From f4dddbbc9578506ec390041977a3fe31d1117f46 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Wed, 9 Nov 2022 18:49:39 -0300 Subject: [PATCH 01/34] feat(#3480): add variables and checker functions --- .../modules/logcollector/__init__.py | 20 +++++++++ .../modules/logcollector/event_monitor.py | 42 ++++++++++++++++--- 2 files changed, 56 insertions(+), 6 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py index 5697cf620c..ecaf5a5be2 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py @@ -1,5 +1,25 @@ +import sys + LOG_COLLECTOR_PREFIX = r'.*wazuh-logcollector.*' WINDOWS_AGENT_PREFIX = r'.*wazuh-agent.*' MAILD_PREFIX = r'.*wazuh-maild.*' GENERIC_CALLBACK_ERROR_COMMAND_MONITORING = 'The expected command monitoring log has not been produced' + + +# Error Messages +ERR_MSG_UNEXPECTED_IGNORE_EVENT = "Found unexpected 'Ignoring the log... due to ignore/restrict config' event" + + +# Local_internal_options +if sys.platform == 'win32': + LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS = { + 'windows.debug': '2', + 'agent.debug': '2' + } +else: + LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS = { + 'logcollector.debug': '2', + 'monitord.rotate_log': '0', + 'agent.debug': '0', + } \ No newline at end of file diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py index 1cbbc9e6c6..703494161d 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py 
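Review bot: The new module ends without a trailing newline (`\ No newline at end of file` after the closing `}` of the `else` branch), which will make the next addition to this file show a spurious change on that line; terminate the file with a newline. The two `LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS` dicts also set `agent.debug` to different values ('2' on win32, '0' elsewhere) with no explanation, so a reader cannot tell whether the asymmetry is intentional. A one-line comment above `if sys.platform == 'win32':` such as `# On Windows the logcollector runs inside wazuh-agent, so its verbosity is driven by agent.debug — TODO confirm` would settle that; the Windows dict is also missing the trailing comma the Linux dict uses.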
@@ -1,6 +1,6 @@ import re -from wazuh_testing import T_30 +from wazuh_testing import T_30, T_10 from wazuh_testing.modules.logcollector import LOG_COLLECTOR_PREFIX from wazuh_testing.tools.monitoring import FileMonitor from wazuh_testing import LOG_FILE_PATH @@ -27,6 +27,7 @@ def make_logcollector_callback(pattern, prefix=LOG_COLLECTOR_PREFIX, escape=Fals else: pattern = r'\s+'.join(pattern.split()) regex = re.compile(r'{}{}'.format(prefix, pattern)) + print("REGEX------------" + str(regex)) return lambda line: regex.match(line) is not None @@ -50,11 +51,13 @@ def check_logcollector_event(file_monitor=None, callback='', error_message=None, error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ error_message - file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, - callback=make_logcollector_callback(callback, prefix, escape), error_message=error_message) + result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, + callback=make_logcollector_callback(callback, prefix, escape), + error_message=error_message).result() + return result -def check_analyzing_file(file, error_message, prefix, file_monitor=None): +def check_analyzing_file(file, prefix, error_message=None, file_monitor=None): """Create a callback to detect if logcollector is monitoring a file. Args: 
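Review bot: `print("REGEX------------" + str(regex))` added to `make_logcollector_callback` looks like a debugging statement that was not removed; it executes on every callback construction and writes to the stdout of every test that goes through this helper. Delete the line, or if the compiled pattern is worth surfacing, emit it through the project's logger at debug level rather than `print`. The enclosing function begins before this hunk.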
@@ -63,12 +66,15 @@ def check_analyzing_file(file, error_message, prefix, file_monitor=None): prefix (str): Daemon that generates the error log. file_monitor (FileMonitor): Log monitor. """ + if error_message is None: + error_message = f"Did not receive the expected 'Analizing file: {file}' event" + check_logcollector_event(file_monitor=file_monitor, timeout=T_30, - callback=fr".*Analyzing file: '{re.escape(file)}'.*", + callback=fr".*Analyzing file: '{file}'.*", error_message=error_message, prefix=prefix) -def check_syslog_messages(message, error_message, prefix, file_monitor=None, timeout=T_30, escape=False): +def check_syslog_messages(message, prefix, error_message=None, file_monitor=None, timeout=T_30, escape=False): """Create a callback to detect "DEBUG: Read lines from command " debug line. Args: message (str): Command to be monitored. 
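Review bot: The new signature `def check_analyzing_file(file, prefix, error_message=None, file_monitor=None)` swaps the positions of `prefix` and `error_message` relative to the removed line, so any existing caller that still passes `(file, error_message, prefix)` positionally will now use its error text as the log prefix and its prefix as the error message, and the only symptom will be a timeout with a misleading message. Making the reordered parameters keyword-only, `def check_analyzing_file(file, *, prefix, error_message=None, file_monitor=None)`, turns such a call into an immediate TypeError; the same applies to the `check_syslog_messages` reorder further down. `check_logcollector_event`, whose start lies outside this hunk, now returns `file_monitor.start(...).result()`, which is what the new `check_ignore_restrict_messages` relies on.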
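Review bot: Replacing `re.escape(file)` with a bare `{file}` in the `Analyzing file:` callback turns the path into regex syntax; with the default `escape=False` a Windows path such as `C:\...\test.log` has `\t` read as a tab and the `.` in `test.log` becomes a wildcard, so the check can time out or match a different file, and the tests in this series explicitly target Windows. Keep the escaping on the interpolated value only, `callback=fr".*Analyzing file: '{re.escape(file)}'.*"`, rather than passing `escape=True`, because `make_logcollector_callback` escapes the whole pattern in that case and would also escape the surrounding `.*`. The new default `error_message` spells `'Analizing file: ...'` while the daemon logs `Analyzing`; fix the spelling so the failure text matches what is being searched for.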
@@ -78,6 +84,30 @@ def check_syslog_messages(message, error_message, prefix, file_monitor=None, tim timeout (int): Timeout to check the log. escape (bool): Flag to escape special characters in the pattern. """ + if error_message is None: + error_message = f"Did not receive the expected 'Reading syslog message: {message}' event" callback_msg = fr"DEBUG: Reading syslog message: '{message}'" + check_logcollector_event(file_monitor=file_monitor, timeout=timeout, callback=callback_msg, error_message=error_message, prefix=prefix, escape=escape) + + +def check_ignore_restrict_messages(message, regex, tag, prefix, error_message=None, file_monitor=None, timeout=T_10, + escape=False): + """Create a callback to detect "DEBUG: Ignoring the log ... due to config" debug line. + Args: + message (str): Command to be monitored. + regex (str): regex pattern configured to ignore or restrict to. + tag (str): string with the configured tag. Values: 'ignore' or 'restrict' + error_message (str): Error message. + prefix (str): Daemon that generates the error log. + file_monitor (FileMonitor): Log monitor. + timeout (int): Timeout to check the log. + escape (bool): Flag to escape special characters in the pattern. + """ + if error_message is None: + error_message = f"Did not receive the expected 'Ignoring the log line: {message} due to {tag} config' event" + callback_msg = fr"Ignoring the log line '{message}' due to {tag} config: '{regex}'" + + return check_logcollector_event(file_monitor=file_monitor, timeout=timeout, callback=callback_msg, + error_message=error_message, prefix=prefix, escape=escape) From f2894ae8e469da49a0caf57e77600f9c5abde819 Mon Sep 17 00:00:00 2001 
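Review bot: `callback_msg = fr"Ignoring the log line '{message}' due to {tag} config: '{regex}'"` interpolates the sample log line and the configured regex directly into a regex pattern, and with the default `escape=False` they are not escaped; the test cases' `.+test` is therefore interpreted as a regex inside the pattern, and a configured value containing `(`, `[` or `\` will either raise `re.error` or match something unrelated, which in the negative branch that expects a `TimeoutError` can hide a real event. Escape the two values when `escape` is false — `msg_pattern = message if escape else re.escape(message)` and `regex_pattern = regex if escape else re.escape(regex)` — and build the pattern from those while leaving the literal framing alone, since passing `escape=True` would have `check_logcollector_event` escape the whole string instead. The docstring entry `message (str): Command to be monitored.` is copied from `check_syslog_messages`; it should read `message (str): Log line expected to be ignored.`, and the default `error_message` says `Ignoring the log line: {message}` while the pattern being searched uses quotes and no colon.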
From: Deblintrake09
Date: Wed, 9 Nov 2022 18:51:09 -0300
Subject: [PATCH 02/34] feat(#3480): add new test cases
---
 .../configuration_ignore_regex_default.yaml | 46 +++++
 .../configuration_restrict_regex_default.yaml | 46 +++++
 .../cases_ignore_regex_default.yaml | 17 ++
 .../cases_restrict_regex_default.yaml | 17 ++
 .../test_options/test_ignore_regex.py | 171 +++++++++++++++++
 .../test_options/test_restrict_regex.py | 172 ++++++++++++++++++
 6 files changed, 469 insertions(+)
 create mode 100644 tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml
 create mode 100644 tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml
 create mode 100644 tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml
 create mode 100644 tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml
 create mode 100644 tests/integration/test_logcollector/test_options/test_ignore_regex.py
 create mode 100644 tests/integration/test_logcollector/test_options/test_restrict_regex.py
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml
new file mode 100644
index 0000000000..d106786b30
--- /dev/null
+++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml
@@ -0,0 +1,46 @@ +- sections: + - section: localfile + elements: + - log_format: + value: syslog + - location: + value: LOCATION + - ignore: + value: REGEX + + - section: vulnerability-detector + elements: + - enabled: + value: 'no' + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: syscheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: 'syscollector' + elements: + - disabled: + value: 'yes' + + - section: auth + elements: + - disabled: + value: 'yes' + + - section: rule_test + elements: + - enabled: + value: 'no' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml new file mode 100644 index 0000000000..2b31546600 --- /dev/null +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml @@ -0,0 +1,46 @@ +- sections: + - section: localfile + elements: + - log_format: + value: syslog + - location: + value: LOCATION + - restrict: + value: REGEX + + - section: vulnerability-detector + elements: + - enabled: + value: 'no' + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: syscheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: 'syscollector' + elements: + - disabled: + value: 'yes' + + - section: auth + elements: + - disabled: + value: 'yes' + + - section: rule_test + elements: + - enabled: + value: 'no' diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml new file mode 100644 index 0000000000..b099fab599 
--- /dev/null +++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml @@ -0,0 +1,17 @@ +- name: 'Test Ignore Default - Match' + description: 'Test Ignore with default regex, with matching log' + configuration_parameters: + REGEX: .+test + metadata: + regex: .+test + log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" + matches: True + +- name: 'Test Ignore Default - Does not Match' + description: 'Test Ignore with default regex, with not matching log' + configuration_parameters: + REGEX: .+test + metadata: + regex: .+test + log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" + matches: False diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml new file mode 100644 index 0000000000..29b9e99267 --- /dev/null +++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml @@ -0,0 +1,17 @@ +- name: Test Restrict Default - Match + description: Test Restrict with default regex, with matching log + configuration_parameters: + REGEX: .+test + metadata: + regex: .+test + log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" + matches: True + +- name: Test Restrict Default - Does not Match + description: Test Restrict with default regex, with not matching log + configuration_parameters: + REGEX: .+test + metadata: + regex: .+test + log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" + matches: False diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_ignore_regex.py new file mode 100644 index 0000000000..79ce61bfb1 --- /dev/null +++ b/tests/integration/test_logcollector/test_options/test_ignore_regex.py 
@@ -0,0 +1,171 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests check the behavior of the restrict and ignore options, that allow + users to configure regex patterns that limit if a log will be sent to analysis or will be ignored. + The restrict causes any log that does not match the regex to be ignored, conversely, the 'ignore' option + causes logs that match the regex to be ignored and not be sent for analysis. + +components: + - logcollector + +suite: options + +targets: + - agent + - manager + +daemons: + - wazuh-logcollector + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + - Windows 10 + - Windows Server 2019 + - Windows Server 2016 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html + - https://documentation.wazuh.com/current/user-manual/reference/statistics-files/wazuh-logcollector-state.html + - https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#logcollector + +tags: + - logcollector_options +''' +import os +import pytest +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.local_actions import run_local_command_returning_output +from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data +from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX +from wazuh_testing.modules.logcollector import event_monitor as evm +from wazuh_testing.modules import logcollector as lc + + +# 
Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + +# Configuration and cases data +t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_default.yaml') +t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_default.yaml') + +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_default.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') + +# Test configurations +test_file = os.path.join(PREFIX, 'test.log') + +t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['LOCATION'] = test_file +t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) + +t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) +for count, value in enumerate(t2_configuration_parameters): + t2_configuration_parameters[count]['LOCATION'] = test_file +t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata) + + + + +@pytest.mark.tier(level=0) +@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) +@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) +def test_ignore_default(configuration, metadata, new_file_path, truncate_monitored_files, local_internal_options, + set_wazuh_configuration_with_local_internal_options, restart_wazuh_function): + ''' + description: Check if 
logcollector reads or ignores a log according to a regex configured in the ignored tag for a + given log file. + + test_phases: + - Set a custom Wazuh configuration. + - Restart monitord. + - Insert the log message. + - Check expected response. + + wazuh_min_version: 4.5.0 + + tier: 0 + + parameters: + - configuration: + type: dict + brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. + - metadata: + type: dict + brief: Wazuh configuration metadata + - new_file_path: + type: str + brief: path for the log file to be created and deleted after the test. + - local_internal_options + type: dict + brief: Contains the options to configure in local_internal_options + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - set_wazuh_configuration_with_local_internal_options: + type: fixture + brief: Set the wazuh configuration according to the configuration data and local_internal_options. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh. + + assertions: + - Check that logcollector is analyzing the log file. + - Check that logs are ignored when they match with configured regex + + input_description: + - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test. + - The `cases_ignore_regex_default` file provides the test cases. 
+ + expected_output: + - r".*wazuh-logcollector.*Analizing file: '{file}'.*" + - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" + - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" + ''' + log = metadata['log_sample'] + command = f"echo '{log}' >> {test_file}" + + # Check log file is being analized + evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + # Insert log + run_local_command_returning_output(command) + + # Check the log is read from the monitored file + evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + + # Check response + if metadata['matches'] is not True: + log_found = False + with pytest.raises(TimeoutError): + log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + else: + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + + diff --git a/tests/integration/test_logcollector/test_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_regex.py new file mode 100644 index 0000000000..19ee0c6b18 --- /dev/null +++ b/tests/integration/test_logcollector/test_options/test_restrict_regex.py 
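Review bot: `command = f"echo '{log}' >> {test_file}"` builds a shell command from YAML test data and hands it to `run_local_command_returning_output`; a `log_sample` containing a single quote breaks the command, and on Windows (listed under `os_platform`) `cmd.exe` presumably keeps the quotes literally, so the line written would differ from the `message` that the following `Reading syslog message` check waits for. Appending in-process avoids both issues: `with open(test_file, 'a') as log_file: log_file.write(f'{log}\n')`. Separately, `t2_configurations_path` pairs `configuration_ignore_regex_default.yaml` with `cases_restrict_regex_default.yaml` and nothing in this file consumes any `t2_*` value, so that block is dead and misleading; remove it or wire it to a test. The docstring also says `Restart monitord` under `test_phases` although the fixture restarts wazuh, and `expected_output` spells `Analizing` where the daemon logs `Analyzing`.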
@@ -0,0 +1,172 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will check if the logcollector updates the 'wazuh-logcollector.state' + file at the periods set in the 'logcollector.state_interval' internal option. Log data collection + is the real-time process of making sense out of the records generated by servers or devices. + This component can receive logs through text files or Windows event logs. It can also directly + receive logs via remote syslog which is useful for firewalls and other such devices. + +components: + - logcollector + +suite: options + +targets: + - agent + - manager + +daemons: + - wazuh-logcollector + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + - Windows 10 + - Windows Server 2019 + - Windows Server 2016 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html + - https://documentation.wazuh.com/current/user-manual/reference/statistics-files/wazuh-logcollector-state.html + - https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#logcollector + +tags: + - logcollector_options +''' +import os +import pytest + +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.local_actions import run_local_command_returning_output +from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data +from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX +from 
wazuh_testing.modules.logcollector import event_monitor as evm +from wazuh_testing.modules import logcollector as lc + + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + +# Configuration and cases data +t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_default.yaml') +t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') + +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_default.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') + +# Test configurations +test_file = os.path.join(PREFIX, 'test.log') + +t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['LOCATION'] = test_file +t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) + +t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) +for count, value in enumerate(t2_configuration_parameters): + t2_configuration_parameters[count]['LOCATION'] = test_file +t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata) + + + + +@pytest.mark.tier(level=0) +@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) +@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) +def test_restrict_default(configuration, metadata, new_file_path, truncate_monitored_files, + 
local_internal_options, set_wazuh_configuration_with_local_internal_options, + restart_wazuh_function): + ''' + description: Check if logcollector reads or ignores a log according to a regex configured in the restrict tag for a + given log file. + + test_phases: + - Set a custom Wazuh configuration. + - Restart monitord. + - Insert the log message. + - Check expected response. + + wazuh_min_version: 4.5.0 + + tier: 0 + + parameters: + - configuration: + type: dict + brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. + - metadata: + type: dict + brief: Wazuh configuration metadata + - new_file_path: + type: str + brief: path for the log file to be created and deleted after the test. + - local_internal_options + type: dict + brief: Contains the options to configure in local_internal_options + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - set_wazuh_configuration_with_local_internal_options: + type: fixture + brief: Set the wazuh configuration according to the configuration data and local_internal_options. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh. + + assertions: + - Check that logcollector is analyzing the log file. + - Check that logs are ignored when they do not match with configured regex + + input_description: + - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test. + - The `cases_ignore_regex_default` file provides the test cases. 
+ + expected_output: + - r".*wazuh-logcollector.*Analizing file: '{file}'.*" + - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" + - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" + ''' + log = metadata['log_sample'] + command = f"echo '{log}' >> {test_file}" + + # Check log file is being analized + evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + + # Insert log + run_local_command_returning_output(command) + # Check the log is read from the monitored file + evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + # Check response + if metadata['matches']: + log_found = False + with pytest.raises(TimeoutError): + log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + else: + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + + From 2c3eb8016eb38e3e44b05cfa880cabcae9903da4 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Wed, 9 Nov 2022 18:51:45 -0300 Subject: [PATCH 03/34] fix(#3480): move configuration file --- .../wazuh_configuration.yaml | 0 .../test_options/test_options_state_interval_no_file.py | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename tests/integration/test_logcollector/test_options/data/{configuration => configuration_template}/wazuh_configuration.yaml (100%) 
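Review bot: The module docstring's `brief:` describes the `logcollector.state_interval` / `wazuh-logcollector.state` test rather than the restrict option, and `input_description` names `configuration_ignore_regex_default.yaml` and `cases_ignore_regex_default` while the file actually loads `configuration_restrict_regex_default.yaml` and `cases_restrict_regex_default.yaml`; rewrite the `brief` paragraph to describe the restrict/ignore behaviour and correct both file names so the generated documentation matches the code. `t2_configurations_path` and `t2_cases_path` duplicate `t1_*` exactly and are never used by `test_restrict_default`, so that block should go. The log is again injected with `command = f"echo '{log}' >> {test_file}"` through a shell, which breaks on a `log_sample` containing a single quote and presumably keeps the quotes literally under `cmd.exe`; writing the line with `open(test_file, 'a')` instead removes the shell from the path entirely.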
diff --git a/tests/integration/test_logcollector/test_options/data/configuration/wazuh_configuration.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml similarity index 100% rename from tests/integration/test_logcollector/test_options/data/configuration/wazuh_configuration.yaml rename to tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml diff --git a/tests/integration/test_logcollector/test_options/test_options_state_interval_no_file.py b/tests/integration/test_logcollector/test_options/test_options_state_interval_no_file.py index e219664e99..1401b759ff 100644 --- a/tests/integration/test_logcollector/test_options/test_options_state_interval_no_file.py +++ b/tests/integration/test_logcollector/test_options/test_options_state_interval_no_file.py @@ -69,7 +69,7 @@ pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1), pytest.mark.server] # Configuration -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data', 'configuration') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data', 'configuration_template') configurations_path = os.path.join(test_data_path, 'wazuh_configuration.yaml') daemons_handler_configuration = {'all_daemons': True} From 0ef22602b3a144e68bdbc65fc7026fcb5d2e94c7 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Wed, 9 Nov 2022 18:52:41 -0300 Subject: [PATCH 04/34] feat(#3480): add configuration fixtures --- tests/integration/conftest.py | 38 ++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py index 1a94061e3a..b84465df75 100644 --- a/tests/integration/conftest.py +++ b/tests/integration/conftest.py 
@@ -1017,10 +1017,46 @@ def set_wazuh_configuration(configuration): conf.write_wazuh_conf(backup_config) +@pytest.fixture(scope='function') +def set_wazuh_configuration_with_local_internal_options(configuration, set_wazuh_configuration, + set_local_internal_options, local_internal_options): + """Set wazuh configuration + Args: + configuration (dict): Configuration template data to write in the ossec.conf. + local_internal_options(dict): Object containing the local_internal_options_values to be configured. + set_wazuh_configuration (fixture): Set the wazuh configuration according to the configuration data. + set_local_internal_options (fixture): Set the local_internal_options.conf file. + """ + yield + + +@pytest.fixture(scope='function') +def set_local_internal_options(local_internal_options): + """Fixture to configure the local internal options file. + Args: + local_internal_options(dict): Object containing the local_internal_options_values to be configured. + """ + + # Backup the old local internal options + backup_local_internal_options = conf.get_wazuh_local_internal_options() + + # Set the new local internal options configuration + conf.set_wazuh_local_internal_options(conf.create_local_internal_options(local_internal_options)) + + yield + + # Backup the old local internal options cofiguration + conf.set_wazuh_local_internal_options(backup_local_internal_options) + + @pytest.fixture(scope='function') def truncate_monitored_files(): """Truncate all the log files and json alerts files before and after the test execution""" - log_files = [LOG_FILE_PATH, ALERT_FILE_PATH] + + if 'agent' in get_service(): + log_files = [LOG_FILE_PATH] + else: + log_files = [LOG_FILE_PATH, ALERT_FILE_PATH] for log_file in log_files: truncate_file(log_file) From 81e4cbce8c136b56f4be6a4dad00346299323784 Mon Sep 17 00:00:00 2001 
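Review bot: The teardown comment in `set_local_internal_options` reads `# Backup the old local internal options cofiguration` but the statement below it restores the backup; change it to `# Restore the previous local_internal_options configuration`. `truncate_monitored_files` now calls `get_service()`, which this hunk does not import — presumably it is already in scope in conftest.py, but that should be confirmed, since a NameError here would break every test using the fixture. `set_wazuh_configuration_with_local_internal_options` only aggregates two fixtures, and its docstring `Set wazuh configuration` does not say so; `Apply ossec.conf and local_internal_options.conf together; setup and teardown are performed by the depended-on fixtures.` would make the intent clear.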
From: Deblintrake09
Date: Thu, 10 Nov 2022 15:07:11 -0300
Subject: [PATCH 05/34] feat(#3480): add new test cases
---
 ...onfiguration_ignore_regex_type_values.yaml | 48 +++++++++++
 ...figuration_restrict_regex_type_values.yaml | 48 +++++++++++
 .../cases_ignore_regex_type_values.yaml | 65 ++++++++++++++
 .../cases_restrict_regex_type_values.yaml | 65 ++++++++++++++
 .../test_options/test_ignore_regex.py | 85 ++++++++++++++++++-
 .../test_options/test_restrict_regex.py | 84 +++++++++++++++++-
 6 files changed, 387 insertions(+), 8 deletions(-)
 create mode 100644 tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml
 create mode 100644 tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml
 create mode 100644 tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml
 create mode 100644 tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml
new file mode 100644
index 0000000000..93080ac9e4
--- /dev/null
+++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml
@@ -0,0 +1,48 @@
+- sections:
+ - section: localfile
+ elements:
+ - log_format:
+ value: syslog
+ - location:
+ value: LOCATION
+ - ignore:
+ value: REGEX
+ attributes:
+ - type: REGEX_TYPE
+
+ - section: vulnerability-detector
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: 'syscollector'
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: auth
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: rule_test
+ elements:
+ - enabled:
+ value: 'no'
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml
new file mode 100644
index 0000000000..96198a7dd2
--- /dev/null
+++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml
@@ -0,0 +1,48 @@
+- sections:
+ - section: localfile
+ elements:
+ - log_format:
+ value: syslog
+ - location:
+ value: LOCATION
+ - restrict:
+ value: REGEX
+ attributes:
+ - type: REGEX_TYPE
+
+ - section: vulnerability-detector
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: 'syscollector'
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: auth
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: rule_test
+ elements:
+ - enabled:
+ value: 'no'
diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml
new file mode 100644
index 0000000000..5809857126
--- /dev/null
+++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml
@@ -0,0 +1,65 @@
+- name: Test Ignore PCRE2 - Match
+ description: Test Ignore with PCRE2 regex, with matching log
+ configuration_parameters:
+ REGEX: .*test
+ REGEX_TYPE: PCRE2
+ metadata:
+ regex: .*test
+ regex_type: PCRE2
+ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test"
+ matches: True
+
+- name: Test Ignore PCRE2 - Does not Match
+ description: Test Ignore with PCRE2 regex, with not matching log
+ configuration_parameters:
+ REGEX: .*test
+ REGEX_TYPE: PCRE2
+ metadata:
+ regex: .*test
+ regex_type: PCRE2
+ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match"
+ matches: False
+
+- name: Test Ignore osmatch - Match
+ description: Test Ignore with osmatch regex, with matching log
+ configuration_parameters:
+ REGEX: test$
+ REGEX_TYPE: osmatch
+ metadata:
+ regex: test\$
+ regex_type: osmatch
+ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test"
+ matches: True
+
+- name: Test Ignore osmatch - Does not Match
+ description: Test Ignore with osmatch regex, with not matching log
+ configuration_parameters:
+ REGEX: test$
+ REGEX_TYPE: osmatch
+ metadata:
+ regex: test\$
+ regex_type: osmatch
+ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match"
+ matches: False
+
+- name: Test Ignore osregex - Match
+ description: Test Ignore with osregex regex, with matching log
+ configuration_parameters:
+ REGEX: \.test
+ REGEX_TYPE: osregex
+ metadata:
+ regex: \\.test
+ regex_type: osregex
+ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test"
+ matches: True
+
+- name: Test Ignore osregex - Does not Match
+ description: Test Ignore with osregex regex, with not matching log
+ configuration_parameters:
+ REGEX: \.test
+ REGEX_TYPE: osregex
+ metadata:
+ regex: \\.test
+ regex_type: osregex
+ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match"
+ matches: False
diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml
new file mode 100644
index 0000000000..959baa656d
--- /dev/null
+++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml
@@ -0,0 +1,65 @@
+- name: Test Restrict PCRE2 - Match
+ description: Test Restrict with PCRE2 regex, with matching log
+ configuration_parameters:
+ REGEX: .*test
+ REGEX_TYPE: PCRE2
+ metadata:
+ regex: .*test
+ regex_type: PCRE2
+ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test"
+ matches: True
+
+- name: Test Restrict PCRE2 - Does not Match
+ description: Test Restrict with PCRE2 regex, with not matching log
+ configuration_parameters:
+ REGEX: .*test
+ REGEX_TYPE: PCRE2
+ metadata:
+ regex: .*test
+ regex_type: PCRE2
+ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match"
+ matches: False
+
+- name: Test Restrict osmatch - Match
+ description: Test Restrict with osmatch regex, with matching log
+ configuration_parameters:
+ REGEX: test$
+ REGEX_TYPE: osmatch
+ metadata:
+ regex: test\$
+ regex_type: osmatch
+ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test"
+ matches: True
+
+- name: Test Restrict osmatch - Does not Match
+ description: Test Restrict with osmatch regex, with not matching log
+ configuration_parameters:
+ REGEX: test$
+ REGEX_TYPE: osmatch
+ metadata:
+ regex: test\$
+ regex_type: osmatch
+ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match"
+ matches: False
+
+- name: Test Restrict osregex - Match
+ description: Test Restrict with osregex regex, with matching log
+ configuration_parameters:
+ REGEX: \.test
+ REGEX_TYPE: osregex
+ metadata:
+ regex: \\.test
+ regex_type: osregex
+ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test"
+ matches: True
+
+- name: Test Restrict osregex - Does not Match
+ description: Test Restrict with osregex regex, with not matching log
+ configuration_parameters:
+ REGEX: \.test
+ REGEX_TYPE: osregex
+ metadata:
+ regex: \\.test
+ regex_type: osregex
+ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match"
+ matches: False
diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_ignore_regex.py index 79ce61bfb1..d691f47d9b 100644 --- a/tests/integration/test_logcollector/test_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_ignore_regex.py @@ -71,8 +71,8 @@ t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_default.yaml') t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_default.yaml') -t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_default.yaml') -t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_type_values.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_type_values.yaml') # Test configurations test_file = os.path.join(PREFIX, 'test.log') @@ -90,7 +90,7 @@ -@pytest.mark.tier(level=0) +@pytest.mark.tier(level=1) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) @@ -108,7 +108,7 @@ def test_ignore_default(configuration, metadata, new_file_path, truncate_monitor wazuh_min_version: 4.5.0 - tier: 0 + tier: 1 parameters: - configuration: 
@@ -169,3 +169,80 @@ def test_ignore_default(configuration, metadata, new_file_path, truncate_monitor prefix=LOG_COLLECTOR_DETECTOR_PREFIX) +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) +@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) +def test_ignore_regex_type_values(configuration, metadata, new_file_path, truncate_monitored_files, local_internal_options, + set_wazuh_configuration_with_local_internal_options, restart_wazuh_function): + ''' + description: Check if logcollector reads or ignores a log according to a regex configured in the ignored tag for a + given log file, , with each configured value for the ignore 'type' attribute value configured. + + test_phases: + - Set a custom Wazuh configuration. + - Restart monitord. + - Insert the log message. + - Check expected response. + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. + - metadata: + type: dict + brief: Wazuh configuration metadata + - new_file_path: + type: str + brief: path for the log file to be created and deleted after the test. + - local_internal_options + type: dict + brief: Contains the options to configure in local_internal_options + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - set_wazuh_configuration_with_local_internal_options: + type: fixture + brief: Set the wazuh configuration according to the configuration data and local_internal_options. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh. + + assertions: + - Check that logcollector is analyzing the log file. 
+ - Check that logs are ignored when they match with configured regex + + input_description: + - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test. + - The `cases_ignore_regex_default` file provides the test cases. + + expected_output: + - r".*wazuh-logcollector.*Analizing file: '{file}'.*" + - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" + - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" + ''' + log = metadata['log_sample'] + command = f"echo '{log}' >> {test_file}" + + # Check log file is being analized + evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + # Insert log + run_local_command_returning_output(command) + + # Check the log is read from the monitored file + evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + + # Check response + if metadata['matches'] is not True: + log_found = False + with pytest.raises(TimeoutError): + log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + else: + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) diff --git a/tests/integration/test_logcollector/test_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_regex.py index 19ee0c6b18..d68c6b218f 100644 --- a/tests/integration/test_logcollector/test_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_options/test_restrict_regex.py 
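Review bot: The `input_description` of `test_ignore_regex_type_values` names `configuration_ignore_regex_default.yaml` and `cases_ignore_regex_default`, but the test is parametrized from `t2_*`, which this commit points at `configuration_ignore_regex_type_values.yaml` and `cases_ignore_regex_type_values.yaml`; the two bullets should name those files, and the description line has a doubled comma in `given log file, , with each configured value`. The same copy-pasted `input_description` (naming the ignore-default files) appears in `test_restrict_regex_type_values` in test_restrict_regex.py and in the new test_restrict_ignore_regex.py. The sample line is written through `command = f"echo '{log}' >> {test_file}"`, so a `log_sample` containing a single quote would break the command, and if these modules run on the Windows targets they declare, cmd.exe would presumably keep the quotes in the written line, which an anchored pattern such as `test$` would then miss; appending with `open(test_file, 'a')` avoids both. Finally, `assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT` after the `with pytest.raises(TimeoutError):` block can never fail: if the call returns, `pytest.raises` has already failed, and if it times out, the assignment never runs, so the message is never shown.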
@@ -73,8 +73,8 @@ t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_default.yaml') t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') -t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_default.yaml') -t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_type_values.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_type_values.yaml') # Test configurations test_file = os.path.join(PREFIX, 'test.log') @@ -92,7 +92,7 @@ -@pytest.mark.tier(level=0) +@pytest.mark.tier(level=1) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) @@ -111,7 +111,7 @@ def test_restrict_default(configuration, metadata, new_file_path, truncate_monit wazuh_min_version: 4.5.0 - tier: 0 + tier: 1 parameters: - configuration: 
@@ -170,3 +170,79 @@ def test_restrict_default(configuration, metadata, new_file_path, truncate_monit evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX) +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) +@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) +def test_restrict_regex_type_values(configuration, metadata, new_file_path, truncate_monitored_files, + local_internal_options, set_wazuh_configuration_with_local_internal_options, + restart_wazuh_function): + ''' + description: Check if logcollector reads or ignores a log according to a regex configured in the restrict tag for a + given log file, with each configured value for the restrict 'type' attribute value configured. + + test_phases: + - Set a custom Wazuh configuration. + - Restart monitord. + - Insert the log message. + - Check expected response. + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. + - metadata: + type: dict + brief: Wazuh configuration metadata + - new_file_path: + type: str + brief: path for the log file to be created and deleted after the test. + - local_internal_options + type: dict + brief: Contains the options to configure in local_internal_options + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - set_wazuh_configuration_with_local_internal_options: + type: fixture + brief: Set the wazuh configuration according to the configuration data and local_internal_options. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh. 
+ + assertions: + - Check that logcollector is analyzing the log file. + - Check that logs are ignored when they do not match with configured regex + + input_description: + - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test. + - The `cases_ignore_regex_default` file provides the test cases. + + expected_output: + - r".*wazuh-logcollector.*Analizing file: '{file}'.*" + - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" + - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" + ''' + log = metadata['log_sample'] + command = f"echo '{log}' >> {test_file}" + + # Check log file is being analized + evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + + # Insert log + run_local_command_returning_output(command) + # Check the log is read from the monitored file + evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + # Check response + if metadata['matches']: + log_found = False + with pytest.raises(TimeoutError): + log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + else: + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX) From bb2e91725d0a60da8479f6175ea0adeeaba14bff Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Thu, 10 Nov 2022 15:10:07 -0300 Subject: [PATCH 06/34] feat(#3480): add new test module --- ...guration_restrict_ignore_regex_values.yaml | 52 +++++ .../cases_restrict_ignore_regex_values.yaml | 51 +++++ .../test_restrict_ignore_regex.py | 193 ++++++++++++++++++ 3 files changed, 296 insertions(+) create mode 100644 tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml create mode 100644 tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml create mode 100644 tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml
new file mode 100644
index 0000000000..6704548d7f
--- /dev/null
+++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml
@@ -0,0 +1,52 @@
+- sections:
+ - section: localfile
+ elements:
+ - log_format:
+ value: syslog
+ - location:
+ value: LOCATION
+ - restrict:
+ value: RESTRICT_REGEX
+ attributes:
+ - type: RESTRICT_TYPE
+ - ignore:
+ value: IGNORE_REGEX
+ attributes:
+ - type: IGNORE_TYPE
+
+ - section: vulnerability-detector
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: 'syscollector'
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: auth
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: rule_test
+ elements:
+ - enabled:
+ value: 'no'
diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml
new file mode 100644
index 0000000000..1e5e61160c
--- /dev/null
+++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml
@@ -0,0 +1,51 @@ +- name: Test Restrict+Ignore - Matches Restrict + description: Test Restrict + Ignore tags both with PCRE2 regex. Log matches restrict + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: .*ignore + RESTRICT_TYPE: PCRE2 + IGNORE_TYPE: PCRE2 + metadata: + restrict_regex: .*restrict + ignore_regex: .*ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" + matches: restrict + +- name: Test Restrict+Ignore - Matches Ignore Only + description: Test Restrict + Ignore tags both with PCRE2 regex. Log matches ignore + configuration_parameters: + RESTRICT_REGEX: \.restrict + IGNORE_REGEX: \.ignore + RESTRICT_TYPE: osregex + IGNORE_TYPE: osregex + metadata: + restrict_regex: \\.restrict + ignore_regex: \\.ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" + matches: ignore + +- name: Test Restrict+Ignore - Matches Both + description: Test Restrict + Ignore tags both with osmatch regex. Log matches both + configuration_parameters: + RESTRICT_REGEX: restrict$ + IGNORE_REGEX: ignore + RESTRICT_TYPE: osmatch + IGNORE_TYPE: osmatch + metadata: + restrict_regex: restrict\$ + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" + matches: ignore - restrict + +- name: Test Restrict+Ignore - Matches None + description: Test Restrict + Ignore tags (PCRE2+osregex) . Log matches None + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: \.ignore + RESTRICT_TYPE: PCRE2 + IGNORE_TYPE: osregex + metadata: + restrict_regex: .*restrict + ignore_regex: \\.ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" + matches: None diff --git a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py new file mode 100644 index 0000000000..830f514e52 --- /dev/null 
+++ b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py 
@@ -0,0 +1,193 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will check if the logcollector updates the 'wazuh-logcollector.state' + file at the periods set in the 'logcollector.state_interval' internal option. Log data collection + is the real-time process of making sense out of the records generated by servers or devices. + This component can receive logs through text files or Windows event logs. It can also directly + receive logs via remote syslog which is useful for firewalls and other such devices. + +components: + - logcollector + +suite: options + +targets: + - agent + - manager + +daemons: + - wazuh-logcollector + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + - Windows 10 + - Windows Server 2019 + - Windows Server 2016 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html + - https://documentation.wazuh.com/current/user-manual/reference/statistics-files/wazuh-logcollector-state.html + - https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#logcollector + +tags: + - logcollector_options +''' +import os +import pytest + +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.local_actions import run_local_command_returning_output +from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data +from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX +from 
wazuh_testing.modules.logcollector import event_monitor as evm +from wazuh_testing.modules import logcollector as lc + + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + +# Configuration and cases data +t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_default.yaml') +t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') + +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_ignore_regex_values.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_ignore_regex_values.yaml') + +# Test configurations +test_file = os.path.join(PREFIX, 'test.log') + +t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['LOCATION'] = test_file +t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) + +t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) +for count, value in enumerate(t2_configuration_parameters): + t2_configuration_parameters[count]['LOCATION'] = test_file +t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata) + + +# Tests +@pytest.mark.tier(level=2) +@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) +@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) +def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, 
truncate_monitored_files, + local_internal_options, set_wazuh_configuration_with_local_internal_options, + restart_wazuh_function): + ''' + description: Check if logcollector reads or ignores a log according to a regex configured in the restrict and restrict tag tag for a + given log file, with each configured value for the restrict 'type' attribute value configured. + + test_phases: + - Set a custom Wazuh configuration. + - Restart monitord. + - Insert the log message. + - Check expected response. + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. + - metadata: + type: dict + brief: Wazuh configuration metadata + - new_file_path: + type: str + brief: path for the log file to be created and deleted after the test. + - local_internal_options + type: dict + brief: Contains the options to configure in local_internal_options + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - set_wazuh_configuration_with_local_internal_options: + type: fixture + brief: Set the wazuh configuration according to the configuration data and local_internal_options. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh. + + assertions: + - Check that logcollector is analyzing the log file. + - Check that logs are ignored when they do not match with configured regex + + input_description: + - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test. + - The `cases_ignore_regex_default` file provides the test cases. 
+ + expected_output: + - r".*wazuh-logcollector.*Analizing file: '{file}'.*" + - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" + - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" + ''' + log = metadata['log_sample'] + command = f"echo '{log}' >> {test_file}" + + # Check log file is being analized + evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + + # Insert log + run_local_command_returning_output(command) + # Check the log is read from the monitored file + evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + + # Check responses + # If matches with restrict, it should not be ignored due to restrict config + if metadata['matches'] == 'restrict': + log_found = False + with pytest.raises(TimeoutError): + log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + log_found = False + with pytest.raises(TimeoutError): + log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + + # If it matches with ignore, it should ignore the log due to ignore config + if 'ignore' in metadata['matches']: + evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore', prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + if 'restrict' in metadata['matches']: + log_found = False + with pytest.raises(TimeoutError): + log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + + # If it matches with None, the log should be ignored due to restrict config and not due to ignore config + if 
metadata['matches'] == None: + evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + log_found = False + with pytest.raises(TimeoutError): + log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore', + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT \ No newline at end of file From e475e8022fac3e6f6d750fa6839f591cf91b00c8 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 10 Nov 2022 17:09:10 -0300 Subject: [PATCH 07/34] style(#3480): fix spacing and indentations --- .../configuration_ignore_regex_default.yaml | 16 +- ...onfiguration_ignore_regex_type_values.yaml | 14 +- ...guration_restrict_ignore_regex_values.yaml | 14 +- .../configuration_restrict_regex_default.yaml | 16 +- ...figuration_restrict_regex_type_values.yaml | 14 +- .../wazuh_configuration.yaml | 20 +- .../cases_ignore_regex_default.yaml | 12 +- .../cases_ignore_regex_type_values.yaml | 12 +- .../cases_restrict_ignore_regex_values.yaml | 270 +++++++++++++++++- .../cases_restrict_regex_default.yaml | 4 +- .../cases_restrict_regex_type_values.yaml | 12 +- .../test_options/test_ignore_regex.py | 38 +-- .../test_restrict_ignore_regex.py | 86 +++--- .../test_options/test_restrict_regex.py | 44 +-- 14 files changed, 417 insertions(+), 155 deletions(-) diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml index d106786b30..b71bc9a337 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml 
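Review bot: The final `if metadata['matches'] == None:` branch of `test_restrict_ignore_regex_values` is very likely unreachable: the corresponding case in cases_restrict_ignore_regex_values.yaml is written `matches: None`, which a YAML loader following the 1.1 null rules (PyYAML) reads as the string `'None'` rather than a null, so the "Matches None" case ends after the syslog-read check without asserting anything about restrict or ignore, and `'ignore' in 'None'` / `'restrict' in 'None'` are false as well. Either write `matches: null` in the cases file and test `if metadata['matches'] is None:`, or keep the string sentinel and compare `if metadata['matches'] == 'None':`; note also that `'restrict' in metadata['matches']` re-runs the restrict-not-ignored wait for the `'restrict'` case already handled by the first block, doubling that case's timeout. The module docstring's `brief:` is copied from the state_interval tests and describes checking `wazuh-logcollector.state` updates, which this module does not do, the function docstring says `tier: 1` while the marker is `@pytest.mark.tier(level=2)`, and its first line reads `restrict and restrict tag tag`. `t1_configurations` and `t1_configuration_metadata` are loaded from the restrict-default files at import time but no test in this module uses them.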
@@ -5,7 +5,7 @@ value: syslog - location: value: LOCATION - - ignore: + - ignore: value: REGEX - section: vulnerability-detector @@ -15,22 +15,22 @@ - section: sca elements: - - enabled: - value: 'no' + - enabled: + value: 'no' - section: rootcheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: syscheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: wodle attributes: - - name: 'syscollector' + - name: syscollector elements: - disabled: value: 'yes' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml index 93080ac9e4..b1d6328bb9 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml @@ -17,22 +17,22 @@ - section: sca elements: - - enabled: - value: 'no' + - enabled: + value: 'no' - section: rootcheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: syscheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: wodle attributes: - - name: 'syscollector' + - name: syscollector elements: - disabled: value: 'yes' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml index 6704548d7f..1629ecf88f 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml 
+++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml @@ -21,22 +21,22 @@ - section: sca elements: - - enabled: - value: 'no' + - enabled: + value: 'no' - section: rootcheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: syscheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: wodle attributes: - - name: 'syscollector' + - name: syscollector elements: - disabled: value: 'yes' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml index 2b31546600..70ac8ee245 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml @@ -5,7 +5,7 @@ value: syslog - location: value: LOCATION - - restrict: + - restrict: value: REGEX - section: vulnerability-detector @@ -15,22 +15,22 @@ - section: sca elements: - - enabled: - value: 'no' + - enabled: + value: 'no' - section: rootcheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: syscheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: wodle attributes: - - name: 'syscollector' + - name: syscollector elements: - disabled: value: 'yes' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml index 96198a7dd2..888f8f0551 100644 
--- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml @@ -17,22 +17,22 @@ - section: sca elements: - - enabled: - value: 'no' + - enabled: + value: 'no' - section: rootcheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: syscheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: wodle attributes: - - name: 'syscollector' + - name: syscollector elements: - disabled: value: 'yes' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml index f0b89052ff..2d27149430 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml @@ -1,13 +1,13 @@ - tags: - - test_options + - test_options apply_to_modules: - - test_options_state_interval_no_file + - test_options_state_interval_no_file sections: - - section: localfile - attributes: - - name: 'testing files' - elements: - - log_format: - value: 'syslog' - - location: - value: LOCATION + - section: localfile + attributes: + - name: testing files + elements: + - log_format: + value: syslog + - location: + value: LOCATION diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml index b099fab599..0b620af602 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml 
+++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml @@ -1,17 +1,17 @@ -- name: 'Test Ignore Default - Match' - description: 'Test Ignore with default regex, with matching log' +- name: Test Ignore Default - Match + description: Test Ignore with default regex, with matching log configuration_parameters: REGEX: .+test metadata: regex: .+test log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: True + matches: true -- name: 'Test Ignore Default - Does not Match' - description: 'Test Ignore with default regex, with not matching log' +- name: Test Ignore Default - Does not Match + description: Test Ignore with default regex, with not matching log configuration_parameters: REGEX: .+test metadata: regex: .+test log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: False + matches: false diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml index 5809857126..13cb592c98 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml @@ -7,7 +7,7 @@ regex: .*test regex_type: PCRE2 log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: True + matches: true - name: Test Ignore PCRE2 - Does not Match description: Test Ignore with PCRE2 regex, with not matching log @@ -18,7 +18,7 @@ regex: .*test regex_type: PCRE2 log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: False + matches: false - name: Test Ignore osmatch - Match description: Test Ignore with osmatch regex, with matching log 
@@ -29,7 +29,7 @@ regex: test\$ regex_type: osmatch log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: True + matches: true - name: Test Ignore osmatch - Does not Match description: Test Ignore with osmatch regex, with not matching log @@ -40,7 +40,7 @@ regex: test\$ regex_type: osmatch log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: False + matches: false - name: Test Ignore osregex - Match description: Test Ignore with osregex regex, with matching log @@ -51,7 +51,7 @@ regex: \\.test regex_type: osregex log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: True + matches: true - name: Test Ignore osregex - Does not Match description: Test Ignore with osregex regex, with not matching log @@ -62,4 +62,4 @@ regex: \\.test regex_type: osregex log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: False + matches: false diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml index 1e5e61160c..3b03db21c0 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml +++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml @@ -1,3 +1,4 @@ +# Test PCRE2 - name: Test Restrict+Ignore - Matches Restrict description: Test Restrict + Ignore tags both with PCRE2 regex. Log matches restrict configuration_parameters: 
@@ -13,6 +14,59 @@ - name: Test Restrict+Ignore - Matches Ignore Only description: Test Restrict + Ignore tags both with PCRE2 regex. Log matches ignore + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: .*ignore + RESTRICT_TYPE: PCRE2 + IGNORE_TYPE: PCRE2 + metadata: + restrict_regex: .*restrict + ignore_regex: .*ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" + matches: ignore + +- name: Test Restrict+Ignore - Matches Both + description: Test Restrict + Ignore tags both with pcre2 regex. Log matches both + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: .*ignore + RESTRICT_TYPE: PCRE2 + IGNORE_TYPE: PCRE2 + metadata: + restrict_regex: .*restrict + ignore_regex: .*ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" + matches: ignore - restrict + +- name: Test Restrict+Ignore - Matches None + description: Test Restrict + Ignore tags both with pcre2 regex. Log matches None + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: .*ignore + RESTRICT_TYPE: PCRE2 + IGNORE_TYPE: PCRE2 + metadata: + restrict_regex: .*restrict + ignore_regex: .*ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" + matches: None + +# Test osregex +- name: Test Restrict+Ignore - Matches Restrict + description: Test Restrict + Ignore tags both with osregex regex. Log matches restrict + configuration_parameters: + RESTRICT_REGEX: \.restrict + IGNORE_REGEX: \.ignore + RESTRICT_TYPE: osregex + IGNORE_TYPE: osregex + metadata: + restrict_regex: \\.restrict + ignore_regex: \\.ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" + matches: restrict + +- name: Test Restrict+Ignore - Matches Ignore Only + description: Test Restrict + Ignore tags both with osregex regex. Log matches ignore configuration_parameters: RESTRICT_REGEX: \.restrict IGNORE_REGEX: \.ignore 
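Review bot: `matches: None` in the four "Matches None" cases loads as the plain string 'None', not as a null value, so any consumer that compares it with Python `None` (the previous revision of test_restrict_ignore_regex.py wrote `if metadata['matches'] == None:`) never enters that branch and the cases silently assert nothing. The test body that consumes this value in the current revision is cut off in the last hunk, so I cannot confirm whether that comparison survived. Either make the intent explicit in the data with `matches: null` and compare with `is None`, or keep the string and compare against `'None'`; a one-line comment above the first such case, `# 'None' is a string marker, not YAML null — the test compares it literally`, would prevent the next reader from tripping on it.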
@@ -24,6 +78,59 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore +- name: Test Restrict+Ignore - Matches Both + description: Test Restrict + Ignore tags both with osregex regex. Log matches both + configuration_parameters: + RESTRICT_REGEX: \.restrict + IGNORE_REGEX: \.ignore + RESTRICT_TYPE: osregex + IGNORE_TYPE: osregex + metadata: + restrict_regex: \\.restrict + ignore_regex: \\.ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" + matches: ignore - restrict + +- name: Test Restrict+Ignore - Matches None + description: Test Restrict + Ignore tags both with osregex regex. Log matches None + configuration_parameters: + RESTRICT_REGEX: \.restrict + IGNORE_REGEX: \.ignore + RESTRICT_TYPE: osregex + IGNORE_TYPE: osregex + metadata: + restrict_regex: \\.restrict + ignore_regex: \\.ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" + matches: None + +# Test osmatch +- name: Test Restrict+Ignore - Matches Restrict + description: Test Restrict + Ignore tags both with osmatch regex. Log matches restrict + configuration_parameters: + RESTRICT_REGEX: restrict$ + IGNORE_REGEX: ignore + RESTRICT_TYPE: osmatch + IGNORE_TYPE: osmatch + metadata: + restrict_regex: restrict\$ + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" + matches: restrict + +- name: Test Restrict+Ignore - Matches Ignore Only + description: Test Restrict + Ignore tags both with osmatch regex. Log matches ignore + configuration_parameters: + RESTRICT_REGEX: restrict$ + IGNORE_REGEX: ignore + RESTRICT_TYPE: osmatch + IGNORE_TYPE: osmatch + metadata: + restrict_regex: restrict\$ + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" + matches: ignore + - name: Test Restrict+Ignore - Matches Both description: Test Restrict + Ignore tags both with osmatch regex. Log matches both configuration_parameters: 
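Review bot: The `name` values repeat verbatim across the regex-type groups ("Test Restrict+Ignore - Matches Both" now exists for PCRE2, osregex and osmatch), and the test module feeds the case ids from this file straight into `@pytest.mark.parametrize(..., ids=case_ids)`; if those ids are derived from `name`, as the helper's usage suggests, the parametrized tests get identical ids and a failure in one group is indistinguishable from the others in the report or with `-k`. Putting the type pair in the name, e.g. `name: Test Restrict+Ignore (osmatch) - Matches Both`, keeps every id unique and makes the `description` redundant rather than the only distinguishing text.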
@@ -38,14 +145,173 @@ matches: ignore - restrict - name: Test Restrict+Ignore - Matches None - description: Test Restrict + Ignore tags (PCRE2+osregex) . Log matches None + description: Test Restrict + Ignore tags both with osmatch regex. Log matches None + configuration_parameters: + RESTRICT_REGEX: restrict$ + IGNORE_REGEX: ignore + RESTRICT_TYPE: osmatch + IGNORE_TYPE: osmatch + metadata: + restrict_regex: restrict\$ + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" + matches: None + +# Test pcre2 + osregex +- name: Test Restrict+Ignore - Matches Restrict + description: Test Restrict + Ignore tags (pcre2+osregex). Log matches restrict configuration_parameters: RESTRICT_REGEX: .*restrict IGNORE_REGEX: \.ignore - RESTRICT_TYPE: PCRE2 + RESTRICT_TYPE: pcre2 + IGNORE_TYPE: osregex + metadata: + restrict_regex: .*restrict + ignore_regex: \\.ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" + matches: restrict + +- name: Test Restrict+Ignore - Matches Ignore Only + description: Test Restrict + Ignore tags (pcre2+osregex). Log matches ignore + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: \.ignore + RESTRICT_TYPE: pcre2 + IGNORE_TYPE: osregex + metadata: + restrict_regex: .*restrict + ignore_regex: \\.ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" + matches: ignore + +- name: Test Restrict+Ignore - Matches Both + description: Test Restrict + Ignore tags (pcre2+osregex). Log matches both + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: \.ignore + RESTRICT_TYPE: pcre2 + IGNORE_TYPE: osregex + metadata: + restrict_regex: .*restrict + ignore_regex: \\.ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" + matches: ignore - restrict + +- name: Test Restrict+Ignore - Matches None + description: Test Restrict + Ignore tags (pcre2+osregex). 
Log matches None + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: \.ignore + RESTRICT_TYPE: pcre2 IGNORE_TYPE: osregex metadata: restrict_regex: .*restrict ignore_regex: \\.ignore log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" matches: None + +# Test pcre2 + osmatch +- name: Test Restrict+Ignore - Matches Restrict + description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches restrict + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: ignore + RESTRICT_TYPE: pcre2 + IGNORE_TYPE: osmatch + metadata: + restrict_regex: .*restrict + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" + matches: restrict + +- name: Test Restrict+Ignore - Matches Ignore Only + description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches ignore + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: ignore + RESTRICT_TYPE: pcre2 + IGNORE_TYPE: osmatch + metadata: + restrict_regex: .*restrict + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" + matches: ignore + +- name: Test Restrict+Ignore - Matches Both + description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches both + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: ignore + RESTRICT_TYPE: pcre2 + IGNORE_TYPE: osmatch + metadata: + restrict_regex: .*restrict + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" + matches: ignore - restrict + +- name: Test Restrict+Ignore - Matches None + description: Test Restrict + Ignore tags (pcre2+osmatch). 
Log matches None + configuration_parameters: + RESTRICT_REGEX: .*restrict + IGNORE_REGEX: ignore + RESTRICT_TYPE: pcre2 + IGNORE_TYPE: osmatch + metadata: + restrict_regex: .*restrict + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" + matches: None + +# Test osmatch + osregex +- name: Test Restrict+Ignore - Matches Restrict + description: Test Restrict + Ignore tags (osregex+osmatch). Log matches restrict + configuration_parameters: + RESTRICT_REGEX: \.restrict + IGNORE_REGEX: ignore + RESTRICT_TYPE: osregex + IGNORE_TYPE: osmatch + metadata: + restrict_regex: \\.restrict + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" + matches: restrict + +- name: Test Restrict+Ignore - Matches Ignore Only + description: Test Restrict + Ignore tags (osregex+osmatch). Log matches ignore + configuration_parameters: + RESTRICT_REGEX: \.restrict + IGNORE_REGEX: ignore + RESTRICT_TYPE: osregex + IGNORE_TYPE: osmatch + metadata: + restrict_regex: \\.restrict + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" + matches: ignore + +- name: Test Restrict+Ignore - Matches Both + description: Test Restrict + Ignore tags (osregex+osmatch). Log matches both + configuration_parameters: + RESTRICT_REGEX: \.restrict + IGNORE_REGEX: ignore + RESTRICT_TYPE: osregex + IGNORE_TYPE: osmatch + metadata: + restrict_regex: \\.restrict + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" + matches: ignore - restrict + +- name: Test Restrict+Ignore - Matches None + description: Test Restrict + Ignore tags (osregex+osmatch). Log matches None + configuration_parameters: + RESTRICT_REGEX: \.restrict + IGNORE_REGEX: ignore + RESTRICT_TYPE: osregex + IGNORE_TYPE: osmatch + metadata: + restrict_regex: \\.restrict + ignore_regex: ignore + log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" + matches: None 
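Review bot: The existing "(PCRE2+osregex)" case has its `RESTRICT_TYPE: PCRE2` rewritten as `RESTRICT_TYPE: pcre2`, and the whole new pcre2+osregex and pcre2+osmatch groups use the lowercase spelling while the earlier groups use `PCRE2`. If the daemon compares the `type` attribute case-sensitively these eight cases exercise configuration handling rather than regex matching, and nothing in the test body would tell the two apart since only the ignore/restrict debug lines are checked; I cannot see the parser here, so either confirm lowercase is accepted or normalise to the spelling used elsewhere. Separately, the section header `# Test osmatch + osregex` does not match the descriptions `(osregex+osmatch)` under it, where restrict is osregex and ignore is osmatch — `# Test osregex (restrict) + osmatch (ignore)` would say what the cases actually configure.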
diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml index 29b9e99267..6e8cba8940 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml +++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml @@ -5,7 +5,7 @@ metadata: regex: .+test log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: True + matches: true - name: Test Restrict Default - Does not Match description: Test Restrict with default regex, with not matching log @@ -14,4 +14,4 @@ metadata: regex: .+test log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: False + matches: false diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml index 959baa656d..b4fbfb0f5d 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml @@ -7,7 +7,7 @@ regex: .*test regex_type: PCRE2 log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: True + matches: true - name: Test Restrict PCRE2 - Does not Match description: Test Restrict with PCRE2 regex, with not matching log @@ -18,7 +18,7 @@ regex: .*test regex_type: PCRE2 log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: False + matches: false - name: Test Restrict osmatch - Match description: Test Restrict with osmatch regex, with matching log 
@@ -29,7 +29,7 @@ regex: test\$ regex_type: osmatch log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: True + matches: true - name: Test Restrict osmatch - Does not Match description: Test Restrict with osmatch regex, with not matching log @@ -40,7 +40,7 @@ regex: test\$ regex_type: osmatch log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: False + matches: false - name: Test Restrict osregex - Match description: Test Restrict with osregex regex, with matching log @@ -51,7 +51,7 @@ regex: \\.test regex_type: osregex log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: True + matches: true - name: Test Restrict osregex - Does not Match description: Test Restrict with osregex regex, with not matching log @@ -62,4 +62,4 @@ regex: \\.test regex_type: osregex log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: False + matches: false diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_ignore_regex.py index d691f47d9b..b584affc60 100644 --- a/tests/integration/test_logcollector/test_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_ignore_regex.py 
@@ -80,17 +80,18 @@ t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) for count, value in enumerate(t1_configuration_parameters): t1_configuration_parameters[count]['LOCATION'] = test_file -t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) +t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, + t1_configuration_metadata) t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) for count, value in enumerate(t2_configuration_parameters): t2_configuration_parameters[count]['LOCATION'] = test_file -t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata) +t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, + t2_configuration_metadata) - - -@pytest.mark.tier(level=1) +# Tests +@pytest.mark.tier(level=0) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) @@ -108,7 +109,7 @@ def test_ignore_default(configuration, metadata, new_file_path, truncate_monitor wazuh_min_version: 4.5.0 - tier: 1 + tier: 0 parameters: - configuration: 
@@ -153,28 +154,29 @@ def test_ignore_default(configuration, metadata, new_file_path, truncate_monitor evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) # Insert log run_local_command_returning_output(command) - + # Check the log is read from the monitored file evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) - + # Check response if metadata['matches'] is not True: log_found = False with pytest.raises(TimeoutError): log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', - prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT - else: + else: evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', - prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) @pytest.mark.tier(level=1) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) -def test_ignore_regex_type_values(configuration, metadata, new_file_path, truncate_monitored_files, local_internal_options, - set_wazuh_configuration_with_local_internal_options, restart_wazuh_function): +def test_ignore_regex_type_values(configuration, metadata, new_file_path, truncate_monitored_files, + local_internal_options, set_wazuh_configuration_with_local_internal_options, + restart_wazuh_function): ''' description: Check if logcollector reads or ignores a log according to a regex configured in the ignored tag for a given log file, , with each configured value for the ignore 'type' attribute value configured. 
@@ -232,17 +234,17 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, trunca evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) # Insert log run_local_command_returning_output(command) - + # Check the log is read from the monitored file evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX) - + # Check response if metadata['matches'] is not True: log_found = False with pytest.raises(TimeoutError): log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', - prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT - else: + else: evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', - prefix=LOG_COLLECTOR_DETECTOR_PREFIX) + prefix=LOG_COLLECTOR_DETECTOR_PREFIX) diff --git a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py index 830f514e52..34382eaa1a 100644 --- a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py 
@@ -8,11 +8,10 @@ type: integration brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. - Specifically, these tests will check if the logcollector updates the 'wazuh-logcollector.state' - file at the periods set in the 'logcollector.state_interval' internal option. Log data collection - is the real-time process of making sense out of the records generated by servers or devices. - This component can receive logs through text files or Windows event logs. It can also directly - receive logs via remote syslog which is useful for firewalls and other such devices. + Specifically, these tests check the behavior of the restrict and ignore options, that allow + users to configure regex patterns that limit if a log will be sent to analysis or will be ignored. + The restrict causes any log that does not match the regex to be ignored, conversely, the 'ignore' option + causes logs that match the regex to be ignored and not be sent for analysis. components: - logcollector 
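Review bot: The new `brief` reads awkwardly and blurs the contract it is meant to state: "limit if a log will be sent" should be "whether", and the last sentence is a comma splice whose subject ("The restrict") is unqualified. Suggested wording: "Specifically, these tests check the 'restrict' and 'ignore' options, which let users configure regex patterns that decide whether a log line is sent for analysis. The 'restrict' option discards every line that does not match its regex; conversely, the 'ignore' option discards every line that does match, so in both cases the discarded line is never forwarded."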
@@ -70,37 +69,30 @@ TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') # Configuration and cases data -t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_default.yaml') -t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') - -t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_ignore_regex_values.yaml') -t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_ignore_regex_values.yaml') +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_ignore_regex_values.yaml') +cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_ignore_regex_values.yaml') # Test configurations test_file = os.path.join(PREFIX, 'test.log') -t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) -for count, value in enumerate(t1_configuration_parameters): - t1_configuration_parameters[count]['LOCATION'] = test_file -t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) - -t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) -for count, value in enumerate(t2_configuration_parameters): - t2_configuration_parameters[count]['LOCATION'] = test_file -t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata) +configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) +for count, value in enumerate(configuration_parameters): + configuration_parameters[count]['LOCATION'] = test_file +configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata) # Tests -@pytest.mark.tier(level=2) +@pytest.mark.tier(level=1) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('local_internal_options,', 
[lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) -@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) +@pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, truncate_monitored_files, - local_internal_options, set_wazuh_configuration_with_local_internal_options, - restart_wazuh_function): + local_internal_options, set_wazuh_configuration_with_local_internal_options, + restart_wazuh_function): ''' - description: Check if logcollector reads or ignores a log according to a regex configured in the restrict and restrict tag tag for a - given log file, with each configured value for the restrict 'type' attribute value configured. + description: Check if logcollector reads or ignores a log according to a regex configured in the restrict and + restrict tag tag for a given log file, with each configured value for the restrict 'type' attribute + value configured. test_phases: - Set a custom Wazuh configuration. 
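Review bot: The reflowed docstring still carries the wrong tag name and a doubled word — "configured in the restrict and restrict tag tag for a given log file, with each configured value for the restrict 'type' attribute" — while the cases file this module now loads exercises both `restrict` and `ignore` with every combination of their `type` attributes. Suggested: "description: Check if logcollector forwards or discards a log line according to the regexes configured in the 'restrict' and 'ignore' tags of a localfile, for each combination of the 'type' attribute values of both tags." Note that `test_restrict_ignore_regex_values` starts in this hunk but its body continues past it, so the behaviour described here is not reviewable from this hunk alone.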
@@ -153,41 +145,41 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, tr
 # Check log file is being analized
 evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
-
+
 # Insert log
 run_local_command_returning_output(command)
 # Check the log is read from the monitored file
 evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
-
+
 # Check responses
+ # If it matches with ignore, it should ignore the log due to ignore config
+ if 'ignore' in metadata['matches']:
+ evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore',
+ prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ if 'restrict' in metadata['matches']:
+ log_found = False
+ with pytest.raises(TimeoutError):
+ log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'],
+ tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 # If matches with restrict, it should not be ignored due to restrict config
- if metadata['matches'] == 'restrict':
+ elif metadata['matches'] == 'restrict':
 log_found = False
 with pytest.raises(TimeoutError):
- log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'],
+ tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 log_found = False
 with pytest.raises(TimeoutError):
- log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'],
+ tag='ignore', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
-
- # If it matches with ignore, it should ignore the log due to ignore config
- if 'ignore' in metadata['matches']:
- evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
- if 'restrict' in metadata['matches']:
- log_found = False
- with pytest.raises(TimeoutError):
- log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
- assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
-
- # If it matches with None, the log should be ignored due to restrict config and not due to ignore config
- if metadata['matches'] == None:
- evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ else:
+ # If it matches with None, the log should be ignored due to restrict config and not due to ignore config
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore',
 prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
- assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
\ No newline at end of file
+ assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
+ evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict',
+ prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
diff --git a/tests/integration/test_logcollector/test_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_regex.py
index d68c6b218f..873bf27933 100644
--- a/tests/integration/test_logcollector/test_options/test_restrict_regex.py
+++ b/tests/integration/test_logcollector/test_options/test_restrict_regex.py
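Review bot: The new `elif metadata['matches'] == 'restrict':` binds to whichever `if` immediately precedes it at the same level, and indentation is not recoverable in this rendering; if `if 'restrict' in metadata['matches']:` is a sibling of `if 'ignore' in metadata['matches']:` rather than nested inside it, the `elif` can never run (`'restrict' in 'restrict'` is already true) and a pure-`ignore` case falls through to the final `else`. Nesting the `'restrict'` check inside the `'ignore'` branch, with a comment stating which `matches` values each branch is meant to cover, removes the ambiguity. The `else` comment describes `matches` being `None`, but `'ignore' in metadata['matches']` raises `TypeError` on `None`, so either normalise first, `matches = metadata['matches'] or ''`, or correct the comment. Each `assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT` that follows a `with pytest.raises(TimeoutError):` block cannot fail on its own: if the call returns, `pytest.raises` already fails, so the custom message never surfaces; the same pattern appears in the other test files of this series. test_restrict_ignore_regex_values begins outside the hunk.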
@@ -8,11 +8,10 @@
 type: integration
 brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
- Specifically, these tests will check if the logcollector updates the 'wazuh-logcollector.state'
- file at the periods set in the 'logcollector.state_interval' internal option. Log data collection
- is the real-time process of making sense out of the records generated by servers or devices.
- This component can receive logs through text files or Windows event logs. It can also directly
- receive logs via remote syslog which is useful for firewalls and other such devices.
+ Specifically, these tests check the behavior of the restrict and ignore options, that allow
+ users to configure regex patterns that limit if a log will be sent to analysis or will be ignored.
+ The restrict causes any log that does not match the regex to be ignored, conversely, the 'ignore' option
+ causes logs that match the regex to be ignored and not be sent for analysis.
 components:
 - logcollector
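Review bot: The new `brief` sentence `The restrict causes any log that does not match the regex to be ignored, conversely, the 'ignore' option causes logs that match the regex to be ignored and not be sent for analysis.` drops the word "option" and splices two clauses with a comma; suggest `The 'restrict' option causes any log that does not match the regex to be ignored; conversely, the 'ignore' option causes logs that match the regex to be ignored and not sent for analysis.` The preceding line's `that limit if a log will be sent to analysis or will be ignored` reads more clearly as `that determine whether a log is sent for analysis or ignored`.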
@@ -82,23 +81,24 @@
 t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path)
 for count, value in enumerate(t1_configuration_parameters):
 t1_configuration_parameters[count]['LOCATION'] = test_file
-t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata)
+t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters,
+ t1_configuration_metadata)
 t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path)
 for count, value in enumerate(t2_configuration_parameters):
 t2_configuration_parameters[count]['LOCATION'] = test_file
-t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata)
-
-
+t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters,
+ t2_configuration_metadata)
+#
 @pytest.mark.tier(level=1)
 @pytest.mark.parametrize('new_file_path,', [test_file], ids=[''])
 @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
 @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids)
 def test_restrict_default(configuration, metadata, new_file_path, truncate_monitored_files,
- local_internal_options, set_wazuh_configuration_with_local_internal_options,
- restart_wazuh_function):
+ local_internal_options, set_wazuh_configuration_with_local_internal_options,
+ restart_wazuh_function):
 '''
 description: Check if logcollector reads or ignores a log according to a regex configured in the restrict tag for a given log file.
@@ -154,20 +154,21 @@ def test_restrict_default(configuration, metadata, new_file_path, truncate_monit
 # Check log file is being analized
 evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
-
+
 # Insert log
 run_local_command_returning_output(command)
 # Check the log is read from the monitored file
 evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
- # Check response
+ # Check response
 if metadata['matches']:
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict',
 prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
- else:
- evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ else:
+ evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict',
+ prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
 @pytest.mark.tier(level=1)
@@ -175,8 +176,8 @@ def test_restrict_default(configuration, metadata, new_file_path, truncate_monit
 @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
 @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids)
 def test_restrict_regex_type_values(configuration, metadata, new_file_path, truncate_monitored_files,
- local_internal_options, set_wazuh_configuration_with_local_internal_options,
- restart_wazuh_function):
+ local_internal_options, set_wazuh_configuration_with_local_internal_options,
+ restart_wazuh_function):
 '''
 description: Check if logcollector reads or ignores a log according to a regex configured in the restrict tag for a given log file, with each configured value for the restrict 'type' attribute value configured.
@@ -232,17 +233,18 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, trun
 # Check log file is being analized
 evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
-
+
 # Insert log
 run_local_command_returning_output(command)
 # Check the log is read from the monitored file
 evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
- # Check response
+ # Check response
 if metadata['matches']:
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict',
 prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
- else:
- evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ else:
+ evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict',
+ prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
From 79c05b48318997c112c6678000f898976160a7bc Mon Sep 17 00:00:00 2001
From: Deblintrake09
Date: Thu, 10 Nov 2022 17:33:43 -0300
Subject: [PATCH 08/34] docs(#3480): update changelog.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 563730fa9e..5d9002542a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ Release report: TBD
 ### Added
+- Add new tests for logcollector 'ignore' and 'restrict' options ([#3582](https://github.com/wazuh/wazuh-qa/pull/3582)) \- (Tests)
 - Add 'Force reconnect' feature to agent_simulator tool. ([#3111](https://github.com/wazuh/wazuh-qa/pull/3111)) \- (Tools)
 ### Changed
From b9f4e1ef17e797d1510d6e4f3afb77bbb9d50b27 Mon Sep 17 00:00:00 2001
From: Deblintrake09
Date: Fri, 11 Nov 2022 11:00:37 -0300
Subject: [PATCH 09/34] fix(#3480): modify prefix for Win32 support
---
 .../test_options/test_ignore_regex.py | 20 ++++++++--------
 .../test_restrict_ignore_regex.py | 21 +++++++++--------
 .../test_options/test_restrict_regex.py | 23 +++++++++++--------
 3 files changed, 35 insertions(+), 29 deletions(-)
diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_ignore_regex.py
index b584affc60..adb16fb4ea 100644
--- a/tests/integration/test_logcollector/test_options/test_ignore_regex.py
+++ b/tests/integration/test_logcollector/test_options/test_ignore_regex.py
@@ -53,11 +53,12 @@
 - logcollector_options
 '''
 import os
+import sys
 import pytest
 from wazuh_testing.tools import PREFIX
 from wazuh_testing.tools.local_actions import run_local_command_returning_output
 from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data
-from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX
+from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX,AGENT_DETECTOR_PREFIX
 from wazuh_testing.modules.logcollector import event_monitor as evm
 from wazuh_testing.modules import logcollector as lc
@@ -89,6 +90,7 @@
 t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata)
+prefix = AGENT_DETECTOR_PREFIX if sys.platform == 'win32' else LOG_COLLECTOR_DETECTOR_PREFIX
 # Tests
 @pytest.mark.tier(level=0)
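Review bot: The rewritten import `from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX,AGENT_DETECTOR_PREFIX` is missing the space after the comma, unlike the same line in the other two files of this commit (PEP 8). The module-level `prefix = AGENT_DETECTOR_PREFIX if sys.platform == 'win32' else LOG_COLLECTOR_DETECTOR_PREFIX` in the second hunk deserves a short comment saying why Windows needs the agent prefix, since the commit title is the only place that intent is recorded; something like `# Win32: logcollector output is matched with the agent prefix (see #3480)` next to the assignment would do.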
@@ -151,23 +153,23 @@ def test_ignore_default(configuration, metadata, new_file_path, truncate_monitor
 command = f"echo '{log}' >> {test_file}"
 # Check log file is being analized
- evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_analyzing_file(file=test_file, prefix=prefix)
 # Insert log
 run_local_command_returning_output(command)
 # Check the log is read from the monitored file
- evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_syslog_messages(message=log, prefix=prefix)
 # Check response
 if metadata['matches'] is not True:
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 else:
 evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
 @pytest.mark.tier(level=1)
@@ -231,20 +233,20 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, trunca
 command = f"echo '{log}' >> {test_file}"
 # Check log file is being analized
- evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_analyzing_file(file=test_file, prefix=prefix)
 # Insert log
 run_local_command_returning_output(command)
 # Check the log is read from the monitored file
- evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_syslog_messages(message=log, prefix=prefix)
 # Check response
 if metadata['matches'] is not True:
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 else:
 evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
diff --git a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py
index 34382eaa1a..f72c4bcf80 100644
--- a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py
+++ b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py
@@ -53,12 +53,13 @@
 - logcollector_options
 '''
 import os
+import sys
 import pytest
 from wazuh_testing.tools import PREFIX
 from wazuh_testing.tools.local_actions import run_local_command_returning_output
 from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data
-from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX
+from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX, AGENT_DETECTOR_PREFIX
 from wazuh_testing.modules.logcollector import event_monitor as evm
 from wazuh_testing.modules import logcollector as lc
@@ -79,7 +80,7 @@
 for count, value in enumerate(configuration_parameters):
 configuration_parameters[count]['LOCATION'] = test_file
 configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata)
-
+prefix = AGENT_DETECTOR_PREFIX if sys.platform == 'win32' else LOG_COLLECTOR_DETECTOR_PREFIX
 # Tests
 @pytest.mark.tier(level=1)
@@ -144,42 +145,42 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, tr
 command = f"echo '{log}' >> {test_file}"
 # Check log file is being analized
- evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_analyzing_file(file=test_file, prefix=prefix)
 # Insert log
 run_local_command_returning_output(command)
 # Check the log is read from the monitored file
- evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_syslog_messages(message=log, prefix=prefix)
 # Check responses
 # If it matches with ignore, it should ignore the log due to ignore config
 if 'ignore' in metadata['matches']:
 evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
 if 'restrict' in metadata['matches']:
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'],
- tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ tag='restrict', prefix=prefix)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 # If matches with restrict, it should not be ignored due to restrict config
 elif metadata['matches'] == 'restrict':
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'],
- tag='restrict', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ tag='restrict', prefix=prefix)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'],
- tag='ignore', prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ tag='ignore', prefix=prefix)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 else:
 # If it matches with None, the log should be ignored due to restrict config and not due to ignore config
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
diff --git a/tests/integration/test_logcollector/test_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_regex.py
index 873bf27933..5458c0c241 100644
--- a/tests/integration/test_logcollector/test_options/test_restrict_regex.py
+++ b/tests/integration/test_logcollector/test_options/test_restrict_regex.py
@@ -53,12 +53,13 @@
 - logcollector_options
 '''
 import os
+import sys
 import pytest
 from wazuh_testing.tools import PREFIX
 from wazuh_testing.tools.local_actions import run_local_command_returning_output
 from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data
-from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX
+from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX, AGENT_DETECTOR_PREFIX
 from wazuh_testing.modules.logcollector import event_monitor as evm
 from wazuh_testing.modules import logcollector as lc
@@ -90,8 +91,10 @@
 t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters,
 t2_configuration_metadata)
+prefix = AGENT_DETECTOR_PREFIX if sys.platform == 'win32' else LOG_COLLECTOR_DETECTOR_PREFIX
-#
+
+# Tests
 @pytest.mark.tier(level=1)
 @pytest.mark.parametrize('new_file_path,', [test_file], ids=[''])
 @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
@@ -153,22 +156,22 @@ def test_restrict_default(configuration, metadata, new_file_path, truncate_monit
 command = f"echo '{log}' >> {test_file}"
 # Check log file is being analized
- evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_analyzing_file(file=test_file, prefix=prefix)
 # Insert log
 run_local_command_returning_output(command)
 # Check the log is read from the monitored file
- evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_syslog_messages(message=log, prefix=prefix)
 # Check response
 if metadata['matches']:
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 else:
 evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
 @pytest.mark.tier(level=1)
@@ -232,19 +235,19 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, trun
 command = f"echo '{log}' >> {test_file}"
 # Check log file is being analized
- evm.check_analyzing_file(file=test_file, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_analyzing_file(file=test_file, prefix=prefix)
 # Insert log
 run_local_command_returning_output(command)
 # Check the log is read from the monitored file
- evm.check_syslog_messages(message=log, prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ evm.check_syslog_messages(message=log, prefix=prefix)
 # Check response
 if metadata['matches']:
 log_found = False
 with pytest.raises(TimeoutError):
 log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
 assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
 else:
 evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict',
- prefix=LOG_COLLECTOR_DETECTOR_PREFIX)
+ prefix=prefix)
From ff61b12499ccabd2d883698cbeb0b3adcc04aa5f Mon Sep 17 00:00:00 2001
From: Deblintrake09
Date: Fri, 11 Nov 2022 11:03:42 -0300
Subject: [PATCH 10/34] fix(#3480): remove unused conf sections
---
 .../configuration_ignore_regex_default.yaml | 15 ---------------
 .../configuration_ignore_regex_type_values.yaml | 15 ---------------
 ...onfiguration_restrict_ignore_regex_values.yaml | 15 ---------------
 .../configuration_restrict_regex_default.yaml | 15 ---------------
 .../configuration_restrict_regex_type_values.yaml | 15 ---------------
 5 files changed, 75 deletions(-)
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml
index b71bc9a337..4a3ac56944 100644
--- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml @@ -8,11 +8,6 @@ - ignore: value: REGEX - - section: vulnerability-detector - elements: - - enabled: - value: 'no' - - section: sca elements: - enabled: @@ -34,13 +29,3 @@ elements: - disabled: value: 'yes' - - - section: auth - elements: - - disabled: - value: 'yes' - - - section: rule_test - elements: - - enabled: - value: 'no' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml index b1d6328bb9..72fa5efc85 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml @@ -10,11 +10,6 @@ attributes: - type: REGEX_TYPE - - section: vulnerability-detector - elements: - - enabled: - value: 'no' - - section: sca elements: - enabled: @@ -36,13 +31,3 @@ elements: - disabled: value: 'yes' - - - section: auth - elements: - - disabled: - value: 'yes' - - - section: rule_test - elements: - - enabled: - value: 'no' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml index 1629ecf88f..3c8b8bcd1e 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml 
+++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml @@ -14,11 +14,6 @@ attributes: - type: IGNORE_TYPE - - section: vulnerability-detector - elements: - - enabled: - value: 'no' - - section: sca elements: - enabled: @@ -40,13 +35,3 @@ elements: - disabled: value: 'yes' - - - section: auth - elements: - - disabled: - value: 'yes' - - - section: rule_test - elements: - - enabled: - value: 'no' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml index 70ac8ee245..29f730cf20 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml @@ -8,11 +8,6 @@ - restrict: value: REGEX - - section: vulnerability-detector - elements: - - enabled: - value: 'no' - - section: sca elements: - enabled: @@ -34,13 +29,3 @@ elements: - disabled: value: 'yes' - - - section: auth - elements: - - disabled: - value: 'yes' - - - section: rule_test - elements: - - enabled: - value: 'no' diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml index 888f8f0551..5b5179c23c 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml 
@@ -10,11 +10,6 @@ attributes: - type: REGEX_TYPE - - section: vulnerability-detector - elements: - - enabled: - value: 'no' - - section: sca elements: - enabled: @@ -36,13 +31,3 @@ elements: - disabled: value: 'yes' - - - section: auth - elements: - - disabled: - value: 'yes' - - - section: rule_test - elements: - - enabled: - value: 'no' From 6e8cfc6261b92ea7a1a1fe4ab8be0681c55419a6 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 11 Nov 2022 15:50:06 -0300 Subject: [PATCH 11/34] fix(#3480): add create_file fixture --- .../test_options/test_ignore_regex.py | 16 +++++++++++----- .../test_options/test_restrict_ignore_regex.py | 8 +++++--- .../test_options/test_restrict_regex.py | 13 +++++++++---- 3 files changed, 25 insertions(+), 12 deletions(-) diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_ignore_regex.py index adb16fb4ea..2e985ab809 100644 --- a/tests/integration/test_logcollector/test_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_ignore_regex.py @@ -55,10 +55,10 @@ import os import sys import pytest +import time from wazuh_testing.tools import PREFIX from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data -from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX,AGENT_DETECTOR_PREFIX from wazuh_testing.modules.logcollector import event_monitor as evm from wazuh_testing.modules import logcollector as lc 
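Review bot: `import time` is added to test_ignore_regex.py here but none of this commit's hunks for the file use `time`; unless a later part of the file does, it is an unused import. `import sys` is likewise kept although the following hunk replaces the `sys.platform` conditional that was its only visible use, so it probably becomes unused as well. The standard-library imports are now split around `import pytest` (`import os`, `import sys`, `import pytest`, `import time`); PEP 8 groups standard-library imports before third-party ones, so `time` belongs with `os` and `sys` if it is needed at all.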
@@ -90,14 +90,14 @@
 t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata)
-prefix = AGENT_DETECTOR_PREFIX if sys.platform == 'win32' else LOG_COLLECTOR_DETECTOR_PREFIX
+prefix = lc.LOG_COLLECTOR_PREFIX
 # Tests
 @pytest.mark.tier(level=0)
 @pytest.mark.parametrize('new_file_path,', [test_file], ids=[''])
 @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
 @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids)
-def test_ignore_default(configuration, metadata, new_file_path, truncate_monitored_files, local_internal_options,
+def test_ignore_default(configuration, metadata, new_file_path, create_file, truncate_monitored_files, local_internal_options,
 set_wazuh_configuration_with_local_internal_options, restart_wazuh_function):
 '''
 description: Check if logcollector reads or ignores a log according to a regex configured in the ignored tag for a
@@ -123,6 +123,9 @@ def test_ignore_default(configuration, metadata, new_file_path, truncate_monitor
 - new_file_path:
 type: str
 brief: path for the log file to be created and deleted after the test.
+ - create_file:
+ type: fixture
+ brief: Create an empty file for logging
 - local_internal_options
 type: dict
 brief: Contains the options to configure in local_internal_options
@@ -152,7 +155,7 @@ def test_ignore_default(configuration, metadata, new_file_path, truncate_monitor
 log = metadata['log_sample']
 command = f"echo '{log}' >> {test_file}"
- # Check log file is being analized
+ # Check log file is being analyzed
 evm.check_analyzing_file(file=test_file, prefix=prefix)
 # Insert log
 run_local_command_returning_output(command)
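Review bot: `prefix = lc.LOG_COLLECTOR_PREFIX` discards the `sys.platform == 'win32'` selection that the earlier "modify prefix for Win32 support" commit introduced, so on Windows the monitors will again wait for a `wazuh-logcollector` prefix; if the Windows agent logs these lines under the agent name, the Windows cases time out. If the `lc` module provides a Windows agent prefix constant (`lc.WINDOWS_AGENT_PREFIX`), keeping the switch is a one-liner: `prefix = lc.WINDOWS_AGENT_PREFIX if sys.platform == 'win32' else lc.LOG_COLLECTOR_PREFIX`. The same replacement is made in test_restrict_ignore_regex.py and test_restrict_regex.py further down in this commit. The new `def test_ignore_default(...)` line is now noticeably longer than the other wrapped signatures in the file; wrapping after `create_file,` keeps it consistent.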
@@ -176,7 +179,7 @@ def test_ignore_default(configuration, metadata, new_file_path, truncate_monitor
 @pytest.mark.parametrize('new_file_path,', [test_file], ids=[''])
 @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
 @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids)
-def test_ignore_regex_type_values(configuration, metadata, new_file_path, truncate_monitored_files,
+def test_ignore_regex_type_values(configuration, metadata, new_file_path, create_file, truncate_monitored_files,
 local_internal_options, set_wazuh_configuration_with_local_internal_options,
 restart_wazuh_function):
 '''
@@ -203,6 +206,9 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, trunca
 - new_file_path:
 type: str
 brief: path for the log file to be created and deleted after the test.
+ - create_file:
+ type: fixture
+ brief: Create an empty file for logging
 - local_internal_options
 type: dict
 brief: Contains the options to configure in local_internal_options
diff --git a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py
index f72c4bcf80..d548e631e4 100644
--- a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py
+++ b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py
@@ -59,7 +59,6 @@
 from wazuh_testing.tools import PREFIX
 from wazuh_testing.tools.local_actions import run_local_command_returning_output
 from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data
-from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX, AGENT_DETECTOR_PREFIX
 from wazuh_testing.modules.logcollector import event_monitor as evm
 from wazuh_testing.modules import logcollector as lc
@@ -80,14 +79,14 @@
 for count, value in enumerate(configuration_parameters):
 configuration_parameters[count]['LOCATION'] = test_file
 configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata)
-prefix = AGENT_DETECTOR_PREFIX if sys.platform == 'win32' else LOG_COLLECTOR_DETECTOR_PREFIX
+prefix = lc.LOG_COLLECTOR_PREFIX
 # Tests
 @pytest.mark.tier(level=1)
 @pytest.mark.parametrize('new_file_path,', [test_file], ids=[''])
 @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
 @pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids)
-def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, truncate_monitored_files,
+def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, create_file, truncate_monitored_files,
 local_internal_options, set_wazuh_configuration_with_local_internal_options,
 restart_wazuh_function):
 '''
@@ -115,6 +114,9 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, tr
 - new_file_path:
 type: str
 brief: path for the log file to be created and deleted after the test.
+ - create_file:
+ type: fixture
+ brief: Create an empty file for logging
 - local_internal_options
 type: dict
 brief: Contains the options to configure in local_internal_options
diff --git a/tests/integration/test_logcollector/test_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_regex.py
index 5458c0c241..942bc8ec4a 100644
--- a/tests/integration/test_logcollector/test_options/test_restrict_regex.py
+++ b/tests/integration/test_logcollector/test_options/test_restrict_regex.py
@@ -59,7 +59,6 @@ from wazuh_testing.tools import PREFIX from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data -from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX, AGENT_DETECTOR_PREFIX from wazuh_testing.modules.logcollector import event_monitor as evm from wazuh_testing.modules import logcollector as lc @@ -91,7 +90,7 @@ t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata) -prefix = AGENT_DETECTOR_PREFIX if sys.platform == 'win32' else LOG_COLLECTOR_DETECTOR_PREFIX +prefix = lc.LOG_COLLECTOR_PREFIX # Tests @@ -99,7 +98,7 @@ @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) -def test_restrict_default(configuration, metadata, new_file_path, truncate_monitored_files, +def test_restrict_default(configuration, metadata, new_file_path, create_file, truncate_monitored_files, local_internal_options, set_wazuh_configuration_with_local_internal_options, restart_wazuh_function): ''' @@ -129,6 +128,9 @@ def test_restrict_default(configuration, metadata, new_file_path, truncate_monit - local_internal_options type: dict brief: Contains the options to configure in local_internal_options + - create_file: + type: fixture + brief: Create an empty file for logging - truncate_monitored_files: type: fixture brief: Truncate all the log files and json alerts files before and after the test execution. 
@@ -178,7 +180,7 @@ def test_restrict_default(configuration, metadata, new_file_path, truncate_monit @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) -def test_restrict_regex_type_values(configuration, metadata, new_file_path, truncate_monitored_files, +def test_restrict_regex_type_values(configuration, metadata, new_file_path, create_file, truncate_monitored_files, local_internal_options, set_wazuh_configuration_with_local_internal_options, restart_wazuh_function): ''' @@ -208,6 +210,9 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, trun - local_internal_options type: dict brief: Contains the options to configure in local_internal_options + - create_file: + type: fixture + brief: Create an empty file for logging - truncate_monitored_files: type: fixture brief: Truncate all the log files and json alerts files before and after the test execution. From 62f2498c5e9c4a890f414064b49914fe1e5c7cb0 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 11 Nov 2022 15:51:36 -0300 Subject: [PATCH 12/34] fix(#3480): fix imports --- .../wazuh_testing/modules/logcollector/__init__.py | 6 ++++-- .../wazuh_testing/modules/logcollector/event_monitor.py | 6 ++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py index ecaf5a5be2..74f3dc2a7c 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py 
@@ -1,13 +1,15 @@ import sys +from wazuh_testing.tools.monitoring import LOG_COLLECTOR_DETECTOR_PREFIX, AGENT_DETECTOR_PREFIX -LOG_COLLECTOR_PREFIX = r'.*wazuh-logcollector.*' +# Variables +LOG_COLLECTOR_PREFIX = AGENT_DETECTOR_PREFIX if sys.platform == 'win32' else LOG_COLLECTOR_DETECTOR_PREFIX WINDOWS_AGENT_PREFIX = r'.*wazuh-agent.*' MAILD_PREFIX = r'.*wazuh-maild.*' -GENERIC_CALLBACK_ERROR_COMMAND_MONITORING = 'The expected command monitoring log has not been produced' # Error Messages +GENERIC_CALLBACK_ERROR_COMMAND_MONITORING = 'The expected command monitoring log has not been produced' ERR_MSG_UNEXPECTED_IGNORE_EVENT = "Found unexpected 'Ignoring the log... due to ignore/restrict config' event" diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py index 703494161d..acb6bc9868 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py @@ -1,9 +1,8 @@ import re -from wazuh_testing import T_30, T_10 +from wazuh_testing import T_30, T_10, LOG_FILE_PATH from wazuh_testing.modules.logcollector import LOG_COLLECTOR_PREFIX from wazuh_testing.tools.monitoring import FileMonitor -from wazuh_testing import LOG_FILE_PATH def make_logcollector_callback(pattern, prefix=LOG_COLLECTOR_PREFIX, escape=False): @@ -27,7 +26,6 @@ def make_logcollector_callback(pattern, prefix=LOG_COLLECTOR_PREFIX, escape=Fals else: pattern = r'\s+'.join(pattern.split()) regex = re.compile(r'{}{}'.format(prefix, pattern)) - print("REGEX------------" + str(regex)) return lambda line: regex.match(line) is not None 
@@ -67,7 +65,7 @@ def check_analyzing_file(file, prefix, error_message=None, file_monitor=None): file_monitor (FileMonitor): Log monitor. """ if error_message is None: - error_message = f"Did not receive the expected 'Analizing file: {file}' event" + error_message = f"Did not receive the expected 'Analyzing file: {file}' event" check_logcollector_event(file_monitor=file_monitor, timeout=T_30, callback=fr".*Analyzing file: '{file}'.*", From 24c492c81f09c5dd80ba9f556229b7dfeac4eef1 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 11 Nov 2022 15:55:43 -0300 Subject: [PATCH 13/34] style(#3480): fix indentation --- .../test_options/test_ignore_regex.py | 5 ++-- .../test_options_state_interval.py | 24 +++++++++---------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_ignore_regex.py index 2e985ab809..19c1a06e31 100644 --- a/tests/integration/test_logcollector/test_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_ignore_regex.py @@ -97,8 +97,9 @@ @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) -def test_ignore_default(configuration, metadata, new_file_path, create_file, truncate_monitored_files, local_internal_options, - set_wazuh_configuration_with_local_internal_options, restart_wazuh_function): +def test_ignore_default(configuration, metadata, new_file_path, create_file, truncate_monitored_files, + local_internal_options, set_wazuh_configuration_with_local_internal_options, + restart_wazuh_function): ''' description: Check if logcollector reads or ignores a log according to a regex configured in the ignored tag for a given log file. 
diff --git a/tests/integration/test_logcollector/test_options/test_options_state_interval.py b/tests/integration/test_logcollector/test_options/test_options_state_interval.py index 6d8e5c9f12..4fcfd2377d 100644 --- a/tests/integration/test_logcollector/test_options/test_options_state_interval.py +++ b/tests/integration/test_logcollector/test_options/test_options_state_interval.py @@ -143,16 +143,16 @@ def test_options_state_interval(get_local_internal_options, file_monitoring): error_message=f"The message: 'Invalid definition for " f"logcollector.state_interval: {interval}.' didn't appear") else: - control_service('restart') - sleep(state_interval_update_timeout) - logcollector.wait_statistics_file(timeout=interval + 5) - previous_modification_time = os.path.getmtime(LOGCOLLECTOR_STATISTICS_FILE) + control_service('restart') + sleep(state_interval_update_timeout) + logcollector.wait_statistics_file(timeout=interval + 5) + previous_modification_time = os.path.getmtime(LOGCOLLECTOR_STATISTICS_FILE) + last_modification_time = os.path.getmtime(LOGCOLLECTOR_STATISTICS_FILE) + while last_modification_time == previous_modification_time: + sleep(elapsed_time_modification) last_modification_time = os.path.getmtime(LOGCOLLECTOR_STATISTICS_FILE) - while last_modification_time == previous_modification_time: - sleep(elapsed_time_modification) - last_modification_time = os.path.getmtime(LOGCOLLECTOR_STATISTICS_FILE) - elapsed = last_modification_time - previous_modification_time - if sys.platform == 'win32': - assert interval - 30 < elapsed < interval + 30 - else: - assert interval - 1 < elapsed < interval + 1 \ No newline at end of file + elapsed = last_modification_time - previous_modification_time + if sys.platform == 'win32': + assert interval - 30 < elapsed < interval + 30 + else: + assert interval - 1 < elapsed < interval + 1 From 1c6a11377b5a7ef65d7c86dc221902a67a09758b Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Mon, 14 Nov 2022 12:37:34 -0300 Subject: [PATCH 14/34] fix(#3480): update callbacks and tests for windows --- .../modules/logcollector/__init__.py | 2 +- .../modules/logcollector/event_monitor.py | 22 ++++++++++++------- .../test_options/test_ignore_regex.py | 18 +++++++++++---- .../test_restrict_ignore_regex.py | 10 +++++++-- .../test_options/test_restrict_regex.py | 17 +++++++++++--- 5 files changed, 51 insertions(+), 18 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py index 74f3dc2a7c..078f8dfdf5 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py @@ -24,4 +24,4 @@ 'logcollector.debug': '2', 'monitord.rotate_log': '0', 'agent.debug': '0', - } \ No newline at end of file + } diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py index acb6bc9868..edd81697ac 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py @@ -1,5 +1,5 @@ import re - +import sys from wazuh_testing import T_30, T_10, LOG_FILE_PATH from wazuh_testing.modules.logcollector import LOG_COLLECTOR_PREFIX from wazuh_testing.tools.monitoring import FileMonitor @@ -50,8 +50,8 @@ def check_logcollector_event(file_monitor=None, callback='', error_message=None, error_message result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, - callback=make_logcollector_callback(callback, prefix, escape), - error_message=error_message).result() + callback=make_logcollector_callback(callback, prefix, escape), + error_message=error_message).result() return result 
@@ -66,7 +66,7 @@ def check_analyzing_file(file, prefix, error_message=None, file_monitor=None): """ if error_message is None: error_message = f"Did not receive the expected 'Analyzing file: {file}' event" - + check_logcollector_event(file_monitor=file_monitor, timeout=T_30, callback=fr".*Analyzing file: '{file}'.*", error_message=error_message, prefix=prefix) @@ -84,13 +84,16 @@ def check_syslog_messages(message, prefix, error_message=None, file_monitor=None """ if error_message is None: error_message = f"Did not receive the expected 'Reading syslog message: {message}' event" - callback_msg = fr"DEBUG: Reading syslog message: '{message}'" + if sys.platform == 'win32': + callback_msg = fr".*DEBUG: Reading syslog message: ''{message}' '.*" + else: + callback_msg = fr".*DEBUG: Reading syslog message: '{message}'.*" check_logcollector_event(file_monitor=file_monitor, timeout=timeout, callback=callback_msg, error_message=error_message, prefix=prefix, escape=escape) -def check_ignore_restrict_messages(message, regex, tag, prefix, error_message=None, file_monitor=None, timeout=T_10, +def check_ignore_restrict_messages(message, regex, tag, prefix, error_message=None, file_monitor=None, timeout=T_10, escape=False): """Create a callback to detect "DEBUG: Ignoring the log ... due to config" debug line. Args: 
@@ -105,7 +108,10 @@ def check_ignore_restrict_messages(message, regex, tag, prefix, error_message=No """ if error_message is None: error_message = f"Did not receive the expected 'Ignoring the log line: {message} due to {tag} config' event" - callback_msg = fr"Ignoring the log line '{message}' due to {tag} config: '{regex}'" + if sys.platform == 'win32': + callback_msg = fr"Ignoring the log line ''{message}' ' due to {tag} config: '{regex}'" + else: + callback_msg = fr"Ignoring the log line '{message}' due to {tag} config: '{regex}'" - return check_logcollector_event(file_monitor=file_monitor, timeout=timeout, callback=callback_msg, + return check_logcollector_event(file_monitor=file_monitor, timeout=timeout, callback=callback_msg, error_message=error_message, prefix=prefix, escape=escape) diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_ignore_regex.py index 19c1a06e31..96590b4490 100644 --- a/tests/integration/test_logcollector/test_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_ignore_regex.py @@ -53,9 +53,9 @@ - logcollector_options ''' import os +import re import sys import pytest -import time from wazuh_testing.tools import PREFIX from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data @@ -76,7 +76,7 @@ t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_type_values.yaml') # Test configurations -test_file = os.path.join(PREFIX, 'test.log') +test_file = os.path.join(PREFIX, 'test') t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) for count, value in enumerate(t1_configuration_parameters): 
@@ -156,8 +156,13 @@ def test_ignore_default(configuration, metadata, new_file_path, create_file, tru log = metadata['log_sample'] command = f"echo '{log}' >> {test_file}" + if sys.platform == 'win32': + file = re.escape(test_file) + else: + file = test_file + # Check log file is being analyzed - evm.check_analyzing_file(file=test_file, prefix=prefix) + evm.check_analyzing_file(file=file, prefix=prefix) # Insert log run_local_command_returning_output(command) @@ -239,8 +244,13 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, create log = metadata['log_sample'] command = f"echo '{log}' >> {test_file}" + if sys.platform == 'win32': + file = re.escape(test_file) + else: + file = test_file + # Check log file is being analized - evm.check_analyzing_file(file=test_file, prefix=prefix) + evm.check_analyzing_file(file=file, prefix=prefix) # Insert log run_local_command_returning_output(command) diff --git a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py index d548e631e4..e114ddda0c 100644 --- a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py @@ -54,6 +54,7 @@ ''' import os import sys +import re import pytest from wazuh_testing.tools import PREFIX @@ -73,7 +74,7 @@ cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_ignore_regex_values.yaml') # Test configurations -test_file = os.path.join(PREFIX, 'test.log') +test_file = os.path.join(PREFIX, 'test') configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) for count, value in enumerate(configuration_parameters): 
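Review bot: `file = re.escape(test_file)` is applied only on win32, yet `check_analyzing_file` interpolates `file` into the regex `.*Analyzing file: '{file}'.*` on every platform, so on Linux/macOS the unescaped path is still a pattern — a `.` in `PREFIX` matches any character and a `+` or `(` would break the match. The three-line `sys.platform` branch can collapse to the unconditional `file = re.escape(test_file)`, which is a no-op for a plain POSIX path and correct on Windows. The same pasted branch recurs in the other test modules of this series; hoisting the escape into `check_analyzing_file` itself (outside this hunk) would remove the duplication. The test functions start before the hunk.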
@@ -146,8 +147,13 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr log = metadata['log_sample'] command = f"echo '{log}' >> {test_file}" + if sys.platform == 'win32': + file = re.escape(test_file) + else: + file = test_file + # Check log file is being analized - evm.check_analyzing_file(file=test_file, prefix=prefix) + evm.check_analyzing_file(file=file, prefix=prefix) # Insert log run_local_command_returning_output(command) diff --git a/tests/integration/test_logcollector/test_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_regex.py index 942bc8ec4a..bddbc2d7ba 100644 --- a/tests/integration/test_logcollector/test_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_options/test_restrict_regex.py @@ -54,6 +54,7 @@ ''' import os import sys +import re import pytest from wazuh_testing.tools import PREFIX @@ -76,7 +77,7 @@ t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_type_values.yaml') # Test configurations -test_file = os.path.join(PREFIX, 'test.log') +test_file = os.path.join(PREFIX, 'test') t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) for count, value in enumerate(t1_configuration_parameters): @@ -157,8 +158,13 @@ def test_restrict_default(configuration, metadata, new_file_path, create_file, t log = metadata['log_sample'] command = f"echo '{log}' >> {test_file}" + if sys.platform == 'win32': + file = re.escape(test_file) + else: + file = test_file + # Check log file is being analized - evm.check_analyzing_file(file=test_file, prefix=prefix) + evm.check_analyzing_file(file=file, prefix=prefix) # Insert log run_local_command_returning_output(command) 
@@ -239,8 +245,13 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, crea log = metadata['log_sample'] command = f"echo '{log}' >> {test_file}" + if sys.platform == 'win32': + file = re.escape(test_file) + else: + file = test_file + # Check log file is being analized - evm.check_analyzing_file(file=test_file, prefix=prefix) + evm.check_analyzing_file(file=file, prefix=prefix) # Insert log run_local_command_returning_output(command) From 16752ad6891d1d8e7d92cf3c4e6765f5d20a1175 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Tue, 15 Nov 2022 11:18:50 -0300 Subject: [PATCH 15/34] fix(#3480): remove quotes and space from command --- .../modules/logcollector/event_monitor.py | 12 ++++-------- .../test_options/test_ignore_regex.py | 4 ++-- .../test_options/test_restrict_ignore_regex.py | 2 +- .../test_options/test_restrict_regex.py | 4 ++-- 4 files changed, 9 insertions(+), 13 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py index edd81697ac..83de662337 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py @@ -84,10 +84,8 @@ def check_syslog_messages(message, prefix, error_message=None, file_monitor=None """ if error_message is None: error_message = f"Did not receive the expected 'Reading syslog message: {message}' event" - if sys.platform == 'win32': - callback_msg = fr".*DEBUG: Reading syslog message: ''{message}' '.*" - else: - callback_msg = fr".*DEBUG: Reading syslog message: '{message}'.*" + + callback_msg = fr".*DEBUG: Reading syslog message: '{message}'.*" check_logcollector_event(file_monitor=file_monitor, timeout=timeout, callback=callback_msg, error_message=error_message, prefix=prefix, escape=escape) 
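Review bot: `import sys`, added to event_monitor.py in the previous patch, appears to be unused once both `sys.platform` branches are removed here and in the following hunk; unless the top of the file (outside this hunk) still references `sys`, drop the import. Separately, `check_syslog_messages` discards the value of `check_logcollector_event(...)` while its sibling `check_ignore_restrict_messages` returns it; `return check_logcollector_event(file_monitor=file_monitor, timeout=timeout, callback=callback_msg, error_message=error_message, prefix=prefix, escape=escape)` keeps the two helpers consistent for callers that want the matched line. The function's signature is outside the hunk.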
@@ -108,10 +106,8 @@ def check_ignore_restrict_messages(message, regex, tag, prefix, error_message=No """ if error_message is None: error_message = f"Did not receive the expected 'Ignoring the log line: {message} due to {tag} config' event" - if sys.platform == 'win32': - callback_msg = fr"Ignoring the log line ''{message}' ' due to {tag} config: '{regex}'" - else: - callback_msg = fr"Ignoring the log line '{message}' due to {tag} config: '{regex}'" + + callback_msg = fr"Ignoring the log line '{message}' due to {tag} config: '{regex}'" return check_logcollector_event(file_monitor=file_monitor, timeout=timeout, callback=callback_msg, error_message=error_message, prefix=prefix, escape=escape) diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_ignore_regex.py index 96590b4490..ac05268833 100644 --- a/tests/integration/test_logcollector/test_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_ignore_regex.py @@ -154,7 +154,7 @@ def test_ignore_default(configuration, metadata, new_file_path, create_file, tru - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" ''' log = metadata['log_sample'] - command = f"echo '{log}' >> {test_file}" + command = f"echo {log}>> {test_file}" if sys.platform == 'win32': file = re.escape(test_file) @@ -242,7 +242,7 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, create - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" ''' log = metadata['log_sample'] - command = f"echo '{log}' >> {test_file}" + command = f"echo {log}>> {test_file}" if sys.platform == 'win32': file = re.escape(test_file) diff --git a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py index e114ddda0c..56c8a5ecb6 100644 
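Review bot: `command = f"echo {log}>> {test_file}"` now passes the YAML `log_sample` to a shell unquoted, so any metacharacter in a sample (`|`, `&`, `;`, `$`, quotes, `*`, `<`/`>`) is interpreted by the shell instead of landing in the file, and cmd.exe and sh interpret them differently — the very platform divergence this series is fighting. A sample ending in a space-separated digit is also mangled on POSIX shells, where `... 1>> file` reads the digit as a file-descriptor number and drops it from the echoed line. Writing the line from Python avoids the shell entirely and behaves the same on every platform: `with open(test_file, 'a') as log_file:` / `log_file.write(f"{log}\n")`, replacing the `run_local_command_returning_output(command)` call that follows the hunk. The enclosing test functions start before the hunk, so the docstrings that describe the `command` would need the same update.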
--- a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py @@ -145,7 +145,7 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" ''' log = metadata['log_sample'] - command = f"echo '{log}' >> {test_file}" + command = f"echo {log}>> {test_file}" if sys.platform == 'win32': file = re.escape(test_file) diff --git a/tests/integration/test_logcollector/test_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_regex.py index bddbc2d7ba..252bc2feb7 100644 --- a/tests/integration/test_logcollector/test_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_options/test_restrict_regex.py @@ -156,7 +156,7 @@ def test_restrict_default(configuration, metadata, new_file_path, create_file, t - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" ''' log = metadata['log_sample'] - command = f"echo '{log}' >> {test_file}" + command = f"echo {log}>> {test_file}" if sys.platform == 'win32': file = re.escape(test_file) @@ -243,7 +243,7 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, crea - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" ''' log = metadata['log_sample'] - command = f"echo '{log}' >> {test_file}" + command = f"echo {log}>> {test_file}" if sys.platform == 'win32': file = re.escape(test_file) From 3af7be8fa4ea7e3e81f6052471de296811608add Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Tue, 15 Nov 2022 16:30:46 -0300 Subject: [PATCH 16/34] fix(#3480): change escape flag to fix regex --- .../test_only_future_events.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py b/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py index da498d1f53..5bdb78ce51 100644 --- a/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py +++ b/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py @@ -80,7 +80,7 @@ temp_dir = tempfile.gettempdir() log_test_path = os.path.join(temp_dir, 'wazuh-testing', 'test.log') -LOG_LINE = 'Jan 1 00:00:00 localhost test[0]: line=' +LOG_LINE = 'Jan 1 00:00:00 localhost test: line=' prefix = LOG_COLLECTOR_PREFIX local_internal_options = {'logcollector.vcheck_files': '5', 'logcollector.debug': '2', 'windows.debug': '2'} @@ -210,7 +210,7 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, message = f"{LOG_LINE}{last_line}" evm.check_syslog_messages(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, - timeout=T_10, escape=True) + timeout=T_10, escape=False) # Stop logcollector daemon control_service('stop', daemon=LOGCOLLECTOR_DAEMON) @@ -227,12 +227,12 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, message = f"{LOG_LINE}{first_next_line}" evm.check_syslog_messages(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, - timeout=T_20, escape=True) + timeout=T_20, escape=False) # Check last log line message = f"{LOG_LINE}{current_line + 1}" evm.check_syslog_messages(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, - timeout=T_20, escape=True) + timeout=T_20, escape=False) # if only_future_events yes, logcollector should NOT detect the log lines written while it was stopped else: message = f"{LOG_LINE}{first_next_line}" 
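Review bot: Switching every `check_syslog_messages` call to `escape=False` means `message` is interpolated into the pattern `.*DEBUG: Reading syslog message: '{message}'.*` as a raw regex, which is presumably why `test[0]:` (a character class) had to become `test:` in `LOG_LINE`; that invariant is now silent and the next edit to the constant will reintroduce the failure. Add a comment on the constant, e.g. `# NOTE: matched as a raw regex by check_syslog_messages(escape=False); keep free of regex metacharacters`. What `escape=True` does inside `make_logcollector_callback` is not visible here, so whether the escaping path could instead be fixed is worth confirming before settling on the workaround. The test function starts before and continues after these hunks.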
@@ -241,7 +241,7 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, message = f"{LOG_LINE}{first_next_line}" evm.check_syslog_messages(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, - timeout=T_10, escape=True) + timeout=T_10, escape=False) # Check that the last written line is not read with pytest.raises(TimeoutError): @@ -249,7 +249,7 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, message = f"{LOG_LINE}{current_line + 1}" evm.check_syslog_messages(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, - timeout=T_10, escape=True) + timeout=T_10, escape=False) # Check that if we write new data when the daemon is turned on, it is read normally current_line = logcollector.add_log_data(log_path=metadata['location'], log_line_message=LOG_LINE, @@ -257,4 +257,4 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, message = f"{LOG_LINE}{current_line + 1}" evm.check_syslog_messages(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, - timeout=T_10, escape=True) + timeout=T_10, escape=False) From edbbb9fe88eab53596a51f3640af030a68980e14 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Wed, 16 Nov 2022 08:48:55 -0300 Subject: [PATCH 17/34] fix(#3480): fix only_future_events on windows --- .../test_only_future_events/test_only_future_events.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py b/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py index 5bdb78ce51..4ce8e5ca69 100644 --- a/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py 
+++ b/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py @@ -54,6 +54,7 @@ - logcollector_only_future_events ''' import os +import re import tempfile import sys import pytest @@ -197,8 +198,13 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, current_line = 0 log_monitor = setup_log_monitor + if sys.platform == 'win32': + file = re.escape(log_test_path) + else: + file = log_test_path + # Ensure that the file is being analyzed - evm.check_analyzing_file(file_monitor=log_monitor, file=log_test_path, + evm.check_analyzing_file(file_monitor=log_monitor, file=file, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix) # Add n log lines corresponding to 1KB From b926ea462e71409a85520179e957285ebfc75965 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Wed, 16 Nov 2022 08:57:15 -0300 Subject: [PATCH 18/34] style(#3480): fix spacing --- tests/integration/conftest.py | 2 +- .../test_logcollector/test_options/test_ignore_regex.py | 1 + .../test_options/test_options_state_interval.py | 1 + .../test_options/test_restrict_ignore_regex.py | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py index b84465df75..5b68b7de7d 100644 --- a/tests/integration/conftest.py +++ b/tests/integration/conftest.py @@ -1052,7 +1052,7 @@ def set_local_internal_options(local_internal_options): @pytest.fixture(scope='function') def truncate_monitored_files(): """Truncate all the log files and json alerts files before and after the test execution""" - + if 'agent' in get_service(): log_files = [LOG_FILE_PATH] else: diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_ignore_regex.py index ac05268833..7298599117 100644 --- a/tests/integration/test_logcollector/test_options/test_ignore_regex.py 
+++ b/tests/integration/test_logcollector/test_options/test_ignore_regex.py @@ -92,6 +92,7 @@ prefix = lc.LOG_COLLECTOR_PREFIX + # Tests @pytest.mark.tier(level=0) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) diff --git a/tests/integration/test_logcollector/test_options/test_options_state_interval.py b/tests/integration/test_logcollector/test_options/test_options_state_interval.py index 4fcfd2377d..9aa0b8593a 100644 --- a/tests/integration/test_logcollector/test_options/test_options_state_interval.py +++ b/tests/integration/test_logcollector/test_options/test_options_state_interval.py @@ -76,6 +76,7 @@ wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) state_interval_update_timeout = 10 + # Fixtures @pytest.fixture(scope="module", params=state_interval) def get_local_internal_options(request): diff --git a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py index 56c8a5ecb6..289122bb8a 100644 --- a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py +++ b/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py @@ -82,6 +82,7 @@ configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata) prefix = lc.LOG_COLLECTOR_PREFIX + # Tests @pytest.mark.tier(level=1) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) From 34b4314291daffa12530c2dd9c5aebdfff929618 Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Fri, 18 Nov 2022 11:58:37 -0300 Subject: [PATCH 19/34] docs(#3480): fix indentation and test ids --- tests/integration/conftest.py | 34 +------------- .../configuration_ignore_regex_default.yaml | 0 ...onfiguration_ignore_regex_type_values.yaml | 0 ...guration_restrict_ignore_regex_values.yaml | 0 .../configuration_restrict_regex_default.yaml | 0 ...figuration_restrict_regex_type_values.yaml | 0 .../wazuh_configuration.yaml | 13 ++++++ .../cases_ignore_regex_default.yaml | 4 +- .../cases_ignore_regex_type_values.yaml | 24 +++++----- .../cases_restrict_ignore_regex_values.yaml | 46 +++++++++---------- .../cases_restrict_regex_default.yaml | 4 +- .../cases_restrict_regex_type_values.yaml | 12 ++--- .../test_ignore_regex.py | 35 +++++++------- .../test_restrict_ignore_regex.py | 24 +++++----- .../test_restrict_regex.py | 39 ++++++++-------- 15 files changed, 106 insertions(+), 129 deletions(-) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/data/configuration_template/configuration_ignore_regex_default.yaml (100%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/data/configuration_template/configuration_ignore_regex_type_values.yaml (100%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/data/configuration_template/configuration_restrict_ignore_regex_values.yaml (100%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/data/configuration_template/configuration_restrict_regex_default.yaml (100%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/data/configuration_template/configuration_restrict_regex_type_values.yaml (100%) create mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/wazuh_configuration.yaml rename tests/integration/test_logcollector/{test_options => 
test_log_filter_options}/data/test_cases/cases_ignore_regex_default.yaml (79%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/data/test_cases/cases_ignore_regex_type_values.yaml (62%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/data/test_cases/cases_restrict_ignore_regex_values.yaml (85%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/data/test_cases/cases_restrict_regex_default.yaml (80%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/data/test_cases/cases_restrict_regex_type_values.yaml (82%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/test_ignore_regex.py (89%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/test_restrict_ignore_regex.py (90%) rename tests/integration/test_logcollector/{test_options => test_log_filter_options}/test_restrict_regex.py (89%) diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py index 5b68b7de7d..9a18725fdf 100644 --- a/tests/integration/conftest.py +++ b/tests/integration/conftest.py 
@@ -1017,39 +1017,7 @@ def set_wazuh_configuration(configuration):
conf.write_wazuh_conf(backup_config)
-@pytest.fixture(scope='function')
-def set_wazuh_configuration_with_local_internal_options(configuration, set_wazuh_configuration,
- set_local_internal_options, local_internal_options):
- """Set wazuh configuration
- Args:
- configuration (dict): Configuration template data to write in the ossec.conf.
- local_internal_options(dict): Object containing the local_internal_options_values to be configured.
- set_wazuh_configuration (fixture): Set the wazuh configuration according to the configuration data.
- set_local_internal_options (fixture): Set the local_internal_options.conf file.
- """
- yield
-
-
-@pytest.fixture(scope='function')
-def set_local_internal_options(local_internal_options):
- """Fixture to configure the local internal options file.
- Args:
- local_internal_options(dict): Object containing the local_internal_options_values to be configured.
- """
-
- # Backup the old local internal options
- backup_local_internal_options = conf.get_wazuh_local_internal_options()
-
- # Set the new local internal options configuration
- conf.set_wazuh_local_internal_options(conf.create_local_internal_options(local_internal_options))
-
- yield
-
- # Backup the old local internal options cofiguration
- conf.set_wazuh_local_internal_options(backup_local_internal_options)
-
-
-@pytest.fixture(scope='function')
+@pytest.fixture()
def truncate_monitored_files():
"""Truncate all the log files and json alerts files before and after the test execution"""
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_default.yaml
similarity index 100%
rename from tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_default.yaml
rename to tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_default.yaml
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_type_values.yaml
similarity index 100%
rename from tests/integration/test_logcollector/test_options/data/configuration_template/configuration_ignore_regex_type_values.yaml
rename to tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_type_values.yaml
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml
similarity index 100%
rename from tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml
rename to tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_ignore_regex_values.yaml
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_default.yaml
similarity index 100%
rename from tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_default.yaml
rename to tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_default.yaml
diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_type_values.yaml
similarity index 100%
rename from tests/integration/test_logcollector/test_options/data/configuration_template/configuration_restrict_regex_type_values.yaml
rename to tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_type_values.yaml
diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/wazuh_configuration.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/wazuh_configuration.yaml
new file mode 100644
index 0000000000..2d27149430
--- /dev/null
+++ b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/wazuh_configuration.yaml
@@ -0,0 +1,13 @@
+- tags:
+ - test_options
+ apply_to_modules:
+ - test_options_state_interval_no_file
+ sections:
+ - section: localfile
+ attributes:
+ - name: testing files
+ elements:
+ - log_format:
+ value: syslog
+ - location:
+ value: LOCATION
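Review bot: The new template's `apply_to_modules` entry is `test_options_state_interval_no_file`, which is not one of the three modules this commit moves into the suite (test_ignore_regex, test_restrict_ignore_regex, test_restrict_regex), and its `tags` entry keeps `test_options` while the suite is renamed to `log_filter_options` in the same commit. The test modules' `input_description` sections name the per-case `configuration_*.yaml` templates, so nothing visible here loads this file; if it is meant as a shared template, point `apply_to_modules` at the real module names and align the tag, otherwise it looks like a stray copy that should be dropped rather than shipped. If it stays, a one-line header such as `# Shared localfile template for the log_filter_options suite; LOCATION is substituted by the test module` would make its role explicit.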
diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml similarity index 79% rename from tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml rename to tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml index 0b620af602..0fee684eb4 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_default.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml @@ -1,4 +1,4 @@ -- name: Test Ignore Default - Match +- name: Test Ignore tag - Default engine - Log Matches description: Test Ignore with default regex, with matching log configuration_parameters: REGEX: .+test @@ -7,7 +7,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Ignore Default - Does not Match +- name: Test Ignore tag - Default engine - Log does not Match description: Test Ignore with default regex, with not matching log configuration_parameters: REGEX: .+test diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml similarity index 62% rename from tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml rename to tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml index 13cb592c98..e5877f1279 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_ignore_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml 
@@ -1,5 +1,5 @@ -- name: Test Ignore PCRE2 - Match - description: Test Ignore with PCRE2 regex, with matching log +- name: Test Ignore tag - PCRE2 engine - log match + description: Test Ignore tag tag with PCRE2 regex, with matching log configuration_parameters: REGEX: .*test REGEX_TYPE: PCRE2 @@ -9,8 +9,8 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Ignore PCRE2 - Does not Match - description: Test Ignore with PCRE2 regex, with not matching log +- name: Test Ignore tag - PCRE2 engine - log does not match + description: Test Ignore tag with PCRE2 regex, with not matching log configuration_parameters: REGEX: .*test REGEX_TYPE: PCRE2 @@ -20,8 +20,8 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" matches: false -- name: Test Ignore osmatch - Match - description: Test Ignore with osmatch regex, with matching log +- name: Test Ignore tag - osmatch engine - log match + description: Test Ignore tag with osmatch regex, with matching log configuration_parameters: REGEX: test$ REGEX_TYPE: osmatch @@ -31,8 +31,8 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Ignore osmatch - Does not Match - description: Test Ignore with osmatch regex, with not matching log +- name: Test Ignore tag - osmatch engine - log does not match + description: Test Ignore tag with osmatch regex, with not matching log configuration_parameters: REGEX: test$ REGEX_TYPE: osmatch @@ -42,8 +42,8 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" matches: false -- name: Test Ignore osregex - Match - description: Test Ignore with osregex regex, with matching log +- name: Test Ignore tag - osregex engine - log match + description: Test Ignore tag with osregex regex, with matching log configuration_parameters: REGEX: \.test REGEX_TYPE: osregex 
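Review bot: The first added description reads `Test Ignore tag tag with PCRE2 regex, with matching log` — a doubled word; it should be `description: Test Ignore tag with PCRE2 regex, with matching log`, matching the other five descriptions rewritten in this file. The new names also use lowercase `log match` here while cases_ignore_regex_default.yaml uses `Log Matches`; since these names appear to become the pytest ids, one casing across the suite keeps `-k` filters predictable.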
@@ -53,8 +53,8 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Ignore osregex - Does not Match - description: Test Ignore with osregex regex, with not matching log +- name: Test Ignore tag - osregex engine - log does not match + description: Test Ignore tag with osregex regex, with not matching log configuration_parameters: REGEX: \.test REGEX_TYPE: osregex diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml similarity index 85% rename from tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml rename to tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml index 3b03db21c0..f53e8d5b69 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_ignore_regex_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml @@ -1,5 +1,5 @@ # Test PCRE2 -- name: Test Restrict+Ignore - Matches Restrict +- name: Test Restrict+Ignore - Both PCRE2 - Matches Restrict only description: Test Restrict + Ignore tags both with PCRE2 regex. Log matches restrict configuration_parameters: RESTRICT_REGEX: .*restrict @@ -12,7 +12,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - Matches Ignore Only +- name: Test Restrict+Ignore - Both PCRE2 - Matches Ignore Only description: Test Restrict + Ignore tags both with PCRE2 regex. Log matches ignore configuration_parameters: RESTRICT_REGEX: .*restrict 
@@ -25,7 +25,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - Matches Both +- name: Test Restrict+Ignore - Both PCRE2- Matches Both description: Test Restrict + Ignore tags both with pcre2 regex. Log matches both configuration_parameters: RESTRICT_REGEX: .*restrict @@ -38,7 +38,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - Matches None +- name: Test Restrict+Ignore - Both PCRE2 - Matches None description: Test Restrict + Ignore tags both with pcre2 regex. Log matches None configuration_parameters: RESTRICT_REGEX: .*restrict @@ -52,7 +52,7 @@ matches: None # Test osregex -- name: Test Restrict+Ignore - Matches Restrict +- name: Test Restrict+Ignore - Both osregex - Matches Restrict only description: Test Restrict + Ignore tags both with osregex regex. Log matches restrict configuration_parameters: RESTRICT_REGEX: \.restrict @@ -65,7 +65,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - Matches Ignore Only +- name: Test Restrict+Ignore - Both osregex - Matches Ignore Only description: Test Restrict + Ignore tags both with osregex regex. Log matches ignore configuration_parameters: RESTRICT_REGEX: \.restrict @@ -78,7 +78,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - Matches Both +- name: Test Restrict+Ignore - Both osregex - Matches Both description: Test Restrict + Ignore tags both with osregex regex. Log matches both configuration_parameters: RESTRICT_REGEX: \.restrict 
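Review bot: The new id `Test Restrict+Ignore - Both PCRE2- Matches Both` is missing the space before the dash that every other id in this file carries; it should be `- name: Test Restrict+Ignore - Both PCRE2 - Matches Both`. In the same family, the osmatch `Matches Restrict` id in the next hunk group drops the `only` suffix that the PCRE2 and osregex variants have, so the `Matches Restrict` cases are named inconsistently across engines; as these names appear to feed the parametrize ids, one pattern per engine keeps selection and reports predictable.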
@@ -91,7 +91,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - Matches None +- name: Test Restrict+Ignore - Both osregex - Matches None description: Test Restrict + Ignore tags both with osregex regex. Log matches None configuration_parameters: RESTRICT_REGEX: \.restrict @@ -105,7 +105,7 @@ matches: None # Test osmatch -- name: Test Restrict+Ignore - Matches Restrict +- name: Test Restrict+Ignore - Both osmatch - Matches Restrict description: Test Restrict + Ignore tags both with osmatch regex. Log matches restrict configuration_parameters: RESTRICT_REGEX: restrict$ @@ -118,7 +118,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - Matches Ignore Only +- name: Test Restrict+Ignore - Both osmatch - Matches Ignore Only description: Test Restrict + Ignore tags both with osmatch regex. Log matches ignore configuration_parameters: RESTRICT_REGEX: restrict$ @@ -131,7 +131,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - Matches Both +- name: Test Restrict+Ignore - Both osmatch - Matches Both description: Test Restrict + Ignore tags both with osmatch regex. Log matches both configuration_parameters: RESTRICT_REGEX: restrict$ @@ -144,7 +144,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - Matches None +- name: Test Restrict+Ignore - Both osmatch - Matches None description: Test Restrict + Ignore tags both with osmatch regex. Log matches None configuration_parameters: RESTRICT_REGEX: restrict$ 
@@ -158,7 +158,7 @@ matches: None # Test pcre2 + osregex -- name: Test Restrict+Ignore - Matches Restrict +- name: Test Restrict+Ignore - pcre2+osregex engine - Matches Restrict description: Test Restrict + Ignore tags (pcre2+osregex). Log matches restrict configuration_parameters: RESTRICT_REGEX: .*restrict @@ -171,7 +171,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - Matches Ignore Only +- name: Test Restrict+Ignore - pcre2+osregex engine - Matches Ignore Only description: Test Restrict + Ignore tags (pcre2+osregex). Log matches ignore configuration_parameters: RESTRICT_REGEX: .*restrict @@ -184,7 +184,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - Matches Both +- name: Test Restrict+Ignore - pcre2+osregex engine - Matches Both description: Test Restrict + Ignore tags (pcre2+osregex). Log matches both configuration_parameters: RESTRICT_REGEX: .*restrict @@ -197,7 +197,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - Matches None +- name: Test Restrict+Ignore - pcre2+osregex engine - Matches None description: Test Restrict + Ignore tags (pcre2+osregex). Log matches None configuration_parameters: RESTRICT_REGEX: .*restrict @@ -211,7 +211,7 @@ matches: None # Test pcre2 + osmatch -- name: Test Restrict+Ignore - Matches Restrict +- name: Test Restrict+Ignore - pcre2+osmatch engine - Matches Restrict description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches restrict configuration_parameters: RESTRICT_REGEX: .*restrict 
@@ -224,7 +224,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - Matches Ignore Only +- name: Test Restrict+Ignore - pcre2+osmatch engine - Matches Ignore Only description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches ignore configuration_parameters: RESTRICT_REGEX: .*restrict @@ -237,7 +237,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - Matches Both +- name: Test Restrict+Ignore - pcre2+osmatch engine - Matches Both description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches both configuration_parameters: RESTRICT_REGEX: .*restrict @@ -264,7 +264,7 @@ matches: None # Test osmatch + osregex -- name: Test Restrict+Ignore - Matches Restrict +- name: Test Restrict+Ignore - osregex+osmatch engine - Matches Restrict description: Test Restrict + Ignore tags (osregex+osmatch). Log matches restrict configuration_parameters: RESTRICT_REGEX: \.restrict @@ -277,7 +277,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - Matches Ignore Only +- name: Test Restrict+Ignore - osregex+osmatch engine - Matches Ignore Only description: Test Restrict + Ignore tags (osregex+osmatch). Log matches ignore configuration_parameters: RESTRICT_REGEX: \.restrict @@ -290,7 +290,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - Matches Both +- name: Test Restrict+Ignore - osregex+osmatch engine - Matches Both description: Test Restrict + Ignore tags (osregex+osmatch). Log matches both configuration_parameters: RESTRICT_REGEX: \.restrict 
@@ -303,7 +303,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - Matches None +- name: Test Restrict+Ignore - osregex+osmatch engine - Matches None description: Test Restrict + Ignore tags (osregex+osmatch). Log matches None configuration_parameters: RESTRICT_REGEX: \.restrict diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml similarity index 80% rename from tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml rename to tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml index 6e8cba8940..fbef53ea80 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_default.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml @@ -1,4 +1,4 @@ -- name: Test Restrict Default - Match +- name: Test Restrict tag - Default engine - Log Matches description: Test Restrict with default regex, with matching log configuration_parameters: REGEX: .+test @@ -7,7 +7,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Restrict Default - Does not Match +- name: Test Restrict tag - Default engine - Log Matches description: Test Restrict with default regex, with not matching log configuration_parameters: REGEX: .+test 
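Review bot: In cases_restrict_regex_default.yaml the second case is renamed to `Test Restrict tag - Default engine - Log Matches`, identical to the first case, even though its description and the old name describe the non-matching log. These names appear to feed `ids=t1_case_ids` in test_restrict_regex.py, so the two cases become indistinguishable in reports and `-k` selection, and the one that checks a non-matching log is ignored under `restrict` — the behaviour that matters for a log filter — loses its own id. Rename it `- name: Test Restrict tag - Default engine - Log does not Match`, mirroring the ignore counterpart in cases_ignore_regex_default.yaml.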
diff --git a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml similarity index 82% rename from tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml rename to tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml index b4fbfb0f5d..df4be4b4ff 100644 --- a/tests/integration/test_logcollector/test_options/data/test_cases/cases_restrict_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml @@ -1,4 +1,4 @@ -- name: Test Restrict PCRE2 - Match +- name: Test Restrict tag - PCRE2 engine - log matches description: Test Restrict with PCRE2 regex, with matching log configuration_parameters: REGEX: .*test @@ -9,7 +9,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Restrict PCRE2 - Does not Match +- name: Test Restrict tag - PCRE2 engine - log does not match description: Test Restrict with PCRE2 regex, with not matching log configuration_parameters: REGEX: .*test @@ -20,7 +20,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" matches: false -- name: Test Restrict osmatch - Match +- name: Test Restrict tag - osmatch engine - log match description: Test Restrict with osmatch regex, with matching log configuration_parameters: REGEX: test$ @@ -31,7 +31,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Restrict osmatch - Does not Match +- name: Test Restrict tag - osmatch engine - log does not match description: Test Restrict with osmatch regex, with not matching log configuration_parameters: REGEX: test$ 
@@ -42,7 +42,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" matches: false -- name: Test Restrict osregex - Match +- name: Test Restrict tag - osregex engine - log match description: Test Restrict with osregex regex, with matching log configuration_parameters: REGEX: \.test @@ -53,7 +53,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Restrict osregex - Does not Match +- name: Test Restrict tag - osregex engine - log does not match description: Test Restrict with osregex regex, with not matching log configuration_parameters: REGEX: \.test diff --git a/tests/integration/test_logcollector/test_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py similarity index 89% rename from tests/integration/test_logcollector/test_options/test_ignore_regex.py rename to tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py index 7298599117..0f896c5df1 100644 --- a/tests/integration/test_logcollector/test_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py @@ -16,7 +16,7 @@ components: - logcollector -suite: options +suite: log_filter_options targets: - agent 
@@ -91,19 +91,17 @@
t2_configuration_metadata)
prefix = lc.LOG_COLLECTOR_PREFIX
-
+local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS
# Tests
@pytest.mark.tier(level=0)
@pytest.mark.parametrize('new_file_path,', [test_file], ids=[''])
-@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids)
def test_ignore_default(configuration, metadata, new_file_path, create_file, truncate_monitored_files,
- local_internal_options, set_wazuh_configuration_with_local_internal_options,
- restart_wazuh_function):
+ set_wazuh_configuration, configure_local_internal_options_function, restart_wazuh_function):
'''
description: Check if logcollector reads or ignores a log according to a regex configured in the ignored tag for a
- given log file.
+ given log file.
test_phases:
- Set a custom Wazuh configuration.
@@ -128,15 +126,15 @@ def test_ignore_default(configuration, metadata, new_file_path, create_file, tru
- create_file:
type: fixture
brief: Create an empty file for logging
- - local_internal_options
- type: dict
- brief: Contains the options to configure in local_internal_options
- truncate_monitored_files:
type: fixture
brief: Truncate all the log files and json alerts files before and after the test execution.
- - set_wazuh_configuration_with_local_internal_options:
+ - set_wazuh_configuration:
+ type: fixture
+ brief: Set the wazuh configuration according to the configuration data.
+ - configure_local_internal_options:
type: fixture
- brief: Set the wazuh configuration according to the configuration data and local_internal_options.
+ brief: Configure the local_internal_options file.
- restart_wazuh_function:
type: fixture
brief: Restart wazuh.
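Review bot: The docstring's parameters list names the fixture `configure_local_internal_options`, but the signature takes `configure_local_internal_options_function`; the entry should read `- configure_local_internal_options_function:` so the documented fixture is the one pytest actually resolves. The same mismatch is repeated in the docstring hunks of test_ignore_regex_type_values, test_restrict_ignore_regex_values and test_restrict_default (and presumably test_restrict_regex_type_values, whose docstring hunk lies beyond this chunk). The new module-level `local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS` replaces the parametrized fixture argument, but nothing in the hunk shows how the new fixture finds it — presumably via the test module's namespace — so a comment such as `# Read by the configure_local_internal_options_function fixture from this module` would make the implicit coupling visible to the next person who renames it. The body of test_ignore_default continues outside the hunk.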
@@ -184,14 +182,13 @@ def test_ignore_default(configuration, metadata, new_file_path, create_file, tru
@pytest.mark.tier(level=1)
@pytest.mark.parametrize('new_file_path,', [test_file], ids=[''])
-@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids)
def test_ignore_regex_type_values(configuration, metadata, new_file_path, create_file, truncate_monitored_files,
- local_internal_options, set_wazuh_configuration_with_local_internal_options,
+ set_wazuh_configuration, configure_local_internal_options_function,
restart_wazuh_function):
'''
description: Check if logcollector reads or ignores a log according to a regex configured in the ignored tag for a
- given log file, , with each configured value for the ignore 'type' attribute value configured.
+ given log file, , with each configured value for the ignore 'type' attribute value configured.
test_phases:
- Set a custom Wazuh configuration.
@@ -216,15 +213,15 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, create
- create_file:
type: fixture
brief: Create an empty file for logging
- - local_internal_options
- type: dict
- brief: Contains the options to configure in local_internal_options
- truncate_monitored_files:
type: fixture
brief: Truncate all the log files and json alerts files before and after the test execution.
- - set_wazuh_configuration_with_local_internal_options:
+ - set_wazuh_configuration:
+ type: fixture
+ brief: Set the wazuh configuration according to the configuration data.
+ - configure_local_internal_options:
type: fixture
- brief: Set the wazuh configuration according to the configuration data and local_internal_options.
+ brief: Configure the local_internal_options file.
- restart_wazuh_function:
type: fixture
brief: Restart wazuh.
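Review bot: The re-indented description line keeps the stray double comma from the old text — `given log file, , with each configured value ...`; since the line is being rewritten anyway, it should become `given log file, with each configured value of the ignore 'type' attribute.`, which also drops the redundant "value configured" ending. The rest of test_ignore_regex_type_values is outside the hunk.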
diff --git a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py
similarity index 90%
rename from tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py
rename to tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py
index 289122bb8a..1975dfd243 100644
--- a/tests/integration/test_logcollector/test_options/test_restrict_ignore_regex.py
+++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py
@@ -16,7 +16,7 @@
components:
- logcollector
-suite: options
+suite: log_filter_options
targets:
- agent
@@ -81,15 +81,15 @@
configuration_parameters[count]['LOCATION'] = test_file
configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata)
prefix = lc.LOG_COLLECTOR_PREFIX
+local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS
# Tests
@pytest.mark.tier(level=1)
@pytest.mark.parametrize('new_file_path,', [test_file], ids=[''])
-@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
@pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids)
def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, create_file, truncate_monitored_files,
- local_internal_options, set_wazuh_configuration_with_local_internal_options,
+ set_wazuh_configuration, configure_local_internal_options_function,
restart_wazuh_function):
'''
description: Check if logcollector reads or ignores a log according to a regex configured in the restrict and
@@ -119,15 +119,15 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr
- create_file:
type: fixture
brief: Create an empty file for logging
- - local_internal_options
- type: dict
- brief: Contains the options to configure in local_internal_options
- truncate_monitored_files:
type: fixture
brief: Truncate all the log files and json alerts files before and after the test execution.
- - set_wazuh_configuration_with_local_internal_options:
+ - set_wazuh_configuration:
+ type: fixture
+ brief: Set the wazuh configuration according to the configuration data.
+ - configure_local_internal_options:
type: fixture
- brief: Set the wazuh configuration according to the configuration data and local_internal_options.
+ brief: Configure the local_internal_options file.
- restart_wazuh_function:
type: fixture
brief: Restart wazuh.
@@ -137,8 +137,8 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr
- Check that logs are ignored when they do not match with configured regex
input_description:
- - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test.
- - The `cases_ignore_regex_default` file provides the test cases.
+ - The `configuration_restrict_ignore_regex_values.yaml` file provides the module configuration for this test.
+ - The `cases_restrict_ignore_regex_values` file provides the test cases.
expected_output:
- r".*wazuh-logcollector.*Analizing file: '{file}'.*"
@@ -172,6 +172,7 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr
log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict',
prefix=prefix)
assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
+
# If matches with restrict, it should not be ignored due to restrict config
elif metadata['matches'] == 'restrict':
log_found = False
@@ -184,8 +185,9 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr
log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore',
prefix=prefix)
assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT
+
+ # If it matches with None, the log should be ignored due to restrict config and not due to ignore config
else:
- # If it matches with None, the log should be ignored due to restrict config and not due to ignore config
log_found = False
with pytest.raises(TimeoutError):
log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore',
diff --git a/tests/integration/test_logcollector/test_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py
similarity index 89%
rename from tests/integration/test_logcollector/test_options/test_restrict_regex.py
rename to tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py
index 252bc2feb7..c8c4d674f2 100644
--- a/tests/integration/test_logcollector/test_options/test_restrict_regex.py
+++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py
@@ -16,7 +16,7 @@
components:
- logcollector
-suite: options
+suite: log_filter_options
targets:
- agent
@@ -92,19 +92,17 @@
t2_configuration_metadata)
prefix = lc.LOG_COLLECTOR_PREFIX
-
+local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS
# Tests
-@pytest.mark.tier(level=1)
+@pytest.mark.tier(level=0)
@pytest.mark.parametrize('new_file_path,', [test_file], ids=[''])
-@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=[''])
@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids)
def test_restrict_default(configuration, metadata, new_file_path, create_file, truncate_monitored_files,
- local_internal_options, set_wazuh_configuration_with_local_internal_options,
- restart_wazuh_function):
+ set_wazuh_configuration, configure_local_internal_options_function, restart_wazuh_function):
'''
description: Check if logcollector reads or ignores a log according to a regex configured in the restrict tag for a
- given log file.
+ given log file.
test_phases:
- Set a custom Wazuh configuration.
@@ -114,7 +112,7 @@ def test_restrict_default(configuration, metadata, new_file_path, create_file, t
wazuh_min_version: 4.5.0
- tier: 1
+ tier: 0
parameters:
- configuration:
@@ -126,18 +124,18 @@ def test_restrict_default(configuration, metadata, new_file_path, create_file, t - new_file_path: type: str brief: path for the log file to be created and deleted after the test. - - local_internal_options - type: dict - brief: Contains the options to configure in local_internal_options - create_file: type: fixture brief: Create an empty file for logging - truncate_monitored_files: type: fixture brief: Truncate all the log files and json alerts files before and after the test execution. - - set_wazuh_configuration_with_local_internal_options: + - set_wazuh_configuration: type: fixture - brief: Set the wazuh configuration according to the configuration data and local_internal_options. + brief: Set the wazuh configuration according to the configuration data. + - configure_local_internal_options: + type: fixture + brief: Configure the local_internal_options file. - restart_wazuh_function: type: fixture brief: Restart wazuh. 
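Review bot: The new docstring entry `- configure_local_internal_options:` names a fixture that differs from the one the test signature now requests, `configure_local_internal_options_function`, so the parameters list no longer matches the code; the same mismatch is in the `test_restrict_regex_type_values` docstring hunk further down this patch. The brief `Configure the local_internal_options file.` also drops the information the removed `local_internal_options` entry carried (where the values come from); since the parametrized argument is gone and the signature hunk introduces a module-level `local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS`, presumably read by that fixture, the entry could say `brief: Configure the local_internal_options file from the module-level local_internal_options dict.` `test_restrict_default` starts and ends outside the hunk.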
@@ -184,14 +182,13 @@ def test_restrict_default(configuration, metadata, new_file_path, create_file, t @pytest.mark.tier(level=1) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) -@pytest.mark.parametrize('local_internal_options,', [lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) def test_restrict_regex_type_values(configuration, metadata, new_file_path, create_file, truncate_monitored_files, - local_internal_options, set_wazuh_configuration_with_local_internal_options, + set_wazuh_configuration, configure_local_internal_options_function, restart_wazuh_function): ''' description: Check if logcollector reads or ignores a log according to a regex configured in the restrict tag for a - given log file, with each configured value for the restrict 'type' attribute value configured. + given log file, with each configured value for the restrict 'type' attribute value configured. test_phases: - Set a custom Wazuh configuration. 
@@ -213,18 +210,18 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, crea - new_file_path: type: str brief: path for the log file to be created and deleted after the test. - - local_internal_options - type: dict - brief: Contains the options to configure in local_internal_options - create_file: type: fixture brief: Create an empty file for logging - truncate_monitored_files: type: fixture brief: Truncate all the log files and json alerts files before and after the test execution. - - set_wazuh_configuration_with_local_internal_options: + - set_wazuh_configuration: + type: fixture + brief: Set the wazuh configuration according to the configuration data. + - configure_local_internal_options: type: fixture - brief: Set the wazuh configuration according to the configuration data and local_internal_options. + brief: Configure the local_internal_options file. - restart_wazuh_function: type: fixture brief: Restart wazuh. From 61d5a35a31c1e479870d23437774200c5217732a Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 18 Nov 2022 12:01:10 -0300 Subject: [PATCH 20/34] docs(#3480): fix indentation and test ids --- .../wazuh_testing/modules/logcollector/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py index 078f8dfdf5..fb325ecaaf 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py @@ -10,7 +10,7 @@ # Error Messages GENERIC_CALLBACK_ERROR_COMMAND_MONITORING = 'The expected command monitoring log has not been produced' -ERR_MSG_UNEXPECTED_IGNORE_EVENT = "Found unexpected 'Ignoring the log... due to ignore/restrict config' event" +ERR_MSG_UNEXPECTED_IGNORE_EVENT = "Found unexpected 'Ignoring the log due to ignore/restrict config' event" # Local_internal_options 
From 6064931b36f11cda1b9c35827ffea220a0c956ef Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 18 Nov 2022 16:06:26 -0300 Subject: [PATCH 21/34] style(#3480): fix style and spacing --- .../wazuh_testing/modules/logcollector/__init__.py | 2 +- .../configuration_template/wazuh_configuration.yaml | 13 ------------- .../cases_restrict_ignore_regex_values.yaml | 2 +- .../test_log_filter_options/test_ignore_regex.py | 1 + .../test_restrict_ignore_regex.py | 2 +- .../test_log_filter_options/test_restrict_regex.py | 1 + 6 files changed, 5 insertions(+), 16 deletions(-) delete mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/wazuh_configuration.yaml diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py index fb325ecaaf..356620f0a8 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/__init__.py @@ -10,7 +10,7 @@ # Error Messages GENERIC_CALLBACK_ERROR_COMMAND_MONITORING = 'The expected command monitoring log has not been produced' -ERR_MSG_UNEXPECTED_IGNORE_EVENT = "Found unexpected 'Ignoring the log due to ignore/restrict config' event" +ERR_MSG_UNEXPECTED_IGNORE_EVENT = "Found unexpected 'Ignoring the log due to ignore/restrict config' event" # Local_internal_options diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/wazuh_configuration.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/wazuh_configuration.yaml deleted file mode 100644 index 2d27149430..0000000000 --- a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/wazuh_configuration.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -- tags: - - test_options - apply_to_modules: - - test_options_state_interval_no_file - sections: - - section: localfile - attributes: - - name: testing files - elements: - - log_format: - value: syslog - - location: - value: LOCATION diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml index f53e8d5b69..f489a01426 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml @@ -52,7 +52,7 @@ matches: None # Test osregex -- name: Test Restrict+Ignore - Both osregex - Matches Restrict only +- name: Test Restrict+Ignore - Both osregex - Matches Restrict only description: Test Restrict + Ignore tags both with osregex regex. Log matches restrict configuration_parameters: RESTRICT_REGEX: \.restrict diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py index 0f896c5df1..a419656b69 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py @@ -93,6 +93,7 @@ prefix = lc.LOG_COLLECTOR_PREFIX local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS + # Tests @pytest.mark.tier(level=0) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py index 1975dfd243..76dc9f3f9b 100644 
--- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py @@ -185,7 +185,7 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore', prefix=prefix) assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT - + # If it matches with None, the log should be ignored due to restrict config and not due to ignore config else: log_found = False diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py index c8c4d674f2..e297b9e9ba 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py @@ -94,6 +94,7 @@ prefix = lc.LOG_COLLECTOR_PREFIX local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS + # Tests @pytest.mark.tier(level=0) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) From f2274404ea2970de62ceabab78d45e3c74a58574 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 24 Nov 2022 15:27:15 -0300 Subject: [PATCH 22/34] style(#3480): fix comments and case names --- .../test_cases/cases_restrict_ignore_regex_values.yaml | 10 +++++----- .../test_log_filter_options/test_ignore_regex.py | 8 ++++---- .../test_log_filter_options/test_restrict_regex.py | 8 ++++---- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml index f489a01426..ef2dc6235d 100644 
--- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml @@ -250,7 +250,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - Matches None +- name: No log match - Ignore and restrict tags with pcre2 and osmatch regex description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches None configuration_parameters: RESTRICT_REGEX: .*restrict @@ -264,7 +264,7 @@ matches: None # Test osmatch + osregex -- name: Test Restrict+Ignore - osregex+osmatch engine - Matches Restrict +- name: Matches with restrict tag - Ignore and restrict tags with osregex and osmatch regex description: Test Restrict + Ignore tags (osregex+osmatch). Log matches restrict configuration_parameters: RESTRICT_REGEX: \.restrict @@ -277,7 +277,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - osregex+osmatch engine - Matches Ignore Only +- name: Matches with ignore tag - Ignore and restrict tags with osregex and osmatch regex description: Test Restrict + Ignore tags (osregex+osmatch). Log matches ignore configuration_parameters: RESTRICT_REGEX: \.restrict @@ -290,7 +290,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - osregex+osmatch engine - Matches Both +- name: Log match - Ignore and restrict tags with osregex and osmatch regex description: Test Restrict + Ignore tags (osregex+osmatch). Log matches both configuration_parameters: RESTRICT_REGEX: \.restrict 
@@ -303,7 +303,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - osregex+osmatch engine - Matches None +- name: No log match - Ignore and restrict tags with osregex and osmatch regex description: Test Restrict + Ignore tags (osregex+osmatch). Log matches None configuration_parameters: RESTRICT_REGEX: \.restrict diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py index a419656b69..75322f5e91 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py @@ -163,7 +163,7 @@ def test_ignore_default(configuration, metadata, new_file_path, create_file, tru # Check log file is being analyzed evm.check_analyzing_file(file=file, prefix=prefix) - # Insert log + # Insert log run_local_command_returning_output(command) # Check the log is read from the monitored file @@ -232,8 +232,8 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, create - Check that logs are ignored when they match with configured regex input_description: - - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test. - - The `cases_ignore_regex_default` file provides the test cases. + - The `configuration_ignore_regex_values.yaml` file provides the module configuration for this test. + - The `cases_ignore_regex_values` file provides the test cases. expected_output: - r".*wazuh-logcollector.*Analizing file: '{file}'.*" 
@@ -250,7 +250,7 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, create # Check log file is being analized evm.check_analyzing_file(file=file, prefix=prefix) - # Insert log + # Insert log run_local_command_returning_output(command) # Check the log is read from the monitored file diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py index e297b9e9ba..07f9f58bec 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py @@ -165,7 +165,7 @@ def test_restrict_default(configuration, metadata, new_file_path, create_file, t # Check log file is being analized evm.check_analyzing_file(file=file, prefix=prefix) - # Insert log + # Insert log run_local_command_returning_output(command) # Check the log is read from the monitored file evm.check_syslog_messages(message=log, prefix=prefix) @@ -232,8 +232,8 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, crea - Check that logs are ignored when they do not match with configured regex input_description: - - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test. - - The `cases_ignore_regex_default` file provides the test cases. + - The `configuration_ignore_regex_values.yaml` file provides the module configuration for this test. + - The `cases_ignore_regex_values` file provides the test cases. expected_output: - r".*wazuh-logcollector.*Analizing file: '{file}'.*" 
@@ -251,7 +251,7 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, crea # Check log file is being analized evm.check_analyzing_file(file=file, prefix=prefix) - # Insert log + # Insert log run_local_command_returning_output(command) # Check the log is read from the monitored file evm.check_syslog_messages(message=log, prefix=prefix) From 1f0dc096a621230218ae8fc6b39a14057779304a Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 24 Nov 2022 15:35:19 -0300 Subject: [PATCH 23/34] docs(#3480): fixed docu typos --- .../test_log_filter_options/test_restrict_regex.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py index 07f9f58bec..690b5ca508 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py @@ -146,8 +146,8 @@ def test_restrict_default(configuration, metadata, new_file_path, create_file, t - Check that logs are ignored when they do not match with configured regex input_description: - - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test. - - The `cases_ignore_regex_default` file provides the test cases. + - The `configuration_restrict_regex_default.yaml` file provides the module configuration for this test. + - The `cases_restrict_regex_default` file provides the test cases. expected_output: - r".*wazuh-logcollector.*Analizing file: '{file}'.*" 
@@ -232,8 +232,8 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, crea - Check that logs are ignored when they do not match with configured regex input_description: - - The `configuration_ignore_regex_values.yaml` file provides the module configuration for this test. - - The `cases_ignore_regex_values` file provides the test cases. + - The `configuration_restrict_regex_values.yaml` file provides the module configuration for this test. + - The `cases_restrict_regex_values` file provides the test cases. expected_output: - r".*wazuh-logcollector.*Analizing file: '{file}'.*" From cc0a08891ec7dfb15bd173cf15762be3a78583b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Carmelo=20Micalizzi?= Date: Thu, 24 Nov 2022 15:50:51 -0300 Subject: [PATCH 24/34] docs(#3480): update cases names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Dámaris --- .../cases_ignore_regex_default.yaml | 4 +- .../cases_ignore_regex_type_values.yaml | 12 +++--- .../cases_restrict_ignore_regex_values.yaml | 38 +++++++++---------- .../cases_restrict_regex_default.yaml | 4 +- .../cases_restrict_regex_type_values.yaml | 12 +++--- .../test_restrict_ignore_regex.py | 4 +- 6 files changed, 37 insertions(+), 37 deletions(-) diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml index 0fee684eb4..98d89434a6 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml 
@@ -1,4 +1,4 @@ -- name: Test Ignore tag - Default engine - Log Matches +- name: Log match - Default regex and ignore tag description: Test Ignore with default regex, with matching log configuration_parameters: REGEX: .+test @@ -7,7 +7,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Ignore tag - Default engine - Log does not Match +- name: No log match - Default regex and ignore tag description: Test Ignore with default regex, with not matching log configuration_parameters: REGEX: .+test diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml index e5877f1279..f902174278 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml @@ -1,4 +1,4 @@ -- name: Test Ignore tag - PCRE2 engine - log match +- name: Log match - PCRE2 regex and ignore tag description: Test Ignore tag tag with PCRE2 regex, with matching log configuration_parameters: REGEX: .*test @@ -9,7 +9,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Ignore tag - PCRE2 engine - log does not match +- name: No log match - PCRE2 regex and ignore tag description: Test Ignore tag with PCRE2 regex, with not matching log configuration_parameters: REGEX: .*test @@ -20,7 +20,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" matches: false -- name: Test Ignore tag - osmatch engine - log match +- name: Log match - osmatch regex and ignore tag description: Test Ignore tag with osmatch regex, with matching log configuration_parameters: REGEX: test$ 
@@ -31,7 +31,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Ignore tag - osmatch engine - log does not match +- name: No log match - osmatch regex and ignore tag description: Test Ignore tag with osmatch regex, with not matching log configuration_parameters: REGEX: test$ @@ -42,7 +42,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" matches: false -- name: Test Ignore tag - osregex engine - log match +- name: Log match - osregex regex and ignore tag description: Test Ignore tag with osregex regex, with matching log configuration_parameters: REGEX: \.test @@ -53,7 +53,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Ignore tag - osregex engine - log does not match +- name: No log match - osregex regex and ignore tag description: Test Ignore tag with osregex regex, with not matching log configuration_parameters: REGEX: \.test diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml index ef2dc6235d..804073eeb3 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml @@ -1,5 +1,5 @@ # Test PCRE2 -- name: Test Restrict+Ignore - Both PCRE2 - Matches Restrict only +- name: Matches with restrict tag - Ignore and restrict tags with PCRE2 regex description: Test Restrict + Ignore tags both with PCRE2 regex. Log matches restrict configuration_parameters: RESTRICT_REGEX: .*restrict 
@@ -12,7 +12,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - Both PCRE2 - Matches Ignore Only +- name: Matches with ignore tag - Ignore and restrict tags with PCRE2 regex description: Test Restrict + Ignore tags both with PCRE2 regex. Log matches ignore configuration_parameters: RESTRICT_REGEX: .*restrict @@ -25,7 +25,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - Both PCRE2- Matches Both +- name: Log match - PCRE2 regex, ignore and restrict tags description: Test Restrict + Ignore tags both with pcre2 regex. Log matches both configuration_parameters: RESTRICT_REGEX: .*restrict @@ -38,7 +38,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - Both PCRE2 - Matches None +- name: No log match - Ignore and restrict tags with PCRE2 regex description: Test Restrict + Ignore tags both with pcre2 regex. Log matches None configuration_parameters: RESTRICT_REGEX: .*restrict @@ -52,7 +52,7 @@ matches: None # Test osregex -- name: Test Restrict+Ignore - Both osregex - Matches Restrict only +- name: Matches with restrict tag - Ignore and restrict tags with osregex regex description: Test Restrict + Ignore tags both with osregex regex. Log matches restrict configuration_parameters: RESTRICT_REGEX: \.restrict @@ -65,7 +65,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - Both osregex - Matches Ignore Only +- name: Matches with ignore tag - Ignore and restrict tags with osregex regex description: Test Restrict + Ignore tags both with osregex regex. Log matches ignore configuration_parameters: RESTRICT_REGEX: \.restrict 
@@ -78,7 +78,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - Both osregex - Matches Both +- name: Log match - Ignore and restrict tags with osregex regex description: Test Restrict + Ignore tags both with osregex regex. Log matches both configuration_parameters: RESTRICT_REGEX: \.restrict @@ -91,7 +91,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - Both osregex - Matches None +- name: No log match - Ignore and restrict tags with osregex regex description: Test Restrict + Ignore tags both with osregex regex. Log matches None configuration_parameters: RESTRICT_REGEX: \.restrict @@ -105,7 +105,7 @@ matches: None # Test osmatch -- name: Test Restrict+Ignore - Both osmatch - Matches Restrict +- name: Matches with restrict tag - Ignore and restrict tags with osmatch regex description: Test Restrict + Ignore tags both with osmatch regex. Log matches restrict configuration_parameters: RESTRICT_REGEX: restrict$ @@ -118,7 +118,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - Both osmatch - Matches Ignore Only +- name: Matches with ignore tag - Ignore and restrict tags with osmatch regex description: Test Restrict + Ignore tags both with osmatch regex. Log matches ignore configuration_parameters: RESTRICT_REGEX: restrict$ @@ -131,7 +131,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - Both osmatch - Matches Both +- name: Log match - Ignore and restrict tags with osmatch regex description: Test Restrict + Ignore tags both with osmatch regex. Log matches both configuration_parameters: RESTRICT_REGEX: restrict$ 
@@ -144,7 +144,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - Both osmatch - Matches None +- name: No log match - Ignore and restrict tags with osmatch regex description: Test Restrict + Ignore tags both with osmatch regex. Log matches None configuration_parameters: RESTRICT_REGEX: restrict$ @@ -158,7 +158,7 @@ matches: None # Test pcre2 + osregex -- name: Test Restrict+Ignore - pcre2+osregex engine - Matches Restrict +- name: Matches with restrict tag - Ignore and restrict tags with pcre2 and osregex regex description: Test Restrict + Ignore tags (pcre2+osregex). Log matches restrict configuration_parameters: RESTRICT_REGEX: .*restrict @@ -171,7 +171,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - pcre2+osregex engine - Matches Ignore Only +- name: Matches with ignore tag - Ignore and restrict tags with pcre2 and osregex regex description: Test Restrict + Ignore tags (pcre2+osregex). Log matches ignore configuration_parameters: RESTRICT_REGEX: .*restrict @@ -184,7 +184,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - pcre2+osregex engine - Matches Both +- name: Log match - Ignore and restrict tags with pcre2 and osregex regex description: Test Restrict + Ignore tags (pcre2+osregex). Log matches both configuration_parameters: RESTRICT_REGEX: .*restrict @@ -197,7 +197,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: Test Restrict+Ignore - pcre2+osregex engine - Matches None +- name: No log match - Ignore and restrict tags with pcre2 and osregex regex description: Test Restrict + Ignore tags (pcre2+osregex). Log matches None configuration_parameters: RESTRICT_REGEX: .*restrict 
@@ -211,7 +211,7 @@ matches: None # Test pcre2 + osmatch -- name: Test Restrict+Ignore - pcre2+osmatch engine - Matches Restrict +- name: Matches with restrict tag - Ignore and restrict tags with pcre2 and osmatch regex description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches restrict configuration_parameters: RESTRICT_REGEX: .*restrict @@ -224,7 +224,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Test Restrict+Ignore - pcre2+osmatch engine - Matches Ignore Only +- name: Matches with ignore tag - Ignore and restrict tags with pcre2 and osmatch regex description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches ignore configuration_parameters: RESTRICT_REGEX: .*restrict @@ -237,7 +237,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Test Restrict+Ignore - pcre2+osmatch engine - Matches Both +- name: Log match - Ignore and restrict tags with pcre2 and osmatch regex description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches both configuration_parameters: RESTRICT_REGEX: .*restrict diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml index fbef53ea80..0495f4cd83 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml @@ -1,4 +1,4 @@ -- name: Test Restrict tag - Default engine - Log Matches +- name: Log match - Default regex and restrict tag description: Test Restrict with default regex, with matching log configuration_parameters: REGEX: .+test 
@@ -7,7 +7,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Restrict tag - Default engine - Log Matches +- name: No log match - Default regex and restrict tag description: Test Restrict with default regex, with not matching log configuration_parameters: REGEX: .+test diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml index df4be4b4ff..d5d09fd9a6 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml @@ -1,4 +1,4 @@ -- name: Test Restrict tag - PCRE2 engine - log matches +- name: Log match - PCRE2 regex and restrict tag description: Test Restrict with PCRE2 regex, with matching log configuration_parameters: REGEX: .*test @@ -9,7 +9,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Restrict tag - PCRE2 engine - log does not match +- name: No log match - PCRE2 regex and restrict tag description: Test Restrict with PCRE2 regex, with not matching log configuration_parameters: REGEX: .*test @@ -20,7 +20,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" matches: false -- name: Test Restrict tag - osmatch engine - log match +- name: Log match - osmatch regex and restrict tag description: Test Restrict with osmatch regex, with matching log configuration_parameters: REGEX: test$ 
@@ -31,7 +31,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Restrict tag - osmatch engine - log does not match +- name: No log match - osmatch regex and restrict tag description: Test Restrict with osmatch regex, with not matching log configuration_parameters: REGEX: test$ @@ -42,7 +42,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" matches: false -- name: Test Restrict tag - osregex engine - log match +- name: Log match - osregex regex and restrict tag description: Test Restrict with osregex regex, with matching log configuration_parameters: REGEX: \.test @@ -53,7 +53,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: Test Restrict tag - osregex engine - log does not match +- name: No log match - osregex regex and restrict tag description: Test Restrict with osregex regex, with not matching log configuration_parameters: REGEX: \.test diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py index 76dc9f3f9b..bc14dc27fb 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py @@ -138,7 +138,7 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr input_description: - The `configuration_restrict_ignore_regex_values.yaml` file provides the module configuration for this test. - - The `cases_restrict_ignore_regex_values` file provides the test cases. + - The `cases_restrict_ignore_regex_values.yaml` file provides the test cases. expected_output: - r".*wazuh-logcollector.*Analizing file: '{file}'.*" 
@@ -156,7 +156,7 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr # Check log file is being analized evm.check_analyzing_file(file=file, prefix=prefix) - # Insert log + # Insert log run_local_command_returning_output(command) # Check the log is read from the monitored file evm.check_syslog_messages(message=log, prefix=prefix) From a268b3c1f1c434b48be5bc236d074db97e83b8c4 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 24 Nov 2022 16:33:57 -0300 Subject: [PATCH 25/34] refactor(#3480): extract block into event_monitor --- .../modules/logcollector/event_monitor.py | 18 +++++++++++- .../test_ignore_regex.py | 13 ++------- .../test_restrict_ignore_regex.py | 28 ++++++------------- .../test_restrict_regex.py | 14 +++------- 4 files changed, 32 insertions(+), 41 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py index 83de662337..cde8f913ae 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py @@ -1,7 +1,8 @@ import re import sys +import pytest from wazuh_testing import T_30, T_10, LOG_FILE_PATH -from wazuh_testing.modules.logcollector import LOG_COLLECTOR_PREFIX +from wazuh_testing.modules.logcollector import LOG_COLLECTOR_PREFIX, ERR_MSG_UNEXPECTED_IGNORE_EVENT from wazuh_testing.tools.monitoring import FileMonitor 
@@ -111,3 +112,18 @@ def check_ignore_restrict_messages(message, regex, tag, prefix, error_message=No return check_logcollector_event(file_monitor=file_monitor, timeout=timeout, callback=callback_msg, error_message=error_message, prefix=prefix, escape=escape) + + +def check_ignore_restrict_message_not_found(message, regex, tag, prefix): + '''Check that an unexpected "Ignoring the log line..." event does not appear and a log is not ignored when it + does not match the regex. + Args: + message (str): Message to be monitored. + regex (str): regex pattern configured to ignore or restrict to. + tag (str): string with the configured tag. Values: 'ignore' or 'restrict' + prefix (str): Daemon that generates the error log. + ''' + log_found = False + with pytest.raises(TimeoutError): + log_found = check_ignore_restrict_messages(message=message, regex=regex, tag=tag, prefix=prefix) + assert log_found is False, ERR_MSG_UNEXPECTED_IGNORE_EVENT diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py index 75322f5e91..410da24e49 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py @@ -171,11 +171,8 @@ def test_ignore_default(configuration, metadata, new_file_path, create_file, tru # Check response if metadata['matches'] is not True: - log_found = False - with pytest.raises(TimeoutError): - log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', - prefix=prefix) - assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex'], tag='ignore', prefix=prefix) + else: evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', prefix=prefix) 
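Review bot: In `check_ignore_restrict_message_not_found` the `log_found` flag and the closing `assert log_found is False` are dead code: when `check_ignore_restrict_messages` raises `TimeoutError` the assignment never runs and the assert trivially passes, and when it returns normally `pytest.raises` already fails with "DID NOT RAISE", so `ERR_MSG_UNEXPECTED_IGNORE_EVENT` is never reported. Catching the timeout explicitly and calling `pytest.fail` with that message keeps the diagnostic and drops the flag, as below. The docstring should also say that this negative check only succeeds after the monitor's timeout elapses (the timeout is the default of `check_ignore_restrict_messages`, whose definition is outside this hunk), and needs a blank line before `Args:`. Note the `import pytest` added in the previous hunk makes pytest a hard dependency of the shared `event_monitor` module; worth confirming that is intended for library code.
```python
def check_ignore_restrict_message_not_found(message, regex, tag, prefix):
    # … unchanged: docstring …
    try:
        check_ignore_restrict_messages(message=message, regex=regex, tag=tag, prefix=prefix)
    except TimeoutError:
        return
    pytest.fail(ERR_MSG_UNEXPECTED_IGNORE_EVENT)
```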
@@ -258,11 +255,7 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, create # Check response if metadata['matches'] is not True: - log_found = False - with pytest.raises(TimeoutError): - log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', - prefix=prefix) - assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex'], tag='ignore', prefix=prefix) else: evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', prefix=prefix) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py index bc14dc27fb..a6483cabf7 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py 
@@ -167,31 +167,19 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore', prefix=prefix) if 'restrict' in metadata['matches']: - log_found = False - with pytest.raises(TimeoutError): - log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], - tag='restrict', prefix=prefix) - assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['restrict_regex'], tag='restrict', + prefix=prefix) # If matches with restrict, it should not be ignored due to restrict config elif metadata['matches'] == 'restrict': - log_found = False - with pytest.raises(TimeoutError): - log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], - tag='restrict', prefix=prefix) - assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT - log_found = False - with pytest.raises(TimeoutError): - log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], - tag='ignore', prefix=prefix) - assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['restrict_regex'], tag='restrict', + prefix=prefix) + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['ignore_regex'], tag='ignore', + prefix=prefix) # If it matches with None, the log should be ignored due to restrict config and not due to ignore config else: - log_found = False - with pytest.raises(TimeoutError): - log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore', - prefix=prefix) - assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['ignore_regex'], tag='ignore', + prefix=prefix) 
evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict', prefix=prefix) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py index 690b5ca508..7bcdbb8037 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py @@ -171,11 +171,8 @@ def test_restrict_default(configuration, metadata, new_file_path, create_file, t evm.check_syslog_messages(message=log, prefix=prefix) # Check response if metadata['matches']: - log_found = False - with pytest.raises(TimeoutError): - log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', - prefix=prefix) - assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex'], tag='restrict', + prefix=prefix) else: evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', prefix=prefix) @@ -257,11 +254,8 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, crea evm.check_syslog_messages(message=log, prefix=prefix) # Check response if metadata['matches']: - log_found = False - with pytest.raises(TimeoutError): - log_found = evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', - prefix=prefix) - assert log_found is False, lc.ERR_MSG_UNEXPECTED_IGNORE_EVENT + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex'], + tag='restrict', prefix=prefix) else: evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', prefix=prefix) From 8195edb47f945fa8721f334fe8b1556ef94e5338 Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Thu, 24 Nov 2022 16:39:34 -0300 Subject: [PATCH 26/34] style(#3480): remove whitespaces --- .../data/test_cases/cases_ignore_regex_default.yaml | 2 +- .../data/test_cases/cases_restrict_ignore_regex_values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml index 98d89434a6..777c2f1bea 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml @@ -7,7 +7,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" matches: true -- name: No log match - Default regex and ignore tag +- name: No log match - Default regex and ignore tag description: Test Ignore with default regex, with not matching log configuration_parameters: REGEX: .+test diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml index 804073eeb3..e6a0056c26 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml @@ -25,7 +25,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Log match - PCRE2 regex, ignore and restrict tags +- name: Log match - PCRE2 regex, ignore and restrict tags description: Test Restrict + Ignore tags both with pcre2 regex. Log matches both configuration_parameters: RESTRICT_REGEX: .*restrict 
From 93132650a1b454f617cba037f5fdf1c95e570cc5 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 28 Nov 2022 10:43:00 -0300 Subject: [PATCH 27/34] feat(#3480): add new test cases --- .../configuration_ignore_multiple_regex.yaml | 33 +++++ ...configuration_restrict_multiple_regex.yaml | 33 +++++ .../cases_ignore_multiple_regex.yaml | 43 +++++++ .../cases_restrict_multiple_regex.yaml | 43 +++++++ .../test_ignore_regex.py | 110 +++++++++++++++-- .../test_restrict_regex.py | 115 ++++++++++++++++-- 6 files changed, 363 insertions(+), 14 deletions(-) create mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_multiple_regex.yaml create mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_multiple_regex.yaml create mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_multiple_regex.yaml create mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_multiple_regex.yaml diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_multiple_regex.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_multiple_regex.yaml new file mode 100644 index 0000000000..64228cb91e --- /dev/null +++ b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_multiple_regex.yaml 
@@ -0,0 +1,33 @@ +- sections: + - section: localfile + elements: + - log_format: + value: syslog + - location: + value: LOCATION + - ignore: + value: REGEX_1 + - ignore: + value: REGEX_2 + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: syscheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_multiple_regex.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_multiple_regex.yaml new file mode 100644 index 0000000000..8202777005 --- /dev/null +++ b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_multiple_regex.yaml @@ -0,0 +1,33 @@ +- sections: + - section: localfile + elements: + - log_format: + value: syslog + - location: + value: LOCATION + - restrict: + value: REGEX_1 + - restrict: + value: REGEX_2 + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: syscheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_multiple_regex.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_multiple_regex.yaml new file mode 100644 index 0000000000..5f747e9644 --- /dev/null +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_multiple_regex.yaml 
@@ -0,0 +1,43 @@ +- name: Log match - Two ignore tags - Match first tag + description: Test two Ignore tags, with matching log first tag + configuration_parameters: + REGEX_1: .+regex1 + REGEX_2: .+regex2 + metadata: + regex1: .+regex1 + regex2: .+regex2 + log_sample: "Nov 10 12:19:04 localhost sshd: log matches regex1" + matches: regex1 + +- name: Log match - Two ignore tags - Match both tags + description: Test two Ignore tags, with matching log both tags + configuration_parameters: + REGEX_1: .+regex1 + REGEX_2: .+regex2 + metadata: + regex1: .+regex1 + regex2: .+regex2 + log_sample: "Nov 10 12:19:04 localhost sshd: log matches regex1 regex2" + matches: regex1 regex2 + +- name: Log match - Two ignore tags - Match second tag + description: Test two Ignore tags, with matching log second tag + configuration_parameters: + REGEX_1: .+regex1 + REGEX_2: .+regex2 + metadata: + regex1: .+regex1 + regex2: .+regex2 + log_sample: "Nov 10 12:19:04 localhost sshd: log matches regex2" + matches: regex2 + +- name: No match - Two ignore tags + description: Test two Ignore tags, with no matches + configuration_parameters: + REGEX_1: .+regex1 + REGEX_2: .+regex2 + metadata: + regex1: .+regex1 + regex2: .+regex2 + log_sample: "Nov 10 12:19:04 localhost sshd: log does not matches" + matches: no match \ No newline at end of file diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_multiple_regex.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_multiple_regex.yaml new file mode 100644 index 0000000000..217783d6fd --- /dev/null +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_multiple_regex.yaml 
@@ -0,0 +1,43 @@ +- name: Log match - Two Restrict tags - Match first tag + description: Test two Restrict tags, with matching first tag + configuration_parameters: + REGEX_1: .+regex1 + REGEX_2: .+regex2 + metadata: + regex1: .+regex1 + regex2: .+regex2 + log_sample: "Nov 10 12:19:04 localhost sshd: log matches regex1" + matches: regex1 + +- name: Log match - Two Restrict tags - Match both tags + description: Test twoRestrict tags, with log matching both tags + configuration_parameters: + REGEX_1: .+regex1 + REGEX_2: .+regex2 + metadata: + regex1: .+regex1 + regex2: .+regex2 + log_sample: "Nov 10 12:19:04 localhost sshd: log matches regex1 regex2" + matches: regex1 regex2 + +- name: Log match - Two Restrict tags - Match second tag + description: Test two Restrict tags, with matching first tag + configuration_parameters: + REGEX_1: .+regex1 + REGEX_2: .+regex2 + metadata: + regex1: .+regex1 + regex2: .+regex2 + log_sample: "Nov 10 12:19:04 localhost sshd: log matches regex2" + matches: regex2 + +- name: No match - Two Restrict tags + description: Test two Restrict, log does not match + configuration_parameters: + REGEX_1: .+regex1 + REGEX_2: .+regex2 + metadata: + regex1: .+regex1 + regex2: .+regex2 + log_sample: "Nov 10 12:19:04 localhost sshd: log does not matches" + matches: no match \ No newline at end of file diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py index 410da24e49..cf9ee5b336 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py 
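Review bot: The third case's `description` contradicts its `name`: `Log match - Two Restrict tags - Match second tag` is described as `Test two Restrict tags, with matching first tag` and should read `Test two Restrict tags, with matching second tag`. The second case's description has `twoRestrict` (missing space). These strings appear to feed the pytest ids (`ids=t3_case_ids` in the test modules), so a mismatched description makes a failing case harder to interpret.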
@@ -68,28 +68,38 @@ CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') -# Configuration and cases data +# Test configurations and cases data +test_file = os.path.join(PREFIX, 'test') +#---------------------------------TEST_IGNORE_DEFAULT-------------------------------------------- t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_default.yaml') t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_default.yaml') -t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_type_values.yaml') -t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_type_values.yaml') - -# Test configurations -test_file = os.path.join(PREFIX, 'test') - t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) for count, value in enumerate(t1_configuration_parameters): t1_configuration_parameters[count]['LOCATION'] = test_file t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) +#---------------------------------TEST_IGNORE_REGEX_TYPE_VALUES-------------------------------------- +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_type_values.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_type_values.yaml') + t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) for count, value in enumerate(t2_configuration_parameters): t2_configuration_parameters[count]['LOCATION'] = test_file t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata) +#---------------------------------TEST_IGNORE_MULTIPLE_REGEX------------------------------------------- +t3_configurations_path = os.path.join(CONFIGURATIONS_PATH, 
'configuration_ignore_multiple_regex.yaml') +t3_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_multiple_regex.yaml') + +t3_configuration_parameters, t3_configuration_metadata, t3_case_ids = get_test_cases_data(t3_cases_path) +for count, value in enumerate(t3_configuration_parameters): + t3_configuration_parameters[count]['LOCATION'] = test_file +t3_configurations = load_configuration_template(t3_configurations_path, t3_configuration_parameters, + t3_configuration_metadata) + prefix = lc.LOG_COLLECTOR_PREFIX local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS 
@@ -259,3 +269,89 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, create else: evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', prefix=prefix) + + +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) +@pytest.mark.parametrize('configuration, metadata', zip(t3_configurations, t3_configuration_metadata), ids=t3_case_ids) +def test_ignore_multiple_regex(configuration, metadata, new_file_path, create_file, truncate_monitored_files, + set_wazuh_configuration, configure_local_internal_options_function, + restart_wazuh_function): + ''' + description: Check if logcollector behavior when two ignore tags are added. + + test_phases: + - Set a custom Wazuh configuration. + - Restart monitord. + - Insert the log message. + - Check expected response. + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. + - metadata: + type: dict + brief: Wazuh configuration metadata + - new_file_path: + type: str + brief: path for the log file to be created and deleted after the test. + - create_file: + type: fixture + brief: Create an empty file for logging + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - set_wazuh_configuration: + type: fixture + brief: Set the wazuh configuration according to the configuration data. + - configure_local_internal_options: + type: fixture + brief: Configure the local_internal_options file. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh. + + assertions: + - Check that logcollector is analyzing the log file. + - Check that logs are ignored when they match with configured regex + + input_description: + - The `configuration_ignore_multiple_regex.yaml` file provides the module configuration for this test. 
+ - The `cases_ignore_multiple_regex` file provides the test cases. + + expected_output: + - r".*wazuh-logcollector.*Analizing file: '{file}'.*" + - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" + - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" + ''' + log = metadata['log_sample'] + command = f"echo {log}>> {test_file}" + + if sys.platform == 'win32': + file = re.escape(test_file) + else: + file = test_file + + # Check log file is being analized + evm.check_analyzing_file(file=file, prefix=prefix) + # Insert log + run_local_command_returning_output(command) + + # Check the log is read from the monitored file + evm.check_syslog_messages(message=log, prefix=prefix) + + # Check response + if 'regex1' in metadata['matches']: + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='ignore',prefix=prefix) + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='ignore', prefix=prefix) + elif metadata['matches'] == 'regex2': + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex2'], tag='ignore',prefix=prefix) + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex1'], tag='ignore', prefix=prefix) + else: + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex1'], tag='ignore', prefix=prefix) + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='ignore', prefix=prefix) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py index 7bcdbb8037..328cf70683 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py 
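Review bot: The docstring of `test_ignore_multiple_regex` documents a fixture `configure_local_internal_options` while the signature takes `configure_local_internal_options_function`, and `The cases_ignore_multiple_regex file` omits the `.yaml` suffix that the earlier commit in this series added to the sibling test's docstring; the `description:` line is also ungrammatical and could read `Check logcollector behavior when two ignore tags are configured.` A robustness point copied from the existing tests: `command = f"echo {log}>> {test_file}"` interpolates the YAML `log_sample` unquoted into a shell command, so any future sample containing quotes or shell metacharacters would alter the command rather than the logged line; appending the line through Python file I/O, or quoting it, would avoid that. The same issues recur in `test_restrict_multiple_regex` in the next file.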
@@ -69,28 +69,39 @@ CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') -# Configuration and cases data +# Test configurations and cases data +test_file = os.path.join(PREFIX, 'test') + +#---------------------------------TEST_DEFAULT_REGEX-------------------------------------------------- t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_default.yaml') t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') -t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_type_values.yaml') -t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_type_values.yaml') - -# Test configurations -test_file = os.path.join(PREFIX, 'test') - t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) for count, value in enumerate(t1_configuration_parameters): t1_configuration_parameters[count]['LOCATION'] = test_file t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) +#---------------------------------TEST_IGNORE_REGEX_TYPE_VALUES-------------------------------------- +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_type_values.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_type_values.yaml') + t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) for count, value in enumerate(t2_configuration_parameters): t2_configuration_parameters[count]['LOCATION'] = test_file t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata) + +#---------------------------------TEST_RESTRICT_MULTIPLE_REGEX------------------------------------------- +t3_configurations_path = 
os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_multiple_regex.yaml') +t3_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_multiple_regex.yaml') + +t3_configuration_parameters, t3_configuration_metadata, t3_case_ids = get_test_cases_data(t3_cases_path) +for count, value in enumerate(t3_configuration_parameters): + t3_configuration_parameters[count]['LOCATION'] = test_file +t3_configurations = load_configuration_template(t3_configurations_path, t3_configuration_parameters, + t3_configuration_metadata) prefix = lc.LOG_COLLECTOR_PREFIX local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS 
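Review bot: The new section banner above the t2 block reads `TEST_IGNORE_REGEX_TYPE_VALUES`, but this is the restrict test module and the block loads `configuration_restrict_regex_type_values.yaml`; it should be `# --------------------------------TEST_RESTRICT_REGEX_TYPE_VALUES--------------------------------------`. The later whitespace-only commit in this series (the `@@ -82,7 +82,7 @@` hunk on this file) carries the mislabel forward unchanged. There is also a stray extra blank line before the t3 banner that the t1/t2 blocks do not have. Minor style: `for count, value in enumerate(t3_configuration_parameters): t3_configuration_parameters[count]['LOCATION'] = test_file` only needs the element, `for params in t3_configuration_parameters: params['LOCATION'] = test_file`, though it mirrors the existing t1/t2 loops.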
@@ -259,3 +270,93 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, crea else: evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', prefix=prefix) + + +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) +@pytest.mark.parametrize('configuration, metadata', zip(t3_configurations, t3_configuration_metadata), ids=t3_case_ids) +def test_restrict_multiple_regex(configuration, metadata, new_file_path, create_file, truncate_monitored_files, + set_wazuh_configuration, configure_local_internal_options_function, + restart_wazuh_function): + ''' + description: Check if logcollector behavior when two restrict tags are added. + + test_phases: + - Set a custom Wazuh configuration. + - Restart monitord. + - Insert the log message. + - Check expected response. + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. + - metadata: + type: dict + brief: Wazuh configuration metadata + - new_file_path: + type: str + brief: path for the log file to be created and deleted after the test. + - create_file: + type: fixture + brief: Create an empty file for logging + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - set_wazuh_configuration: + type: fixture + brief: Set the wazuh configuration according to the configuration data. + - configure_local_internal_options: + type: fixture + brief: Configure the local_internal_options file. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh. + + assertions: + - Check that logcollector is analyzing the log file. + - Check that logs are ignored when they match with configured regex + + input_description: + - The `configuration_restrict_multiple_regex.yaml` file provides the module configuration for this test. 
+ - The `cases_restrict_multiple_regex` file provides the test cases. + + expected_output: + - r".*wazuh-logcollector.*Analizing file: '{file}'.*" + - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" + - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" + ''' + log = metadata['log_sample'] + command = f"echo {log}>> {test_file}" + + if sys.platform == 'win32': + file = re.escape(test_file) + else: + file = test_file + + # Check log file is being analized + evm.check_analyzing_file(file=file, prefix=prefix) + # Insert log + run_local_command_returning_output(command) + + # Check the log is read from the monitored file + evm.check_syslog_messages(message=log, prefix=prefix) + + # Check response + if 'regex1' in metadata['matches']: + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex1'], tag='restrict', + prefix=prefix) + if 'regex2' in metadata['matches']: + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='restrict', + prefix=prefix) + else: + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex2'], tag='restrict',prefix=prefix) + elif metadata['matches'] == 'regex2': + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='restrict', prefix=prefix) + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='restrict',prefix=prefix) + else: + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='restrict',prefix=prefix) From 71219c72a419f3ac9885cbd888efc48113f257c4 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 28 Nov 2022 10:59:16 -0300 Subject: [PATCH 28/34] style(#3480): fix indentation and spacing --- .../cases_ignore_multiple_regex.yaml | 2 +- .../cases_restrict_multiple_regex.yaml | 4 ++-- .../test_ignore_regex.py | 14 ++++++------- .../test_restrict_regex.py | 21 ++++++++++--------- 4 files changed, 21 insertions(+), 20 deletions(-) 
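Review bot: The `assertions:` entry of `test_restrict_multiple_regex` says `Check that logs are ignored when they match with configured regex`, which is the ignore-tag wording copied from the other test; the body asserts the opposite for restrict (a matching log must not produce the ignore event, and a non-matching one must), so it should read something like `Check that logs matching a restrict regex are not ignored due to that regex, and non-matching logs are`. As in the ignore test, the docstring lists `configure_local_internal_options` instead of the `configure_local_internal_options_function` fixture actually taken, and `The cases_restrict_multiple_regex file` lacks `.yaml`. The `description:` line could read `Check logcollector behavior when two restrict tags are configured.` The `tag='restrict',prefix=prefix` spacing is fixed by the follow-up style commit, so no action needed there.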
diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_multiple_regex.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_multiple_regex.yaml index 5f747e9644..2b8ae0542d 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_multiple_regex.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_multiple_regex.yaml @@ -40,4 +40,4 @@ regex1: .+regex1 regex2: .+regex2 log_sample: "Nov 10 12:19:04 localhost sshd: log does not matches" - matches: no match \ No newline at end of file + matches: no match diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_multiple_regex.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_multiple_regex.yaml index 217783d6fd..0c12dbade4 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_multiple_regex.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_multiple_regex.yaml @@ -31,7 +31,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches regex2" matches: regex2 -- name: No match - Two Restrict tags +- name: No match - Two Restrict tags description: Test two Restrict, log does not match configuration_parameters: REGEX_1: .+regex1 @@ -40,4 +40,4 @@ regex1: .+regex1 regex2: .+regex2 log_sample: "Nov 10 12:19:04 localhost sshd: log does not matches" - matches: no match \ No newline at end of file + matches: no match diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py index cf9ee5b336..55f31e81b2 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py 
+++ b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py @@ -70,7 +70,7 @@ # Test configurations and cases data test_file = os.path.join(PREFIX, 'test') -#---------------------------------TEST_IGNORE_DEFAULT-------------------------------------------- +# --------------------------------TEST_IGNORE_DEFAULT-------------------------------------------- t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_default.yaml') t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_default.yaml') @@ -80,7 +80,7 @@ t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) -#---------------------------------TEST_IGNORE_REGEX_TYPE_VALUES-------------------------------------- +# --------------------------------TEST_IGNORE_REGEX_TYPE_VALUES-------------------------------------- t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_type_values.yaml') t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_type_values.yaml') @@ -90,7 +90,7 @@ t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, t2_configuration_metadata) -#---------------------------------TEST_IGNORE_MULTIPLE_REGEX------------------------------------------- +# --------------------------------TEST_IGNORE_MULTIPLE_REGEX------------------------------------------- t3_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_multiple_regex.yaml') t3_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_multiple_regex.yaml') 
@@ -275,8 +275,8 @@ def test_ignore_regex_type_values(configuration, metadata, new_file_path, create @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t3_configurations, t3_configuration_metadata), ids=t3_case_ids) def test_ignore_multiple_regex(configuration, metadata, new_file_path, create_file, truncate_monitored_files, - set_wazuh_configuration, configure_local_internal_options_function, - restart_wazuh_function): + set_wazuh_configuration, configure_local_internal_options_function, + restart_wazuh_function): ''' description: Check if logcollector behavior when two ignore tags are added. @@ -347,10 +347,10 @@ def test_ignore_multiple_regex(configuration, metadata, new_file_path, create_fi # Check response if 'regex1' in metadata['matches']: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='ignore',prefix=prefix) + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='ignore', prefix=prefix) evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='ignore', prefix=prefix) elif metadata['matches'] == 'regex2': - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex2'], tag='ignore',prefix=prefix) + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex2'], tag='ignore', prefix=prefix) evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex1'], tag='ignore', prefix=prefix) else: evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex1'], tag='ignore', prefix=prefix) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py index 328cf70683..54b431e8bd 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py 
+++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py @@ -72,7 +72,7 @@ # Test configurations and cases data test_file = os.path.join(PREFIX, 'test') -#---------------------------------TEST_DEFAULT_REGEX-------------------------------------------------- +# --------------------------------TEST_DEFAULT_REGEX-------------------------------------------------- t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_default.yaml') t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') @@ -82,7 +82,7 @@ t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) -#---------------------------------TEST_IGNORE_REGEX_TYPE_VALUES-------------------------------------- +# --------------------------------TEST_IGNORE_REGEX_TYPE_VALUES-------------------------------------- t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_type_values.yaml') t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_type_values.yaml') @@ -93,7 +93,7 @@ t2_configuration_metadata) -#---------------------------------TEST_RESTRICT_MULTIPLE_REGEX------------------------------------------- +# --------------------------------TEST_RESTRICT_MULTIPLE_REGEX------------------------------------------- t3_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_multiple_regex.yaml') t3_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_multiple_regex.yaml') 
@@ -276,8 +276,8 @@ def test_restrict_regex_type_values(configuration, metadata, new_file_path, crea @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) @pytest.mark.parametrize('configuration, metadata', zip(t3_configurations, t3_configuration_metadata), ids=t3_case_ids) def test_restrict_multiple_regex(configuration, metadata, new_file_path, create_file, truncate_monitored_files, - set_wazuh_configuration, configure_local_internal_options_function, - restart_wazuh_function): + set_wazuh_configuration, configure_local_internal_options_function, + restart_wazuh_function): ''' description: Check if logcollector behavior when two restrict tags are added. 
@@ -349,14 +349,15 @@ def test_restrict_multiple_regex(configuration, metadata, new_file_path, create_ # Check response if 'regex1' in metadata['matches']: evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex1'], tag='restrict', - prefix=prefix) + prefix=prefix) if 'regex2' in metadata['matches']: evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='restrict', prefix=prefix) else: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex2'], tag='restrict',prefix=prefix) + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex2'], tag='restrict', prefix=prefix) elif metadata['matches'] == 'regex2': - evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='restrict', prefix=prefix) - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='restrict',prefix=prefix) + evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='restrict', + prefix=prefix) + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='restrict', prefix=prefix) else: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='restrict',prefix=prefix) + evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='restrict', prefix=prefix) From b195b8bb4350ec9ec206dc89f081b3d6b0c36879 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Carmelo=20Micalizzi?= Date: Fri, 2 Dec 2022 10:57:11 -0300 Subject: [PATCH 29/34] docs(#3480): change comment --- .../test_log_filter_options/test_restrict_regex.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py index 54b431e8bd..b5149f0f0f 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py 
+++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py @@ -82,7 +82,7 @@ t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, t1_configuration_metadata) -# --------------------------------TEST_IGNORE_REGEX_TYPE_VALUES-------------------------------------- +# --------------------------------TEST_RESTRICT_REGEX_TYPE_VALUES-------------------------------------- t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_type_values.yaml') t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_type_values.yaml') From 4a1ea691a7e9092c9f2239f148847667830d53e2 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Tue, 13 Dec 2022 17:01:13 -0300 Subject: [PATCH 30/34] style(#3480): change yaml end of line characters --- .../wazuh_configuration.yaml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml b/tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml index 2d27149430..2ef9b5befc 100644 --- a/tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml +++ b/tests/integration/test_logcollector/test_options/data/configuration_template/wazuh_configuration.yaml @@ -1,13 +1,13 @@ -- tags: - - test_options - apply_to_modules: - - test_options_state_interval_no_file - sections: - - section: localfile - attributes: - - name: testing files - elements: - - log_format: - value: syslog - - location: - value: LOCATION +- tags: + - test_options + apply_to_modules: + - test_options_state_interval_no_file + sections: + - section: localfile + attributes: + - name: testing files + elements: + - log_format: + value: syslog + - location: + value: LOCATION From b80219b3124d37fc4ca52d3aa63a2c08e03dfe9a Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Thu, 15 Dec 2022 16:27:26 -0300 Subject: [PATCH 31/34] refactor(#3480): remove unnecesary test cases --- .../configuration_ignore_regex_default.yaml | 31 --- ...onfiguration_ignore_regex_type_values.yaml | 33 --- .../configuration_restrict_regex_default.yaml | 31 --- ...figuration_restrict_regex_type_values.yaml | 33 --- .../cases_ignore_regex_default.yaml | 17 -- .../cases_ignore_regex_type_values.yaml | 65 ----- .../cases_restrict_ignore_regex_values.yaml | 234 ------------------ .../cases_restrict_regex_default.yaml | 17 -- .../cases_restrict_regex_type_values.yaml | 65 ----- .../test_ignore_regex.py | 206 +-------------- .../test_restrict_ignore_regex.py | 6 +- .../test_restrict_regex.py | 204 +-------------- 12 files changed, 20 insertions(+), 922 deletions(-) delete mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_default.yaml delete mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_type_values.yaml delete mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_default.yaml delete mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_type_values.yaml delete mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml delete mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml delete mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml delete mode 100644 tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml 
diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_default.yaml deleted file mode 100644 index 4a3ac56944..0000000000 --- a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_default.yaml +++ /dev/null @@ -1,31 +0,0 @@ -- sections: - - section: localfile - elements: - - log_format: - value: syslog - - location: - value: LOCATION - - ignore: - value: REGEX - - - section: sca - elements: - - enabled: - value: 'no' - - - section: rootcheck - elements: - - disabled: - value: 'yes' - - - section: syscheck - elements: - - disabled: - value: 'yes' - - - section: wodle - attributes: - - name: syscollector - elements: - - disabled: - value: 'yes' diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_type_values.yaml deleted file mode 100644 index 72fa5efc85..0000000000 --- a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_ignore_regex_type_values.yaml +++ /dev/null @@ -1,33 +0,0 @@ -- sections: - - section: localfile - elements: - - log_format: - value: syslog - - location: - value: LOCATION - - ignore: - value: REGEX - attributes: - - type: REGEX_TYPE - - - section: sca - elements: - - enabled: - value: 'no' - - - section: rootcheck - elements: - - disabled: - value: 'yes' - - - section: syscheck - elements: - - disabled: - value: 'yes' - - - section: wodle - attributes: - - name: syscollector - elements: - - disabled: - value: 'yes' 
diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_default.yaml deleted file mode 100644 index 29f730cf20..0000000000 --- a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_default.yaml +++ /dev/null @@ -1,31 +0,0 @@ -- sections: - - section: localfile - elements: - - log_format: - value: syslog - - location: - value: LOCATION - - restrict: - value: REGEX - - - section: sca - elements: - - enabled: - value: 'no' - - - section: rootcheck - elements: - - disabled: - value: 'yes' - - - section: syscheck - elements: - - disabled: - value: 'yes' - - - section: wodle - attributes: - - name: syscollector - elements: - - disabled: - value: 'yes' diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_type_values.yaml deleted file mode 100644 index 5b5179c23c..0000000000 --- a/tests/integration/test_logcollector/test_log_filter_options/data/configuration_template/configuration_restrict_regex_type_values.yaml +++ /dev/null @@ -1,33 +0,0 @@ -- sections: - - section: localfile - elements: - - log_format: - value: syslog - - location: - value: LOCATION - - restrict: - value: REGEX - attributes: - - type: REGEX_TYPE - - - section: sca - elements: - - enabled: - value: 'no' - - - section: rootcheck - elements: - - disabled: - value: 'yes' - - - section: syscheck - elements: - - disabled: - value: 'yes' - - - section: wodle - attributes: - - name: syscollector - elements: - - disabled: - value: 'yes' 
diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml deleted file mode 100644 index 777c2f1bea..0000000000 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_default.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- name: Log match - Default regex and ignore tag - description: Test Ignore with default regex, with matching log - configuration_parameters: - REGEX: .+test - metadata: - regex: .+test - log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: true - -- name: No log match - Default regex and ignore tag - description: Test Ignore with default regex, with not matching log - configuration_parameters: - REGEX: .+test - metadata: - regex: .+test - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: false diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml deleted file mode 100644 index f902174278..0000000000 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_ignore_regex_type_values.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -- name: Log match - PCRE2 regex and ignore tag - description: Test Ignore tag tag with PCRE2 regex, with matching log - configuration_parameters: - REGEX: .*test - REGEX_TYPE: PCRE2 - metadata: - regex: .*test - regex_type: PCRE2 - log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: true - -- name: No log match - PCRE2 regex and ignore tag - description: Test Ignore tag with PCRE2 regex, with not matching log - configuration_parameters: - REGEX: .*test - REGEX_TYPE: PCRE2 - metadata: - regex: .*test - regex_type: PCRE2 - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: false - -- name: Log match - osmatch regex and ignore tag - description: Test Ignore tag with osmatch regex, with matching log - configuration_parameters: - REGEX: test$ - REGEX_TYPE: osmatch - metadata: - regex: test\$ - regex_type: osmatch - log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: true - -- name: No log match - osmatch regex and ignore tag - description: Test Ignore tag with osmatch regex, with not matching log - configuration_parameters: - REGEX: test$ - REGEX_TYPE: osmatch - metadata: - regex: test\$ - regex_type: osmatch - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: false - -- name: Log match - osregex regex and ignore tag - description: Test Ignore tag with osregex regex, with matching log - configuration_parameters: - REGEX: \.test - REGEX_TYPE: osregex - metadata: - regex: \\.test - regex_type: osregex - log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: true - -- name: No log match - osregex regex and ignore tag - description: Test Ignore tag with osregex regex, with not matching log - configuration_parameters: - REGEX: \.test - REGEX_TYPE: osregex - metadata: - regex: \\.test - regex_type: osregex - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: false 
diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml index e6a0056c26..ec5f28a86c 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml +++ b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_ignore_regex_values.yaml 
@@ -12,59 +12,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Matches with ignore tag - Ignore and restrict tags with PCRE2 regex - description: Test Restrict + Ignore tags both with PCRE2 regex. Log matches ignore - configuration_parameters: - RESTRICT_REGEX: .*restrict - IGNORE_REGEX: .*ignore - RESTRICT_TYPE: PCRE2 - IGNORE_TYPE: PCRE2 - metadata: - restrict_regex: .*restrict - ignore_regex: .*ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" - matches: ignore - -- name: Log match - PCRE2 regex, ignore and restrict tags - description: Test Restrict + Ignore tags both with pcre2 regex. Log matches both - configuration_parameters: - RESTRICT_REGEX: .*restrict - IGNORE_REGEX: .*ignore - RESTRICT_TYPE: PCRE2 - IGNORE_TYPE: PCRE2 - metadata: - restrict_regex: .*restrict - ignore_regex: .*ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" - matches: ignore - restrict - -- name: No log match - Ignore and restrict tags with PCRE2 regex - description: Test Restrict + Ignore tags both with pcre2 regex. Log matches None - configuration_parameters: - RESTRICT_REGEX: .*restrict - IGNORE_REGEX: .*ignore - RESTRICT_TYPE: PCRE2 - IGNORE_TYPE: PCRE2 - metadata: - restrict_regex: .*restrict - ignore_regex: .*ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: None - # Test osregex -- name: Matches with restrict tag - Ignore and restrict tags with osregex regex - description: Test Restrict + Ignore tags both with osregex regex. 
Log matches restrict - configuration_parameters: - RESTRICT_REGEX: \.restrict - IGNORE_REGEX: \.ignore - RESTRICT_TYPE: osregex - IGNORE_TYPE: osregex - metadata: - restrict_regex: \\.restrict - ignore_regex: \\.ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" - matches: restrict - - name: Matches with ignore tag - Ignore and restrict tags with osregex regex description: Test Restrict + Ignore tags both with osregex regex. Log matches ignore configuration_parameters: 
@@ -78,59 +26,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Log match - Ignore and restrict tags with osregex regex - description: Test Restrict + Ignore tags both with osregex regex. Log matches both - configuration_parameters: - RESTRICT_REGEX: \.restrict - IGNORE_REGEX: \.ignore - RESTRICT_TYPE: osregex - IGNORE_TYPE: osregex - metadata: - restrict_regex: \\.restrict - ignore_regex: \\.ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" - matches: ignore - restrict - -- name: No log match - Ignore and restrict tags with osregex regex - description: Test Restrict + Ignore tags both with osregex regex. Log matches None - configuration_parameters: - RESTRICT_REGEX: \.restrict - IGNORE_REGEX: \.ignore - RESTRICT_TYPE: osregex - IGNORE_TYPE: osregex - metadata: - restrict_regex: \\.restrict - ignore_regex: \\.ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: None - # Test osmatch -- name: Matches with restrict tag - Ignore and restrict tags with osmatch regex - description: Test Restrict + Ignore tags both with osmatch regex. Log matches restrict - configuration_parameters: - RESTRICT_REGEX: restrict$ - IGNORE_REGEX: ignore - RESTRICT_TYPE: osmatch - IGNORE_TYPE: osmatch - metadata: - restrict_regex: restrict\$ - ignore_regex: ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" - matches: restrict - -- name: Matches with ignore tag - Ignore and restrict tags with osmatch regex - description: Test Restrict + Ignore tags both with osmatch regex. 
Log matches ignore - configuration_parameters: - RESTRICT_REGEX: restrict$ - IGNORE_REGEX: ignore - RESTRICT_TYPE: osmatch - IGNORE_TYPE: osmatch - metadata: - restrict_regex: restrict\$ - ignore_regex: ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" - matches: ignore - - name: Log match - Ignore and restrict tags with osmatch regex description: Test Restrict + Ignore tags both with osmatch regex. Log matches both configuration_parameters: @@ -144,19 +40,6 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict -- name: No log match - Ignore and restrict tags with osmatch regex - description: Test Restrict + Ignore tags both with osmatch regex. Log matches None - configuration_parameters: - RESTRICT_REGEX: restrict$ - IGNORE_REGEX: ignore - RESTRICT_TYPE: osmatch - IGNORE_TYPE: osmatch - metadata: - restrict_regex: restrict\$ - ignore_regex: ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: None - # Test pcre2 + osregex - name: Matches with restrict tag - Ignore and restrict tags with pcre2 and osregex regex description: Test Restrict + Ignore tags (pcre2+osregex). Log matches restrict 
@@ -171,59 +54,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" matches: restrict -- name: Matches with ignore tag - Ignore and restrict tags with pcre2 and osregex regex - description: Test Restrict + Ignore tags (pcre2+osregex). Log matches ignore - configuration_parameters: - RESTRICT_REGEX: .*restrict - IGNORE_REGEX: \.ignore - RESTRICT_TYPE: pcre2 - IGNORE_TYPE: osregex - metadata: - restrict_regex: .*restrict - ignore_regex: \\.ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" - matches: ignore - -- name: Log match - Ignore and restrict tags with pcre2 and osregex regex - description: Test Restrict + Ignore tags (pcre2+osregex). Log matches both - configuration_parameters: - RESTRICT_REGEX: .*restrict - IGNORE_REGEX: \.ignore - RESTRICT_TYPE: pcre2 - IGNORE_TYPE: osregex - metadata: - restrict_regex: .*restrict - ignore_regex: \\.ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" - matches: ignore - restrict - -- name: No log match - Ignore and restrict tags with pcre2 and osregex regex - description: Test Restrict + Ignore tags (pcre2+osregex). Log matches None - configuration_parameters: - RESTRICT_REGEX: .*restrict - IGNORE_REGEX: \.ignore - RESTRICT_TYPE: pcre2 - IGNORE_TYPE: osregex - metadata: - restrict_regex: .*restrict - ignore_regex: \\.ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: None - # Test pcre2 + osmatch -- name: Matches with restrict tag - Ignore and restrict tags with pcre2 and osmatch regex - description: Test Restrict + Ignore tags (pcre2+osmatch). 
Log matches restrict - configuration_parameters: - RESTRICT_REGEX: .*restrict - IGNORE_REGEX: ignore - RESTRICT_TYPE: pcre2 - IGNORE_TYPE: osmatch - metadata: - restrict_regex: .*restrict - ignore_regex: ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" - matches: restrict - - name: Matches with ignore tag - Ignore and restrict tags with pcre2 and osmatch regex description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches ignore configuration_parameters: 
@@ -237,59 +68,7 @@ log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" matches: ignore -- name: Log match - Ignore and restrict tags with pcre2 and osmatch regex - description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches both - configuration_parameters: - RESTRICT_REGEX: .*restrict - IGNORE_REGEX: ignore - RESTRICT_TYPE: pcre2 - IGNORE_TYPE: osmatch - metadata: - restrict_regex: .*restrict - ignore_regex: ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" - matches: ignore - restrict - -- name: No log match - Ignore and restrict tags with pcre2 and osmatch regex - description: Test Restrict + Ignore tags (pcre2+osmatch). Log matches None - configuration_parameters: - RESTRICT_REGEX: .*restrict - IGNORE_REGEX: ignore - RESTRICT_TYPE: pcre2 - IGNORE_TYPE: osmatch - metadata: - restrict_regex: .*restrict - ignore_regex: ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: None - # Test osmatch + osregex -- name: Matches with restrict tag - Ignore and restrict tags with osregex and osmatch regex - description: Test Restrict + Ignore tags (osregex+osmatch). Log matches restrict - configuration_parameters: - RESTRICT_REGEX: \.restrict - IGNORE_REGEX: ignore - RESTRICT_TYPE: osregex - IGNORE_TYPE: osmatch - metadata: - restrict_regex: \\.restrict - ignore_regex: ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches restrict" - matches: restrict - -- name: Matches with ignore tag - Ignore and restrict tags with osregex and osmatch regex - description: Test Restrict + Ignore tags (osregex+osmatch). 
Log matches ignore - configuration_parameters: - RESTRICT_REGEX: \.restrict - IGNORE_REGEX: ignore - RESTRICT_TYPE: osregex - IGNORE_TYPE: osmatch - metadata: - restrict_regex: \\.restrict - ignore_regex: ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore" - matches: ignore - - name: Log match - Ignore and restrict tags with osregex and osmatch regex description: Test Restrict + Ignore tags (osregex+osmatch). Log matches both configuration_parameters: @@ -302,16 +81,3 @@ ignore_regex: ignore log_sample: "Nov 10 12:19:04 localhost sshd: log matches ignore restrict" matches: ignore - restrict - -- name: No log match - Ignore and restrict tags with osregex and osmatch regex - description: Test Restrict + Ignore tags (osregex+osmatch). Log matches None - configuration_parameters: - RESTRICT_REGEX: \.restrict - IGNORE_REGEX: ignore - RESTRICT_TYPE: osregex - IGNORE_TYPE: osmatch - metadata: - restrict_regex: \\.restrict - ignore_regex: ignore - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: None diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml deleted file mode 100644 index 0495f4cd83..0000000000 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_default.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -- name: Log match - Default regex and restrict tag - description: Test Restrict with default regex, with matching log - configuration_parameters: - REGEX: .+test - metadata: - regex: .+test - log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: true - -- name: No log match - Default regex and restrict tag - description: Test Restrict with default regex, with not matching log - configuration_parameters: - REGEX: .+test - metadata: - regex: .+test - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: false diff --git a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml b/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml deleted file mode 100644 index d5d09fd9a6..0000000000 --- a/tests/integration/test_logcollector/test_log_filter_options/data/test_cases/cases_restrict_regex_type_values.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -- name: Log match - PCRE2 regex and restrict tag - description: Test Restrict with PCRE2 regex, with matching log - configuration_parameters: - REGEX: .*test - REGEX_TYPE: PCRE2 - metadata: - regex: .*test - regex_type: PCRE2 - log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: true - -- name: No log match - PCRE2 regex and restrict tag - description: Test Restrict with PCRE2 regex, with not matching log - configuration_parameters: - REGEX: .*test - REGEX_TYPE: PCRE2 - metadata: - regex: .*test - regex_type: PCRE2 - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: false - -- name: Log match - osmatch regex and restrict tag - description: Test Restrict with osmatch regex, with matching log - configuration_parameters: - REGEX: test$ - REGEX_TYPE: osmatch - metadata: - regex: test\$ - regex_type: osmatch - log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: true - -- name: No log match - osmatch regex and restrict tag - description: Test Restrict with osmatch regex, with not matching log - configuration_parameters: - REGEX: test$ - REGEX_TYPE: osmatch - metadata: - regex: test\$ - regex_type: osmatch - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: false - -- name: Log match - osregex regex and restrict tag - description: Test Restrict with osregex regex, with matching log - configuration_parameters: - REGEX: \.test - REGEX_TYPE: osregex - metadata: - regex: \\.test - regex_type: osregex - log_sample: "Nov 10 12:19:04 localhost sshd: log matches test" - matches: true - -- name: No log match - osregex regex and restrict tag - description: Test Restrict with osregex regex, with not matching log - configuration_parameters: - REGEX: \.test - REGEX_TYPE: osregex - metadata: - regex: \\.test - regex_type: osregex - log_sample: "Nov 10 12:19:04 localhost sshd: log does not match" - matches: false 
diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py index 55f31e81b2..bc1c5546dd 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py 
@@ -70,210 +70,25 @@ # Test configurations and cases data test_file = os.path.join(PREFIX, 'test') -# --------------------------------TEST_IGNORE_DEFAULT-------------------------------------------- -t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_default.yaml') -t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_default.yaml') - -t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) -for count, value in enumerate(t1_configuration_parameters): - t1_configuration_parameters[count]['LOCATION'] = test_file -t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, - t1_configuration_metadata) - -# --------------------------------TEST_IGNORE_REGEX_TYPE_VALUES-------------------------------------- -t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_regex_type_values.yaml') -t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_regex_type_values.yaml') - -t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) -for count, value in enumerate(t2_configuration_parameters): - t2_configuration_parameters[count]['LOCATION'] = test_file -t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, - t2_configuration_metadata) # --------------------------------TEST_IGNORE_MULTIPLE_REGEX------------------------------------------- -t3_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_multiple_regex.yaml') -t3_cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_multiple_regex.yaml') +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_ignore_multiple_regex.yaml') +cases_path = os.path.join(TEST_CASES_PATH, 'cases_ignore_multiple_regex.yaml') -t3_configuration_parameters, t3_configuration_metadata, t3_case_ids = get_test_cases_data(t3_cases_path) -for count, value 
in enumerate(t3_configuration_parameters): - t3_configuration_parameters[count]['LOCATION'] = test_file -t3_configurations = load_configuration_template(t3_configurations_path, t3_configuration_parameters, - t3_configuration_metadata) +configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) +for count, value in enumerate(configuration_parameters): + configuration_parameters[count]['LOCATION'] = test_file +configurations = load_configuration_template(configurations_path, configuration_parameters, + configuration_metadata) prefix = lc.LOG_COLLECTOR_PREFIX local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS # Tests -@pytest.mark.tier(level=0) -@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) -@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) -def test_ignore_default(configuration, metadata, new_file_path, create_file, truncate_monitored_files, - set_wazuh_configuration, configure_local_internal_options_function, restart_wazuh_function): - ''' - description: Check if logcollector reads or ignores a log according to a regex configured in the ignored tag for a - given log file. - - test_phases: - - Set a custom Wazuh configuration. - - Restart monitord. - - Insert the log message. - - Check expected response. - - wazuh_min_version: 4.5.0 - - tier: 0 - - parameters: - - configuration: - type: dict - brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. - - metadata: - type: dict - brief: Wazuh configuration metadata - - new_file_path: - type: str - brief: path for the log file to be created and deleted after the test. - - create_file: - type: fixture - brief: Create an empty file for logging - - truncate_monitored_files: - type: fixture - brief: Truncate all the log files and json alerts files before and after the test execution. 
- - set_wazuh_configuration: - type: fixture - brief: Set the wazuh configuration according to the configuration data. - - configure_local_internal_options: - type: fixture - brief: Configure the local_internal_options file. - - restart_wazuh_function: - type: fixture - brief: Restart wazuh. - - assertions: - - Check that logcollector is analyzing the log file. - - Check that logs are ignored when they match with configured regex - - input_description: - - The `configuration_ignore_regex_default.yaml` file provides the module configuration for this test. - - The `cases_ignore_regex_default` file provides the test cases. - - expected_output: - - r".*wazuh-logcollector.*Analizing file: '{file}'.*" - - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" - - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" - ''' - log = metadata['log_sample'] - command = f"echo {log}>> {test_file}" - - if sys.platform == 'win32': - file = re.escape(test_file) - else: - file = test_file - - # Check log file is being analyzed - evm.check_analyzing_file(file=file, prefix=prefix) - # Insert log - run_local_command_returning_output(command) - - # Check the log is read from the monitored file - evm.check_syslog_messages(message=log, prefix=prefix) - - # Check response - if metadata['matches'] is not True: - evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex'], tag='ignore', prefix=prefix) - - else: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', - prefix=prefix) - - @pytest.mark.tier(level=1) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) -@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) -def test_ignore_regex_type_values(configuration, metadata, new_file_path, create_file, truncate_monitored_files, - set_wazuh_configuration, configure_local_internal_options_function, - 
restart_wazuh_function): - ''' - description: Check if logcollector reads or ignores a log according to a regex configured in the ignored tag for a - given log file, , with each configured value for the ignore 'type' attribute value configured. - - test_phases: - - Set a custom Wazuh configuration. - - Restart monitord. - - Insert the log message. - - Check expected response. - - wazuh_min_version: 4.5.0 - - tier: 1 - - parameters: - - configuration: - type: dict - brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. - - metadata: - type: dict - brief: Wazuh configuration metadata - - new_file_path: - type: str - brief: path for the log file to be created and deleted after the test. - - create_file: - type: fixture - brief: Create an empty file for logging - - truncate_monitored_files: - type: fixture - brief: Truncate all the log files and json alerts files before and after the test execution. - - set_wazuh_configuration: - type: fixture - brief: Set the wazuh configuration according to the configuration data. - - configure_local_internal_options: - type: fixture - brief: Configure the local_internal_options file. - - restart_wazuh_function: - type: fixture - brief: Restart wazuh. - - assertions: - - Check that logcollector is analyzing the log file. - - Check that logs are ignored when they match with configured regex - - input_description: - - The `configuration_ignore_regex_values.yaml` file provides the module configuration for this test. - - The `cases_ignore_regex_values` file provides the test cases. 
- - expected_output: - - r".*wazuh-logcollector.*Analizing file: '{file}'.*" - - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" - - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" - ''' - log = metadata['log_sample'] - command = f"echo {log}>> {test_file}" - - if sys.platform == 'win32': - file = re.escape(test_file) - else: - file = test_file - - # Check log file is being analized - evm.check_analyzing_file(file=file, prefix=prefix) - # Insert log - run_local_command_returning_output(command) - - # Check the log is read from the monitored file - evm.check_syslog_messages(message=log, prefix=prefix) - - # Check response - if metadata['matches'] is not True: - evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex'], tag='ignore', prefix=prefix) - else: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='ignore', - prefix=prefix) - - -@pytest.mark.tier(level=1) -@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) -@pytest.mark.parametrize('configuration, metadata', zip(t3_configurations, t3_configuration_metadata), ids=t3_case_ids) +@pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) def test_ignore_multiple_regex(configuration, metadata, new_file_path, create_file, truncate_monitored_files, set_wazuh_configuration, configure_local_internal_options_function, restart_wazuh_function): @@ -332,10 +147,7 @@ def test_ignore_multiple_regex(configuration, metadata, new_file_path, create_fi log = metadata['log_sample'] command = f"echo {log}>> {test_file}" - if sys.platform == 'win32': - file = re.escape(test_file) - else: - file = test_file + file = re.escape(test_file) if sys.platform == 'win32' else test_file # Check log file is being analized evm.check_analyzing_file(file=file, prefix=prefix) 
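Review bot: The renamed setup loop `for count, value in enumerate(configuration_parameters): configuration_parameters[count]['LOCATION'] = test_file` still indexes back into the list and leaves `value` unused, although `value` is the very dict being mutated; `for params in configuration_parameters: params['LOCATION'] = test_file` expresses the same thing without the index. The identical loop is carried over unchanged in the test_restrict_regex.py hunk at -72,209 of this patch. The `# ----TEST_IGNORE_MULTIPLE_REGEX----` banner now heads the only remaining test-data section, so it reads as a leftover of the t1/t2/t3 layout and could be dropped or reduced to a one-line comment.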
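Review bot: The new one-liner `file = re.escape(test_file) if sys.platform == 'win32' else test_file` escapes the path only on Windows, yet the result is passed to `evm.check_analyzing_file`, whose signature has no `escape` parameter and which presumably interpolates `file` into the `Analizing file: '{file}'` regex on every platform. `re.escape` leaves `/` and alphanumerics untouched on Python 3.7+, so `file = re.escape(test_file)` is equivalent for the default POSIX path, stays correct if `PREFIX` ever contains a regex metacharacter, and removes the platform branch. The same construct is added in the test_restrict_ignore_regex.py hunk at -148,10. test_ignore_multiple_regex continues outside the hunk.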
diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py index a6483cabf7..ea3c0e5e07 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py @@ -60,6 +60,7 @@ from wazuh_testing.tools import PREFIX from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data +from wazuh_testing.tools.services import get_service from wazuh_testing.modules.logcollector import event_monitor as evm from wazuh_testing.modules import logcollector as lc @@ -148,10 +149,7 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr log = metadata['log_sample'] command = f"echo {log}>> {test_file}" - if sys.platform == 'win32': - file = re.escape(test_file) - else: - file = test_file + file = re.escape(test_file) if sys.platform == 'win32' else test_file # Check log file is being analized evm.check_analyzing_file(file=file, prefix=prefix) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py index b5149f0f0f..fdc9965fd5 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py 
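Review bot: The added `from wazuh_testing.tools.services import get_service` is not referenced by any line visible in this file's hunks, and the sibling test_ignore_regex.py and test_restrict_regex.py changes in the same patch do not add it. If it is not used elsewhere in the module it is an unused import (flake8 F401) and should be dropped; if it is used, a one-line comment at the use site saying why this test needs to resolve the service name would help, since the other filter tests get by without it.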
@@ -72,209 +72,23 @@ # Test configurations and cases data test_file = os.path.join(PREFIX, 'test') -# --------------------------------TEST_DEFAULT_REGEX-------------------------------------------------- -t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_default.yaml') -t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_default.yaml') - -t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) -for count, value in enumerate(t1_configuration_parameters): - t1_configuration_parameters[count]['LOCATION'] = test_file -t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, - t1_configuration_metadata) - -# --------------------------------TEST_RESTRICT_REGEX_TYPE_VALUES-------------------------------------- -t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_regex_type_values.yaml') -t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_regex_type_values.yaml') - -t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) -for count, value in enumerate(t2_configuration_parameters): - t2_configuration_parameters[count]['LOCATION'] = test_file -t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, - t2_configuration_metadata) - - # --------------------------------TEST_RESTRICT_MULTIPLE_REGEX------------------------------------------- -t3_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_multiple_regex.yaml') -t3_cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_multiple_regex.yaml') - -t3_configuration_parameters, t3_configuration_metadata, t3_case_ids = get_test_cases_data(t3_cases_path) -for count, value in enumerate(t3_configuration_parameters): - t3_configuration_parameters[count]['LOCATION'] = test_file -t3_configurations = 
load_configuration_template(t3_configurations_path, t3_configuration_parameters, - t3_configuration_metadata) +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_restrict_multiple_regex.yaml') +cases_path = os.path.join(TEST_CASES_PATH, 'cases_restrict_multiple_regex.yaml') + +configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) +for count, value in enumerate(configuration_parameters): + configuration_parameters[count]['LOCATION'] = test_file +configurations = load_configuration_template(configurations_path, configuration_parameters, + configuration_metadata) prefix = lc.LOG_COLLECTOR_PREFIX local_internal_options = lc.LOGCOLLECTOR_DEFAULT_LOCAL_INTERNAL_OPTIONS # Tests -@pytest.mark.tier(level=0) -@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) -@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) -def test_restrict_default(configuration, metadata, new_file_path, create_file, truncate_monitored_files, - set_wazuh_configuration, configure_local_internal_options_function, restart_wazuh_function): - ''' - description: Check if logcollector reads or ignores a log according to a regex configured in the restrict tag for a - given log file. - - test_phases: - - Set a custom Wazuh configuration. - - Restart monitord. - - Insert the log message. - - Check expected response. - - wazuh_min_version: 4.5.0 - - tier: 0 - - parameters: - - configuration: - type: dict - brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. - - metadata: - type: dict - brief: Wazuh configuration metadata - - new_file_path: - type: str - brief: path for the log file to be created and deleted after the test. - - create_file: - type: fixture - brief: Create an empty file for logging - - truncate_monitored_files: - type: fixture - brief: Truncate all the log files and json alerts files before and after the test execution. 
- - set_wazuh_configuration: - type: fixture - brief: Set the wazuh configuration according to the configuration data. - - configure_local_internal_options: - type: fixture - brief: Configure the local_internal_options file. - - restart_wazuh_function: - type: fixture - brief: Restart wazuh. - - assertions: - - Check that logcollector is analyzing the log file. - - Check that logs are ignored when they do not match with configured regex - - input_description: - - The `configuration_restrict_regex_default.yaml` file provides the module configuration for this test. - - The `cases_restrict_regex_default` file provides the test cases. - - expected_output: - - r".*wazuh-logcollector.*Analizing file: '{file}'.*" - - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" - - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" - ''' - log = metadata['log_sample'] - command = f"echo {log}>> {test_file}" - - if sys.platform == 'win32': - file = re.escape(test_file) - else: - file = test_file - - # Check log file is being analized - evm.check_analyzing_file(file=file, prefix=prefix) - - # Insert log - run_local_command_returning_output(command) - # Check the log is read from the monitored file - evm.check_syslog_messages(message=log, prefix=prefix) - # Check response - if metadata['matches']: - evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex'], tag='restrict', - prefix=prefix) - else: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', - prefix=prefix) - - -@pytest.mark.tier(level=1) -@pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) -@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) -def test_restrict_regex_type_values(configuration, metadata, new_file_path, create_file, truncate_monitored_files, - set_wazuh_configuration, configure_local_internal_options_function, - 
restart_wazuh_function): - ''' - description: Check if logcollector reads or ignores a log according to a regex configured in the restrict tag for a - given log file, with each configured value for the restrict 'type' attribute value configured. - - test_phases: - - Set a custom Wazuh configuration. - - Restart monitord. - - Insert the log message. - - Check expected response. - - wazuh_min_version: 4.5.0 - - tier: 1 - - parameters: - - configuration: - type: dict - brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture. - - metadata: - type: dict - brief: Wazuh configuration metadata - - new_file_path: - type: str - brief: path for the log file to be created and deleted after the test. - - create_file: - type: fixture - brief: Create an empty file for logging - - truncate_monitored_files: - type: fixture - brief: Truncate all the log files and json alerts files before and after the test execution. - - set_wazuh_configuration: - type: fixture - brief: Set the wazuh configuration according to the configuration data. - - configure_local_internal_options: - type: fixture - brief: Configure the local_internal_options file. - - restart_wazuh_function: - type: fixture - brief: Restart wazuh. - - assertions: - - Check that logcollector is analyzing the log file. - - Check that logs are ignored when they do not match with configured regex - - input_description: - - The `configuration_restrict_regex_values.yaml` file provides the module configuration for this test. - - The `cases_restrict_regex_values` file provides the test cases. 
- - expected_output: - - r".*wazuh-logcollector.*Analizing file: '{file}'.*" - - r".*wazuh-logcollector.*DEBUG: Reading syslog '{message}'.*" - - r".*wazuh-logcollector.*DEBUG: Ignoring the log line '{message}' due to {tag} config: '{regex}'" - ''' - log = metadata['log_sample'] - command = f"echo {log}>> {test_file}" - - if sys.platform == 'win32': - file = re.escape(test_file) - else: - file = test_file - - # Check log file is being analized - evm.check_analyzing_file(file=file, prefix=prefix) - - # Insert log - run_local_command_returning_output(command) - # Check the log is read from the monitored file - evm.check_syslog_messages(message=log, prefix=prefix) - # Check response - if metadata['matches']: - evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex'], - tag='restrict', prefix=prefix) - else: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex'], tag='restrict', - prefix=prefix) - - @pytest.mark.tier(level=1) @pytest.mark.parametrize('new_file_path,', [test_file], ids=['']) -@pytest.mark.parametrize('configuration, metadata', zip(t3_configurations, t3_configuration_metadata), ids=t3_case_ids) +@pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) def test_restrict_multiple_regex(configuration, metadata, new_file_path, create_file, truncate_monitored_files, set_wazuh_configuration, configure_local_internal_options_function, restart_wazuh_function): From 16549a24c6fb60f09d71951f4b9c1c7b68894468 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 15 Dec 2022 16:58:47 -0300 Subject: [PATCH 32/34] style(#3480): fix function names and spacing --- .../modules/logcollector/event_monitor.py | 15 ++++++++++----- .../test_log_filter_options/test_ignore_regex.py | 6 +++--- .../test_restrict_ignore_regex.py | 6 +++--- .../test_restrict_regex.py | 8 ++++---- .../test_only_future_events.py | 12 ++++++------ 5 files changed, 26 insertions(+), 21 deletions(-) 
diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py index cde8f913ae..7e87ab5159 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py @@ -73,8 +73,9 @@ def check_analyzing_file(file, prefix, error_message=None, file_monitor=None): error_message=error_message, prefix=prefix) -def check_syslog_messages(message, prefix, error_message=None, file_monitor=None, timeout=T_30, escape=False): +def check_syslog_message(message, prefix, error_message=None, file_monitor=None, timeout=T_30, escape=False): """Create a callback to detect "DEBUG: Read lines from command " debug line. + Args: message (str): Command to be monitored. error_message (str): Error message. @@ -92,9 +93,10 @@ def check_syslog_messages(message, prefix, error_message=None, file_monitor=None error_message=error_message, prefix=prefix, escape=escape) -def check_ignore_restrict_messages(message, regex, tag, prefix, error_message=None, file_monitor=None, timeout=T_10, +def check_ignore_restrict_message(message, regex, tag, prefix, error_message=None, file_monitor=None, timeout=T_10, escape=False): """Create a callback to detect "DEBUG: Ignoring the log ... due to config" debug line. + Args: message (str): Command to be monitored. regex (str): regex pattern configured to ignore or restrict to. @@ -104,6 +106,8 @@ def check_ignore_restrict_messages(message, regex, tag, prefix, error_message=No file_monitor (FileMonitor): Log monitor. timeout (int): Timeout to check the log. escape (bool): Flag to escape special characters in the pattern. + + Returns: True if the expected message has been found, False otherwise. """ if error_message is None: error_message = f"Did not receive the expected 'Ignoring the log line: {message} due to {tag} config' event" 
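Review bot: The docstring being edited in `check_syslog_message` still describes a different event: it says it detects the `"DEBUG: Read lines from command "` line and documents `message (str): Command to be monitored.`, while every caller in this patch passes a syslog log line (`evm.check_syslog_message(message=log, prefix=prefix)`) and the removed test docstrings expect `DEBUG: Reading syslog '{message}'`. Since the rename commit already touches this docstring, it is the place to correct it, e.g. `"""Check that the "DEBUG: Reading syslog '<message>'" debug line has been logged.` and `message (str): Log line expected to be read by logcollector.` The function body is outside the hunk, so the exact pattern it matches should be confirmed against it before rewording.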
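Review bot: The added `Returns: True if the expected message has been found, False otherwise.` in `check_ignore_restrict_message` looks inaccurate: the sibling `check_ignore_restrict_message_not_found` (hunk -115,15 below) wraps this call in `pytest.raises(TimeoutError)`, which indicates that a missing event raises rather than returning False. If that is the behaviour, keep Returns for the found case only and add `Raises: TimeoutError: if the event is not logged within the timeout.` The part of the body that performs the wait is outside the hunk.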
@@ -115,15 +119,16 @@ def check_ignore_restrict_messages(message, regex, tag, prefix, error_message=No def check_ignore_restrict_message_not_found(message, regex, tag, prefix): - '''Check that an unexpected "Ignoring the log line..." event does not appear and a log is not ignored when it + """Check that an unexpected "Ignoring the log line..." event does not appear and a log is not ignored when it does not match the regex. + Args: message (str): Message to be monitored. regex (str): regex pattern configured to ignore or restrict to. tag (str): string with the configured tag. Values: 'ignore' or 'restrict' prefix (str): Daemon that generates the error log. - ''' + """ log_found = False with pytest.raises(TimeoutError): - log_found = check_ignore_restrict_messages(message=message, regex=regex, tag=tag, prefix=prefix) + log_found = check_ignore_restrict_message(message=message, regex=regex, tag=tag, prefix=prefix) assert log_found is False, ERR_MSG_UNEXPECTED_IGNORE_EVENT diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py index bc1c5546dd..8d1d7a8574 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py 
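Review bot: In `check_ignore_restrict_message_not_found` the `log_found = False` / `assert log_found is False, ERR_MSG_UNEXPECTED_IGNORE_EVENT` bookkeeping around `pytest.raises(TimeoutError)` is dead: if the call raises, `log_found` is never reassigned, and if it returns, `pytest.raises` has already failed the test with its own "DID NOT RAISE" message, so `ERR_MSG_UNEXPECTED_IGNORE_EVENT` can never be reported. Catching the timeout explicitly and failing otherwise keeps the custom message and drops the flag, as below. The freshly reformatted docstring could also note that, because the call uses the default `timeout=T_10`, the success path of this check presumably always waits the full timeout, which matters when reading test durations.
```python
def check_ignore_restrict_message_not_found(message, regex, tag, prefix):
    # … unchanged: docstring …
    try:
        check_ignore_restrict_message(message=message, regex=regex, tag=tag, prefix=prefix)
    except TimeoutError:
        return
    pytest.fail(ERR_MSG_UNEXPECTED_IGNORE_EVENT)
```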
@@ -155,14 +155,14 @@ def test_ignore_multiple_regex(configuration, metadata, new_file_path, create_fi run_local_command_returning_output(command) # Check the log is read from the monitored file - evm.check_syslog_messages(message=log, prefix=prefix) + evm.check_syslog_message(message=log, prefix=prefix) # Check response if 'regex1' in metadata['matches']: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='ignore', prefix=prefix) + evm.check_ignore_restrict_message(message=log, regex=metadata['regex1'], tag='ignore', prefix=prefix) evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='ignore', prefix=prefix) elif metadata['matches'] == 'regex2': - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex2'], tag='ignore', prefix=prefix) + evm.check_ignore_restrict_message(message=log, regex=metadata['regex2'], tag='ignore', prefix=prefix) evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex1'], tag='ignore', prefix=prefix) else: evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex1'], tag='ignore', prefix=prefix) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py index ea3c0e5e07..184eb9fe61 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py 
@@ -157,12 +157,12 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr # Insert log run_local_command_returning_output(command) # Check the log is read from the monitored file - evm.check_syslog_messages(message=log, prefix=prefix) + evm.check_syslog_message(message=log, prefix=prefix) # Check responses # If it matches with ignore, it should ignore the log due to ignore config if 'ignore' in metadata['matches']: - evm.check_ignore_restrict_messages(message=log, regex=metadata['ignore_regex'], tag='ignore', + evm.check_ignore_restrict_message(message=log, regex=metadata['ignore_regex'], tag='ignore', prefix=prefix) if 'restrict' in metadata['matches']: evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['restrict_regex'], tag='restrict', @@ -179,5 +179,5 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr else: evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['ignore_regex'], tag='ignore', prefix=prefix) - evm.check_ignore_restrict_messages(message=log, regex=metadata['restrict_regex'], tag='restrict', + evm.check_ignore_restrict_message(message=log, regex=metadata['restrict_regex'], tag='restrict', prefix=prefix) diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py index fdc9965fd5..bd034683ff 100644 --- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py +++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py @@ -158,7 +158,7 @@ def test_restrict_multiple_regex(configuration, metadata, new_file_path, create_ run_local_command_returning_output(command) # Check the log is read from the monitored file - evm.check_syslog_messages(message=log, prefix=prefix) + evm.check_syslog_message(message=log, prefix=prefix) # Check response if 'regex1' in metadata['matches']: 
@@ -168,10 +168,10 @@ def test_restrict_multiple_regex(configuration, metadata, new_file_path, create_ evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='restrict', prefix=prefix) else: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex2'], tag='restrict', prefix=prefix) + evm.check_ignore_restrict_message(message=log, regex=metadata['regex2'], tag='restrict', prefix=prefix) elif metadata['matches'] == 'regex2': evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['regex2'], tag='restrict', prefix=prefix) - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='restrict', prefix=prefix) + evm.check_ignore_restrict_message(message=log, regex=metadata['regex1'], tag='restrict', prefix=prefix) else: - evm.check_ignore_restrict_messages(message=log, regex=metadata['regex1'], tag='restrict', prefix=prefix) + evm.check_ignore_restrict_message(message=log, regex=metadata['regex1'], tag='restrict', prefix=prefix) diff --git a/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py b/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py index 4ce8e5ca69..3f00df1245 100644 --- a/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py +++ b/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py @@ -214,7 +214,7 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, # Check that the last written line has been read by logcollector last_line = current_line + 1 message = f"{LOG_LINE}{last_line}" - evm.check_syslog_messages(file_monitor=log_monitor, message=message, + evm.check_syslog_message(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, timeout=T_10, escape=False) # Stop logcollector daemon 
@@ -231,12 +231,12 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, if metadata['only_future_events'] == 'no': # Check first log line message = f"{LOG_LINE}{first_next_line}" - evm.check_syslog_messages(file_monitor=log_monitor, message=message, + evm.check_syslog_message(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, timeout=T_20, escape=False) # Check last log line message = f"{LOG_LINE}{current_line + 1}" - evm.check_syslog_messages(file_monitor=log_monitor, message=message, + evm.check_syslog_message(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, timeout=T_20, escape=False) # if only_future_events yes, logcollector should NOT detect the log lines written while it was stopped @@ -245,7 +245,7 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, # Check that the first written line is not read with pytest.raises(TimeoutError): message = f"{LOG_LINE}{first_next_line}" - evm.check_syslog_messages(file_monitor=log_monitor, message=message, + evm.check_syslog_message(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, timeout=T_10, escape=False) @@ -253,7 +253,7 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, with pytest.raises(TimeoutError): # Check last line message = f"{LOG_LINE}{current_line + 1}" - evm.check_syslog_messages(file_monitor=log_monitor, message=message, + evm.check_syslog_message(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, timeout=T_10, escape=False) 
@@ -261,6 +261,6 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration, current_line = logcollector.add_log_data(log_path=metadata['location'], log_line_message=LOG_LINE, size_kib=1, line_start=current_line + 1, print_line_num=True) message = f"{LOG_LINE}{current_line + 1}" - evm.check_syslog_messages(file_monitor=log_monitor, message=message, + evm.check_syslog_message(file_monitor=log_monitor, message=message, error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix, timeout=T_10, escape=False) From 8eab9a7e93967793d4ec38275bc03fdf1250296a Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 15 Dec 2022 17:04:36 -0300 Subject: [PATCH 33/34] style(#3480): fix indentation --- .../modules/logcollector/event_monitor.py | 10 ++++---- .../test_restrict_ignore_regex.py | 4 ++-- .../test_only_future_events.py | 24 +++++++++---------- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py index 7e87ab5159..2bb0b87fc8 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/logcollector/event_monitor.py @@ -75,7 +75,7 @@ def check_analyzing_file(file, prefix, error_message=None, file_monitor=None): def check_syslog_message(message, prefix, error_message=None, file_monitor=None, timeout=T_30, escape=False): """Create a callback to detect "DEBUG: Read lines from command " debug line. - + Args: message (str): Command to be monitored. error_message (str): Error message. 
@@ -94,9 +94,9 @@ def check_syslog_message(message, prefix, error_message=None, file_monitor=None,
 
 
 def check_ignore_restrict_message(message, regex, tag, prefix, error_message=None, file_monitor=None, timeout=T_10,
- escape=False):
+ escape=False):
 """Create a callback to detect "DEBUG: Ignoring the log ... due to config" debug line.
-
+
 Args:
 message (str): Command to be monitored.
 regex (str): regex pattern configured to ignore or restrict to.
@@ -106,7 +106,7 @@ def check_ignore_restrict_message(message, regex, tag, prefix, error_message=Non
 file_monitor (FileMonitor): Log monitor.
 timeout (int): Timeout to check the log.
 escape (bool): Flag to escape special characters in the pattern.
-
+
 Returns:
 True if the expected message has been found, False otherwise. """
 if error_message is None:
@@ -121,7 +121,7 @@ def check_ignore_restrict_message(message, regex, tag, prefix, error_message=Non
 def check_ignore_restrict_message_not_found(message, regex, tag, prefix):
 """Check that an unexpected "Ignoring the log line..." event does not appear and a log is not ignored when it
 does not match the regex.
-
+
 Args:
 message (str): Message to be monitored.
 regex (str): regex pattern configured to ignore or restrict to.
diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py
index 184eb9fe61..6ec1bd88e2 100644
--- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py
+++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py
@@ -163,7 +163,7 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr
 # If it matches with ignore, it should ignore the log due to ignore config
 if 'ignore' in metadata['matches']:
 evm.check_ignore_restrict_message(message=log, regex=metadata['ignore_regex'], tag='ignore',
- prefix=prefix)
+ prefix=prefix)
 if 'restrict' in metadata['matches']:
 evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['restrict_regex'], tag='restrict',
 prefix=prefix)
@@ -180,4 +180,4 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr
 evm.check_ignore_restrict_message_not_found(message=log, regex=metadata['ignore_regex'], tag='ignore',
 prefix=prefix)
 evm.check_ignore_restrict_message(message=log, regex=metadata['restrict_regex'], tag='restrict',
- prefix=prefix)
+ prefix=prefix)
diff --git a/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py b/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py
index 3f00df1245..f96bb1052d 100644
--- a/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py
+++ b/tests/integration/test_logcollector/test_only_future_events/test_only_future_events.py
@@ -215,8 +215,8 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration,
 last_line = current_line + 1
 message = f"{LOG_LINE}{last_line}"
 evm.check_syslog_message(file_monitor=log_monitor, message=message,
- error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
- timeout=T_10, escape=False)
+ error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
+ timeout=T_10, escape=False)
 
 # Stop logcollector daemon
 control_service('stop', daemon=LOGCOLLECTOR_DAEMON)
@@ -232,13 +232,13 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration,
 # Check first log line
 message = f"{LOG_LINE}{first_next_line}"
 evm.check_syslog_message(file_monitor=log_monitor, message=message,
- error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
- timeout=T_20, escape=False)
+ error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
+ timeout=T_20, escape=False)
 # Check last log line
 message = f"{LOG_LINE}{current_line + 1}"
 evm.check_syslog_message(file_monitor=log_monitor, message=message,
- error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
- timeout=T_20, escape=False)
+ error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
+ timeout=T_20, escape=False)
 # if only_future_events yes, logcollector should NOT detect the log lines written while it was stopped
 else:
 message = f"{LOG_LINE}{first_next_line}"
@@ -246,21 +246,21 @@ def test_only_future_events(configuration, metadata, set_wazuh_configuration,
 with pytest.raises(TimeoutError):
 message = f"{LOG_LINE}{first_next_line}"
 evm.check_syslog_message(file_monitor=log_monitor, message=message,
- error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
- timeout=T_10, escape=False)
+ error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
+ timeout=T_10, escape=False)
 
 # Check that the last written line is not read
 with pytest.raises(TimeoutError):
 # Check last line
 message = f"{LOG_LINE}{current_line + 1}"
 evm.check_syslog_message(file_monitor=log_monitor, message=message,
- error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
- timeout=T_10, escape=False)
+ error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
+ timeout=T_10, escape=False)
 
 # Check that if we write new data when the daemon is turned on, it is read normally
 current_line = logcollector.add_log_data(log_path=metadata['location'], log_line_message=LOG_LINE, size_kib=1,
 line_start=current_line + 1, print_line_num=True)
 message = f"{LOG_LINE}{current_line + 1}"
 evm.check_syslog_message(file_monitor=log_monitor, message=message,
- error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
- timeout=T_10, escape=False)
+ error_message=GENERIC_CALLBACK_ERROR_COMMAND_MONITORING, prefix=prefix,
+ timeout=T_10, escape=False)
From 51386cf575df408432ac4c69f308c77477006e9e Mon Sep 17 00:00:00 2001
From: Deblintrake09
Date: Thu, 22 Dec 2022 09:46:37 -0300
Subject: [PATCH 34/34] docs(#3480): update test_phases section
---
 .../test_log_filter_options/test_ignore_regex.py | 16 ++++++++++++----
 .../test_restrict_ignore_regex.py | 16 ++++++++++++----
 .../test_restrict_regex.py | 16 ++++++++++++----
 3 files changed, 36 insertions(+), 12 deletions(-)
diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py
index 8d1d7a8574..f83b572aed 100644
--- a/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py
+++ b/tests/integration/test_logcollector/test_log_filter_options/test_ignore_regex.py
@@ -96,10 +96,18 @@ def test_ignore_multiple_regex(configuration, metadata, new_file_path, create_fi
 description: Check if logcollector behavior when two ignore tags are added.
 
 test_phases:
- - Set a custom Wazuh configuration.
- - Restart monitord.
- - Insert the log message.
- - Check expected response.
+ - Setup:
+ - Create file to monitor logs
+ - Truncate ossec.log file
+ - Set ossec.conf and local_internal_options.conf
+ - Restart the wazuh daemon
+ - Test:
+ - Insert the log message.
+ - Check expected response.
+ - Teardown:
+ - Delete the monitored file
+ - Restore ossec.conf and local_internal_options.conf
+ - Stop Wazuh
 
 wazuh_min_version: 4.5.0
 
diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py
index 6ec1bd88e2..2d9347bb19 100644
--- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py
+++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_ignore_regex.py
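Review bot: The new test_phases bullets in this docstring are inconsistent in form: the Test items keep their trailing periods (`- Insert the log message.`, `- Check expected response.`) while every new Setup and Teardown item has none, and the product name is written `wazuh` in `- Restart the wazuh daemon` but `Wazuh` in `- Stop Wazuh`. Dropping the two periods and writing `- Restart the Wazuh daemon` would make the list uniform. If the fixture restarts only the logcollector daemon rather than the whole service, naming it in that bullet would be more precise than the generic phrase, though that cannot be confirmed from the hunk. The same bullets appear in the test_restrict_ignore_regex.py and test_restrict_regex.py hunks below.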
@@ -98,10 +98,18 @@ def test_restrict_ignore_regex_values(configuration, metadata, new_file_path, cr
 value configured.
 
 test_phases:
- - Set a custom Wazuh configuration.
- - Restart monitord.
- - Insert the log message.
- - Check expected response.
+ - Setup:
+ - Create file to monitor logs
+ - Truncate ossec.log file
+ - Set ossec.conf and local_internal_options.conf
+ - Restart the wazuh daemon
+ - Test:
+ - Insert the log message.
+ - Check expected response.
+ - Teardown:
+ - Delete the monitored file
+ - Restore ossec.conf and local_internal_options.conf
+ - Stop Wazuh
 
 wazuh_min_version: 4.5.0
 
diff --git a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py
index bd034683ff..6aace6b990 100644
--- a/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py
+++ b/tests/integration/test_logcollector/test_log_filter_options/test_restrict_regex.py
@@ -96,10 +96,18 @@ def test_restrict_multiple_regex(configuration, metadata, new_file_path, create_
 description: Check if logcollector behavior when two restrict tags are added.
 
 test_phases:
- - Set a custom Wazuh configuration.
- - Restart monitord.
- - Insert the log message.
- - Check expected response.
+ - Setup:
+ - Create file to monitor logs
+ - Truncate ossec.log file
+ - Set ossec.conf and local_internal_options.conf
+ - Restart the wazuh daemon
+ - Test:
+ - Insert the log message.
+ - Check expected response.
+ - Teardown:
+ - Delete the monitored file
+ - Restore ossec.conf and local_internal_options.conf
+ - Stop Wazuh
 
 wazuh_min_version: 4.5.0