From 3140a245da2c709e379c34ca6f3495428f0c7e5e Mon Sep 17 00:00:00 2001 From: Zafer Balkan Date: Fri, 5 Aug 2022 15:45:35 +0300 Subject: [PATCH] Added wazuh-agent as a remote syslog capability --- include/tests_logging | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/include/tests_logging b/include/tests_logging index b6acdbe5..ed87ff17 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -28,6 +28,7 @@ METALOG_RUNNING=0 RFC3195D_RUNNING=0 RSYSLOG_RUNNING=0 + WAZUH_AGENT_RUNNING=0 SOLARIS_LOGHOST="" SOLARIS_LOGHOST_FOUND=0 SOLARIS_LOGHOST_LOCALHOST=0 @@ -220,6 +221,23 @@ fi # ################################################################################# +# + # Test : LOGG-2144 + # Description : Check for wazuh-agent presence on Linux systems + Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Result: Searching for wazuh-agent instances in the process list" + if IsRunning "wazuh-agent"; then + LogText "Result: Found wazuh-agent in process list" + Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN + WAZUH_AGENT_RUNNING=1 + else + LogText "Result: wazuh-agent NOT found in process list" + Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE + fi + fi +# +################################################################################# # # Test : LOGG-2146 # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d) 
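Review bot: `IsRunning "wazuh-agent"` in the LOGG-2144 block depends on how that helper matches names, which is not visible here: the agent's main daemon is, as far as I know, named `wazuh-agentd`, so if IsRunning compares whole process names the check never fires and WAZUH_AGENT_RUNNING stays 0, while a substring match would also accept anything else carrying that prefix. Please confirm against the IsRunning implementation and, if it matches whole names, use `if IsRunning "wazuh-agentd"; then` and say in the LogText which daemon is being looked for. The two Display labels for the same check also differ (`- Checking wazuh-agent status` on the found branch, `- Checking wazuh-agent daemon status` on the not-found branch); they should be one string so the report output is consistent regardless of result.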
@@ -446,6 +464,21 @@ fi fi + # Test wazuh-agent configuration for syslog configuration + if [ ${WAZUH_AGENT_RUNNING} ]; then + WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf" + fi + + if [ -f ${WAZUH_AGENT_CONF} ]; then + LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding" + FIND=$(${EGREPBINARY} '/var/log/syslog' ${WAZUH_AGENT_CONF}) + if [ "${FIND}" ]; then + DESTINATION=$(${EGREPBINARY} -o '
([A-Za-z0-9\.\-\_]*)
' ${WAZUH_AGENT_CONF} | sed 's/
//' | sed 's/<\/address>//') + LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh" + REMOTE_LOGGING_ENABLED=1 + fi + fi + # Show result if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then Report "remote_syslog_configured=0"