Analysisd - add new test to check the pre-decoding stage of analysisd

CHANGELOG.md

@@ -3,7 +3,7 @@ All notable changes to this project will be documented in this file.
 
 ## [v1.0.0]
 ### Added
-
+- Add a test to check the pre-decoding stage of analysisd [#2406](https:/wazuh/wazuh-qa/pull/2406)
 ### Changed
 - Refactor: FIM `test_synchronization` according to new standard. Phase 1. ([#2358](https:/wazuh/wazuh-qa/pull/2358))
 

deps/wazuh_testing/wazuh_testing/qa_ctl/configuration/config_generator.py

@@ -231,7 +231,7 @@ def _check_validate(check, test_info, allowed_values):
  # Validate version requirements
  if parse(str(test_info['tests'][0]['wazuh_min_version'])) > parse(str(self.wazuh_version)):
  error_message = f"The minimal version of wazuh to launch the {test_info['test_name']} is " \
- f"{test_info['wazuh_min_version']} and you are using {self.wazuh_version}"
+ f"{test_info['tests'][0]['wazuh_min_version']} and you are using {self.wazuh_version}"
  raise QAValueError(error_message, QACTLConfigGenerator.LOGGER.error, QACTL_LOGGER)
 
  return True

tests/integration/test_analysisd/test_predecoder_stage/data/syslog_socket_input.yaml

@@ -0,0 +1,71 @@
+---
+-
+ name: "Syslog date format 1"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "Dec 29 10:00:01 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"Dec 29 10:00:01","hostname":"linux-agent"}'
+-
+ name: "Syslog date format 2"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "2015 Dec 29 10:00:01 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"2015 Dec 29 10:00:01"}'
+-
+ name: "Syslog date format for rsyslog"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "2009-05-22T09:36:46.214994-07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"2009-05-22T09:36:46.214994-07:00"}'
+-
+ name: "Syslog date format for proftpd 1.3.5"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "2015-04-16 21:51:02,805 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"2015-04-16 21:51:02,80"}'
+-
+ name: "Syslog date format for xferlog date format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "Mon Apr 17 18:27:14 2006 1 64.160.42.130 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"timestamp":"Mon Apr 17 18:27:14 2006"}'
+-
+ name: "Syslog date format for snort date format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "01/28-09:13:16.240702 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"timestamp":"01/28-09:13:16.240702"}'
+-
+ name: "Syslog date format for suricata date format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "01/28/1979-09:13:16.240702 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"timestamp":"01/28/1979-09:13:16.240702"}'
+-
+ name: "Syslog date format for apache log format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "[Fri Feb 11 18:06:35 2004] [warn] linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"timestamp":"Fri Feb 11 18:06:35 2004"}'
+-
+ name: "Syslog date format for macos ULS --syslog output"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "2021-04-21 10:16:09.404756-0700 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"2021-04-21 10:16:09.404756-0700"}'
+-
+ name: "Syslog Umlaut date format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "Mär 02 17:30:52 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"Mär 02 17:30:5"}'

tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py

@@ -0,0 +1,115 @@
+'''
+copyright: Copyright (C) 2015-2021, Wazuh Inc.
+
+ Created by Wazuh, Inc. <[email protected]>.
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules.
+ It then creates an alert when a log message matches an applicable rule.
+ Specifically, these tests will verify if the pre-decoding stage of 'wazuh-analysisd' daemon correctly handles
+ syslog formats.
+
+tier: 2
+
+modules:
+ - analysisd
+
+components:
+ - manager
+
+daemons:
+ - wazuh-analysisd
+
+os_platform:
+ - linux
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - CentOS 6
+ - Ubuntu Focal
+ - Ubuntu Bionic
+ - Ubuntu Xenial
+ - Ubuntu Trusty
+ - Debian Buster
+ - Debian Stretch
+ - Debian Jessie
+ - Debian Wheezy
+ - Red Hat 8
+ - Red Hat 7
+ - Red Hat 6
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html
+
+'''
+
+import os
+
+import pytest
+import yaml
+import json
+from wazuh_testing.tools import WAZUH_PATH
+
+# Marks
+pytestmark = [pytest.mark.linux, pytest.mark.tier(level=2), pytest.mark.server]
+
+# Configurations
+
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+messages_path = os.path.join(test_data_path, 'syslog_socket_input.yaml')
+with open(messages_path) as f:
+ test_cases = yaml.safe_load(f)
+
+# Variables
+
+logtest_path = os.path.join(os.path.join(WAZUH_PATH, 'queue', 'sockets', 'logtest'))
+receiver_sockets_params = [(logtest_path, 'AF_UNIX', 'TCP')]
+receiver_sockets = None # Set in the fixtures
+
+
+# Tests
+
+@pytest.mark.parametrize('test_case',
+ [test_case['test_case'] for test_case in test_cases],
+ ids=[test_case['name'] for test_case in test_cases])
+def test_precoder_supported_formats(connect_to_sockets_function, test_case: list):
+ '''
+ description: Check that the predecoder returns the correct fields when receives different sets of syslog formats.
+ To do this, it receives syslog format and checks that the predecoder JSON responses
+ are the same that the loaded ouput for each test case from the 'syslog_socket_input.yaml' file.
+
+ wazuh_min_version: 4.3.0
+
+ parameters:
+ - connect_to_sockets_function:
+ type: fixture
+ brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test.
+ - test_case:
+ type: list
+ brief: List of tests to be performed.
+
+ assertions:
+ - Checks that the predecoder gives the expected output.
+
+ input_description: Different test cases that are contained in an external YAML file (syslog_socket_input.yaml)
+ that includes syslog events data and the expected precoder output.
+
+ expected_output:
+ - Precoder JSON with the correct fields (timestamp, program name, etc) corresponding to each test case.
+ '''
+ stage = test_case[0]
+
+ receiver_sockets[0].send(stage['input'], size=True)
+
+ result = json.loads(receiver_sockets[0].receive(size=True).rstrip(b'\x00').decode())
+
+ assert json.loads(stage['output']) == result["data"]["output"]["predecoder"], \
+ 'Failed test case stage {}: the receved precoded is: {} but was expected to be {}' \
+ .format(test_case.index(stage) + 1, result["data"]["output"]["predecoder"], stage['output'])