feat(wazuh/wazuh#17388): add inspector discard regex test and cases

wazuh · Jul 4, 2023 · 18cd27b · 18cd27b
1 parent ee3af70
commit 18cd27b
Show file tree

Hide file tree

Showing 4 changed files with 156 additions and 1 deletion.
diff --git a/...nfiguration_template/discard_regex_test_module/configuration_inspector_discard_regex.yaml b/...nfiguration_template/discard_regex_test_module/configuration_inspector_discard_regex.yaml
@@ -0,0 +1,21 @@
+- sections:
+ - section: wodle
+ attributes:
+ - name: aws-s3
+ elements:
+ - disabled:
+ value: 'no'
+ - service:
+ attributes:
+ - type: SERVICE_TYPE
+ elements:
+ - aws_profile:
+ value: qa
+ - only_logs_after:
+ value: ONLY_LOGS_AFTER
+ - regions:
+ value: REGIONS
+ - discard_regex:
+ attributes:
+ - field: DISCARD_FIELD
+ value: DISCARD_REGEX
diff --git a/...on/test_aws/data/test_cases/discard_regex_test_module/cases_cloudwatch_discard_regex.yaml b/...on/test_aws/data/test_cases/discard_regex_test_module/cases_cloudwatch_discard_regex.yaml
@@ -29,7 +29,7 @@
  service_type: cloudwatchlogs
  log_group_name: wazuh-cloudwatchlogs-integration-tests
  only_logs_after: 2023-JAN-12
- discard_field: ''
+ discard_field=''
  discard_regex: .*Test.*
  regions: us-east-1
  found_logs: 3
diff --git a/...ion/test_aws/data/test_cases/discard_regex_test_module/cases_inspector_discard_regex.yaml b/...ion/test_aws/data/test_cases/discard_regex_test_module/cases_inspector_discard_regex.yaml
@@ -0,0 +1,15 @@
+- name: inspector_discard_regex
+ description: Inspector discard regex configurations
+ configuration_parameters:
+ SERVICE_TYPE: inspector
+ REGIONS: us-east-1
+ DISCARD_FIELD: assetAttributes.tags.value
+ DISCARD_REGEX: .*inspector-integration-test.*
+ ONLY_LOGS_AFTER: 2023-JAN-12
+ metadata:
+ service_type: inspector
+ only_logs_after: 2023-JAN-12
+ discard_field: assetAttributes.tags.value
+ discard_regex: .*inspector-integration-test.*
+ regions: us-east-1
+ found_logs: 4
diff --git a/tests/integration/test_aws/test_discard_regex.py b/tests/integration/test_aws/test_discard_regex.py
@@ -259,4 +259,123 @@ def test_cloudwatch_discard_regex(
  accum_results=found_logs
  ).result()
 
+ assert services_db_exists()
+
+# ---------------------------------------------------- TEST_INSPECTOR_DISCARD_REGEX -------------------------------------------------------
+t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_inspector_discard_regex.yaml')
+t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_inspector_discard_regex.yaml')
+
+t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path)
+t2_configurations = load_configuration_template(
+ t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata
+)
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids)
+def test_inspector_discard_regex(
+ configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration, clean_aws_services_db,
+ configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring,
+):
+ """
+ description: Fetch logs excluding the ones that match with the regex.
+ test_phases:
+ - setup:
+ - Load Wazuh light configuration.
+ - Apply ossec.conf configuration changes according to the configuration template and use case.
+ - Apply custom settings in local_internal_options.conf.
+ - Truncate wazuh logs.
+ - Restart wazuh-manager service to apply configuration changes.
+ - test:
+ - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+ - Check the expected number of events were forwarded to analysisd, only logs stored in the bucket and skips
+ the ones that match with regex.
+ - Check the database was created and updated accordingly.
+ - teardown:
+ - Truncate wazuh logs.
+ - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+ - Delete the uploaded file
+ wazuh_min_version: 4.5.0
+ parameters:
+ - configuration:
+ type: dict
+ brief: Get configurations from the module.
+ - metadata:
+ type: dict
+ brief: Get metadata from the module.
+ - load_wazuh_basic_configuration:
+ type: fixture
+ brief: Load basic wazuh configuration.
+ - set_wazuh_configuration:
+ type: fixture
+ brief: Apply changes to the ossec.conf configuration.
+ - clean_aws_services_db:
+ type: fixture
+ brief: Delete the DB file before and after the test execution.
+ - configure_local_internal_options_function:
+ type: fixture
+ brief: Apply changes to the local_internal_options.conf configuration.
+ - truncate_monitored_files:
+ type: fixture
+ brief: Truncate wazuh logs.
+ - restart_wazuh_daemon_function:
+ type: fixture
+ brief: Restart the wazuh service.
+ - file_monitoring:
+ type: fixture
+ brief: Handle the monitoring of a specified file.
+ assertions:
+ - Check in the log that the module was called with correct parameters.
+ - Check the expected number of events were forwarded to analysisd.
+ - Check the database was created and updated accordingly.
+ input_description:
+ - The `configuration_inspector_discard_regex` file provides the module configuration for this test.
+ - The `cases_inspector_discard_regex` file provides the test cases.
+ """
+ service_type = metadata.get('service_type')
+ only_logs_after = metadata.get('only_logs_after')
+ regions: str = metadata.get('regions')
+ discard_field = metadata.get('discard_field', '')
+ discard_regex = metadata.get('discard_regex')
+ found_logs = metadata.get('found_logs')
+
+ pattern_json = fr'.*The "{discard_regex}" regex found a match in the "{discard_field}" field. The event will be skipped.'
+ pattern_simple_text = fr'.*The "{discard_regex}" regex found a match. The event will be skipped.'
+
+ parameters = [
+ 'wodles/aws/aws-s3',
+ '--service', service_type,
+ '--aws_profile', 'qa',
+ '--only_logs_after', only_logs_after,
+ '--regions', regions,
+ '--discard-field' if discard_field else '' , discard_field,
+ '--discard-regex', discard_regex,
+ '--debug', '2'
+ ]
+
+
+ # Check AWS module started
+ log_monitor.start(
+ timeout=global_parameters.default_timeout,
+ callback=event_monitor.callback_detect_aws_module_start,
+ error_message='The AWS module did not start as expected',
+ ).result()
+
+ # Check command was called correctly
+ log_monitor.start(
+ timeout=global_parameters.default_timeout,
+ callback=event_monitor.callback_detect_aws_module_called(parameters),
+ error_message='The AWS module was not called with the correct parameters',
+ ).result()
+
+ log_monitor.start(
+ timeout=T_20,
+ callback=event_monitor.callback_detect_event_processed_or_skipped(pattern_json if discard_field else pattern_simple_text),
+ error_message=(
+ 'The AWS module did not show the correct message about discard regex or ',
+ 'did not process the expected amount of logs'
+ ),
+ accum_results=found_logs
+ ).result()
+
  assert services_db_exists()