From b2ed08b9ae0c482394a74cb58936229af77ba8fa Mon Sep 17 00:00:00 2001 From: Federico Rodriguez Date: Thu, 21 Mar 2024 17:32:14 +0100 Subject: [PATCH 1/2] Add macOS log collector tab --- .../configuration/logcollector-localfile.json | 130 +++++++++++++++-- .../log-collection-macosevents.js | 138 ++++++++++++++++++ .../log-collection/log-collection.js | 19 +++ .../configuration/log-collection/types.js | 4 +- 4 files changed, 277 insertions(+), 14 deletions(-) create mode 100644 plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js diff --git a/docker/imposter/agents/configuration/logcollector-localfile.json b/docker/imposter/agents/configuration/logcollector-localfile.json index 722426ff24..c61d46743d 100644 --- a/docker/imposter/agents/configuration/logcollector-localfile.json +++ b/docker/imposter/agents/configuration/logcollector-localfile.json @@ -1,12 +1,31 @@ { "data": { "localfile": [ + { + "logformat": "macos", + "query": { + "value": "(process == \"sudo\") or (process == \"sessionlogoutd\" and message contains \"logout is complete.\") or (process == \"sshd\") or (process == \"tccd\" and message contains \"Update Access Record\") or (message contains \"SessionAgentNotificationCenter\") or (process == \"screensharingd\" and message contains \"Authentication\") or (process == \"securityd\" and eventMessage contains \"Session\" and subsystem == \"com.apple.securityd\")", + "level": "info", + "type": [ + "log", + "activity", + "trace" + ] + }, + "ignore_binaries": "no", + "only-future-events": "yes", + "target": [ + "agent" + ] + }, { "logformat": "command", "command": "df -P", "alias": "df -P", "ignore_binaries": "no", - "target": ["agent"], + "target": [ + "agent" + ], "frequency": 360 }, { @@ -14,7 +33,9 @@ "command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d", "alias": "netstat listening ports", "ignore_binaries": "no", - "target": ["agent"], + "target": [ + "agent" + ], "frequency": 360 }, { @@ -22,7 +43,9 @@ "command": "last -n 20", "alias": "last -n 20", "ignore_binaries": "no", - "target": ["agent"], + "target": [ + "agent" + ], "frequency": 360 }, { @@ -30,58 +53,141 @@ "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", - "target": ["agent"] + "target": [ + "agent" + ] }, { "file": "/var/log/nginx/access.log", "logformat": "apache", "ignore_binaries": "no", "only-future-events": "yes", - "target": ["agent"] + "target": [ + "agent" + ] }, { "file": "/var/log/nginx/error.log", "logformat": "apache", "ignore_binaries": "no", "only-future-events": "yes", - "target": ["agent"] + "target": [ + "agent" + ] }, { "file": "/var/ossec/logs/active-responses.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", - "target": ["agent"] + "target": [ + "agent" + ] }, { "file": "/var/log/auth.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", - "target": ["agent"] + "target": [ + "agent" + ] }, { "file": "/var/log/syslog", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", - "target": ["agent"] + "target": [ + "agent" + ] }, { "file": "/var/log/dpkg.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", - "target": ["agent"] + "target": [ + "agent" + ] }, { "file": "/var/log/kern.log", "logformat": "syslog", "ignore_binaries": "no", "only-future-events": "yes", - "target": ["agent"] + "target": [ + "agent" + ] + }, + { + "channel": "Application", + "logformat": "eventlog", + "ignore_binaries": "no", + "target": [ + "agent" + ] + }, + { + "channel": "Security", + "logformat": "eventchannel", + "query": { + "value": "Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]" + }, + "ignore_binaries": "no", + "only-future-events": "yes", + "target": [ + "agent" + ], + "reconnect_time": 5 + }, + { + "channel": "System", + "logformat": "eventlog", + "ignore_binaries": "no", + "target": [ + "agent" + ] + }, + { + "file": "active-response\\active-responses.log", + "logformat": "syslog", + "ignore_binaries": "no", + "only-future-events": "yes", + "target": [ + "agent" + ] + }, + { + "channel": "Microsoft-Windows-Sysmon/Operational", + "logformat": "eventchannel", + "ignore_binaries": "no", + "only-future-events": "yes", + "target": [ + "agent" + ], + "reconnect_time": 5 + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "logformat": "eventchannel", + "ignore_binaries": "no", + "only-future-events": "yes", + "target": [ + "agent" + ], + "reconnect_time": 5 + }, + { + "file": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex240321.log", + "logformat": "iis", + "ignore_binaries": "no", + "only-future-events": "yes", + "target": [ + "agent" + ] } ] }, "error": 0 -} +} \ No newline at end of file diff --git a/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js new file mode 100644 index 0000000000..4da73b7bcb --- /dev/null +++ b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js @@ -0,0 +1,138 @@ +/* + * Wazuh app - React component for show configuration of log collection - commands tab. + * Copyright (C) 2015-2022 Wazuh, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * Find more information about this on the LICENSE file. + */ + +import React, { Component, Fragment } from 'react'; + +import WzNoConfig from '../util-components/no-config'; +import WzConfigurationSettingsHeader from '../util-components/configuration-settings-header'; +import WzConfigurationListSelector from '../util-components/configuration-settings-list-selector'; +import { renderValueOrNoValue, isString } from '../utils/utils'; +import { settingsListBuilder } from '../utils/builders'; +import helpLinks from './help-links'; +import { + LOGCOLLECTOR_LOCALFILE_PROP, + LOCALFILE_MACOSEVENT_PROP, +} from './types'; + +/** + * Return input label based on logformat value + * + * @param {*} value => field value + * @param {*} item => settings item + * @param {*} config => all log data + * @returns string => value to show in Channel label + */ +const channelLabel = (value, item, config) => { + return config.logformat === 'eventlog' + ? 'Log' + : config.logformat === 'eventchannel' + ? 'Channel' + : 'Channel'; +}; + +/** + * + * @param {*} data => all log data + * @returns string => value to show in query input + */ +const queryValue = data => { + return typeof data === 'undefined' + ? '-' + : typeof data === 'object' + ? data.value + : data; +}; + +/** + * Returns targets array parsed in one string + * @param {*} item + * @returns string => target + */ +const renderTargetField = item => (item ? item.join(', ') : 'agent'); +/** + * Return panels title + * @param {*} item => log data + * @returns + */ +const panelsLabel = item => + !item.channel + ? `${item.logformat} - ${renderTargetField(item.target)}` + : `${item.channel} (${item.logformat})`; + +const mainSettings = [ + { field: 'logformat', label: 'Log format' }, + { + field: 'channel', + label: 'Channel', + render: renderValueOrNoValue, + renderLabel: channelLabel, + }, + { field: 'query', label: 'Query', render: queryValue }, + { + field: 'only-future-events', + label: 'Only future events', + render: renderValueOrNoValue, + }, + { + field: 'reconnect_time', + label: 'Reconnect Time', + render: renderValueOrNoValue, + }, +]; + +class WzConfigurationLogCollectionMacOSEvents extends Component { + constructor(props) { + super(props); + } + render() { + const { currentConfig } = this.props; + const items = currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[ + LOCALFILE_MACOSEVENT_PROP + ] + ? settingsListBuilder( + currentConfig[LOGCOLLECTOR_LOCALFILE_PROP][LOCALFILE_MACOSEVENT_PROP], + panelsLabel, + ) + : []; + return ( + + {isString(currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]) && ( + + )} + {!currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[ + LOCALFILE_MACOSEVENT_PROP + ]?.length ? ( + + ) : null} + {currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[ + LOCALFILE_MACOSEVENT_PROP + ]?.length ? ( + + + + ) : null} + + ); + } +} + +export default WzConfigurationLogCollectionMacOSEvents; diff --git a/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection.js b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection.js index 4cdb32b286..52c0ee029a 100644 --- a/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection.js +++ b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection.js @@ -18,6 +18,7 @@ import WzTabSelector, { import WzConfigurationLogCollectionLogs from './log-collection-logs'; import WzConfigurationLogCollectionCommands from './log-collection-commands'; import WzConfigurationLogCollectionWindowsEvents from './log-collection-windowsevents'; +import WzConfigurationLogCollectionMacOSEvents from './log-collection-macosevents'; import WzConfigurationLogCollectionSockets from './log-collection-sockets'; import withWzConfig from '../util-hocs/wz-config'; import { isString } from '../utils/utils'; @@ -26,6 +27,7 @@ import { LOCALFILE_LOGS_PROP, LOCALFILE_WINDOWSEVENT_PROP, LOGCOLLECTOR_LOCALFILE_PROP, + LOCALFILE_MACOSEVENT_PROP, } from './types'; class WzConfigurationLogCollection extends Component { @@ -51,6 +53,9 @@ class WzConfigurationLogCollection extends Component { item.logformat === 'eventchannel' || item.logformat === 'eventlog', ), + [LOCALFILE_MACOSEVENT_PROP]: currentConfig[ + LOGCOLLECTOR_LOCALFILE_PROP + ].localfile.filter(item => item.logformat === 'macos'), [LOCALFILE_COMMANDS_PROP]: currentConfig[ LOGCOLLECTOR_LOCALFILE_PROP ].localfile.filter( @@ -92,6 +97,20 @@ class WzConfigurationLogCollection extends Component { ), }, + { + condition: + currentConfig[LOGCOLLECTOR_LOCALFILE_PROP] && + currentConfig[LOGCOLLECTOR_LOCALFILE_PROP][LOCALFILE_MACOSEVENT_PROP] + .length > 0, + component: ( + + + + ), + }, { condition: currentConfig[LOGCOLLECTOR_LOCALFILE_PROP] && diff --git a/plugins/main/public/controllers/management/components/management/configuration/log-collection/types.js b/plugins/main/public/controllers/management/components/management/configuration/log-collection/types.js index 27e32f111c..57d22b9412 100644 --- a/plugins/main/public/controllers/management/components/management/configuration/log-collection/types.js +++ b/plugins/main/public/controllers/management/components/management/configuration/log-collection/types.js @@ -1,7 +1,7 @@ - export const LOGCOLLECTOR_LOCALFILE_PROP = 'logcollector-localfile'; export const LOGCOLLECTOR_SOCKET_PROP = 'logcollector-socket'; export const LOCALFILE_LOGS_PROP = 'localfile-logs'; export const LOCALFILE_WINDOWSEVENT_PROP = 'localfile-windowsevent'; -export const LOCALFILE_COMMANDS_PROP = 'localfile-commands'; \ No newline at end of file +export const LOCALFILE_COMMANDS_PROP = 'localfile-commands'; +export const LOCALFILE_MACOSEVENT_PROP = 'localfile-macosevent'; From 18686a65fe3921d44ab97987d76b196c5f66358d Mon Sep 17 00:00:00 2001 From: Federico Rodriguez Date: Fri, 22 Mar 2024 13:24:05 +0100 Subject: [PATCH 2/2] Change macOS fields displayed --- CHANGELOG.md | 1 + .../log-collection-macosevents.js | 50 ++++++++----------- 2 files changed, 21 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e03809bb52..6604f8abfc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ All notable changes to the Wazuh app project will be documented in this file. - Added edit agent groups and upgrade agents actions to Endpoints Summary [#6250](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6250) [#6476](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6476) [#6274](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6274) [#6501](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6501) - Added propagation of updates from the table to dashboard visualizations in Endpoints summary [#6460](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6460) - Handle index pattern selector on new discover [#6499](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6499) +- Added macOS log collector tab [#6545](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6545) ### Changed diff --git a/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js index 4da73b7bcb..ebb7bb14dd 100644 --- a/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js +++ b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js @@ -15,6 +15,7 @@ import React, { Component, Fragment } from 'react'; import WzNoConfig from '../util-components/no-config'; import WzConfigurationSettingsHeader from '../util-components/configuration-settings-header'; import WzConfigurationListSelector from '../util-components/configuration-settings-list-selector'; +import WzConfigurationSettingsGroup from '../util-components/configuration-settings-group'; import { renderValueOrNoValue, isString } from '../utils/utils'; import { settingsListBuilder } from '../utils/builders'; import helpLinks from './help-links'; @@ -23,22 +24,6 @@ import { LOCALFILE_MACOSEVENT_PROP, } from './types'; -/** - * Return input label based on logformat value - * - * @param {*} value => field value - * @param {*} item => settings item - * @param {*} config => all log data - * @returns string => value to show in Channel label - */ -const channelLabel = (value, item, config) => { - return config.logformat === 'eventlog' - ? 'Log' - : config.logformat === 'eventchannel' - ? 'Channel' - : 'Channel'; -}; - /** * * @param {*} data => all log data @@ -57,36 +42,32 @@ const queryValue = data => { * @param {*} item * @returns string => target */ -const renderTargetField = item => (item ? item.join(', ') : 'agent'); +const renderTargetField = item => + Array.isArray(item) ? item.join(', ') : 'agent'; + /** * Return panels title * @param {*} item => log data * @returns */ const panelsLabel = item => - !item.channel - ? `${item.logformat} - ${renderTargetField(item.target)}` - : `${item.channel} (${item.logformat})`; + `${item.logformat} - ${renderTargetField(item.target)}`; const mainSettings = [ { field: 'logformat', label: 'Log format' }, + { field: 'query', label: 'Query value', render: queryValue }, + { field: 'query.level', label: 'Query level', render: renderValueOrNoValue }, + { field: 'query.type', label: 'Query type', render: renderValueOrNoValue }, { - field: 'channel', - label: 'Channel', + field: 'ignore_binaries', + label: 'Ignore binaries', render: renderValueOrNoValue, - renderLabel: channelLabel, }, - { field: 'query', label: 'Query', render: queryValue }, { field: 'only-future-events', label: 'Only future events', render: renderValueOrNoValue, }, - { - field: 'reconnect_time', - label: 'Reconnect Time', - render: renderValueOrNoValue, - }, ]; class WzConfigurationLogCollectionMacOSEvents extends Component { @@ -103,6 +84,7 @@ class WzConfigurationLogCollectionMacOSEvents extends Component { panelsLabel, ) : []; + return ( {isString(currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]) && ( @@ -118,7 +100,7 @@ class WzConfigurationLogCollectionMacOSEvents extends Component { ) : null} {currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[ LOCALFILE_MACOSEVENT_PROP - ]?.length ? ( + ]?.length > 1 ? ( ) : null} + {currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[ + LOCALFILE_MACOSEVENT_PROP + ]?.length === 1 ? ( + + ) : null} ); }