Add macOS log collector tab (#6545)

* Add macOS log collector tab * Change macOS fields displayed
wazuh · Mar 27, 2024 · 202d43b · 202d43b
1 parent ef51ca4
commit 202d43b
Show file tree

Hide file tree

Showing 5 changed files with 268 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to the Wazuh app project will be documented in this file.
 - Improve fleet management by adding 'Edit Agent Groups' and 'Upgrade Agents' actions, as well as a filter to show only outdated agents [#6250](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6250) [#6476](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6476) [#6274](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6274) [#6501](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6501) [#6529](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6529)
 - Added propagation of updates from the table to dashboard visualizations in Endpoints summary [#6460](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6460)
 - Handle index pattern selector on new discover [#6499](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6499)
+- Added macOS log collector tab [#6545](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6545)
 
 ### Changed
 

diff --git a/docker/imposter/agents/configuration/logcollector-localfile.json b/docker/imposter/agents/configuration/logcollector-localfile.json
@@ -1,87 +1,193 @@
 {
   "data": {
     "localfile": [
+      {
+        "logformat": "macos",
+        "query": {
+          "value": "(process == \"sudo\") or (process == \"sessionlogoutd\" and message contains \"logout is complete.\") or (process == \"sshd\") or (process == \"tccd\" and message contains \"Update Access Record\") or (message contains \"SessionAgentNotificationCenter\") or (process == \"screensharingd\" and message contains \"Authentication\") or (process == \"securityd\" and eventMessage contains \"Session\" and subsystem == \"com.apple.securityd\")",
+          "level": "info",
+          "type": [
+            "log",
+            "activity",
+            "trace"
+          ]
+        },
+        "ignore_binaries": "no",
+        "only-future-events": "yes",
+        "target": [
+          "agent"
+        ]
+      },
       {
         "logformat": "command",
         "command": "df -P",
         "alias": "df -P",
         "ignore_binaries": "no",
-        "target": ["agent"],
+        "target": [
+          "agent"
+        ],
         "frequency": 360
       },
       {
         "logformat": "full_command",
         "command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d",
         "alias": "netstat listening ports",
         "ignore_binaries": "no",
-        "target": ["agent"],
+        "target": [
+          "agent"
+        ],
         "frequency": 360
       },
       {
         "logformat": "full_command",
         "command": "last -n 20",
         "alias": "last -n 20",
         "ignore_binaries": "no",
-        "target": ["agent"],
+        "target": [
+          "agent"
+        ],
         "frequency": 360
       },
       {
         "file": "/var/log/test.log",
         "logformat": "syslog",
         "ignore_binaries": "no",
         "only-future-events": "yes",
-        "target": ["agent"]
+        "target": [
+          "agent"
+        ]
       },
       {
         "file": "/var/log/nginx/access.log",
         "logformat": "apache",
         "ignore_binaries": "no",
         "only-future-events": "yes",
-        "target": ["agent"]
+        "target": [
+          "agent"
+        ]
       },
       {
         "file": "/var/log/nginx/error.log",
         "logformat": "apache",
         "ignore_binaries": "no",
         "only-future-events": "yes",
-        "target": ["agent"]
+        "target": [
+          "agent"
+        ]
       },
       {
         "file": "/var/ossec/logs/active-responses.log",
         "logformat": "syslog",
         "ignore_binaries": "no",
         "only-future-events": "yes",
-        "target": ["agent"]
+        "target": [
+          "agent"
+        ]
       },
       {
         "file": "/var/log/auth.log",
         "logformat": "syslog",
         "ignore_binaries": "no",
         "only-future-events": "yes",
-        "target": ["agent"]
+        "target": [
+          "agent"
+        ]
       },
       {
         "file": "/var/log/syslog",
         "logformat": "syslog",
         "ignore_binaries": "no",
         "only-future-events": "yes",
-        "target": ["agent"]
+        "target": [
+          "agent"
+        ]
       },
       {
         "file": "/var/log/dpkg.log",
         "logformat": "syslog",
         "ignore_binaries": "no",
         "only-future-events": "yes",
-        "target": ["agent"]
+        "target": [
+          "agent"
+        ]
       },
       {
         "file": "/var/log/kern.log",
         "logformat": "syslog",
         "ignore_binaries": "no",
         "only-future-events": "yes",
-        "target": ["agent"]
+        "target": [
+          "agent"
+        ]
+      },
+      {
+        "channel": "Application",
+        "logformat": "eventlog",
+        "ignore_binaries": "no",
+        "target": [
+          "agent"
+        ]
+      },
+      {
+        "channel": "Security",
+        "logformat": "eventchannel",
+        "query": {
+          "value": "Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]"
+        },
+        "ignore_binaries": "no",
+        "only-future-events": "yes",
+        "target": [
+          "agent"
+        ],
+        "reconnect_time": 5
+      },
+      {
+        "channel": "System",
+        "logformat": "eventlog",
+        "ignore_binaries": "no",
+        "target": [
+          "agent"
+        ]
+      },
+      {
+        "file": "active-response\\active-responses.log",
+        "logformat": "syslog",
+        "ignore_binaries": "no",
+        "only-future-events": "yes",
+        "target": [
+          "agent"
+        ]
+      },
+      {
+        "channel": "Microsoft-Windows-Sysmon/Operational",
+        "logformat": "eventchannel",
+        "ignore_binaries": "no",
+        "only-future-events": "yes",
+        "target": [
+          "agent"
+        ],
+        "reconnect_time": 5
+      },
+      {
+        "channel": "Microsoft-Windows-Windows Defender/Operational",
+        "logformat": "eventchannel",
+        "ignore_binaries": "no",
+        "only-future-events": "yes",
+        "target": [
+          "agent"
+        ],
+        "reconnect_time": 5
+      },
+      {
+        "file": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex240321.log",
+        "logformat": "iis",
+        "ignore_binaries": "no",
+        "only-future-events": "yes",
+        "target": [
+          "agent"
+        ]
       }
     ]
   },
   "error": 0
-}
+}
diff --git a/...nagement/components/management/configuration/log-collection/log-collection-macosevents.js b/...nagement/components/management/configuration/log-collection/log-collection-macosevents.js
@@ -0,0 +1,128 @@
+/*
+ * Wazuh app - React component for show configuration of log collection - commands tab.
+ * Copyright (C) 2015-2022 Wazuh, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * Find more information about this on the LICENSE file.
+ */
+
+import React, { Component, Fragment } from 'react';
+
+import WzNoConfig from '../util-components/no-config';
+import WzConfigurationSettingsHeader from '../util-components/configuration-settings-header';
+import WzConfigurationListSelector from '../util-components/configuration-settings-list-selector';
+import WzConfigurationSettingsGroup from '../util-components/configuration-settings-group';
+import { renderValueOrNoValue, isString } from '../utils/utils';
+import { settingsListBuilder } from '../utils/builders';
+import helpLinks from './help-links';
+import {
+  LOGCOLLECTOR_LOCALFILE_PROP,
+  LOCALFILE_MACOSEVENT_PROP,
+} from './types';
+
+/**
+ *
+ * @param {*} data => all log data
+ * @returns string => value to show in query input
+ */
+const queryValue = data => {
+  return typeof data === 'undefined'
+    ? '-'
+    : typeof data === 'object'
+    ? data.value
+    : data;
+};
+
+/**
+ * Returns targets array parsed in one string
+ * @param {*} item
+ * @returns string => target
+ */
+const renderTargetField = item =>
+  Array.isArray(item) ? item.join(', ') : 'agent';
+
+/**
+ * Return panels title
+ * @param {*} item => log data
+ * @returns
+ */
+const panelsLabel = item =>
+  `${item.logformat} - ${renderTargetField(item.target)}`;
+
+const mainSettings = [
+  { field: 'logformat', label: 'Log format' },
+  { field: 'query', label: 'Query value', render: queryValue },
+  { field: 'query.level', label: 'Query level', render: renderValueOrNoValue },
+  { field: 'query.type', label: 'Query type', render: renderValueOrNoValue },
+  {
+    field: 'ignore_binaries',
+    label: 'Ignore binaries',
+    render: renderValueOrNoValue,
+  },
+  {
+    field: 'only-future-events',
+    label: 'Only future events',
+    render: renderValueOrNoValue,
+  },
+];
+
+class WzConfigurationLogCollectionMacOSEvents extends Component {
+  constructor(props) {
+    super(props);
+  }
+  render() {
+    const { currentConfig } = this.props;
+    const items = currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[
+      LOCALFILE_MACOSEVENT_PROP
+    ]
+      ? settingsListBuilder(
+          currentConfig[LOGCOLLECTOR_LOCALFILE_PROP][LOCALFILE_MACOSEVENT_PROP],
+          panelsLabel,
+        )
+      : [];
+
+    return (
+      <Fragment>
+        {isString(currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]) && (
+          <WzNoConfig
+            error={currentConfig[LOGCOLLECTOR_LOCALFILE_PROP]}
+            help={helpLinks}
+          />
+        )}
+        {!currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[
+          LOCALFILE_MACOSEVENT_PROP
+        ]?.length ? (
+          <WzNoConfig error='not-present' help={helpLinks} />
+        ) : null}
+        {currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[
+          LOCALFILE_MACOSEVENT_PROP
+        ]?.length > 1 ? (
+          <WzConfigurationSettingsHeader
+            title='macOS events logs'
+            description='List of macOS logs that will be processed'
+            help={helpLinks}
+          >
+            <WzConfigurationListSelector
+              items={items}
+              settings={mainSettings}
+            />
+          </WzConfigurationSettingsHeader>
+        ) : null}
+        {currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[
+          LOCALFILE_MACOSEVENT_PROP
+        ]?.length === 1 ? (
+          <WzConfigurationSettingsGroup
+            config={items[0].data}
+            items={mainSettings}
+          />
+        ) : null}
+      </Fragment>
+    );
+  }
+}
+
+export default WzConfigurationLogCollectionMacOSEvents;
diff --git a/...ntrollers/management/components/management/configuration/log-collection/log-collection.js b/...ntrollers/management/components/management/configuration/log-collection/log-collection.js
@@ -18,6 +18,7 @@ import WzTabSelector, {
 import WzConfigurationLogCollectionLogs from './log-collection-logs';
 import WzConfigurationLogCollectionCommands from './log-collection-commands';
 import WzConfigurationLogCollectionWindowsEvents from './log-collection-windowsevents';
+import WzConfigurationLogCollectionMacOSEvents from './log-collection-macosevents';
 import WzConfigurationLogCollectionSockets from './log-collection-sockets';
 import withWzConfig from '../util-hocs/wz-config';
 import { isString } from '../utils/utils';
@@ -26,6 +27,7 @@ import {
   LOCALFILE_LOGS_PROP,
   LOCALFILE_WINDOWSEVENT_PROP,
   LOGCOLLECTOR_LOCALFILE_PROP,
+  LOCALFILE_MACOSEVENT_PROP,
 } from './types';
 
 class WzConfigurationLogCollection extends Component {
@@ -51,6 +53,9 @@ class WzConfigurationLogCollection extends Component {
                   item.logformat === 'eventchannel' ||
                   item.logformat === 'eventlog',
               ),
+              [LOCALFILE_MACOSEVENT_PROP]: currentConfig[
+                LOGCOLLECTOR_LOCALFILE_PROP
+              ].localfile.filter(item => item.logformat === 'macos'),
               [LOCALFILE_COMMANDS_PROP]: currentConfig[
                 LOGCOLLECTOR_LOCALFILE_PROP
               ].localfile.filter(
@@ -92,6 +97,20 @@ class WzConfigurationLogCollection extends Component {
           </WzTabSelectorTab>
         ),
       },
+      {
+        condition:
+          currentConfig[LOGCOLLECTOR_LOCALFILE_PROP] &&
+          currentConfig[LOGCOLLECTOR_LOCALFILE_PROP][LOCALFILE_MACOSEVENT_PROP]
+            .length > 0,
+        component: (
+          <WzTabSelectorTab label='macOS Events'>
+            <WzConfigurationLogCollectionMacOSEvents
+              currentConfig={currentConfig}
+              agent={agent}
+            />
+          </WzTabSelectorTab>
+        ),
+      },
       {
         condition:
           currentConfig[LOGCOLLECTOR_LOCALFILE_PROP] &&