
Restore bookmark storage in Windows Eventchannel collector#3485

Merged
vikman90 merged 3 commits into3.9from
3.9-fix-bookmarks-3475
Jun 18, 2019

Conversation


@vikman90 vikman90 commented Jun 6, 2019

Related issue
#3475

Description

Fix

Since that function was removed accidentally in Wazuh 3.8.0, the solution is to copy that function and its call exactly from v3.7.2:

  1. Restore the definition of function update_bookmark(): https://github.com/wazuh/wazuh/blob/v3.7.2/src/logcollector/read_win_event_channel.c#L361-L468
  2. Put back the call to that function at send_channel_event(): https://github.com/wazuh/wazuh/blob/v3.7.2/src/logcollector/read_win_event_channel.c#L669-L671

Tests

Functional requirement test

  • Windows Server 2019.
  • Windows Server 2012.

Settings

<localfile>
  <log_format>eventchannel</log_format>
  <location>Security</location>
  <only-future-events>yes</only-future-events>
</localfile>

Steps

  1. Stop the agent.
  2. Log off.
  3. Log in.
  4. Start the agent.

Expected result

The result of those actions depends on the option <only-future-events>: the log-off and log-in alerts must appear in the manager if and only if <only-future-events> is no.

** Alert 1559832886.172620: - windows, windows_security,pci_dss_10.2.5,gdpr_IV_32.2,
2019 Jun 06 16:54:46 (WIN-21GEGK6RAC3) 192.168.33.1->EventChannel
Rule: 60137 (level 3) -> 'Windows User Logoff'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4647","version":"0","level":"0","task":"12545","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-06-06T14:55:09.215790400Z","eventRecordID":"1628","processID":"604","threadID":"340","channel":"Security","computer":"WIN-21GEGK6RAC3","severityValue":"AUDIT_SUCCESS","message":"User initiated logoff:"},"eventdata":{"targetUserSid":"S-1-5-21-1645777427-241849594-3390699525-500","targetUserName":"Administrator","targetDomainName":"WIN-21GEGK6RAC3","targetLogonId":"0x24b00"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d}
win.system.eventID: 4647
win.system.version: 0
win.system.level: 0
win.system.task: 12545
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2019-06-06T14:55:09.215790400Z
win.system.eventRecordID: 1628
win.system.processID: 604
win.system.threadID: 340
win.system.channel: Security
win.system.computer: WIN-21GEGK6RAC3
win.system.severityValue: AUDIT_SUCCESS
win.system.message: User initiated logoff:
win.eventdata.targetUserSid: S-1-5-21-1645777427-241849594-3390699525-500
win.eventdata.targetUserName: Administrator
win.eventdata.targetDomainName: WIN-21GEGK6RAC3
win.eventdata.targetLogonId: 0x24b00

Notes

Since we have only copied the lost code back into the Eventchannel collector, the bookmarking feature shall work wherever it worked until v3.7.2.

Standard tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Package installation
  • Package upgrade
  • DrMemory report for affected components
  • QA templates contemplate the added capabilities: wazuh/wazuh-qa@edc6e5b
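The following is an added, constructed model of the behaviour the restored update_bookmark() call gives the Eventchannel collector, written to make the test procedure above (stop the agent, log off, log in, start the agent) reproducible offline. It is not code from wazuh/wazuh: there is no Windows Event Log API here, a channel is an array of record IDs, the bookmark is a one-line file whose path is passed by the caller, and the fallback of reading from the oldest record when no bookmark exists is a modelling assumption, not a statement about what 3.8.0 did. The persist_bookmark flag only illustrates what is lost when the bookmark is never written.

```c
/* Constructed stand-in for the Eventchannel bookmark logic (example, not Wazuh code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EVENTS 64

typedef struct { unsigned long record_id; int event_id; } win_event;   /* EventRecordID, EventID */
typedef struct { win_event ev[MAX_EVENTS]; size_t count; } channel;     /* e.g. "Security" */

typedef struct {
    const char *bookmark_path;      /* per-channel bookmark file (assumed layout) */
    int only_future_events;         /* <only-future-events>: yes = 1, no = 0 */
    int persist_bookmark;           /* 0 models the missing update_bookmark() call */
    unsigned long position;         /* last record ID already forwarded */
    unsigned long sent[MAX_EVENTS]; /* record IDs forwarded by the current instance */
    size_t nsent;
} collector;

/* The OS appends a record; record IDs grow monotonically. */
static void channel_append(channel *c, unsigned long record_id, int event_id) {
    if (c->count < MAX_EVENTS) {
        c->ev[c->count].record_id = record_id;
        c->ev[c->count].event_id = event_id;
        c->count++;
    }
}

/* Read the stored bookmark; 0 means no bookmark has ever been written. */
static unsigned long load_bookmark(const char *path) {
    unsigned long rec = 0;
    FILE *f = fopen(path, "r");
    if (f) { if (fscanf(f, "%lu", &rec) != 1) rec = 0; fclose(f); }
    return rec;
}

/* Counterpart of the restored update_bookmark(): persist the last forwarded record ID. */
static int update_bookmark(const char *path, unsigned long record_id) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%lu\n", record_id);
    return fclose(f);
}

/* Agent start: decide where reading resumes. */
static void collector_start(collector *col, const channel *c) {
    col->nsent = 0;
    if (col->only_future_events)   /* yes: skip everything already in the channel */
        col->position = c->count ? c->ev[c->count - 1].record_id : 0;
    else                           /* no: resume from the bookmark (assumption: none -> oldest record) */
        col->position = load_bookmark(col->bookmark_path);
}

/* One poll: forward unread records, bookmarking after each send as send_channel_event() does. */
static size_t collector_poll(collector *col, const channel *c) {
    size_t forwarded = 0;
    for (size_t i = 0; i < c->count; i++) {
        if (c->ev[i].record_id <= col->position) continue;
        col->sent[col->nsent++] = c->ev[i].record_id;
        col->position = c->ev[i].record_id;
        if (col->persist_bookmark) update_bookmark(col->bookmark_path, col->position);
        forwarded++;
    }
    return forwarded;
}

/* The PR's test steps. Returns how many records the restarted instance forwarded;
 * *first_sent receives the first record ID it forwarded (0 if none). */
size_t run_scenario(const char *path, int only_future_events, int persist, unsigned long *first_sent) {
    channel sec = {0};
    collector col = { path, only_future_events, persist, 0, {0}, 0 };
    remove(path);                      /* fresh install: no bookmark file yet */
    channel_append(&sec, 1, 4608);     /* constructed events present before the first start */
    channel_append(&sec, 2, 4624);
    collector_start(&col, &sec);
    collector_poll(&col, &sec);
    /* Step 1: stop the agent. Steps 2-3: log off (4647) and log in (4624) happen meanwhile. */
    channel_append(&sec, 3, 4647);
    channel_append(&sec, 4, 4624);
    collector_start(&col, &sec);       /* Step 4: start the agent */
    collector_poll(&col, &sec);
    channel_append(&sec, 5, 4672);     /* an event after the restart, seen in both modes */
    collector_poll(&col, &sec);
    *first_sent = col.nsent ? col.sent[0] : 0;
    remove(path);
    return col.nsent;
}

int main(void) {
    unsigned long first = 0;
    size_t n = run_scenario("eventchannel_Security.bookmark", 0, 1, &first);
    printf("only-future-events=no, bookmark kept: %zu records, first %lu\n", n, first);
    n = run_scenario("eventchannel_Security.bookmark", 1, 1, &first);
    printf("only-future-events=yes: %zu records, first %lu\n", n, first);
    n = run_scenario("eventchannel_Security.bookmark", 0, 0, &first);
    printf("only-future-events=no, bookmark never written: %zu records, first %lu\n", n, first);
    return 0;
}
```

With the bookmark persisted and <only-future-events> set to no, the restarted instance resumes at the log-off record and the manager receives both the 4647 and the 4624 generated while the agent was down; with yes it sees only the event written after the restart, which is the expected result stated in the test section. When the bookmark is never written, the model's restarted instance has nothing to resume from and replays records it had already forwarded.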

@vikman90 vikman90 added type/bug Something isn't working module/logcollector platform/windows type/bug/regression Breaks functionality known to work in previous releases labels Jun 6, 2019
@vikman90 vikman90 requested a review from snaow June 6, 2019 15:32
@vikman90 vikman90 self-assigned this Jun 6, 2019
@vikman90 vikman90 marked this pull request as ready for review June 6, 2019 17:01
@vikman90 vikman90 changed the base branch from master to 3.9 June 6, 2019 17:17
Allow and apply both values "yes" and "no".
@vikman90

The configuration parser code (localfile-config.c:92) suggests that setting <only-future-events> to no would not apply:

<only-future-events>no</only-future-events>

On the other hand, the current documentation does not state the default value of this option, which is no: (localfile.rst).

@vikman90

PR wazuh/wazuh-documentation#1273 documents the default option of <only-future-events>


@snaow snaow left a comment


Please, set the only-future-events option to default yes.
It won't appear on the default ossec.conf template.
Remember to update Wazuh docs.
Thanks.

@vikman90 vikman90 merged commit 87ca11e into 3.9 Jun 18, 2019
@vikman90 vikman90 deleted the 3.9-fix-bookmarks-3475 branch June 18, 2019 08:21