.log
# Starting
# File location: /tmp/maltiverse-1721773325--1928112645.alert
# API Key: *
# Hook Url: https://api.maltiverse.com
# Processing alert: {'timestamp': '2024-07-23T22:22:04.632+0000', 'rule': {'level': 3, 'description': 'Wazuh server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': '1721773324.5163613', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}
Conclusion
The integration works as expected, getting information from Maltiverse.

PagerDuty tests results 🟢
The test assumes there is a functional PagerDuty service with an available API key. A test is considered valid if the following conditions are met:
Test using ossec.conf in a manager
Configuration
<integration>
<name>pagerduty</name>
<api_key>**</api_key>
<level>3</level>
<alert_format>json</alert_format>
</integration>
Additionally, the key
ossec.log
root@wazuh-master:/var/ossec/bin# cat /var/ossec/logs/ossec.log | grep wazuh-integratord
2024/07/23 23:22:37 wazuh-integratord[13655] integrator.c:53 at OS_IntegratorD(): DEBUG: JSON file queue connected.
2024/07/23 23:22:37 wazuh-integratord[13655] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'pagerduty'.
2024/07/23 23:22:37 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:38 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:39 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:40 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:41 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:42 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:43 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:44 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:45 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:45 wazuh-db[13683] wdb_parser.c:261 at wdb_parse(): DEBUG: Agent 000 query: syscollector_processes save2 {"attributes":{"argvs":null,"checksum":"182c2070829495907282a60e5e9b2c477c060d90","cmd":"/var/ossec/bin/wazuh-integratord","egroup":"wazuh","euser":"wazuh","fgroup":"wazuh","name":"wazuh-integrato","nice":12,"nlwp":2,"pgrp":13654,"pid":"13655","ppid":1,"priority":32,"processor":4,"resident":3176,"rgroup":"wazuh","ruser":"wazuh","scan_time":"2024/07/23 23:22:45","session":13654,"sgroup":"wazuh","share":480,"size":22430,"start_time":1721776956,"state":"S","stime":0,"suser":"wazuh","tgid":13655,"tty":0,"utime":0,"vm_size":89720},"index":"13655","timestamp":""}
2024/07/23 23:22:46 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:47 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:48 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:50 wazuh-integratord[13655] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:22:50 wazuh-integratord[13655] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/07/23 23:22:50 wazuh-integratord[13655] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1721776970-317439352.alert was written.
2024/07/23 23:22:51 wazuh-integratord[13655] integrator.c:451 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
2024/07/23 23:22:51 wazuh-integratord[13655] integrator.c:451 at OS_IntegratorD(): DEBUG: # JSON file for options doesn't exist
2024/07/23 23:22:51 wazuh-integratord[13655] integrator.c:451 at OS_IntegratorD(): DEBUG: # Opening options file at '' with 'None'
2024/07/23 23:22:51 wazuh-integratord[13655] integrator.c:451 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/pagerduty-1721776970-317439352.alert' with '{'timestamp': '2024-07-23T23:22:49.422+0000', 'rule': {'level': 3, 'description': 'Wazuh server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': '1721776969.814352', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}'
2024/07/23 23:22:51 wazuh-integratord[13655] integrator.c:451 at OS_IntegratorD(): DEBUG: # Generating message
2024/07/23 23:22:51 wazuh-integratord[13655] integrator.c:451 at OS_IntegratorD(): DEBUG: # Sending message {"routing_key": "812ebe1639df4301c0545eeca99b33cc", "event_action": "trigger", "payload": {"summary": "Wazuh server started.", "timestamp": "2024-07-23T23:22:49.422+0000", "source": "wazuh-master", "severity": "info", "group": "ossec", "custom_details": {"timestamp": "2024-07-23T23:22:49.422+0000", "rule": {"level": 3, "description": "Wazuh server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "wazuh-master"}, "manager": {"name": "wazuh-master"}, "id": "1721776969.814352", "cluster": {"name": "wazuh", "node": "master-node"}, "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}}, "client": "Wazuh Monitoring Service", "client_url": "https://wazuh.com"} to PagerDuty server
2024/07/23 23:22:51 wazuh-integratord[13655] integrator.c:451 at OS_IntegratorD(): DEBUG: # Response received: <bound method Response.json of <Response [202]>>
2024/07/23 23:22:51 wazuh-integratord[13655] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
integrations.log
# Running PagerDuty script
# JSON file for options doesn't exist
# Opening options file at '' with 'None'
# Opening alert file at '/tmp/pagerduty-1721776970-317439352.alert' with '{'timestamp': '2024-07-23T23:22:49.422+0000', 'rule': {'level': 3, 'description': 'Wazuh server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': '1721776969.814352', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}'
# Generating message
# Sending message {"routing_key": "812ebe1639df4301c0545eeca99b33cc", "event_action": "trigger", "payload": {"summary": "Wazuh server started.", "timestamp": "2024-07-23T23:22:49.422+0000", "source": "wazuh-master", "severity": "info", "group": "ossec", "custom_details": {"timestamp": "2024-07-23T23:22:49.422+0000", "rule": {"level": 3, "description": "Wazuh server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "wazuh-master"}, "manager": {"name": "wazuh-master"}, "id": "1721776969.814352", "cluster": {"name": "wazuh", "node": "master-node"}, "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}}, "client": "Wazuh Monitoring Service", "client_url": "https://wazuh.com"} to PagerDuty server
# Response received: <bound method Response.json of <Response [202]>>
Conclusion
The integration works as expected, sending the alerts to PagerDuty.

Slack tests results 🟢
The test assumes there is a functional Slack app with an available API key. A test is considered valid if the following conditions are met:
Test using ossec.conf in a manager
Configuration
<integration>
<name>slack</name>
<hook_url>**</hook_url>
<alert_format>json</alert_format>
</integration>
Additionally, the key
ossec.log
root@wazuh-master:/var/ossec# cat /var/ossec/logs/ossec.log | grep wazuh-integratord
2024/07/23 23:32:18 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
2024/07/23 23:34:39 wazuh-integratord[4001] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/07/23 23:34:39 wazuh-integratord[4001] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/07/23 23:34:39 wazuh-integratord[4001] main.c:165 at main(): DEBUG: Chrooted to directory: /var/ossec, using user: wazuh
2024/07/23 23:34:39 wazuh-integratord[4001] intgcom.c:76 at intgcom_main(): DEBUG: Local requests thread ready
2024/07/23 23:34:39 wazuh-integratord[4001] main.c:176 at main(): INFO: Started (pid: 4001).
2024/07/23 23:34:39 wazuh-integratord[4001] integrator.c:53 at OS_IntegratorD(): DEBUG: JSON file queue connected.
2024/07/23 23:34:39 wazuh-integratord[4001] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'slack'.
integrations.log
root@wazuh-master:/var/ossec# cat /var/ossec/logs/integrations.log
/tmp/slack-1721777693-561779870.alert **
# Running Slack script
# JSON file for options doesn't exist
# Opening options file at '' with 'None'
# Opening alert file at '/tmp/slack-1721777693-561779870.alert' with '{'timestamp': '2024-07-23T23:34:53.196+0000', 'rule': {'level': 3, 'description': 'Wazuh server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': '1721777693.813845', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}'
# Generating message
# Sending message {"attachments": [{"color": "good", "pretext": "WAZUH Alert", "title": "Wazuh server started.", "text": "ossec: Manager started.", "fields": [{"title": "Agent", "value": "(000) - wazuh-master"}, {"title": "Location", "value": "wazuh-monitord"}, {"title": "Rule ID", "value": "502 _(Level 3)_"}], "ts": "1721777693.813845"}]} to Slack server
# Response received: <bound method Response.json of <Response [200]>>
Conclusion
The integration works as expected, sending the messages to Slack.

Shuffle tests results 🟢
The test assumes there is a functional Shuffle instance with an available webhook. A test is considered valid if the following conditions are met:
Test using ossec.conf in a manager
Configuration
<integration>
<name>shuffle</name>
<hook_url>https://shuffler.io/api/v1/hooks/webhook_**</hook_url>
<level>3</level>
<alert_format>json</alert_format>
</integration>
Additionally, the key
ossec.log
root@wazuh-master:/var/ossec/bin# cat /var/ossec/logs/ossec.log | grep wazuh-integratord
2024/07/23 23:49:29 wazuh-integratord[9037] integrator.c:53 at OS_IntegratorD(): DEBUG: JSON file queue connected.
2024/07/23 23:49:29 wazuh-integratord[9037] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'shuffle'.
2024/07/23 23:49:29 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:29 wazuh-integratord[9037] intgcom.c:76 at intgcom_main(): DEBUG: Local requests thread ready
2024/07/23 23:49:30 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:31 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:32 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:33 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:34 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:35 wazuh-db[9069] wdb_parser.c:261 at wdb_parse(): DEBUG: Agent 000 query: syscollector_processes save2 {"attributes":{"argvs":null,"checksum":"f88c0bb061c1763513bd0418b449327c18adae0b","cmd":"/var/ossec/bin/wazuh-integratord","egroup":"wazuh","euser":"wazuh","fgroup":"wazuh","name":"wazuh-integrato","nice":12,"nlwp":2,"pgrp":9036,"pid":"9037","ppid":1,"priority":32,"processor":2,"resident":3432,"rgroup":"wazuh","ruser":"wazuh","scan_time":"2024/07/23 23:49:35","session":9036,"sgroup":"wazuh","share":544,"size":22429,"start_time":1721778568,"state":"S","stime":0,"suser":"wazuh","tgid":9037,"tty":0,"utime":0,"vm_size":89716},"index":"9037","timestamp":""}
2024/07/23 23:49:35 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:36 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:37 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:38 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:39 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:40 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:41 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:42 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:43 wazuh-integratord[9037] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/07/23 23:49:43 wazuh-integratord[9037] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/07/23 23:49:43 wazuh-integratord[9037] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1721778583-1437696189.alert was written.
2024/07/23 23:49:45 wazuh-integratord[9037] integrator.c:451 at OS_IntegratorD(): DEBUG: # Running Shuffle script
2024/07/23 23:49:45 wazuh-integratord[9037] integrator.c:451 at OS_IntegratorD(): DEBUG: # JSON file for options doesn't exist
2024/07/23 23:49:45 wazuh-integratord[9037] integrator.c:451 at OS_IntegratorD(): DEBUG: # Opening options file at '' with 'None'
2024/07/23 23:49:45 wazuh-integratord[9037] integrator.c:451 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/shuffle-1721778583-1437696189.alert' with '{'timestamp': '2024-07-23T23:49:42.661+0000', 'rule': {'level': 3, 'description': 'Wazuh server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': '1721778582.814099', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}'
2024/07/23 23:49:45 wazuh-integratord[9037] integrator.c:451 at OS_IntegratorD(): DEBUG: # Generating message
2024/07/23 23:49:45 wazuh-integratord[9037] integrator.c:451 at OS_IntegratorD(): DEBUG: # Sending message {"severity": 1, "pretext": "WAZUH Alert", "title": "Wazuh server started.", "text": "ossec: Manager started.", "rule_id": "502", "timestamp": "2024-07-23T23:49:42.661+0000", "id": "1721778582.814099", "all_fields": {"timestamp": "2024-07-23T23:49:42.661+0000", "rule": {"level": 3, "description": "Wazuh server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "wazuh-master"}, "manager": {"name": "wazuh-master"}, "id": "1721778582.814099", "cluster": {"name": "wazuh", "node": "master-node"}, "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}} to Shuffle server
2024/07/23 23:49:45 wazuh-integratord[9037] integrator.c:451 at OS_IntegratorD(): DEBUG: # Response received: <bound method Response.json of <Response [200]>>
2024/07/23 23:49:45 wazuh-integratord[9037] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
integrations.log
root@wazuh-master:/var/ossec/bin# cat /var/ossec/logs/integrations.log
# Running Shuffle script
# JSON file for options doesn't exist
# Opening options file at '' with 'None'
# Opening alert file at '/tmp/shuffle-1721778583-1437696189.alert' with '{'timestamp': '2024-07-23T23:49:42.661+0000', 'rule': {'level': 3, 'description': 'Wazuh server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': '1721778582.814099', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}'
# Generating message
# Sending message {"severity": 1, "pretext": "WAZUH Alert", "title": "Wazuh server started.", "text": "ossec: Manager started.", "rule_id": "502", "timestamp": "2024-07-23T23:49:42.661+0000", "id": "1721778582.814099", "all_fields": {"timestamp": "2024-07-23T23:49:42.661+0000", "rule": {"level": 3, "description": "Wazuh server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "wazuh-master"}, "manager": {"name": "wazuh-master"}, "id": "1721778582.814099", "cluster": {"name": "wazuh", "node": "master-node"}, "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}} to Shuffle server
# Response received: <bound method Response.json of <Response [200]>>
Conclusion
The integration works as expected, sending the alerts to Shuffle and the emails to the configured account.

Docker listener tests results 🟢
The test assumes there is a functional Docker service. A test is considered valid if the following conditions are met:
Test using ossec.conf in a manager
Configuration
<wodle name="docker-listener">
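As an added example (not code from the Wazuh project or from the reports above), the following script applies the pass criteria of the Maltiverse, PagerDuty, Slack and Shuffle reports mechanically: it assumes the integrator.c message formats and the "# ..." script output shown there, correlates ossec.log with integrations.log, and also flags what those scripts echo into the log at debug level (the API key line and the PagerDuty routing key), since a value masked in a pasted report is still a cleartext secret in /var/ossec/logs. The sample log lines at the bottom are constructed, with a dummy routing key.

```python
"""Validate a wazuh-integratord test run from ossec.log and integrations.log lines."""
import re
from dataclasses import dataclass, field

# ossec.log line: "<date> <time> wazuh-integratord[pid] file.c:N at func(): LEVEL: msg"
# (pid and "file.c:N at func():" are only present when debug logging is on).
OSSEC_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} wazuh-integratord(?:\[\d+\])?:? "
    r"(?:\S+ at \S+\(\): )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
ENABLE_RE = re.compile(r"Enabling integration for: '(?P<name>[^']+)'\.")
# alert files are /tmp/<integration>-<epoch>-<random>.alert; <random> may be negative
ALERT_PATH_RE = re.compile(r"/tmp/(?P<name>[a-z_]+)-\d+--?\d+\.alert")
WRITTEN_RE = re.compile(r"File (?P<path>" + ALERT_PATH_RE.pattern + r") was written\.")
OK_RE = re.compile(r"^Command ran successfully\.")
RESPONSE_RE = re.compile(r"# Response received: .*<Response \[(?P<code>\d{3})\]>")
APIKEY_RE = re.compile(r"# API Key: (?P<key>\S+)")
ROUTING_RE = re.compile(r'"routing_key": "[0-9a-f]{32}"')


@dataclass
class IntegrationRun:
    name: str
    enabled: bool = False
    alert_files: list = field(default_factory=list)
    commands_ok: int = 0
    response_codes: list = field(default_factory=list)
    leaked_secrets: set = field(default_factory=set)

    def passed(self) -> bool:
        """Enabled, one successful command per written alert file, and every
        HTTP response the script logged is 2xx (Maltiverse logs no response)."""
        return (self.enabled and bool(self.alert_files)
                and self.commands_ok == len(self.alert_files)
                and all(200 <= c < 300 for c in self.response_codes))


def _note_secrets(run: IntegrationRun, msg: str) -> None:
    """The scripts echo the API key and, for PagerDuty, the routing key inside
    the message they send; any value not masked with '*' is a secret on disk."""
    m = APIKEY_RE.search(msg)
    if m and set(m.group("key")) != {"*"}:
        run.leaked_secrets.add("api_key")
    if ROUTING_RE.search(msg):
        run.leaked_secrets.add("routing_key")


def check_run(ossec_lines, integrations_lines) -> dict:
    """Correlate both logs. Script output belongs to the integration whose alert
    file was last written (ossec.log) or last opened (integrations.log)."""
    runs: dict = {}
    current = None
    for line in ossec_lines:
        m = OSSEC_RE.match(line)
        if not m:
            continue  # other daemons (e.g. wazuh-db) that the grep matched
        msg = m.group("msg")
        if e := ENABLE_RE.search(msg):
            runs.setdefault(e.group("name"), IntegrationRun(e.group("name"))).enabled = True
        elif w := WRITTEN_RE.search(msg):
            current = runs.setdefault(w.group("name"), IntegrationRun(w.group("name")))
            current.alert_files.append(w.group("path"))
        elif current is not None and OK_RE.match(msg):
            current.commands_ok += 1
        elif current is not None:
            _note_secrets(current, msg)  # script output is mirrored at DEBUG level
    current = None
    for msg in integrations_lines:
        if p := ALERT_PATH_RE.search(msg):
            current = runs.setdefault(p.group("name"), IntegrationRun(p.group("name")))
        if current is None:
            continue
        if r := RESPONSE_RE.search(msg):
            current.response_codes.append(int(r.group("code")))
        _note_secrets(current, msg)
    return runs


def report(runs: dict) -> dict:
    """Verdict per integration; a secret echoed into the log fails the run too."""
    return {name: "PASS" if r.passed() and not r.leaked_secrets else "FAIL"
            for name, r in runs.items()}


# Constructed sample in the formats shown above (dummy routing key): pagerduty
# delivers (202) but its script echoes the routing key; slack delivers cleanly.
OSSEC_LOG = """\
2024/07/23 23:22:37 wazuh-integratord[13655] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'pagerduty'.
2024/07/23 23:22:37 wazuh-integratord[13655] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'slack'.
2024/07/23 23:22:45 wazuh-db[13683] wdb_parser.c:261 at wdb_parse(): DEBUG: Agent 000 query: syscollector_processes save2 {"cmd":"/var/ossec/bin/wazuh-integratord"}
2024/07/23 23:22:50 wazuh-integratord[13655] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1721776970-317439352.alert was written.
2024/07/23 23:22:51 wazuh-integratord[13655] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/07/23 23:22:53 wazuh-integratord[13655] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/slack-1721776973--55520921.alert was written.
2024/07/23 23:22:54 wazuh-integratord[13655] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
""".splitlines()
INTEGRATIONS_LOG = """\
# Opening alert file at '/tmp/pagerduty-1721776970-317439352.alert' with '{...}'
# Sending message {"routing_key": "0123456789abcdef0123456789abcdef", "event_action": "trigger"} to PagerDuty server
# Response received: <bound method Response.json of <Response [202]>>
# Opening alert file at '/tmp/slack-1721776973--55520921.alert' with '{...}'
# Response received: <bound method Response.json of <Response [200]>>
""".splitlines()

if __name__ == "__main__":
    for name, verdict in report(check_run(OSSEC_LOG, INTEGRATIONS_LOG)).items():
        print(f"{name}: {verdict}")
```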
<disabled>no</disabled>
<interval>10s</interval>
<attempts>5</attempts>
<run_on_start>yes</run_on_start>
</wodle>
The value
Additionally, a volume was added to the wazuh-master container to share the host docker socket with the docker environment.
volumes:
  ...
  - /var/run/docker.sock:/var/run/docker.sock
ossec.log
root@wazuh-master:/var/ossec/logs# cat ossec.log | grep wazuh-modulesd:docker
2024/07/23 21:57:44 wazuh-modulesd:docker-listener: INFO: Module docker-listener started.
2024/07/23 21:57:44 wazuh-modulesd:docker-listener: INFO: Starting to listening Docker events.
Running alpine container
federamos@pop-os:~$ docker run --name test alpine
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
c6a83fedfae6: Pull complete
Digest: sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
Status: Downloaded newer image for alpine:latest
archives/archives.log
root@wazuh-master:/var/ossec/logs# cat archives/archives.log | grep docker
alerts.log
root@wazuh-master:/var/ossec/logs/alerts# cat alerts.log | grep alpine
Rule: 87932 (level 3) -> 'Docker: Image or repository alpine pulled'
{"integration": "docker", "docker": {"status": "pull", "id": "alpine:latest", "Type": "image", "Action": "pull", "Actor": {"ID": "alpine:latest", "Attributes": {"name": "alpine"}}, "scope": "local", "time": 1721771869, "timeNano": 1721771869395364403}}
docker.id: alpine:latest
docker.Actor.ID: alpine:latest
docker.Actor.Attributes.name: alpine
{"integration": "docker", "docker": {"status": "create", "id": "df30ef66eb55af48f0b9284053a6a07fe3973df39fab2e373297ca3e8dcca830", "from": "alpine", "Type": "container", "Action": "create", "Actor": {"ID": "df30ef66eb55af48f0b9284053a6a07fe3973df39fab2e373297ca3e8dcca830", "Attributes": {"image": "alpine", "name": "test"}}, "scope": "local", "time": 1721771889, "timeNano": 1721771889003686745}}
docker.from: alpine
docker.Actor.Attributes.image: alpine
{"integration": "docker", "docker": {"status": "attach", "id": "df30ef66eb55af48f0b9284053a6a07fe3973df39fab2e373297ca3e8dcca830", "from": "alpine", "Type": "container", "Action": "attach", "Actor": {"ID": "df30ef66eb55af48f0b9284053a6a07fe3973df39fab2e373297ca3e8dcca830", "Attributes": {"image": "alpine", "name": "test"}}, "scope": "local", "time": 1721771889, "timeNano": 1721771889004565426}}
docker.from: alpine
docker.Actor.Attributes.image: alpine
{"integration": "docker", "docker": {"status": "start", "id": "df30ef66eb55af48f0b9284053a6a07fe3973df39fab2e373297ca3e8dcca830", "from": "alpine", "Type": "container", "Action": "start", "Actor": {"ID": "df30ef66eb55af48f0b9284053a6a07fe3973df39fab2e373297ca3e8dcca830", "Attributes": {"image": "alpine", "name": "test"}}, "scope": "local", "time": 1721771893, "timeNano": 1721771893977337300}}
docker.from: alpine
docker.Actor.Attributes.image: alpine
{"integration": "docker", "docker": {"status": "die", "id": "df30ef66eb55af48f0b9284053a6a07fe3973df39fab2e373297ca3e8dcca830", "from": "alpine", "Type": "container", "Action": "die", "Actor": {"ID": "df30ef66eb55af48f0b9284053a6a07fe3973df39fab2e373297ca3e8dcca830", "Attributes": {"execDuration": "0", "exitCode": "0", "image": "alpine", "name": "test"}}, "scope": "local", "time": 1721771899, "timeNano": 1721771899523688713}}
docker.from: alpine
docker.Actor.Attributes.image: alpine
Conclusion
The integration works as expected, but it didn't log the events to the

Azure tests results 🟡
The azure module is failing both in the manager and the agent because the
Error...
File "/var/ossec/wodles/azure/azure_services/storage.py", line 16, in <module>
from azure.storage.blob import BlockBlobService
ImportError: cannot import name 'BlockBlobService' from 'azure.storage.blob' (/usr/local/lib/python3.10/site-packages/azure/storage/blob/__init__.py)
This will be fixed in the issue #24061 and will be available for

AWS integration tests 🟡
Run: https://github.com/wazuh/wazuh/actions/runs/10068578246
Security Lake as a subscriber integration 🟢
Configuration
<wodle name="aws-s3">
<disabled>no</disabled>
<interval>30s</interval>
<run_on_start>yes</run_on_start>
<subscriber type="security_lake">
<sqs_name>AmazonSecurityLake-***-Main-Queue</sqs_name>
<external_id>wazuh-external-id</external_id>
<iam_role_arn>arn:aws:iam::***:role/AmazonSecurityLake-***-Main-Queue</iam_role_arn>
</subscriber>
</wodle>
Additionally, the key
ossec.log
2024/07/25 13:44:12 wazuh-modulesd:aws-s3[15003] wm_aws.c:84 at wm_aws_main(): INFO: Starting fetching of logs.
2024/07/25 13:44:12 wazuh-modulesd:aws-s3[15003] wm_aws.c:196 at wm_aws_main(): INFO: Executing Subscriber fetch: (Type and SQS: security_lake **)
2024/07/25 13:44:12 wazuh-modulesd:aws-s3[15003] wm_aws.c:727 at wm_aws_run_subscriber(): DEBUG: Create argument list
2024/07/25 13:44:12 wazuh-modulesd:aws-s3[15003] wm_aws.c:806 at wm_aws_run_subscriber(): DEBUG: Launching S3 Subscriber Command: wodles/aws/aws-s3 --subscriber security_lake --queue A** --external_id wazuh-external-id --iam_role_arn ** --debug 2
DEBUG: +++ Debug mode on - Level: 2
DEBUG: Generating default configuration for retries: mode standard - max_attempts 10
DEBUG: The SQS queue is: **
DEBUG: Generating default configuration for retries: mode standard - max_attempts 10
DEBUG: Retrieving messages from: **
DEBUG: The message is: {'source': 'aws.s3', 'time': '2024-07-25T13:30:06Z', 'account': '**', 'region': 'us-east-1', 'resources': ['**'], 'detail': {'bucket': {'name': '**'}, 'object': {'key': 'aws/ROUTE53/2.0/region=us-east-1/accountId=**/eventDay=20240725/e6c8750ace418d35149e71e080b167ca.gz.parquet', 'size': 22751, 'etag': 'f1d948655b8af4b682659493dd919185'}, 'request-id': 'S09HPFT6VQVD73JA', 'requester': 'securitylake.amazonaws.com'}}
Found 1 events in file {'source': 'aws.s3', 'time': '2024-07-25T13:30:06Z', 'account': '**', 'region': 'us-east-1', 'resources': ['**'], 'detail': {'bucket': {'name': '**'}, 'object': {'key': 'aws/ROUTE53/2.0/region=us-east-1/accountId=**/eventDay=20240725/e6c8750ace418d35149e71e080b167ca.gz.parquet', 'size': 22751, 'etag': 'f1d948655b8af4b682659493dd919185'}, 'request-id': 'S09HPFT6VQVD73JA', 'requester': 'securitylake.amazonaws.com'}}
DEBUG: 1 events sent to Analysisd
..
DEBUG: 4 events sent to Analysisd
DEBUG: Message deleted from queue: AmazonSecurityLake-***-Main-Queue
DEBUG: Retrieving messages from: AmazonSecurityLake-***-Main-Queue
Security Hub integration 🟢
Configuration
<wodle name="aws-s3">
<disabled>no</disabled>
<interval>1h</interval>
<run_on_start>yes</run_on_start>
<subscriber type="security_hub">
<sqs_name>***</sqs_name>
<aws_profile>default</aws_profile>
</subscriber>
</wodle>
Additionally, the key
ossec.log
root@wazuh-master:/var/ossec/logs# cat /var/ossec/logs/ossec.log | grep "wazuh-modulesd:aws"
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21195] wmodules-aws.c:522 at wm_aws_read(): DEBUG: Found a subscriber tag
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21195] wmodules-aws.c:538 at wm_aws_read(): DEBUG: Creating first subscriber structure
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21195] wmodules-aws.c:566 at wm_aws_read(): DEBUG: Loop through child nodes
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21195] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: sqs_name
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21195] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: aws_profile
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21904] wmodules-aws.c:522 at wm_aws_read(): DEBUG: Found a subscriber tag
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21904] wmodules-aws.c:538 at wm_aws_read(): DEBUG: Creating first subscriber structure
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21904] wmodules-aws.c:566 at wm_aws_read(): DEBUG: Loop through child nodes
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21904] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: sqs_name
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21904] wmodules-aws.c:569 at wm_aws_read(): DEBUG: Parse child node: aws_profile
2024/07/25 16:24:44 wazuh-modulesd:aws-s3[21904] wm_aws.c:62 at wm_aws_main(): INFO: Module AWS started
2024/07/25 16:24:51 wazuh-modulesd:aws-s3[21904] wm_aws.c:84 at wm_aws_main(): INFO: Starting fetching of logs.
2024/07/25 16:24:51 wazuh-modulesd:aws-s3[21904] wm_aws.c:196 at wm_aws_main(): INFO: Executing Subscriber fetch: (Type and SQS: **)
2024/07/25 16:24:51 wazuh-modulesd:aws-s3[21904] wm_aws.c:727 at wm_aws_run_subscriber(): DEBUG: Create argument list
2024/07/25 16:24:51 wazuh-modulesd:aws-s3[21904] wm_aws.c:806 at wm_aws_run_subscriber(): DEBUG: Launching S3 Subscriber Command: wodles/aws/aws-s3 --subscriber **--aws_profile default --debug 2
DEBUG: +++ Debug mode on - Level: 2
DEBUG: Generating default configuration for retries: mode standard - max_attempts 10
DEBUG: The SQS queue is: https://sqs.us-east-1.amazonaws.com/**/**
DEBUG: Generating default configuration for retries: mode standard - max_attempts 10
DEBUG: Retrieving messages from: **
DEBUG: The message is: {"Records":[{"eventVersion":"2.1","eventSource":"aws:s3","awsRegion":"us-east-1","eventTime":"2024-07-25T13:39:26.959Z","eventName":"ObjectCreated:Put","userIdentity":{"principalId":"**3"},"requestParameters":{"sourceIPAddress":"**"},"responseElements":{"x-amz-request-id":"**","x-amz-id-2":"**/KxkiW9uBD+pMDfoZBO8RWax7HhXNa4jM84sy2UKz5T3Wiy61jU0DtFdzo"},"s3":{"s3SchemaVersion":"1.0","configurationId":"**","bucket":{"name":"**","ownerIdentity":{"principalId":"**"},"arn":"**"},"object":{"key":"2024/07/25/13/wazuh-security-hub-findings-1-2024-07-25-13-34-25-7760cdaa-aa45-497f-80e2-33e25d8611c4","size":3214,"eTag":"2501da293aff0a8cbc0bc20f06820f59","sequencer":"0066A2558EE3E523C7"}}}]}
DEBUG: Retrieving messages from: **

Conclusion

The changes from #23431 have been merged into 4.10. On the other hand, the agent and the Security Lake and Security Hub integrations worked as expected.
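The aws-s3 wodle configured above has to handle two different SQS message shapes: the EventBridge-style notification logged for Security Lake (`{'source': 'aws.s3', ..., 'detail': {...}}`) and the plain S3 event notification logged for Security Hub (`{"Records": [...]}`). The following is an added example, not the wodle's own code, that parses both shapes, skips records that are not object-creation events, and pulls out the bucket, key and the Hive-style `region=`/`accountId=`/`eventDay=` partitions from a Security Lake key; the bucket names and account id are constructed placeholders standing in for the redacted values.

```python
# Added example, not the wodle's own code: parse the two SQS message shapes shown in
# the logs above. Bucket names and the account id are constructed placeholders.
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class S3Object:
    bucket: str
    key: str
    size: int
    partitions: dict = field(default_factory=dict)  # Hive-style name=value path segments


def _partitions(key: str) -> dict:
    # Security Lake keys carry region=/accountId=/eventDay= segments; plain keys give {}.
    return dict(seg.split("=", 1) for seg in key.split("/") if "=" in seg)


def extract_objects(raw: str) -> list:
    """Return the S3 objects referenced by one SQS message body (JSON text)."""
    msg = json.loads(raw)
    found = []
    if msg.get("source") == "aws.s3" and "detail" in msg:  # EventBridge shape (Security Lake)
        d = msg["detail"]
        found.append(S3Object(d["bucket"]["name"], d["object"]["key"],
                              int(d["object"]["size"]), _partitions(d["object"]["key"])))
    for rec in msg.get("Records", []):  # S3 event notification shape (Security Hub)
        # Only object-creation events carry new data; skip deletes and non-S3 records.
        if rec.get("eventSource") != "aws:s3" or not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = rec["s3"]
        found.append(S3Object(s3["bucket"]["name"], s3["object"]["key"],
                              int(s3["object"]["size"]), _partitions(s3["object"]["key"])))
    return found

# Constructed sample messages with the same shape as the ones logged above.
SECURITY_LAKE_MSG = json.dumps({
    "source": "aws.s3", "time": "2024-07-25T13:30:06Z", "region": "us-east-1",
    "detail": {"bucket": {"name": "example-security-lake-bucket"},
               "object": {"key": "aws/ROUTE53/2.0/region=us-east-1/accountId=000000000000/"
                                 "eventDay=20240725/e6c8750ace418d35149e71e080b167ca.gz.parquet",
                          "size": 22751, "etag": "f1d948655b8af4b682659493dd919185"},
               "requester": "securitylake.amazonaws.com"}})
SECURITY_HUB_MSG = json.dumps({"Records": [{
    "eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-security-hub-bucket"},
           "object": {"key": "2024/07/25/13/wazuh-security-hub-findings-1-2024-07-25-13-34-25-7760cdaa-aa45-497f-80e2-33e25d8611c4",
                      "size": 3214, "eTag": "2501da293aff0a8cbc0bc20f06820f59"}}}]})
```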
Virustotal tests results 🟢

The test assumes there is a functional Virustotal service with an available API key. A test is considered valid if the following conditions are met:
Test using ossec.conf in a manager

Configuration

<integration>
<name>virustotal</name>
<api_key>***</api_key>
<group>syscheck</group>
<alert_format>json</alert_format>
</integration>

Additionally, the value

ossec.log

root@wazuh-master:/# cat /var/ossec/logs/ossec.log | grep wazuh-integratord
2024/07/17 16:28:23 wazuh-integratord[52242] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/07/17 16:28:23 wazuh-integratord[52242] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/07/17 16:28:23 wazuh-integratord[52242] main.c:165 at main(): DEBUG: Chrooted to directory: /var/ossec, using user: wazuh
2024/07/17 16:28:23 wazuh-integratord[52242] intgcom.c:76 at intgcom_main(): DEBUG: Local requests thread ready
2024/07/17 16:28:23 wazuh-integratord[52242] main.c:176 at main(): INFO: Started (pid: 52242).
2024/07/17 16:28:23 wazuh-integratord[52242] integrator.c:53 at OS_IntegratorD(): DEBUG: JSON file queue connected.
2024/07/17 16:28:23 wazuh-integratord[52242] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'virustotal'.
...
2024/07/17 16:28:48 wazuh-integratord[52242] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
...

integrations.log

root@wazuh-master:/var/ossec# cat /var/ossec/logs/integrations.log
# Running VirusTotal script
# Opening alert file at '/tmp/virustotal-1721852214--539810883.alert' with '{'timestamp': '2024-07-24T20:16:51.992+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'wazuh-master'}, 'manager': {'name': 'wazuh-master'}, 'id': '1721852211.814352', 'cluster': {'name': 'wazuh', 'node': 'master-node'}, 'full_log': "File '/usr/bin/malware' added\nMode: scheduled\n", 'syscheck': {'path': '/usr/bin/malware', 'mode': 'scheduled', 'size_after': '0', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'd41d8cd98f00b204e9800998ecf8427e', 'sha1_after': 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 'sha256_after': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2024-07-24T20:16:37', 'inode_after': 9550161, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}'
# Requesting VirusTotal information
# Querying VirusTotal API
# Request result from VT server: 1:virustotal:{"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1721852211.814352", "file": "/usr/bin/malware", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2024-07-24 19:54:12", "positives": 0, "total": 63, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1721850852"}, "integration": "virustotal"}
Conclusion

The integration works as expected when using the
LGTM!
The following issue aims to perform all the required testing for the current release candidate to ensure the modules (AWS, GCP, Azure, DockerListener, and Shuffle) work as expected, report the results, and open new issues for any encountered errors.
Modules test information
Test report procedure
All test results must have one of the following statuses:
Any failing test must be adequately addressed with a new issue detailing the error and the possible cause. It must be included in the Fixes section of the current release candidate's central issue.
The resulting logs for the tests must be included in the status report so the auditors can use them to dig deeper into any possible failures and details.
Conclusions
4.10 beta 1

All tests have passed and the fails have been reported or justified. I therefore conclude that this issue is finished and OK for this release candidate.
Auditors validation
The definition of done for this one is the validation of the conclusions and the test results from all auditors.
All checks from below must be accepted to close this issue.