def callback_file_limit():
"""Create a callback to detect if logcollector is monitoring a file.
Returns:
callable: callback to detect this event.
"""
msg = f'File limit has been reached'
return monitoring.make_callback(pattern=msg, prefix=prefix, escape=True)
def check_agent_received_message(message_queue,
search_pattern,
timeout=5,
update_position=True,
error_message='',
escape=False):
"""Allow to monitor the agent received messages to search a pattern regex.
Args:
message_queue (monitoring.Queue): Queue containing the messages received in the agent.
search_pattern (str): Regex to search in agent received messages.
timeout (int): Maximum time in seconds to search the event.
update_position (boolean): True to search in the entire queue, False to search in the current position of the
queue.
error_message (string): Message to explain the exception.
escape (bool): Flag to escape special characters in the pattern
Raises:
TimeoutError: if search pattern is not found in agent received messages queue in the expected time.
"""
queue_monitor = monitoring.QueueMonitor(message_queue)
queue_monitor.start(timeout=timeout,
callback=monitoring.make_callback(
search_pattern, '.*', escape),
update_position=update_position,
error_message=error_message)
def dbg_reading_command(command, alias, log_format):
"""Check if the (previously known) output of a command ("echo") is displayed correctly.
It also checks if the "alias" option is working correctly.
Args:
command (str): Command to be monitored.
alias (str): An alternate name for the command.
log_format (str): Format of the log to be read ("command" or "full_command").
Raises:
TimeoutError: If the command monitoring callback is not generated.
"""
prefix = LOG_COLLECTOR_DETECTOR_PREFIX
output = check_output(command, universal_newlines=True, shell=True).strip()
if log_format == 'full_command':
msg = fr"^{output}'"
prefix = ''
else:
msg = fr"DEBUG: Reading command message: 'ossec: output: '{alias}': {output}'"
wazuh_log_monitor.start(
timeout=global_parameters.default_timeout,
callback=monitoring.make_callback(pattern=msg, prefix=prefix),
error_message=logcollector.GENERIC_CALLBACK_ERROR_COMMAND_MONITORING)
def callback_detect_example_archives_event():
"""Create a callback to detect the example message in the archives.log
Returns:
callable: callback to detect this event
"""
return monitoring.make_callback(pattern=fr".*{EXAMPLE_MESSAGE_PATTERN}.*",
prefix=None)
def callback_warning_secure_ipv6():
"""Create a callback to detect if warning message is created when ipv6 is used along with secure connection.
Returns:
callable: callback to detect this event.
"""
msg = r"WARNING: \(\d+\): Secure connection does not support IPv6. IPv4 will be used instead."
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_error_getting_protocol():
"""Create a callback to detect if warning message is created when no valid protocol is provided.
Returns:
callable: callback to detect this event.
"""
msg = r"WARNING: \(\d+\): Error getting protocol. Default value \(TCP\) will be used."
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_error_bind_port():
"""Create a callback to detect if critical error is created when invalid local ip value is provided.
Returns:
callable: callback to detect this event.
"""
msg = r"CRITICAL: \(\d+\): Unable to Bind port '1514' due to \[\(\d+\)\-\(Cannot assign requested address\)\]"
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_error_queue_size_syslog():
"""Create a callback to detect if error is created when queue_size is used along with syslog connection.
Returns:
callable: callback to detect this event.
"""
msg = r"ERROR: Invalid option \<queue_size\> for Syslog remote connection."
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_excluded_file(file):
"""Create a callback to detect if logcollector is excluding files.
Args:
file (str): Name with absolute path of the analyzed file.
Returns:
callable: callback to detect this event.
"""
msg = fr"File excluded: '{file}'."
return monitoring.make_callback(pattern=msg, prefix=prefix, escape=True)
def callback_queue_size_too_big():
"""Create a callback to detect if warning message is created when queue_size is too big.
Returns:
callable: callback to detect this event.
"""
msg = r"WARNING: Queue size is very high. The application may run out of memory."
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_duplicated_file(file):
"""Create a callback to detect if logcollector configuration is duplicated.
Args:
file (str): Name with absolute path of the analyzed file.
Returns:
callable: callback to detect this event.
"""
msg = fr"Log file '{file}' is duplicated."
return monitoring.make_callback(pattern=msg, prefix=prefix, escape=True)
def callback_non_existent_file(file):
"""Create a callback to detect if logcollector is showing an error when the file does not exist.
Args:
file (str): Name with absolute path of the analyzed file.
Returns:
callable: callback to detect this event.
"""
msg = fr"ERROR: (1103): Could not open file '{file}'"
return monitoring.make_callback(pattern=msg, prefix=prefix, escape=True)
def callback_match_pattern_file(file_pattern, file):
"""Create a callback to detect if logcollector is monitoring a file with wildcard.
Args:
file_pattern (str): Location pattern.
file (str): Name with absolute path of the analyzed file.
Returns:
callable: callback to detect this event.
"""
msg = fr"New file that matches the '{file_pattern}' pattern: '{file}'."
return monitoring.make_callback(pattern=msg, prefix=prefix, escape=True)
def callback_info_no_allowed_ips():
"""Create a callback to detect if error message is syslog server is disabled when no allowed ips is provided.
Returns:
callable: callback to detect this event.
"""
msg = r"INFO: \(\d+\): IP or network must be present in syslog access list \(allowed-ips\). "
msg += "Syslog server disabled."
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_ignoring_file(location_file):
"""Create a callback to detect if specified file was ignored due to modification time.
Args:
location_file: File absolute path.
Returns:
callable: callback to detect this event.
"""
msg = fr"DEBUG: Ignoring file '{location_file}' due to modification time"
return monitoring.make_callback(pattern=msg, prefix=prefix, escape=True)
def callback_eventchannel_bad_format(event_location):
"""Create a callback to detect if logcollector inform about bad formatted eventchannel location.
Args:
event_location (str): Eventchannel location.
Returns:
callable: callback to detect this event.
"""
msg = fr"ERROR: Could not EvtSubscribe() for ({event_location}) which returned \(\d+\)"
return monitoring.make_callback(pattern=msg, prefix=prefix)
def callback_command_alias_output(alias):
"""Create a callback to detect if logcollector is monitoring a command with an assigned alias.
Args:
alias (str): Command alias.
Returns:
callable: callback to detect this event.
"""
msg = fr"Reading command message: 'ossec: output: '{alias}':"
return monitoring.make_callback(pattern=msg, prefix=prefix)
def callback_reading_syslog_message(message):
"""Create a callback to detect if syslog message has been read.
Args:
message (str): Syslog message.
Returns:
callable: callback to detect this event.
"""
msg = fr"DEBUG: Reading syslog message: '{message}'"
return monitoring.make_callback(pattern=msg, prefix=prefix, escape=True)
def callback_warning_syslog_tcp_udp():
"""Create a callback to detect if warning message is created when multiple protocol are provided using syslog.
Returns:
callable: callback to detect this event.
"""
msg = r"WARNING: \(\d+\): Only secure connection supports TCP and UDP at the same time. " \
r"Default value \(TCP\) will be used."
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_invalid_location_pattern(location):
"""Create a callback to detect if invalid location pattern has been used.
Args:
location (str): Location pattern
Returns:
callable: callback to detect this event.
"""
msg = fr"Glob error. Invalid pattern: '{location}' or no files found."
return monitoring.make_callback(pattern=msg, prefix=prefix, escape=True)
def callback_eventchannel_analyzing(event_location):
"""Create a callback to detect if logcollector is monitoring a event log.
Args:
event_location (str): Event log location.
Returns:
callable: callback to detect this event.
"""
msg = fr"INFO: \(\d+\): Analyzing event log: '{event_location}'"
return monitoring.make_callback(pattern=msg, prefix=prefix)
def callback_error_invalid_ip(ip):
"""Create a callback to detect if error is created when invalid local ip value is provided.
Args:
ip (str): IP address.
Returns:
callable: callback to detect this event.
"""
msg = fr"ERROR: \(\d+\): Invalid ip address: '{ip}'."
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_monitoring_djb_multilog(program_name, multilog_file):
"""Create a callback to detect if logcollector is monitoring a djb multilog file.
Args:
program_name (str): Program name of multilog file.
multilog_file (str): Multilog file name.
Returns:
callable: callback to detect this event.
"""
msg = fr"INFO: Using program name '{program_name}' for DJB multilog file: '{multilog_file}'."
return monitoring.make_callback(pattern=msg, prefix=prefix)
def callback_socket_target(location, socket_name):
"""Create a callback to detect if logcollector has assign a socket to a monitored file.
Args:
location (str): Name with the analyzed file.
socket_name (str): Socket name.
Returns:
callable: callback to detect this event.
"""
msg = fr"DEBUG: Socket target for '{location}' -> {socket_name}"
return monitoring.make_callback(pattern=msg, prefix=prefix)
def callback_detect_syslog_event(message):
"""Create a callback to detect the syslog messages in the archives.log.
Args:
message (str): syslog message sent through the socket.
Returns:
callable: callback to detect this event.
"""
return monitoring.make_callback(pattern=message,
prefix=r".*->\d+\.\d+\.\d+\.\d+\s",
escape=True)
def callback_ignored_invalid_protocol(protocol):
"""Create a callback to detect invalid protocol.
Args:
protocol (str): Wazuh manager protocol.
Returns:
callable: callback to detect this event.
"""
msg = fr"WARNING: \(\d+\): Ignored invalid value '{protocol}' for 'protocol'"
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_error_invalid_port(port):
"""Create a callback to detect invalid port.callback_detect_remoted_started
Args:
port (str): Wazuh manager port.
Returns:
callable: callback to detect this event.
"""
msg = fr"ERROR: \(\d+\): Invalid port number: '{port}'."
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_reconnect_eventchannel(location):
"""Create a callback to detect if specified channel has been reconnected successfully.
Args:
location (str): Location channel.
Returns:
callable: callback to detect this event.
"""
log_format_message = f"INFO: '{location}' channel has been reconnected succesfully."
return monitoring.make_callback(pattern=log_format_message,
prefix=monitoring.AGENT_DETECTOR_PREFIX)
def callback_detect_syslog_denied_ips(syslog_ips):
"""Create a callback to detect syslog denied-ips.
Args:
syslog_ips (str): syslog denied-ips.
Returns:
callable: callback to detect this event.
"""
msg = fr"Message from \'{syslog_ips}\' not allowed. Cannot find the ID of the agent."
return monitoring.make_callback(pattern=msg,
prefix=monitoring.REMOTED_DETECTOR_PREFIX)
def callback_error_invalid_value_for(option, prefix):
"""Create a callback to detect invalid values in ossec.conf file.
Args:
option (str): Wazuh manager configuration option.
prefix (str): Daemon that generates the error log.
Returns:
callable: callback to detect this event.
"""
msg = fr"WARNING: \(\d+\): Invalid value '.*' in '{option}' option. Default value will be used."
return monitoring.make_callback(pattern=msg, prefix=prefix)
