Migrate test_macos of test_logcollector documentation to qa-docs
#2175
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
50 tasks
1 task
…y of test_logcollector documentation Related: #1813
…migrate-doc-logc-macos
added 2 commits
January 11, 2022 09:48
…migrate-doc-logc-macos
QA-docs execution
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
As part of epic #1796, this PR adds the missing documentation and migrates the current documentation to the new format used by qa-docs.
The schema used is the one defined in issue #1694
New tags
The following tags are added to the wiki:
logcollector_macosGenerated documentation
test_macos_file_status_basic.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. Specifically, these tests will check if the logcollector generates the 'file_status.json' file used by the 'only future events' option when using ULS (unified logging system) events in macOS systems. Log data collection is the real-time process of making sense out of the records generated by servers or devices. This component can receive logs through text files or Windows event logs. It can also directly receive logs via remote syslog which is useful for firewalls and other such devices.", "tier": 0, "modules": [ "logcollector" ], "components": [ "agent" ], "daemons": [ "wazuh-logcollector" ], "os_platform": [ "macos" ], "os_version": [ "macOS Catalina" ], "references": [ "https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html", "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html", "https://developer.apple.com/documentation/os/logging" ], "tags": [ "logcollector_macos" ], "name": "test_macos_file_status_basic.py", "id": 1, "group_id": 0, "tests": [ { "description": "Check if the 'wazuh-logcollector' builds and updates the 'file_status.json' file from ULS events. For this purpose, the test will configure a 'localfile' section using the macOS settings. Once the logcollector is started, it will wait until the macOS ULS module is ready, and then, the test will generate 'unified logging system' (ULS) events by using a logger tool. After this, it will check if the 'file_status.json' file has been created and if the 'macos' key is inside it. Finally, the test will verify that the 'file_status.json' file has valid content.", "wazuh_min_version": "4.2.0", "parameters": [ { "restart_logcollector_required_daemons_package": { "type": "fixture", "brief": "Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons." } }, { "truncate_log_file": { "type": "fixture", "brief": "Clear the 'ossec.log' file." } }, { "delete_file_status_json": { "type": "fixture", "brief": "Delete the 'file_status.json' file from logcollector." } }, { "configure_local_internal_options_module": { "type": "fixture", "brief": "Set internal configuration for testing." } }, { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "file_monitoring": { "type": "fixture", "brief": "Handle the monitoring of a specified file." } }, { "daemons_handler": { "type": "fixture", "brief": "Handler of Wazuh daemons." } } ], "assertions": [ "Verify that the logcollector detects the macOS ULS events.", "Verify that the logcollector generates the 'file_status.json' file with valid content." ], "input_description": "A configuration template (test_macos_file_status_basic) is contained in an external YAML file (wazuh_macos_file_status_basic.yaml). That template is combined with two test cases defined in the module. Those include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Monitoring macOS logs with.*'", "r'Monitoring macOS logs with.*log stream'", "r'Logger testing message - file status' (testing macOS ULS message)", "r'\"macos\"'" ], "tags": [ "logs" ], "name": "test_macos_file_status_basic", "inputs": [ "only_future_events_yes", "only_future_events_no" ] } ] }test_macos_file_status_basic.yaml
test_macos_file_status_predicate.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. Specifically, these tests will verify that the logcollector does not add to the 'file_status.json' file event-related data when the predicate used in the 'query' tag is invalid. Log data collection is the real-time process of making sense out of the records generated by servers or devices. This component can receive logs through text files or Windows event logs. It can also directly receive logs via remote syslog which is useful for firewalls and other such devices.", "tier": 0, "modules": [ "logcollector" ], "components": [ "agent" ], "daemons": [ "wazuh-logcollector" ], "os_platform": [ "macos" ], "os_version": [ "macOS Catalina" ], "references": [ "https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html", "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query" ], "tags": [ "logcollector_macos" ], "name": "test_macos_file_status_predicate.py", "id": 2, "group_id": 0, "tests": [ { "description": "Check if the 'wazuh-logcollector' does not update the 'file_status.json' file from logging events when using an invalid predicate in the 'query' tag of the 'localfile' section. The agent uses a dummy localfile (/Library/Ossec/logs/active-responses.log) which triggers the creation of the 'file_status.json' file. For this purpose, the test will configure a 'localfile' section using the macOS settings but using an invalid predicate. Once the logcollector is started, it will verify that event errors are generated, indicating that an invalid setting has been detected. After this, the test will check if the 'file_status.json' file has been created, and finally, it will verify that the 'macos' key is not inside it since the predicate used is invalid.", "wazuh_min_version": "4.2.0", "parameters": [ { "restart_logcollector_required_daemons_package": { "type": "fixture", "brief": "Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons." } }, { "truncate_log_file": { "type": "fixture", "brief": "Clear the 'ossec.log' file." } }, { "delete_file_status_json": { "type": "fixture", "brief": "Delete the 'file_status.json' file from logcollector." } }, { "configure_local_internal_options_module": { "type": "fixture", "brief": "Set internal configuration for testing." } }, { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "file_monitoring": { "type": "fixture", "brief": "Handle the monitoring of a specified file." } }, { "daemons_handler": { "type": "fixture", "brief": "Handler of Wazuh daemons." } } ], "assertions": [ "Verify that the logcollector generates error events when it detects an invalid predicate.", "Verify that the logcollector generates the 'file_status.json' file without the 'macos' key." ], "input_description": "A configuration template (test_macos_file_status_predicate) is contained in an external YAML file (wazuh_macos_file_status_predicate.yaml). That template is combined with two test cases defined in the module. Those include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Execution error .*'", "r\"macOS 'log stream' process exited\"" ], "tags": [ "logs" ], "name": "test_macos_file_status_predicate", "inputs": [ "only_future_events_yes", "only_future_events_no" ] } ] }test_macos_file_status_predicate.yaml
test_macos_file_status_when_no_macos.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. Specifically, these tests will verify that the logcollector does not add to the 'file_status.json' file event-related data when the predicate used in the 'query' tag is invalid. Log data collection is the real-time process of making sense out of the records generated by servers or devices. This component can receive logs through text files or Windows event logs. It can also directly receive logs via remote syslog which is useful for firewalls and other such devices.", "tier": 0, "modules": [ "logcollector" ], "components": [ "agent" ], "daemons": [ "wazuh-logcollector" ], "os_platform": [ "macos" ], "os_version": [ "macOS Catalina" ], "references": [ "https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html", "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query" ], "tags": [ "logcollector_macos" ], "name": "test_macos_file_status_when_no_macos.py", "id": 3, "group_id": 0, "tests": [ { "description": "Check if the 'wazuh-logcollector' does not store and removes if exists, previous macos-formatted localfile data in the 'file_status.json' file when the macOS localfile section does not exist in the configuration. For this purpose, the test will create a testing log file and configure a 'localfile' section to monitor it. Once the logcollector is started, it will check if the 'file_status.json' file exists, if not, the test will create it. Then it will verify that the 'macos' key is inside of that file, adding the key if necessary. After this, it will wait for the update of the 'file_status.json' file, and finally, the test will verify that the macOS key is not inside it since the localfile related section does not exist in the main configuration file.", "wazuh_min_version": "4.2.0", "parameters": [ { "restart_logcollector_required_daemons_package": { "type": "fixture", "brief": "Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons." } }, { "truncate_log_file": { "type": "fixture", "brief": "Clear the 'ossec.log' file." } }, { "handle_files": { "type": "fixture", "brief": "Create a dummy file to be monitored by logcollector." } }, { "delete_file_status_json": { "type": "fixture", "brief": "Delete the 'file_status.json' file from logcollector." } }, { "configure_local_internal_options_module": { "type": "fixture", "brief": "Set internal configuration for testing." } }, { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "file_monitoring": { "type": "fixture", "brief": "Handle the monitoring of a specified file." } }, { "daemons_handler": { "type": "fixture", "brief": "Handler of Wazuh daemons." } } ], "assertions": [ "Verify that the logcollector starts to monitor a log file.", "Verify that the logcollector removes the 'macos' key from the 'file_status.json' when no localfile is configured with macOS settings." ], "input_description": "A configuration template (test_macos_file_status_when_no_macos) is contained in an external YAML file (wazuh_macos_file_status_when_no_macos.yaml). That template is combined with a test case defined in the module. That include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Started'" ], "tags": [ "logs" ], "name": "test_macos_file_status_when_no_macos", "inputs": [ "get_configuration0" ] } ] }test_macos_file_status_when_no_macos.yaml
test_macos_format_basic.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. Specifically, these tests will check if the logcollector properly processes the macOS unified logging system (ULS) events. Log data collection is the real-time process of making sense out of the records generated by servers or devices. This component can receive logs through text files or Windows event logs. It can also directly receive logs via remote syslog which is useful for firewalls and other such devices.", "tier": 0, "modules": [ "logcollector" ], "components": [ "agent" ], "daemons": [ "wazuh-logcollector" ], "os_platform": [ "macos" ], "os_version": [ "macOS Catalina" ], "references": [ "https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html", "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html", "https://developer.apple.com/documentation/os/logging" ], "tags": [ "logcollector_macos" ], "name": "test_macos_format_basic.py", "id": 4, "group_id": 0, "tests": [ { "description": "Check if the 'wazuh-logcollector' gathers properly macOS unified logging system (ULS) events. For this purpose, the test will configure a 'localfile' section using the macOS settings. Once the logcollector is started, it will check if the 'monitoring' event is triggered, indicating that the logcollector starts to monitor the macOS logs, and then, the test will generate a ULS event by using a logger tool. After this, it will create a custom callback from the testing ULS event, and finally, the test will verify that the logcollector event with the testing log message has been generated.", "wazuh_min_version": "4.2.0", "parameters": [ { "restart_logcollector_required_daemons_package": { "type": "fixture", "brief": "Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons." } }, { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "configure_local_internal_options_module": { "type": "fixture", "brief": "Set internal configuration for testing." } }, { "macos_message": { "type": "dict", "brief": "Dictionary with the testing macOS ULS event." } }, { "file_monitoring": { "type": "fixture", "brief": "Handle the monitoring of a specified file." } }, { "daemons_handler": { "type": "fixture", "brief": "Handler of Wazuh daemons." } }, { "restart_logcollector_function": { "type": "fixture", "brief": "Restart the 'wazuh-logcollector' daemon on each test case." } } ], "assertions": [ "Verify that the logcollector starts monitoring the macOS ULS log messages.", "Verify that the logcollector generates events from the macOS ULS log messages." ], "input_description": "A configuration template (test_macos_format_basic) is contained in an external YAML file (wazuh_macos_format_basic.yaml). That template is combined with two test cases defined in the module. Those include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Monitoring macOS logs with.*'", "r'Logger message example'", "r'Custom os_log event message'" ], "tags": [ "logs" ], "name": "test_macos_format_basic", "inputs": [ "get_configuration0-os_log_command", "get_configuration0-logger_command" ] } ] }test_macos_format_basic.yaml
test_macos_format_only_future_events.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. Specifically, these tests will check if the 'only-future-events' option of the logcollector properly works when using the macOS unified logging system (ULS). Log data collection is the real-time process of making sense out of the records generated by servers or devices. This component can receive logs through text files or Windows event logs. It can also directly receive logs via remote syslog which is useful for firewalls and other such devices.", "tier": 0, "modules": [ "logcollector" ], "components": [ "agent" ], "daemons": [ "wazuh-logcollector" ], "os_platform": [ "macos" ], "os_version": [ "macOS Catalina" ], "references": [ "https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html", "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#only-future-events", "https://developer.apple.com/documentation/os/logging" ], "tags": [ "logcollector_macos" ], "name": "test_macos_format_only_future_events.py", "id": 5, "group_id": 0, "tests": [ { "description": "Check if the 'only-future-events' option is used properly by the 'wazuh-logcollector' when using the macOS unified logging system (ULS) events. For this purpose, the test will configure a 'localfile' section using the macOS settings. Once the logcollector is started, it will check if the 'monitoring' event is triggered, indicating that the logcollector starts to monitor the macOS logs, and then, the test will generate a ULS event by using a logger tool. After this, it will check if the logcollector event with the testing log message is triggered. Then, the test will stop the 'wazuh-logcollector' daemon, generate a ULS event, and start it again. The test will check if that event has been detected (depending on the value of the 'only-future-events' tag). Finally, it will verify that the logcollector continues detecting new ULS events.", "wazuh_min_version": "4.2.0", "parameters": [ { "restart_logcollector_required_daemons_package": { "type": "fixture", "brief": "Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons." } }, { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "configure_local_internal_options_module": { "type": "fixture", "brief": "Set internal configuration for testing." } }, { "daemons_handler": { "type": "fixture", "brief": "Handler of Wazuh daemons." } }, { "file_monitoring": { "type": "fixture", "brief": "Handle the monitoring of a specified file." } } ], "assertions": [ "Verify that the logcollector starts monitoring the macOS ULS log messages.", "Verify that the logcollector detects the logs messages generated while it stopped when it is started, and the 'only-future-events' option is disabled.", "Verify that the logcollector ignores the logs messages generated while it stopped when it is started, and the 'only-future-events' option is enabled.", "Verify that the log collector continues detecting new logs messages when it is started." ], "input_description": "A configuration template (test_macos_format_only_future_events) is contained in an external YAML file (wazuh_macos_format_only_future_events.yaml). That template is combined with two test cases defined in the module. Those include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Monitoring macOS logs with.*'", "r'Old logger message'", "r'New logger message'" ], "tags": [ "logs" ], "name": "test_macos_format_only_future_events", "inputs": [ "yes", "no" ] } ] }test_macos_format_only_future_events.yaml
test_macos_format_query.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. Specifically, these tests will check if the 'query' option of the logcollector properly works when using the macOS unified logging system (ULS). Log data collection is the real-time process of making sense out of the records generated by servers or devices. This component can receive logs through text files or Windows event logs. It can also directly receive logs via remote syslog which is useful for firewalls and other such devices.", "tier": 1, "modules": [ "logcollector" ], "components": [ "agent" ], "daemons": [ "wazuh-logcollector" ], "os_platform": [ "macos" ], "os_version": [ "macOS Catalina" ], "references": [ "https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html", "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query", "https://developer.apple.com/documentation/os/logging" ], "tags": [ "logcollector_macos" ], "name": "test_macos_format_query.py", "id": 6, "group_id": 0, "tests": [ { "description": "Check if the 'query' option together with its attributes ('type' and 'level') is properly used by the 'wazuh-logcollector' when using the macOS unified logging system (ULS) events. For this purpose, the test will configure a 'localfile' section using the macOS settings. Once the logcollector is started, it will check if the 'monitoring' event is triggered, indicating that the logcollector starts to monitor the macOS logs, and then, the test will generate multiple ULS events by using a logger tool. Finally, it will verify that the log collector events with the testing log messages are only triggered if they fulfill the query predicate.", "wazuh_min_version": "4.2.0", "parameters": [ { "restart_logcollector_required_daemons_package": { "type": "fixture", "brief": "Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons." } }, { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "get_connection_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "init_authd_remote_simulator": { "type": "fixture", "brief": "Initialize the 'authd' and 'remoted' simulators." } }, { "restart_logcollector": { "type": "fixture", "brief": "Reset the 'ossec.log' file and start a new monitor." } } ], "assertions": [ "Verify that the logcollector starts monitoring the macOS ULS log messages.", "Verify that the logcollector generates events for all ULS events that fulfill the 'query' predicate and vice versa." ], "input_description": "Configuration templates (test_macos_format_query) are contained in external YAML files (wazuh_macos_format_query*.yaml, ). Those templates are combined with different test cases defined in the module. Those include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Monitoring macOS logs with.*'", "Multiple testing log messages from the ULS events." ], "tags": [ "logs" ], "name": "test_macos_format_query", "inputs": [ "eventMessage == \"Logger testing message.\"_default_log", "process = \"logger\"_default_log", "eventMessage CONTAINS", "NOT messageType == \"default\"_default_log,trace", "messageType == \"error\"_default_log", "messageType == \"fault\"_default_log,trace", "eventType == \"logEvent\"_default_log,activity", "eventType == \"traceEvent\"_default_log,trace", "eventType == \"activityCreateEvent\"_default_log", "process == \"customlog\"_info_log,activity", "process == \"customlog\"_debug_log,trace", "process == \"customlog\"_default_activity,log", "process == \"customlog\"_default_trace", "category CONTAINS", "subsystem BEGINSWITH", "! subsystem ENDSWITH", "process == \"logger\" AND eventMessage CONTAINS", "process BEGINSWITH", "eventMessage == \"Logger testing message.\"_default", "process = \"logger\"_default", "eventMessage CONTAINS", "NOT messageType == \"default\"_default", "messageType == \"error\"_default", "messageType == \"fault\"_default", "eventType == \"logEvent\"_default", "eventType == \"traceEvent\"_default", "eventType == \"activityCreateEvent\"_default", "process == \"customlog\"_info", "process == \"customlog\"_debug", "process == \"customlog\"_default0", "process == \"customlog\"_default1", "category CONTAINS", "subsystem BEGINSWITH", "! subsystem ENDSWITH", "process == \"logger\" AND eventMessage CONTAINS", "process BEGINSWITH", "eventMessage == \"Logger testing message.\"_log", "process = \"logger\"_log", "eventMessage CONTAINS", "NOT messageType == \"default\"_log,trace", "messageType == \"error\"_log", "messageType == \"fault\"_log,trace", "eventType == \"logEvent\"_log,activity", "eventType == \"traceEvent\"_log,trace", "eventType == \"activityCreateEvent\"_log", "process == \"customlog\"_log,activity", "process == \"customlog\"_log,trace", "process == \"customlog\"_activity,log", "process == \"customlog\"_trace", "category CONTAINS", "subsystem BEGINSWITH", "! subsystem ENDSWITH", "process == \"logger\" AND eventMessage CONTAINS", "process BEGINSWITH", "eventMessage == \"Logger testing message.\"", "process = \"logger\"", "eventMessage CONTAINS", "NOT messageType == \"default\"", "messageType == \"error\"", "messageType == \"fault\"", "eventType == \"logEvent\"", "eventType == \"traceEvent\"", "eventType == \"activityCreateEvent\"", "process == \"customlog\"0", "process == \"customlog\"1", "process == \"customlog\"2", "process == \"customlog\"3", "category CONTAINS", "subsystem BEGINSWITH", "! subsystem ENDSWITH", "process == \"logger\" AND eventMessage CONTAINS", "process BEGINSWITH" ] } ] }test_macos_format_query.yaml
test_macos_log_process.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. Specifically, these tests will check if macOS 'log stream' processes are properly managed by the logcollector. Log data collection is the real-time process of making sense out of the records generated by servers or devices. This component can receive logs through text files or Windows event logs. It can also directly receive logs via remote syslog which is useful for firewalls and other such devices.", "tier": 0, "modules": [ "logcollector" ], "components": [ "agent" ], "daemons": [ "wazuh-logcollector" ], "os_platform": [ "macos" ], "os_version": [ "macOS Catalina", "macOS Sierra" ], "references": [ "https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html", "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html" ], "tags": [ "logcollector_macos" ], "name": "test_macos_log_process.py", "id": 7, "group_id": 0, "tests": [ { "description": "Check if the independent execution of log processes (external to Wazuh) is not altered when the Wazuh agent is started or stopped. For this purpose, the test will configure a 'localfile' section using the macOS settings. Once the logcollector is started, it will check if the 'monitoring' event is triggered, indicating that the logcollector starts to monitor the macOS logs. Then, the test will stop the Wazuh agent, launch a new log process and start it again. After this, it will verify that the log process is active by checking its PID, stopping the agent, and verifying that the log process remains active. Finally, the test will kill the log process launched and start the agent again to restore the initial estate of the system.", "wazuh_min_version": "4.2.0", "parameters": [ { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "restart_required_logcollector_function": { "type": "fixture", "brief": "Restart the Wazuh agent." } }, { "file_monitoring": { "type": "fixture", "brief": "Handle the monitoring of a specified file." } }, { "up_wazuh_after_module": { "type": "fixture", "brief": "Restart the Wazuh agent after the test execution." } } ], "assertions": [ "Verify that the logcollector starts monitoring the macOS ULS log messages.", "Verify that the Wazuh agent does not kill independent log processes when it is started.", "Verify that the Wazuh agent does not kill independent log processes when it is stopped." ], "input_description": "A configuration template (test_macos_log_process) is contained in an external YAML file (wazuh_macos_format_basic.yaml). That template is combined with a test case defined in the module. That include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Monitoring macOS logs with.*'", "PID of the log process launched." ], "tags": [ "logs" ], "name": "test_independent_log_process", "inputs": [ "" ] }, { "description": "Check if the 'wazuh-logcollector' daemon stops the 'log' and 'script' process when the Wazuh agent or logcollector are stopped. Two processes would run on the macOS system when the logcollector is configured to get macOS system logs. The log process and the script (only for Sierra) one. If the logcollector process is finished or the Wazuh agent is stopped, those processes must stop. For this purpose, the test will configure a 'localfile' section using the macOS settings. Once the logcollector is started, it will check if the 'monitoring' event is triggered, indicating that the logcollector starts to monitor the macOS logs. Then, the test will verify that the 'log' and 'script' processes are running, stop the 'wazuh-logcollector' daemon, verify that the 'log' and 'script' processes are stopped, and start it again. Finally, the test will repeat the previous steps, but stopping and starting the Wazuh agent instead of the 'wazuh-logcollector' daemon.", "wazuh_min_version": "4.2.0", "parameters": [ { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "restart_required_logcollector_function": { "type": "fixture", "brief": "Restart the Wazuh agent." } }, { "file_monitoring": { "type": "fixture", "brief": "Handle the monitoring of a specified file." } }, { "up_wazuh_after_module": { "type": "fixture", "brief": "Restart the Wazuh agent after the test execution." } } ], "assertions": [ "Verify that the logcollector starts monitoring the macOS ULS log messages.", "Verify that the 'log' and 'script' processes are finished when the 'wazuh-logcollector' daemon is stopped.", "Verify that the 'log' and 'script' processes are finished when the wazuh agent is stopped." ], "input_description": "A configuration template (test_macos_log_process) is contained in an external YAML file (wazuh_macos_format_basic.yaml). That template is combined with a test case defined in the module. That include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Monitoring macOS logs with.*'" ], "tags": [ "logs" ], "name": "test_macos_log_process_stop", "inputs": [ "" ] }, { "description": "Check if the 'wazuh-logcollector' daemon generates an error event when the 'log stream' process is stopped. In macOS Sierra, this test also checks if when the log process ends, then the 'script' process also ends. For this purpose, the test will configure a 'localfile' section using the macOS settings. Once the logcollector is started, it will check if the 'monitoring' event is triggered, indicating that the logcollector starts to monitor the macOS logs. Then, the test will verify that the 'log' and 'script' processes are running. After this, it will send a signal to terminate that processes and check if they are closed. Finally, the test will verify that a logcollector error event is generated when the log or script process is not detected.", "wazuh_min_version": "4.2.0", "parameters": [ { "restart_logcollector_required_daemons_package": { "type": "fixture", "brief": "Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons." } }, { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "restart_required_logcollector_function": { "type": "fixture", "brief": "Restart the Wazuh agent." } }, { "file_monitoring": { "type": "fixture", "brief": "Handle the monitoring of a specified file." } }, { "up_wazuh_after_module": { "type": "fixture", "brief": "Restart the Wazuh agent after the test execution." } } ], "assertions": [ "Verify that the logcollector starts monitoring the macOS ULS log messages.", "Verify that the logcollector detects when the 'log' or 'script' process is closed." ], "input_description": "A configuration template (test_macos_log_process) is contained in an external YAML file (wazuh_macos_format_basic.yaml). That template is combined with a test case defined in the module. That include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Monitoring macOS logs with.*'", "r'macOS \"log stream\" process exited'" ], "tags": [ "logs" ], "name": "test_macos_log_process_stop_suddenly_warning", "inputs": [ "" ] } ] }test_macos_log_process.yaml
test_macos_multiline_values.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. Specifically, these tests will check if the 'wazuh-logcollector' daemon properly gathers macOS unified logging system (ULS) events when working with multi-line logs. Log data collection is the real-time process of making sense out of the records generated by servers or devices. This component can receive logs through text files or Windows event logs. It can also directly receive logs via remote syslog which is useful for firewalls and other such devices.", "tier": 0, "modules": [ "logcollector" ], "components": [ "agent" ], "daemons": [ "wazuh-logcollector" ], "os_platform": [ "macos" ], "os_version": [ "macOS Catalina" ], "references": [ "https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html", "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html", "https://developer.apple.com/documentation/os/logging" ], "tags": [ "logcollector_macos" ], "name": "test_macos_multiline_values.py", "id": 8, "group_id": 0, "tests": [ { "description": "Check if the 'wazuh-logcollector' daemon collects multiline events from the macOS ULS (unified logging system). For this purpose, the test will configure a 'localfile' section using the macOS settings. Once the logcollector is started, it will check if the 'monitoring' event is triggered, indicating that the logcollector starts to monitor the macOS logs. Then, the test will generate a multiline ULS event by using a logger tool. Finally, the test will verify that a logcollector event with the testing log message has been generated.", "wazuh_min_version": "4.2.0", "parameters": [ { "restart_logcollector_required_daemons_package": { "type": "fixture", "brief": "Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons." } }, { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_environment": { "type": "fixture", "brief": "Configure a custom environment for testing." } }, { "macos_message": { "type": "dict", "brief": "Dictionary with the testing macOS ULS event." } }, { "daemons_handler": { "type": "fixture", "brief": "Handler of Wazuh daemons." } }, { "file_monitoring": { "type": "fixture", "brief": "Handle the monitoring of a specified file." } } ], "assertions": [ "Verify that the logcollector starts monitoring the macOS ULS log messages.", "Verify that the logcollector correctly gather unified logging system (ULS) events with multiline format." ], "input_description": "A configuration template (test_macos_multiline_values) is contained in an external YAML file (wazuh_macos_format_basic.yaml). That template is combined with a test case defined in the module. That include configuration settings for the 'wazuh-logcollector' daemon.", "expected_output": [ "r'Monitoring macOS logs with.*'", "r'Here is a multiline log.*'" ], "tags": [ "logs" ], "name": "test_macos_multiline_values", "inputs": [ "get_configuration0-macos_message0" ] } ] }test_macos_multiline_values.yaml
Tests
pycodestyle --max-line-length=120 --show-source --show-pep8 file.py.python3 DocGenerator.py -s