Create buffer in whodata syscheck to store audit logs #16200
Merged
Conversation
This was referenced Feb 16, 2023
jotacarma90 force-pushed the 13920-audit-logs-buffer branch 3 times, most recently from ba94723 to c39b2cc on February 23, 2023 11:03
jotacarma90 force-pushed the 13920-audit-logs-buffer branch 3 times, most recently from db7c484 to 70c562a on February 23, 2023 11:52
This was referenced Feb 23, 2023
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from 70c562a to 7af55ce on February 24, 2023 10:07
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from 6d8a28f to e91c525 on March 6, 2023 13:30
chemamartinez previously approved these changes on Mar 13, 2023: LGTM!
chemamartinez force-pushed the 13920-audit-logs-buffer branch from e91c525 to b13ac6e on March 22, 2023 14:17
jotacarma90 force-pushed the 13920-audit-logs-buffer branch 2 times, most recently from ac8ffcc to dc47c3d on April 19, 2023 07:30
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from dc47c3d to 8075605 on May 15, 2023 10:01
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from 8075605 to 158756f on June 1, 2023 09:28
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from 158756f to 99ff8bd on June 26, 2023 16:23
jotacarma90 force-pushed the 13920-audit-logs-buffer branch 2 times, most recently from 499e134 to cae2644 on July 3, 2023 13:27
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from cae2644 to 7ab8696 on July 11, 2023 12:51
jotacarma90 force-pushed the 13920-audit-logs-buffer branch 2 times, most recently from 78440cd to 6d6e354 on August 3, 2023 16:13
jotacarma90 force-pushed the 13920-audit-logs-buffer branch 2 times, most recently from 3cc131f to 77add2d on September 1, 2023 07:45
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from 77add2d to 4b113ac on September 18, 2023 09:52
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from 4b113ac to 86a6146 on September 27, 2023 08:07
Wazuh CI / Unit tests: cmocka winagent. Cause: The issue above is not related to the changes in this PR.
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from 86a6146 to 742724d on October 23, 2023 08:57
jotacarma90 force-pushed the 13920-audit-logs-buffer branch from 742724d to 09b943d on October 27, 2023 11:47
vikman90 approved these changes on Oct 31, 2023
Description
Hi team, in this PR we are going to implement a queue in the syscheck module, to store the logs that we receive from the audit dispatcher.
In this way, we avoid blocking the same thread that receives those logs while we process them, as this is generating problems in the system when there is a large number of events.
I have created a separate thread that pulls logs from that queue and processes them.
Configuration options
Logs/Alerts example
2023/02/23 11:39:52 wazuh-syscheckd: INFO: (6046): Internal audit queue size set to '16384'
2023/02/23 11:41:26 wazuh-syscheckd: WARNING: (6955): Internal audit queue is full. Some events may be lost. Next scheduled scan will recover lost data.
Tests
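The hand-off design the description outlines (a receiver thread that enqueues audit records without blocking, a separate worker thread that drains and parses them, and a bounded queue that drops with a warning rather than stalling the receiver), as an added example. This is not Wazuh's own code from the PR: the `audit_queue_*` names, the default size of 16384, the log wording and the sample audit lines are assumptions for illustration, and the worker stands in for parsing by counting `type=SYSCALL` records.

```c
/* Added example, not Wazuh's code: a bounded, thread-safe ring buffer that
 * decouples the thread receiving audit records from the thread parsing them.
 * Names (audit_queue_*), the 16384 default and the log text are assumptions.
 * Build: cc -pthread audit_queue.c */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char **items;            /* ring buffer of heap-allocated event strings */
    size_t capacity, head, tail, count;
    size_t dropped;          /* events discarded because the queue was full */
    int closed;              /* set by the producer so the worker can exit */
    pthread_mutex_t lock;
    pthread_cond_t not_empty;
} audit_queue_t;

int audit_queue_init(audit_queue_t *q, size_t capacity) {
    memset(q, 0, sizeof *q);
    q->items = calloc(capacity, sizeof *q->items);
    if (q->items == NULL) return -1;
    q->capacity = capacity;
    pthread_mutex_init(&q->lock, NULL);
    pthread_cond_init(&q->not_empty, NULL);
    printf("INFO: Internal audit queue size set to '%zu'\n", capacity);
    return 0;
}

/* Non-blocking push for the receiver thread: it must never wait on a slow parser.
 * Returns 0 if queued, -1 if the event was dropped because the queue is full.
 * The warning is emitted once per overflow run, not once per dropped event. */
int audit_queue_push(audit_queue_t *q, const char *event) {
    int rc = -1;
    pthread_mutex_lock(&q->lock);
    if (q->count < q->capacity) {
        q->items[q->tail] = strdup(event);
        q->tail = (q->tail + 1) % q->capacity;
        q->count++;
        rc = 0;
        pthread_cond_signal(&q->not_empty);
    } else if (q->dropped++ == 0) {
        fprintf(stderr, "WARNING: Internal audit queue is full. Some events may be lost.\n");
    }
    pthread_mutex_unlock(&q->lock);
    return rc;
}

/* Blocking pop for the worker thread. Returns NULL once the queue is closed and
 * drained; the caller owns (and must free) the returned string. */
char *audit_queue_pop(audit_queue_t *q) {
    char *event = NULL;
    pthread_mutex_lock(&q->lock);
    while (q->count == 0 && !q->closed)
        pthread_cond_wait(&q->not_empty, &q->lock);
    if (q->count > 0) {
        event = q->items[q->head];
        q->head = (q->head + 1) % q->capacity;
        q->count--;
    }
    pthread_mutex_unlock(&q->lock);
    return event;
}

void audit_queue_close(audit_queue_t *q) {
    pthread_mutex_lock(&q->lock);
    q->closed = 1;
    pthread_cond_broadcast(&q->not_empty);
    pthread_mutex_unlock(&q->lock);
}

void audit_queue_destroy(audit_queue_t *q) {
    while (q->count > 0) { free(q->items[q->head]); q->head = (q->head + 1) % q->capacity; q->count--; }
    free(q->items);
    pthread_mutex_destroy(&q->lock);
    pthread_cond_destroy(&q->not_empty);
}

typedef struct { audit_queue_t *q; size_t processed; } worker_ctx_t;

/* Worker: drains the queue; parsing is stood in for by counting SYSCALL records. */
static void *audit_worker(void *arg) {
    worker_ctx_t *ctx = arg;
    char *event;
    while ((event = audit_queue_pop(ctx->q)) != NULL) {
        if (strstr(event, "type=SYSCALL") != NULL) ctx->processed++;
        free(event);
    }
    return NULL;
}

/* Feed n_events constructed audit lines through the queue while a worker drains it.
 * Returns the number of events the worker processed. */
size_t run_audit_pipeline(size_t n_events, size_t capacity) {
    audit_queue_t q;
    worker_ctx_t ctx = { &q, 0 };
    pthread_t tid;
    char line[160];
    if (audit_queue_init(&q, capacity) != 0) return 0;
    pthread_create(&tid, NULL, audit_worker, &ctx);
    for (size_t i = 0; i < n_events; i++) {
        /* constructed sample shaped like an audit SYSCALL record with the FIM key */
        snprintf(line, sizeof line, "type=SYSCALL msg=audit(1677152392.%03zu:%zu): syscall=257 key=\"wazuh_fim\"", i % 1000, i);
        audit_queue_push(&q, line);
    }
    audit_queue_close(&q);
    pthread_join(tid, NULL);
    audit_queue_destroy(&q);
    return ctx.processed;
}

/* Overflow case: push n_events with no worker running and report how many were dropped. */
size_t count_dropped_without_worker(size_t n_events, size_t capacity) {
    audit_queue_t q;
    size_t dropped;
    if (audit_queue_init(&q, capacity) != 0) return 0;
    for (size_t i = 0; i < n_events; i++) audit_queue_push(&q, "type=SYSCALL key=\"wazuh_fim\"");
    dropped = q.dropped;
    audit_queue_destroy(&q);
    return dropped;
}

int main(void) {
    printf("processed=%zu dropped=%zu\n", run_audit_pipeline(1000, 16384), count_dropped_without_worker(10, 4));
    return 0;
}
```

The push is deliberately non-blocking: under a burst the receiver keeps reading the dispatcher socket and the cost of overload is a counted, logged drop rather than back-pressure into the audit side. That is the same trade-off the WARNING line in the description expresses, and it is only safe because a later scheduled scan re-reads the files the lost events referred to; a deployment that relies on real-time detection alone should size the queue for its peak event rate.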