-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement Windows Logcollector Module #206
Comments
Update 7/10/2024 and 8/10/2024Analysis and comparisson of libraries:
First ApproachSome basic design and tentative approach on how can this be achieved, this should be double checked based on the different libraries limitations and needs: Class Diagram: classDiagram
class EventChannelQuerySystem {
- Session session
- Provider provider
- Consumer consumer
-BookmarkManager bookmarkMgr
-QueryBuilder queryBuilder
+initialize()
+startQuery(channelName, queryString)
+stopQuery()
+getResults()
+setReconnectTime(time)
+rotateLog()
}
class Session {
-sessionName
-sessionProperties
+open()
+close()
+enableProvider(provider)
}
class Provider {
}
class Consumer {
-eventCallback
+processEvent(event)
+setEventCallback(callback)
}
class BookmarkManager {
-bookmarks
+createBookmark(event)
+getBookmark(id)
+saveBookmarks()
+loadBookmarks()
}
class QueryBuilder {
+buildQuery(channelName, conditions)
+addWildcardMatch(field, pattern)
}
EventChannelQuerySystem -- Session
EventChannelQuerySystem -- Provider
EventChannelQuerySystem -- Consumer
EventChannelQuerySystem -- BookmarkManager
EventChannelQuerySystem -- QueryBuilder
Flow chart:
graph TD
A[init] --> B[Initialize - ETWQuerySystem]
B --> C[Open - ETWSession]
C --> D[Enable - ETWProvider]
D --> E[Set up - ETWConsumer]
E --> F[Load Bookmarks -> store]
E --> W[(Store)]
F --> G[Build N Queries]
G --> H[run]
H --> I{While Event Received?}
I -->|Yes| J[Process Event]
J --> K[Update Bookmark]
K --> I
I -->|No| N{Query Stopped or shutdown signal ?}
N -->|Yes| O[Save Bookmarks]
O --> P[Close Session]
P --> Q[End]
N -->|No| R{Reconnect Needed?}
R -->|Yes| S[Reconnect]
S --> I
R -->|No| I
|
Update 9/10/2024
|
Update 10/10/2024
|
Update 14/10/2024Seccond ApproachBecause we're using krabsetw and it needs to create a thread for each provider, this is the rework of the design: Class Diagram:
classDiagram
class EventChannelQuerySystem {
- Provider provider
- Consumer consumer
-BookmarkManager bookmarkMgr
-QueryBuilder queryBuilder
+initialize()
+setEventCallback(callback)
+start()
+qttyOfResults()
+setReconnectTime(time)
+rotateLog()
}
class Provider {
-channel
-providerName
}
class Consumer {
-eventCallback
-queryString
+processEvent(event)
}
class BookmarkManager {
-bookmarks
+createBookmark(event)
+getBookmark(id)
+saveBookmarks()
+loadBookmarks()
}
class QueryBuilder {
+buildQuery(channelName, conditions)
+addWildcardMatch(field, pattern)
}
EventChannelQuerySystem -- Session
EventChannelQuerySystem -- Provider
EventChannelQuerySystem -- Consumer
EventChannelQuerySystem -- BookmarkManager
EventChannelQuerySystem -- QueryBuilder
Flow chart Changes:
Details
flowchart TD
A["init"] --> C["Initialize Channel / Provider"]
C --> E["Initialice Trace Session"]
E --> F["Load Bookmarks"] & W[("Store")]
F --> G["Build / Check Queries"]
G --> H["Start Provider Thread"]
H --> I{"Receiveing events"} & B["Next Provider"]
I -- Yes --> J["Process Event"]
J --> K["Update Bookmark"]
K --> I
I -- No --> N{"Stopped ?"}
N -- Yes --> O["Save Bookmarks"]
O --> P["Close Session"]
P --> Q["End"]
N -- No --> R{"Reconnection?"}
R -- Yes --> S["Reconnect"]
S --> I
R -- No --> I
B --> A
I --> n1["Untitled Node"]
Example of reading Application events -> void EventLogApplication::start()
{
// While Adminstrator is sufficent to view the Security EventLog,
// SYSTEM is required for the Microsoft-Windows-Security-Auditing provider.
char user_name[128] = { 0 };
DWORD user_name_length = 128;
if (!GetUserNameA(user_name, &user_name_length) || !strcmp(user_name, "SYSTEM") == 0)
{
std::wcout << L"Microsoft-Windows-Security-Auditing can only be traced by SYSTEM" << std::endl;
return;
}
krabs::user_trace trace(L"EventLog-Application");
krabs::provider<> provider(L"Microsoft-Windows-Security-SPP");
provider.any((ULONGLONG)-1);
provider.add_on_event_callback([](const EVENT_RECORD &record, const krabs::trace_context &trace_context) {
krabs::schema schema(record, trace_context.schema_locator);
std::wcout << L"Event " << schema.event_id();
std::wcout << L"(" << schema.event_name() << L") received." << std::endl;
if (schema.event_id() == 4703) {
krabs::parser parser(schema);
std::wstring enabled_privilege_list = parser.parse<std::wstring>(L"EnabledPrivilegeList");
std::wstring disabled_privilege_list = parser.parse<std::wstring>(L"DisabledPrivilegeList");
std::wcout << L"\tEnabledPrivilegeList=" << enabled_privilege_list << std::endl;
std::wcout << L"\tDisabledPrivilegeList=" << disabled_privilege_list << std::endl;
}
});
trace.enable(provider);
trace.start();
}
|
Update 15/10/2024
|
Update 16/10/2024
|
Update 17/10/2024
|
Update 18/10/2024
|
Moved to on hold until the release testing stage is completed. |
Description
This issue is a section of #201, focuses on implementing the Windows Logcollector module in the Wazuh Agent 5.0.0. The Windows collector will utilize the Event Channel (eventchannel) API to gather system logs, ensuring seamless integration and log management on Windows platforms.
Functional Requirements
Non-functional Requirements
Deliverables
Acceptance Criteria
The text was updated successfully, but these errors were encountered: