Validate Syscheck whodata buffer behavior #3962

Closed
Deblintrake09 opened this issue Feb 16, 2023 · 1 comment

Deblintrake09 commented Feb 16, 2023

| Target version | Related issue | Related PR |
|---|---|---|
| 4.5.0 | wazuh/wazuh#13920 | wazuh/wazuh#16200 |

Description

This issue aims to test the new FIM option `whodata_queue_size`, which handles a new queue added for handling the messages that FIM receives from audit.

Test Cases

Linux Test cases (Manager & Agent)

Configuration test cases

Scenario: Default value
  Given that `whodata_queue_size` is removed from ossec.conf
  When manager/agent is restarted
  Then an INFO level message shows the configured value to be `16384`
Scenario: Valid values - whodata_queue_size is set to limit values
  Given that `whodata_queue_size` is set to `1` or `1048576`
  When manager/agent is restarted
  Then an INFO level message shows the correct configured value
Scenario: Invalid values - whodata_queue_size is set to limit values
  Given that `whodata_queue_size` is set to `-1` or `1048577`
  When manager/agent is restarted
  Then an ERROR level message appears
  And syscheck is not restarted.
Scenario: Invalid values - whodata_queue_size has characters
  Given that `whodata_queue_size` is set to `10a`
  When manager/agent is restarted
  Then an ERROR level message appears explaining the conf error
  And syscheck is not restarted.

Behavior test cases

Scenario: Queue does not overflow and drop events
  Given that `whodata_queue_size` is set to 3 and `max_file_per_second` is set to 5
  When X amount of files is created
  Then all files are processed after X/5 seconds and no message is dropped
Scenario: Queue overflows and drops events from single insertion
  Given that `whodata_queue_size` is set to 3 and `max_file_per_second` is set to 5
  When X amount of files is created
  Then as files are processed at rate X/5 seconds the last set of files is missing (was dropped out of queue)
Scenario: Queue overflows and drops events - 2 Insertions - Drop from first set
  Given that `whodata_queue_size` is set to 3 and `max_file_per_second` is set to 5
  When X amount of files is created
  And files are processed at rate X/5 seconds
  And a second X amount of files is created before events have finished appearing
  Then files are processed and some events from the first batch are dropped before files from the second batch appear.

NOTE: The X amount of files to be created in the behavior test cases needs to be determined through manual testing, as the actual amount of files that can occupy one slot in the queue is not known at the moment.

Windows Test cases (Agent)

Configuration test cases

Scenario: Default value
  Given that `whodata_queue_size` is removed from ossec.conf
  When manager/agent is restarted
  Then an INFO level message shows the configured value to be `16384`
Scenario: Valid values - whodata_queue_size is set to limit values
  Given that `whodata_queue_size` is set to `1` or `1048576`
  When manager/agent is restarted
  Then an INFO level message shows the correct configured value
Scenario: Invalid values - whodata_queue_size is set to limit values
  Given that `whodata_queue_size` is set to `-1` or `1048577`
  When manager/agent is restarted
  Then an ERROR level message appears
  And syscheck is not restarted.
Scenario: Invalid values - whodata_queue_size has characters
  Given that `whodata_queue_size` is set to `10a`
  When manager/agent is restarted
  Then an ERROR level message appears explaining the conf error
  And syscheck is not restarted.

Behavior test cases

Scenario: Queue does not overflow and drop events
  Given that `whodata_queue_size` is set to 3 and `max_file_per_second` is set to 5
  When X amount of files is created
  Then all files are processed after X/5 seconds and no message is dropped
Scenario: Queue overflows and drops events from single insertion
  Given that `whodata_queue_size` is set to 3 and `max_file_per_second` is set to 5
  When X amount of files is created
  Then as files are processed at rate X/5 seconds the last set of files is missing (was dropped out of queue)
Scenario: Queue overflows and drops events - 2 Insertions - Drop from first set
  Given that `whodata_queue_size` is set to 3 and `max_file_per_second` is set to 5
  When X amount of files is created
  And files are processed at rate X/5 seconds
  And a second X amount of files is created before events have finished appearing
  Then files are processed and some events from the first batch are dropped before files from the second batch appear.

NOTE: The X amount of files to be created in the behavior test cases needs to be determined through manual testing, as the actual amount of files that can occupy one slot in the queue is not known at the moment.
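
The configuration scenarios above depend on strict integer parsing with inclusive bounds. The following is an added example, not code from this issue or from Wazuh, of a check that accepts `1` and `1048576`, rejects `-1`, `1048577` and `10a`, and falls back to `16384` when the option is absent. The function and macro names are hypothetical; the `atoi` contrast shows why the `10a` scenario needs its own test.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Bounds and default taken from the test cases in the issue. */
#define WHODATA_QUEUE_DEFAULT 16384L
#define WHODATA_QUEUE_MIN     1L
#define WHODATA_QUEUE_MAX     1048576L

/* Hypothetical helper (not Wazuh's parser).
 * raw == NULL models the option being removed from the configuration.
 * Returns 0 and stores the size in *out, or -1 if the value must be rejected. */
int parse_whodata_queue_size(const char *raw, long *out)
{
    char *end = NULL;
    long v;

    if (raw == NULL) {
        *out = WHODATA_QUEUE_DEFAULT;
        return 0;
    }
    errno = 0;
    v = strtol(raw, &end, 10);
    if (end == raw || *end != '\0')      /* empty input or trailing junk ("10a") */
        return -1;
    if (errno == ERANGE || v < WHODATA_QUEUE_MIN || v > WHODATA_QUEUE_MAX)
        return -1;                       /* overflow, -1, or 1048577 */
    *out = v;
    return 0;
}

/* Lenient contrast: atoi() stops at the first non-digit and reports no error,
 * so "10a" would be silently accepted as 10. */
int lenient_queue_size(const char *raw) { return atoi(raw); }

int main(void)
{
    /* Values from the issue's scenarios; NULL stands for "option removed". */
    const char *cases[] = { NULL, "1", "1048576", "-1", "1048577", "10a" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long size = 0;
        int rc = parse_whodata_queue_size(cases[i], &size);
        printf("%-10s -> %s", cases[i] ? cases[i] : "(absent)", rc ? "ERROR" : "INFO");
        if (rc == 0) printf(" size=%ld", size);
        putchar('\n');
    }
    printf("atoi(\"10a\") = %d\n", lenient_queue_size("10a"));
    return 0;
}
```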

@Deblintrake09

The manual testing will not be necessary, as IT tests have been developed in Issue #3963, which is pending Jenkins checks.

damarisg closed this as not planned (won't fix, can't repro, duplicate, stale) on Mar 10, 2023