feat(#2947): add new EPS limit tests

tests/integration/test_analysisd/test_eps/data/configuration_template/event_processing_test_module/configuration_drop_events_when_queue_is_full.yaml

@@ -0,0 +1,21 @@
+- sections:
+ - section: remote
+ elements:
+ - connection:
+ value: syslog
+ - port:
+ value: PORT
+ - protocol:
+ value: PROTOCOL
+ - allowed-ips:
+ value: 0.0.0.0/0
+ - section: global
+ elements:
+ - limits:
+ elements:
+ - eps:
+ elements:
+ - maximum:
+ value: MAXIMUM
+ - timeframe:
+ value: TIMEFRAME

tests/integration/test_analysisd/test_eps/data/configuration_template/event_processing_test_module/configuration_processing_events_in_order_multi_thread.yaml

@@ -0,0 +1,23 @@
+- sections:
+ - section: remote
+ elements:
+ - connection:
+ value: syslog
+ - port:
+ value: PORT
+ - protocol:
+ value: PROTOCOL
+ - allowed-ips:
+ value: 0.0.0.0/0
+ - section: global
+ elements:
+ - limits:
+ elements:
+ - eps:
+ elements:
+ - maximum:
+ value: MAXIMUM
+ - timeframe:
+ value: TIMEFRAME
+ - logall:
+ value: 'yes'

tests/integration/test_analysisd/test_eps/data/configuration_template/event_processing_test_module/configuration_processing_events_in_order_single_thread.yaml

@@ -0,0 +1,23 @@
+- sections:
+ - section: remote
+ elements:
+ - connection:
+ value: syslog
+ - port:
+ value: PORT
+ - protocol:
+ value: PROTOCOL
+ - allowed-ips:
+ value: 0.0.0.0/0
+ - section: global
+ elements:
+ - limits:
+ elements:
+ - eps:
+ elements:
+ - maximum:
+ value: MAXIMUM
+ - timeframe:
+ value: TIMEFRAME
+ - logall:
+ value: 'yes'

tests/integration/test_analysisd/test_eps/data/configuration_template/event_processing_test_module/configuration_queueing_events_after_limitation.yaml

@@ -0,0 +1,21 @@
+- sections:
+ - section: remote
+ elements:
+ - connection:
+ value: syslog
+ - port:
+ value: PORT
+ - protocol:
+ value: PROTOCOL
+ - allowed-ips:
+ value: 0.0.0.0/0
+ - section: global
+ elements:
+ - limits:
+ elements:
+ - eps:
+ elements:
+ - maximum:
+ value: MAXIMUM
+ - timeframe:
+ value: TIMEFRAME

tests/integration/test_analysisd/test_eps/data/test_cases/basic_test_module/cases_enabled.yaml

@@ -1,4 +1,4 @@
-- name: maximum 20 - timeframe 5
+- name: enabled
  description: EPS Limits enabled
  configuration_parameters:
  MAXIMUM: '20'

tests/integration/test_analysisd/test_eps/data/test_cases/configuration_test_module/cases_accepted_values.yaml

@@ -1,5 +1,5 @@
 - name: maximum 5000 - timeframe 10
- description: acepted value
+ description: accepted value
  configuration_parameters:
  MAXIMUM: '5000'
  TIMEFRAME: '10'

tests/integration/test_analysisd/test_eps/data/test_cases/event_processing_test_module/cases_drop_events_when_queue_is_full.yaml

@@ -0,0 +1,17 @@
+- name: drop events
+ description: Drop events when events queue is full
+ configuration_parameters:
+ PORT: 514
+ PROTOCOL: tcp
+ MAXIMUM: '1'
+ TIMEFRAME: '100'
+ metadata:
+ maximum: 1
+ timeframe: 100
+ # syslog simulator parameters
+ address: 'localhost'
+ port: 514
+ protocol: 'tcp'
+ messages_number: 50000
+ eps: 5000
+

tests/integration/test_analysisd/test_eps/data/test_cases/event_processing_test_module/cases_limitation.yaml

@@ -1,12 +1,12 @@
-- name: maximum 500 - timeframe 5
+- name: not process events after exceeding the limit
  description: EPS limitation
  configuration_parameters:
  PORT: 514
  PROTOCOL: tcp
- MAXIMUM: '250'
+ MAXIMUM: '500'
  TIMEFRAME: '10'
  metadata:
- maximum: 250
+ maximum: 500
  timeframe: 10
  # syslog simulator parameters
  address: 'localhost'

tests/integration/test_analysisd/test_eps/data/test_cases/event_processing_test_module/cases_processing_events_in_order_multi_thread.yaml

@@ -0,0 +1,23 @@
+- name: batch events order - multi-thread
+ description: Process events in batch order
+ configuration_parameters:
+ PORT: 514
+ PROTOCOL: tcp
+ MAXIMUM: '20'
+ TIMEFRAME: '5'
+ metadata:
+ maximum: 20
+ timeframe: 5
+ # syslog simulator parameters
+ address: 'localhost'
+ num_batches: 5
+ batch_sending_time: 3
+ message_1: 'Login failed: admin, test - Group 1'
+ message_2: 'Login failed: admin, test - Group 2'
+ message_3: 'Login failed: admin, test - Group 3'
+ message_4: 'Login failed: admin, test - Group 4'
+ message_5: 'Login failed: admin, test - Group 5'
+ port: 514
+ protocol: 'tcp'
+ eps: 100
+ messages_number: 100

tests/integration/test_analysisd/test_eps/data/test_cases/event_processing_test_module/cases_processing_events_in_order_single_thread.yaml

@@ -0,0 +1,19 @@
+- name: messages events order - single-thread
+ description: Process events in messages order
+ configuration_parameters:
+ PORT: 514
+ PROTOCOL: tcp
+ MAXIMUM: '20'
+ TIMEFRAME: '5'
+ metadata:
+ maximum: 20
+ timeframe: 5
+ # syslog simulator parameters
+ address: 'localhost'
+ message: 'Login failed: admin, test'
+ port: 514
+ protocol: 'tcp'
+ numbered_messages: 1
+ messages_number_1: 300
+ eps: 300
+ messages_number_2: 200

tests/integration/test_analysisd/test_eps/data/test_cases/event_processing_test_module/cases_queueing_events_after_limitation.yaml

@@ -0,0 +1,16 @@
+- name: queue non-processed events
+ description: Queueing events after processing limitation
+ configuration_parameters:
+ PORT: 514
+ PROTOCOL: tcp
+ MAXIMUM: '100'
+ TIMEFRAME: '10'
+ metadata:
+ maximum: 100
+ timeframe: 10
+ # syslog simulator parameters
+ address: 'localhost'
+ port: 514
+ protocol: 'tcp'
+ messages_number: 10000
+ eps: 1000

tests/integration/test_analysisd/test_eps/test_basic.py

@@ -3,7 +3,6 @@
 
 from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data
 from wazuh_testing.modules.analysisd import event_monitor as evm
-from wazuh_testing.modules.analysisd import ANALYSISD_STATE_INTERNAL_DEFAULT
 from wazuh_testing.processes import check_if_daemons_are_running
 
 pytestmark = [pytest.mark.server]
@@ -13,10 +12,9 @@
 TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
 CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template', 'basic_test_module')
 TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases', 'basic_test_module')
-local_internal_options = {'wazuh_modules.debug': '2', 'monitord.rotate_log': '0',
- 'analysisd.state_interval': f"{ANALYSISD_STATE_INTERNAL_DEFAULT}"}
+local_internal_options = {'wazuh_modules.debug': '2', 'monitord.rotate_log': '0'}
 
-# ------------------------------- TEST_ENABLED -------------------------------------------------------------------------
+# ---------------------------------------------------- TEST_ENABLED ----------------------------------------------------
 # Configuration and cases data
 configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_enabled.yaml')
 t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_enabled.yaml')
@@ -26,7 +24,7 @@
 t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters,
  t1_configuration_metadata)
 
-# ------------------------------- TEST_DISABLED ------------------------------------------------------------------------
+# ---------------------------------------------------- TEST_DISABLED ---------------------------------------------------
 # Configuration and cases data
 t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_disabled.yaml')
 t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_disabled.yaml')
@@ -40,7 +38,57 @@
 @pytest.mark.tier(level=0)
 @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids)
 def test_enabled(configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
- configure_local_internal_options_module, truncate_monitored_files, restart_wazuh_daemon_function):
+ configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_daemon_function):
+ """
+ description: Check whether the event analysis limitation is activated after its activation in the configuration.
+
+ test_phases:
+ - setup:
+ - Load Wazuh light configuration.
+ - Apply ossec.conf configuration changes according to the configuration template and use case.
+ - Apply custom settings in local_internal_options.conf.
+ - Truncate wazuh logs.
+ - Restart wazuh-manager service to apply configuration changes.
+ - test:
+ - Check in the ossec.log that a line has appeared indicating that EPS limiting has been enabled.
+ - Check that wazuh-analysisd is running (it has not been crashed).
+ - tierdown:
+ - Truncate wazuh logs.
+ - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+
+ wazuh_min_version: 4.4.0
+
+ parameters:
+ - configuration:
+ type: dict
+ brief: Get configurations from the module.
+ - metadata:
+ type: dict
+ brief: Get metadata from the module.
+ - load_wazuh_basic_configuration:
+ type: fixture
+ brief: Load basic wazuh configuration.
+ - set_wazuh_configuration:
+ type: fixture
+ brief: Apply changes to the ossec.conf configuration.
+ - configure_local_internal_options_function:
+ type: fixture
+ brief: Apply changes to the local_internal_options.conf configuration.
+ - truncate_monitored_files:
+ type: fixture
+ brief: Truncate wazuh logs.
+ - restart_wazuh_daemon_function:
+ type: fixture
+ brief: Restart the wazuh service.
+
+ assertions:
+ - Check in the log that the EPS limitation has been activated.
+ - Check that wazuh-analysisd daemon does not crash.
+
+ input_description:
+ - The `configuration_enabled` file provides the module configuration for this test.
+ - The `cases_enabled` file provides the test cases.
+ """
  evm.check_eps_enabled(metadata['maximum'], metadata['timeframe'])
 
  # Check that wazuh-analysisd is running
@@ -50,7 +98,57 @@ def test_enabled(configuration, metadata, load_wazuh_basic_configuration, set_wa
 @pytest.mark.tier(level=0)
 @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids)
 def test_disabled(configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
- configure_local_internal_options_module, truncate_monitored_files, restart_wazuh_daemon_function):
+ configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_daemon_function):
+ """
+ description: Check if when the EPS limitation setting is not applied, the feature is not activated.
+
+ test_phases:
+ - setup:
+ - Load Wazuh light configuration.
+ - Apply ossec.conf configuration changes according to the configuration template and use case.
+ - Apply custom settings in local_internal_options.conf.
+ - Truncate wazuh logs.
+ - Restart wazuh-manager service to apply configuration changes.
+ - test:
+ - Look in the ossec.log to see if the EPS limitation activation does not appear.
+ - Check that wazuh-analysisd is running (it has not been crashed).
+ - tierdown:
+ - Truncate wazuh logs.
+ - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+
+ wazuh_min_version: 4.4.0
+
+ parameters:
+ - configuration:
+ type: dict
+ brief: Get configurations from the module.
+ - metadata:
+ type: dict
+ brief: Get metadata from the module.
+ - load_wazuh_basic_configuration:
+ type: fixture
+ brief: Load basic wazuh configuration.
+ - set_wazuh_configuration:
+ type: fixture
+ brief: Apply changes to the ossec.conf configuration.
+ - configure_local_internal_options_function:
+ type: fixture
+ brief: Apply changes to the local_internal_options.conf configuration.
+ - truncate_monitored_files:
+ type: fixture
+ brief: Truncate wazuh logs.
+ - restart_wazuh_daemon_function:
+ type: fixture
+ brief: Restart the wazuh service.
+
+ assertions:
+ - Check in the ossec.log to see if the EPS limitation activation does not appear.
+ - Check that wazuh-analysisd daemon does not crash.
+
+ input_description:
+ - The `configuration_disabled` file provides the module configuration for this test.
+ - The `cases_disabled` file provides the test cases.
+ """
  evm.check_eps_disabled()
 
  # Check that wazuh-analysisd is running