From 0d48210f3e18b07dc807bdf5ca35f5eca0243f2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antonio=20David=20Guti=C3=A9rrez?= Date: Tue, 10 May 2022 13:18:12 +0200 Subject: [PATCH 1/2] fix(logtest): Enhance the output of the Ruleset Test (wazuh-logtest) - Remove the logging of the specific fields - Replicate the output of the `wazuh-logtest` utility: - Add tabulations - Fix phase text - Wrap the values in single quotes - Displays the fields that are defined --- .../wz-logtest/components/logtest.tsx | 111 ++++++++++++------ 1 file changed, 77 insertions(+), 34 deletions(-) diff --git a/public/directives/wz-logtest/components/logtest.tsx b/public/directives/wz-logtest/components/logtest.tsx index 39e45b4ad3..6e20a31f11 100644 --- a/public/directives/wz-logtest/components/logtest.tsx +++ b/public/directives/wz-logtest/components/logtest.tsx @@ -46,6 +46,7 @@ import { import { UI_LOGGER_LEVELS } from '../../../../common/constants'; import { getErrorOrchestrator } from '../../../react-services/common-services'; import { WzFlyout } from '../../../components/common/flyouts'; +import _ from 'lodash'; type LogstestProps = { openCloseFlyout: () => {}; 
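Review bot: The whole lodash namespace is imported for the three helpers the new formatResult uses (`_.has`, `_.get`, `_.unset` in the next hunk). Named imports, `import { get, has, unset } from 'lodash';`, keep the call sites explicit and tree-shakeable; this only applies if the default `_` import is not already the convention elsewhere in this app, which the hunk does not show.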
@@ -69,41 +70,83 @@ export const Logtest = compose( setEvents(e.target.value.split('\n').filter((item) => item)); }; + // Format the result of the Wazuh API response to an output similar one to the `wazuh-logtest` utility const formatResult = (result, alert) => { - let returnedDataFormatted = - `**Phase 1: Completed pre-decoding. \n ` + - `full event: ${result.full_log || '-'} \n ` + - `timestamp: ${(result.predecoder || '').timestamp || '-'} \n ` + - `hostname: ${(result.predecoder || '').hostname || '-'} \n ` + - `program_name: ${(result.predecoder || '').program_name || '-'} \n\n` + - `**Phase 2: Completed decoding. \n ` + - `name: ${(result.decoder || '').name || '-'} \n ` + - `${(result.decoder || '').parent ? `parent: ${(result.decoder || '').parent} \n ` : ''}` + - `data: ${JSON.stringify(result.data || '-', null, 6).replace('}', ' }')} \n\n`; + // How to the `wazuh-logtest` utility logs the output: + // https://github.com/wazuh/wazuh/blob/master/framework/scripts/wazuh-logtest.py#L359-L397 - result.rule && - (returnedDataFormatted += - `**Phase 3: Completed filtering (rules). 
\n ` + - `id: ${(result.rule || '').id || '-'} \n ` + - `level: ${(result.rule || '').level || '-'} \n ` + - `description: ${(result.rule || '').description || '-'} \n ` + - `groups: ${JSON.stringify((result.rule || '').groups || '-')} \n ` + - `firedtimes: ${(result.rule || '').firedtimes || '-'} \n ` + - `gdpr: ${JSON.stringify((result.rule || '').gdpr || '-')} \n ` + - `gpg13: ${JSON.stringify((result.rule || '').gpg13 || '-')} \n ` + - `hipaa: ${JSON.stringify((result.rule || '').hipaa || '-')} \n ` + - `mail: ${JSON.stringify((result.rule || '').mail || '-')} \n ` + - `mitre.id: ${JSON.stringify((result.rule || '').mitre || ''.id || '-')} \n ` + - `mitre.technique: ${JSON.stringify( - (result.rule || '').mitre || ''.technique || '-' - )} \n ` + - `nist_800_53: ${JSON.stringify((result.rule || '').nist_800_53 || '-')} \n ` + - `pci_dss: ${JSON.stringify((result.rule || '').pci_dss || '-')} \n ` + - `tsc: ${JSON.stringify((result.rule || '').tsc || '-')} \n`); - returnedDataFormatted += `${alert ? `**Alert to be generated. \n\n\n` : '\n\n'}`; - return returnedDataFormatted; - }; + const logging = []; + + const showFieldInfo = (item, path, label = '') => { + _.has(item, path) && logging.push( + `\t${label || path}: '${Array.isArray(_.get(item, path)) + ? 
JSON.stringify(_.get(item, path)) + : _.get(item, path)}'` + ); + }; + + const showPhaseInfo = (item, showFirst = [], prefix = '') => { + showFirst && showFirst.forEach(field => { + showFieldInfo(item, field, prefix+field); + _.unset(item, field); + }); + typeof item === 'object' && Object.keys(item).sort().forEach((field) => { + if(typeof item[field] === 'object' && !Array.isArray(item[field])){ + showPhaseInfo(item[field],[], prefix + field + '.'); + }else{ + showFieldInfo(item, field, prefix+field); + }; + }); + } + + // Pre-decoding phase + logging.push('**Phase 1: Completed pre-decoding.'); + // Check in case rule has no_full_log attribute + if(result.full_log){ + showFieldInfo(result, 'full_log', 'full event'); + }; + + if(result.predecoder){ + showPhaseInfo(result.predecoder, ['timestamp', 'hostname', 'program_name']); + } + + // Decoding phase + logging.push(''); + logging.push('**Phase 2: Completed decoding.'); + + if(result.decoder && Object.keys(result.decoder).length > 0){ + showPhaseInfo(result.decoder, ['name', 'parent']); + if(result.data){ + showPhaseInfo(result.data, []); + }; + }else{ + logging.push('\tNo decoder matched.') + } + + // Rule phase + + // Rule debugging + // The output has data if the utility is ran in verbose mode: `wazuh-logtest -v`. + // At this moment, the Wazuh API doesn't let run in verbose mode. + if(result.rules_debug){ + logging.push(''); + logging.push('**Rule debugging:'); + result.rules_debug.forEach(debugMessage => logging.push(`${debugMessage[0] === '*' ? '\t\t' : '\t'}${debugMessage}`)); + }; + + if(result.rule){ + logging.push(''); + logging.push('**Phase 3: Completed filtering (rules).'); + showPhaseInfo(result.rule, ['id', 'level', 'description', 'groups', 'firedtimes']); + }; + + if(alert){ + logging.push('**Alert to be generated.'); + }; + + return logging.join('\n'); + }; const runAllTests = async () => { setTestResult(''); 
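Review bot: In showPhaseInfo the recursion guard `typeof item[field] === 'object' && !Array.isArray(item[field])` also matches `null`, so a null-valued field in `result.data` (or any nested object) recurses into `showPhaseInfo(null, ...)`, where `typeof item === 'object'` passes and `Object.keys(null)` throws, aborting the whole test output instead of printing that field. Guard both places against null: `if (item[field] !== null && typeof item[field] === 'object' && !Array.isArray(item[field])) {` and `item !== null && typeof item === 'object' && Object.keys(item).sort().forEach(...)`. Separately, `_.unset(item, field)` deletes the showFirst keys from `result.predecoder`, `result.decoder` and `result.rule`, i.e. it mutates the API response object the caller owns; skipping those keys while iterating (`Object.keys(item).filter((f) => !showFirst.includes(f)).sort()`) gives the same output without the side effect. The stray `};` after the if blocks are empty statements a linter will flag. The enclosing Logtest component starts and ends outside the hunk.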
@@ -129,8 +172,8 @@ export const Logtest = compose( const testResults = responses.map((response) => { return response.data.data.output || '' ? formatResult(response.data.data.output, response.data.data.alert) - : `No result found for: ${response.data.data.output.full_log} \n\n\n`; - }); + : `No result found for: ${response.data.data.output.full_log}`; + }).join('\n\n'); setTestResult(testResults); } finally { setTesting(false); From e6cbc27b065e4aa92365ad25ce259a5099c0d1b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antonio=20David=20Guti=C3=A9rrez?= Date: Tue, 10 May 2022 14:20:02 +0200 Subject: [PATCH 2/2] changelog: Add PR entry to the changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 964619b2e9..b575d2f74c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ All notable changes to the Wazuh app project will be documented in this file. +## Wazuh v4.3.0 - Kibana 7.10.2 , 7.16.x, 7.17.x - Revision 4302 + +### Fixed + +- Fixed the falsy values are displayed as not defined and enhanced the output of `Ruleset Test` [#4141](https://github.com/wazuh/wazuh-kibana-app/pull/4141) + ## Wazuh v4.3.0 - Kibana 7.10.2 , 7.16.x, 7.17.x - Revision 4301 ### Added
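Review bot: The new fallback line still dereferences `response.data.data.output.full_log` in the branch that is only reached when `output` is falsy, so a `null`/`undefined` output from the API throws a TypeError inside the map instead of producing the "No result found" line (the removed line had the same problem; the commit keeps it). `output || ''` adds nothing in a boolean position, so `return response.data.data.output ? formatResult(...) : ...` reads the same. In the message use `response.data.data.output?.full_log ?? '-'`, or the event string the request was built from if it is reachable in this scope (the hunk only shows `response`). runAllTests starts outside the hunk.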