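def callback_file_limit():
    """Create a callback that detects the logcollector "file limit reached" message.

    Returns:
        callable: callback to detect this event.
    """
    # A plain literal: the original used an f-string with no placeholders (ruff F541).
    # `prefix` is the module-level logcollector detector prefix defined elsewhere in this file.
    msg = 'File limit has been reached'
    return monitoring.make_callback(pattern=msg, prefix=prefix, escape=True)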
def check_agent_received_message(message_queue, search_pattern, timeout=5, update_position=True, error_message='', escape=False):
    """Watch the agent's received-message queue until ``search_pattern`` shows up.

    Args:
        message_queue (monitoring.Queue): Queue containing the messages received in the agent.
        search_pattern (str): Regex to search in agent received messages (a literal string when
            ``escape`` is True).
        timeout (int): Maximum time in seconds to search the event.
        update_position (boolean): True to search in the entire queue, False to search in the current
            position of the queue.
        error_message (string): Message to explain the exception.
        escape (bool): Flag to escape special characters in the pattern.

    Raises:
        TimeoutError: if search pattern is not found in agent received messages queue in the expected time.
    """
    watcher = monitoring.QueueMonitor(message_queue)
    # '.*' as prefix: the pattern may appear anywhere in the queued message.
    detector = monitoring.make_callback(pattern=search_pattern, prefix='.*', escape=escape)
    watcher.start(timeout=timeout,
                  callback=detector,
                  update_position=update_position,
                  error_message=error_message)
def dbg_reading_command(command, alias, log_format):
    """Verify that the (already known) output of a command such as ``echo`` is logged correctly.

    The ``alias`` option is checked at the same time, since it is part of the expected log line.

    Args:
        command (str): Command to be monitored.
        alias (str): An alternate name for the command.
        log_format (str): Format of the log to be read ("command" or "full_command").

    Raises:
        TimeoutError: If the command monitoring callback is not generated.
    """
    # NOTE(review): shell=True hands `command` to the shell; presumably it is the command under
    # test taken from the test configuration rather than external input — confirm at call sites.
    output = check_output(command, universal_newlines=True, shell=True).strip()

    if log_format == 'full_command':
        # NOTE(review): `output` goes into the regex unescaped (no escape=True); output containing
        # regex metacharacters may not match literally.
        expected = fr"^{output}'"
        detector_prefix = ''
    else:
        expected = fr"DEBUG: Reading command message: 'ossec: output: '{alias}': {output}'"
        detector_prefix = LOG_COLLECTOR_DETECTOR_PREFIX

    wazuh_log_monitor.start(timeout=global_parameters.default_timeout,
                            callback=monitoring.make_callback(pattern=expected, prefix=detector_prefix),
                            error_message=logcollector.GENERIC_CALLBACK_ERROR_COMMAND_MONITORING)
def callback_detect_example_archives_event():
    """Create a callback that detects the example message in archives.log.

    Returns:
        callable: callback to detect this event.
    """
    # EXAMPLE_MESSAGE_PATTERN is a module-level constant; it is inserted unescaped, so it is
    # interpreted as a regex fragment surrounded by wildcards.
    pattern = fr".*{EXAMPLE_MESSAGE_PATTERN}.*"
    return monitoring.make_callback(pattern=pattern, prefix=None)
def callback_warning_secure_ipv6():
    """Create a callback that detects the warning logged when IPv6 is combined with a secure connection.

    Returns:
        callable: callback to detect this event.
    """
    remoted_prefix = monitoring.REMOTED_DETECTOR_PREFIX
    # `\(\d+\)` stands for the numeric pid field remoted prints between parentheses.
    return monitoring.make_callback(
        pattern=r"WARNING: \(\d+\): Secure connection does not support IPv6. IPv4 will be used instead.",
        prefix=remoted_prefix)
def callback_error_getting_protocol():
    """Create a callback that detects the warning logged when no valid protocol is configured.

    Returns:
        callable: callback to detect this event.
    """
    remoted_prefix = monitoring.REMOTED_DETECTOR_PREFIX
    return monitoring.make_callback(
        pattern=r"WARNING: \(\d+\): Error getting protocol. Default value \(TCP\) will be used.",
        prefix=remoted_prefix)
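def callback_error_bind_port(port='1514'):
    """Create a callback that detects the critical error logged when remoted cannot bind its port.

    The port was previously hard-coded as ``'1514'``; it is now a parameter with that default, so
    existing callers are unaffected.

    Args:
        port (str): Port number expected in the log line. Defaults to '1514'.

    Returns:
        callable: callback to detect this event.
    """
    # Raw f-string: the regex escapes are kept verbatim, only {port} is substituted.
    msg = fr"CRITICAL: \(\d+\): Unable to Bind port '{port}' due to \[\(\d+\)\-\(Cannot assign requested address\)\]"
    return monitoring.make_callback(pattern=msg, prefix=monitoring.REMOTED_DETECTOR_PREFIX)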
def callback_error_queue_size_syslog():
    """Create a callback that detects the error logged when queue_size is set on a syslog connection.

    Returns:
        callable: callback to detect this event.
    """
    remoted_prefix = monitoring.REMOTED_DETECTOR_PREFIX
    return monitoring.make_callback(
        pattern=r"ERROR: Invalid option \<queue_size\> for Syslog remote connection.",
        prefix=remoted_prefix)
def callback_excluded_file(file):
    """Create a callback that detects logcollector excluding a file.

    Args:
        file (str): Name with absolute path of the analyzed file.

    Returns:
        callable: callback to detect this event.
    """
    # escape=True: the path is matched literally, so dots and backslashes in it are not regex syntax.
    pattern = fr"File excluded: '{file}'."
    return monitoring.make_callback(pattern=pattern, prefix=prefix, escape=True)
def callback_queue_size_too_big():
    """Create a callback that detects the warning logged when queue_size is too large.

    Returns:
        callable: callback to detect this event.
    """
    remoted_prefix = monitoring.REMOTED_DETECTOR_PREFIX
    return monitoring.make_callback(
        pattern=r"WARNING: Queue size is very high. The application may run out of memory.",
        prefix=remoted_prefix)
def callback_duplicated_file(file):
    """Create a callback that detects a duplicated logcollector file configuration.

    Args:
        file (str): Name with absolute path of the analyzed file.

    Returns:
        callable: callback to detect this event.
    """
    # escape=True: the path is matched literally.
    pattern = fr"Log file '{file}' is duplicated."
    return monitoring.make_callback(pattern=pattern, prefix=prefix, escape=True)
def callback_non_existent_file(file):
    """Create a callback that detects the error logged when a monitored file does not exist.

    Args:
        file (str): Name with absolute path of the analyzed file.

    Returns:
        callable: callback to detect this event.
    """
    # escape=True: both the "(1103)" parentheses and the path are matched literally.
    pattern = fr"ERROR: (1103): Could not open file '{file}'"
    return monitoring.make_callback(pattern=pattern, prefix=prefix, escape=True)
def callback_match_pattern_file(file_pattern, file):
    """Create a callback that detects logcollector picking up a file through a wildcard location.

    Args:
        file_pattern (str): Location pattern.
        file (str): Name with absolute path of the analyzed file.

    Returns:
        callable: callback to detect this event.
    """
    # escape=True: the wildcard characters in `file_pattern` are matched literally, not as regex.
    pattern = fr"New file that matches the '{file_pattern}' pattern: '{file}'."
    return monitoring.make_callback(pattern=pattern, prefix=prefix, escape=True)
def callback_info_no_allowed_ips():
    """Create a callback that detects the info message logged when the syslog server is disabled
    because no allowed-ips entry is configured.

    Returns:
        callable: callback to detect this event.
    """
    # Two adjacent literals are joined by the compiler into the same single pattern string.
    pattern = (r"INFO: \(\d+\): IP or network must be present in syslog access list \(allowed-ips\). "
               "Syslog server disabled.")
    return monitoring.make_callback(pattern=pattern, prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_ignoring_file(location_file):
    """Create a callback that detects a file being ignored because of its modification time.

    Args:
        location_file: File absolute path.

    Returns:
        callable: callback to detect this event.
    """
    # escape=True: the path is matched literally.
    pattern = fr"DEBUG: Ignoring file '{location_file}' due to modification time"
    return monitoring.make_callback(pattern=pattern, prefix=prefix, escape=True)
def callback_eventchannel_bad_format(event_location):
    """Create a callback that detects logcollector reporting a badly formatted eventchannel location.

    Args:
        event_location (str): Eventchannel location.

    Returns:
        callable: callback to detect this event.
    """
    # No escape=True here, so `event_location` is interpreted as regex. NOTE(review): the parentheses
    # around it are unescaped (a capture group), unlike the escaped `\(\d+\)` at the end — verify
    # against the real log line that this is intended.
    pattern = fr"ERROR: Could not EvtSubscribe() for ({event_location}) which returned \(\d+\)"
    return monitoring.make_callback(pattern=pattern, prefix=prefix)
def callback_command_alias_output(alias):
    """Create a callback that detects logcollector reading a command registered under an alias.

    Args:
        alias (str): Command alias.

    Returns:
        callable: callback to detect this event.
    """
    # No escape=True: an alias containing regex metacharacters is interpreted as regex, not literally.
    pattern = fr"Reading command message: 'ossec: output: '{alias}':"
    return monitoring.make_callback(pattern=pattern, prefix=prefix)
def callback_reading_syslog_message(message):
    """Create a callback that detects a syslog message being read.

    Args:
        message (str): Syslog message.

    Returns:
        callable: callback to detect this event.
    """
    # escape=True: the message content is matched literally.
    pattern = fr"DEBUG: Reading syslog message: '{message}'"
    return monitoring.make_callback(pattern=pattern, prefix=prefix, escape=True)
def callback_warning_syslog_tcp_udp():
    """Create a callback that detects the warning logged when a syslog connection lists several protocols.

    Returns:
        callable: callback to detect this event.
    """
    # Adjacent literals are concatenated into one pattern string.
    pattern = (r"WARNING: \(\d+\): Only secure connection supports TCP and UDP at the same time. "
               r"Default value \(TCP\) will be used.")
    return monitoring.make_callback(pattern=pattern, prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_invalid_location_pattern(location):
    """Create a callback that detects an invalid location pattern (glob error).

    Args:
        location (str): Location pattern.

    Returns:
        callable: callback to detect this event.
    """
    # escape=True: glob metacharacters in `location` are matched literally.
    pattern = fr"Glob error. Invalid pattern: '{location}' or no files found."
    return monitoring.make_callback(pattern=pattern, prefix=prefix, escape=True)
def callback_eventchannel_analyzing(event_location):
    """Create a callback that detects logcollector starting to analyze an event log.

    Args:
        event_location (str): Event log location.

    Returns:
        callable: callback to detect this event.
    """
    # No escape=True: `event_location` is treated as regex, which keeps `\(\d+\)` working but means
    # metacharacters in the location are not matched literally.
    pattern = fr"INFO: \(\d+\): Analyzing event log: '{event_location}'"
    return monitoring.make_callback(pattern=pattern, prefix=prefix)
def callback_error_invalid_ip(ip):
    """Create a callback that detects the error logged for an invalid local IP value.

    Args:
        ip (str): IP address.

    Returns:
        callable: callback to detect this event.
    """
    remoted_prefix = monitoring.REMOTED_DETECTOR_PREFIX
    # `ip` is not escaped; the dots of a dotted-quad act as regex wildcards here.
    return monitoring.make_callback(pattern=fr"ERROR: \(\d+\): Invalid ip address: '{ip}'.",
                                    prefix=remoted_prefix)
def callback_monitoring_djb_multilog(program_name, multilog_file):
    """Create a callback that detects logcollector monitoring a DJB multilog file.

    Args:
        program_name (str): Program name of multilog file.
        multilog_file (str): Multilog file name.

    Returns:
        callable: callback to detect this event.
    """
    # No escape=True: both arguments are interpreted as regex fragments.
    pattern = fr"INFO: Using program name '{program_name}' for DJB multilog file: '{multilog_file}'."
    return monitoring.make_callback(pattern=pattern, prefix=prefix)
def callback_socket_target(location, socket_name):
    """Create a callback that detects logcollector assigning a socket target to a monitored file.

    Args:
        location (str): Name with the analyzed file.
        socket_name (str): Socket name.

    Returns:
        callable: callback to detect this event.
    """
    # No escape=True: `location` and `socket_name` are interpreted as regex fragments.
    pattern = fr"DEBUG: Socket target for '{location}' -> {socket_name}"
    return monitoring.make_callback(pattern=pattern, prefix=prefix)
def callback_detect_syslog_event(message):
    """Create a callback that detects a syslog message in archives.log.

    Args:
        message (str): syslog message sent through the socket.

    Returns:
        callable: callback to detect this event.

    """
    # The prefix expects a dotted-quad source address ("->1.2.3.4 "), so only IPv4 senders match;
    # the message itself is matched literally (escape=True).
    source_prefix = r".*->\d+\.\d+\.\d+\.\d+\s"
    return monitoring.make_callback(pattern=message, prefix=source_prefix, escape=True)
def callback_ignored_invalid_protocol(protocol):
    """Create a callback that detects remoted ignoring an invalid protocol value.

    Args:
        protocol (str): Wazuh manager protocol.

    Returns:
        callable: callback to detect this event.
    """
    remoted_prefix = monitoring.REMOTED_DETECTOR_PREFIX
    return monitoring.make_callback(
        pattern=fr"WARNING: \(\d+\): Ignored invalid value '{protocol}' for 'protocol'",
        prefix=remoted_prefix)
def callback_error_invalid_port(port):
    """Create a callback that detects the error logged for an invalid port number.

    Args:
        port (str): Wazuh manager port.

    Returns:
        callable: callback to detect this event.
    """
    remoted_prefix = monitoring.REMOTED_DETECTOR_PREFIX
    return monitoring.make_callback(
        pattern=fr"ERROR: \(\d+\): Invalid port number: '{port}'.",
        prefix=remoted_prefix)
def callback_reconnect_eventchannel(location):
    """Create a callback that detects a channel being reconnected successfully.

    Args:
        location (str): Location channel.

    Returns:
        callable: callback to detect this event.
    """
    # "succesfully" is kept as-is on purpose: the pattern has to match the logged text byte for byte.
    # Plain (non-raw) f-string, no escape=True: `location` is interpreted as regex.
    pattern = f"INFO: '{location}' channel has been reconnected succesfully."
    return monitoring.make_callback(pattern=pattern, prefix=monitoring.AGENT_DETECTOR_PREFIX)
def callback_detect_syslog_denied_ips(syslog_ips):
    """Create a callback that detects a syslog message rejected by denied-ips.

    Args:
        syslog_ips (str): syslog denied-ips.

    Returns:
        callable: callback to detect this event.
    """
    remoted_prefix = monitoring.REMOTED_DETECTOR_PREFIX
    # Raw f-string: `\'` stays a backslash-quote regex escape, which matches a literal quote.
    return monitoring.make_callback(
        pattern=fr"Message from \'{syslog_ips}\' not allowed. Cannot find the ID of the agent.",
        prefix=remoted_prefix)
def callback_error_invalid_value_for(option, prefix):
    """Create a callback that detects an invalid value for a configuration option in ossec.conf.

    Args:
        option (str): Wazuh manager configuration option.
        prefix (str): Daemon that generates the error log.

    Returns:
        callable: callback to detect this event.
    """
    # `prefix` here is the parameter, which shadows the module-level detector prefix on purpose:
    # the caller chooses which daemon's log line to match.
    pattern = fr"WARNING: \(\d+\): Invalid value '.*' in '{option}' option. Default value will be used."
    return monitoring.make_callback(pattern=pattern, prefix=prefix)