Merge pull request #1318 from zbalkan/wazuh-logging

Added wazuh-agent as a remote syslog capability
This commit is contained in:
Michael Boelen 2024-05-14 08:29:19 +02:00 committed by GitHub
commit 52139773f3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 33 additions and 0 deletions


@ -28,6 +28,7 @@
METALOG_RUNNING=0 METALOG_RUNNING=0
RFC3195D_RUNNING=0 RFC3195D_RUNNING=0
RSYSLOG_RUNNING=0 RSYSLOG_RUNNING=0
WAZUH_AGENT_RUNNING=0
SOLARIS_LOGHOST="" SOLARIS_LOGHOST=""
SOLARIS_LOGHOST_FOUND=0 SOLARIS_LOGHOST_FOUND=0
SOLARIS_LOGHOST_LOCALHOST=0 SOLARIS_LOGHOST_LOCALHOST=0
@ -220,6 +221,23 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : LOGG-2144
# Description : Check for wazuh-agent presence on Linux systems
Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: Searching for wazuh-agent instances in the process list"
if IsRunning "wazuh-agent"; then
LogText "Result: Found wazuh-agent in process list"
Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN
WAZUH_AGENT_RUNNING=1
else
LogText "Result: wazuh-agent NOT found in process list"
Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
# #
# Test : LOGG-2146 # Test : LOGG-2146
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d) # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
@ -446,6 +464,21 @@
fi fi
fi fi
# Test wazuh-agent configuration for syslog configuration
if [ ${WAZUH_AGENT_RUNNING} ]; then
WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf"
fi
if [ -f ${WAZUH_AGENT_CONF} ]; then
LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding"
FIND=$(${EGREPBINARY} '<location>/var/log/syslog</location>' ${WAZUH_AGENT_CONF})
if [ "${FIND}" ]; then
DESTINATION=$(${EGREPBINARY} -o '<address>([A-Za-z0-9\.\-\_]*)</address>' ${WAZUH_AGENT_CONF} | sed 's/<address>//' | sed 's/<\/address>//')
LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh"
REMOTE_LOGGING_ENABLED=1
fi
fi
# Show result # Show result
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
Report "remote_syslog_configured=0" Report "remote_syslog_configured=0"
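Review bot: The guard `if [ ${WAZUH_AGENT_RUNNING} ]; then` in the third hunk is always true, because the variable is initialised to `0` in the first hunk and a single-argument `[ ]` only tests for a non-empty string, so `WAZUH_AGENT_CONF` is set and `/var/ossec/etc/ossec.conf` is inspected even when no agent process was found by LOGG-2144; it should read `if [ ${WAZUH_AGENT_RUNNING} -eq 1 ]; then`, matching the `-eq` style used for `REMOTE_LOGGING_ENABLED` below. Once that is fixed, the following `[ -f ${WAZUH_AGENT_CONF} ]` can run with the variable unset, and an unquoted unset expansion collapses to `[ -f ]`, which is also true; quote it as `if [ -f "${WAZUH_AGENT_CONF}" ]; then` (or nest it inside the running check). The bracket expression `[A-Za-z0-9\.\-\_]` in the `<address>` pattern is likely not doing what is intended: inside a POSIX bracket expression the backslash is literal, so `\-\` becomes a range containing only the backslash and a hyphen in the manager name (e.g. a `wazuh-manager` style host) would prevent a match; `'<address>([A-Za-z0-9._-]*)</address>'` expresses the intent without the escapes. Note also that `egrep -o` may return several addresses when more than one `<address>` element is present, so `DESTINATION` can be multi-line in the log message.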