FIM System tests: 0207 Use of report changes #523

Closed
15 tasks done
rshad opened this issue Feb 24, 2020 · 3 comments · Fixed by #546

rshad commented Feb 24, 2020

Hi!

In this issue, we will comment on all the related activities to complete the design and the implementation of the scenario Use of report_changes for FIM system tests.

Configuration

  • Related branch: feature-523-scenario-report-changes.
  • wazuh-manager ossec.conf
  • Linux wazuh-agent ossec.conf file: Enable report_changes in Syscheck.
  • Windows wazuh-agent ossec.conf file: Enable report_changes in Syscheck.
    All of them can be found in
    • wazuh-qa/tests/system/fim/scenarios/207_use_of_report_changes/config/

Tasks

  • Create the corresponding ossec.conf with the scenario specifications.

    • wazuh-agent config.
      • Linux.
      • Windows.
  • Apply the required changes on the corresponding scripts.

    • create_files.py
    • modify_files.py
    • alerts.json verification script.
    • ES verification scripts.
  • Adapt actions tasks in Ansible format which will import required actions from common_tasks folder, so it takes into account the newly added parameters for each action script.

    • create_files.yml
    • modify_files.yml
    • delete_files.yml
    • ../vars/main.yml
  • Done in Add extra parameters variable #530

  • Create master playbook launch_test_scenario.yml which will import the scenario's tasks and launch them.

Actions

  • Created 5010 text file in both agents Linux and Windows.
  • Modified all 5010 files by adding a text sentence after the last line.

Tests

  • Checked the expected alerts for added event, using the corresponding scripts and manually. ✔️
  • Checked the expected alerts for modified event and the diff text in the diff field, using the corresponding scripts and manually. Timeout with files of 11MB

Note: Across almost 15 executions, in 1 of them the alerts from Windows took more time than usual to reach alerts.json or the Elasticsearch index. From my perspective this was due to the low performance of the host where Windows is running, because no errors were detected. Pending testing with more dedicated RAM for that host. ❌

Conclusions

The tests applied on this scenario have been passed successfully. All changes made on the target files were reported by syscheck:report_changes. But we detected the issue of taking a long time to run the diff in Windows.

Note: The description may be updated in the future if needed.

Kr,

Rshad

@rshad rshad added this to the Sprint 107 - DevOps milestone Feb 24, 2020
@rshad rshad self-assigned this Feb 24, 2020

rshad commented Feb 25, 2020

Hi all!

Here we comment on some details about the essential changes we applied to reach this issue goals.

- Adapted generate_files.yml:
Adapted this script to differentiate two possible types of files to be created, both binary and text files. We needed the text files because syscheck:report_changes is only valid with text files.

parser.add_argument("-t", '--text-mode', default=False, action="store_true",
                    dest="text_mode", help="Create text files instead of binary"
                    " (default is False)")

- Adapted modify_files.yml:
Adapted this script to receive a new argument -t or --text-mode used to modify text files and not binary ones.

parser.add_argument("-t", '--text-mode', default=False, action="store_true",
                    dest="text_mode", help="Modify text files instead of binary"
                    " (default is False)")

In this case, added a new function to add a new sentence at the beginning of the target file, so the difference between the file before and after the change would be printable in the generated alert, as Syscheck will print the whole document in case of inserting the new text at the end of the file, and in case of passing over x bytes of length, Syscheck will print Line x changed, More Changes ... and then our tests will not be applicable.

def modify_file_text_content(filepath, sentence):
    """
    Modify file content by adding sentence at the beginning of filepath,
    on its own line, before the existing content.

    :param str filepath: The path of the file to modify
    :param str sentence: A sentence of 1 or more words.
    """
    with open(filepath, 'r+') as file:
        content = file.read()
        # Rewind and write the new first line followed by the old content.
        file.seek(0, 0)
        file.write(sentence.rstrip('\r\n') + '\n' + content)

- Adapted verify_alerts_json.yml:

Added a new argument "-d", "--diff" to receive the text to be added into the target file with the purpose to cause a syscheck:report_changes kind alert.

        parser.add_argument("-d", "--diff", type=str, required=False, dest='diff_string',
                            help="When syscheck:report_changes enabled, represents the diff text")
        args = parser.parse_args()

As you can see, in the function alerts_prune we added a new conditional check for the case of testing syscheck:report_changes alerts.

def alerts_prune(path, target_event, diff_statement=None):
.
.
                    if (diff_statement is not None) and \
                       ('diff' in data['syscheck']) and \
                       (diff_statement not in data['syscheck']['diff']):
                        add_path = False
                    if add_path:
                        alerts_list.append(data)
                    add_path = True
.
.

- Adapted verify_alerts_elasticsearch.yml:
Here, we also adapted the script to check the field diff in case of syscheck:report_changes alerts.

    diff_statement = args.diff_string

    with open(args.files, 'r') as file_list:
.
.
            for line in file_list:
                query['query']['bool']['filter'][0]['term']['syscheck.path'] =\
                    line.rstrip()

                query_result = makeQuery(query, es, index_name)

                if query_result['hits']['total']['value'] == 1:
                    # Assuming makeQuery returns the raw search response, the
                    # alert document is under hits.hits[0]._source, not at the
                    # top level of the response.
                    syscheck = query_result['hits']['hits'][0]['_source']['syscheck']

                    if (diff_statement is not None) and \
                       ('diff' in syscheck) and \
                       (diff_statement not in syscheck['diff']):
                        success_ = False

                    if success_:
                        success += 1
                    success_ = True
.
.

Kr,

Rshad


rshad commented Feb 26, 2020

Hi all!

Regarding the issue on Windows host, where the alerts of syscheck:modified are taking a lot of time to be sent to the manager, almost 8 alerts per minute only. ❌

CPU and RAM memory are not related

We decided to repeat the experiment with higher RAM memory and CPU.

Default Machine Characteristics

  • 1 GB of RAM memory.
  • 1 Core.

Custom Machine Characteristics

  • 2 GB of RAM memory.
  • 2 Cores.

Windows Images

  • Windows Server 2016.
  • Windows Server 2012.

But nothing has changed; the alerts are still taking a long time to be sent, at the same rate (~8 alerts per minute).

After checking the Windows machine RAM and CPU behavior we found that there is no leak of RAM memory or CPU, as you can check on the following capture.

image

We can clearly see that the process of wazuh-agent is consuming only ~ 10 MB of RAM and nothing of CPU. But we can also notice the process DOS 5 File Compare Utility (32 bit), which is the background process used by wazuh-agent to run the diff for Syscheck, and it's consuming almost half of the available CPU. This process seems to be running so slowly.


Syscheck modified - report_changes alert is different between Linux and Windows

After checking, the format of the modified alert is different in Windows from the one coming from the Linux agent. In Windows more file content is printed.

Linux wazuh-agent alert

{
  "timestamp": "2020-02-26T10:19:03.975+0000",
  "rule": {
    "level": 7,
    "description": "Integrity checksum changed.",
    "id": "550",
    "firedtimes": 17,
    "mail": false,
    "groups": [
      "ossec",
      "syscheck"
    ],
    "pci_dss": [
      "11.5"
    ],
    "gpg13": [
      "4.11"
    ],
    "gdpr": [
      "II_5.1.f"
    ],
    "hipaa": [
      "164.312.c.1",
      "164.312.c.2"
    ],
    "nist_800_53": [
      "SI.7"
    ]
  },
  "agent": {
    "id": "002",
    "name": "Centos",
    "ip": "10.0.2.15"
  },
  "manager": {
    "name": "serv-test-manager-centos-1"
  },
  "id": "1582712343.14471979",
  "full_log": "File '/opt/fim_testing/uajtd/dglgwdie' modified\nMode: real-time\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '10257' to '10269'\nOld modification time was: '1582711921', now it is '1582712342'\nOld md5sum was: '27a99e7758a0ac1130212548ca346da1'\nNew md5sum is : 'e5b3f8aa3dfc64ea7b35a032058fe505'\nOld sha1sum was: 'fda41b6a597c4e53774f20079b61f19b3b8013de'\nNew sha1sum is : '300de55516a228748d0faf8bb0cb52833d017757'\nOld sha256sum was: '59fe17de107a5dc55f16635cba05c9f0aebe51fb2d76dd002635ddfef046945c'\nNew sha256sum is : '2fb1bbd4c99a285318b5f61f0ec165d86b9683bee054d3c711fb43fb0e9e1e35'\n",
  "syscheck": {
    "path": "/opt/fim_testing/uajtd/dglgwdie",
    "size_before": "10257",
    "size_after": "10269",
    "perm_after": "rw-r--r--",
    "uid_after": "0",
    "gid_after": "0",
    "md5_before": "27a99e7758a0ac1130212548ca346da1",
    "md5_after": "e5b3f8aa3dfc64ea7b35a032058fe505",
    "sha1_before": "fda41b6a597c4e53774f20079b61f19b3b8013de",
    "sha1_after": "300de55516a228748d0faf8bb0cb52833d017757",
    "sha256_before": "59fe17de107a5dc55f16635cba05c9f0aebe51fb2d76dd002635ddfef046945c",
    "sha256_after": "2fb1bbd4c99a285318b5f61f0ec165d86b9683bee054d3c711fb43fb0e9e1e35",
    "uname_after": "root",
    "gname_after": "root",
    "mtime_before": "2020-02-26T10:12:01",
    "mtime_after": "2020-02-26T10:19:02",
    "inode_after": 67165478,
    "diff": "0a1\n> Hello World\n",
    "changed_attributes": [
      "size",
      "mtime",
      "md5",
      "sha1",
      "sha256"
    ],
    "event": "modified"
  },
  "decoder": {
    "name": "syscheck_integrity_changed"
  },
  "location": "syscheck"
}

Windows wazuh-agent alert

{
  "timestamp": "2020-02-26T10:01:01.914+0000",
  "rule": {
    "level": 7,
    "description": "Integrity checksum changed.",
    "id": "550",
    "firedtimes": 20,
    "mail": false,
    "groups": [
      "ossec",
      "syscheck"
    ],
    "pci_dss": [
      "11.5"
    ],
    "gpg13": [
      "4.11"
    ],
    "gdpr": [
      "II_5.1.f"
    ],
    "hipaa": [
      "164.312.c.1",
      "164.312.c.2"
    ],
    "nist_800_53": [
      "SI.7"
    ]
  },
  "agent": {
    "id": "001",
    "name": "Windows",
    "ip": "10.0.2.15"
  },
  "manager": {
    "name": "serv-test-manager-centos-1"
  },
  "id": "1582711261.33578",
  "full_log": "File 'c:\\fim_testing\\ovxxj\\cykjj\\obujmeee' modified\nMode: scheduled\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '10258' to '10271'\nOld modification time was: '1582709728', now it is '1582710810'\nOld md5sum was: '319b9fcd86079b32f461c137e6d149de'\nNew md5sum is : '499efb8b9186766492dcdc5b91d214c0'\nOld sha1sum was: '417cb6656c60338cf6303daa831cef4a37f39920'\nNew sha1sum is : '9b72ad950e42d42cc2a317ec0ccba7d7c2da200e'\nOld sha256sum was: '6a76f6fbf3f0eaf4d20ad0cd1313f31e964546d22fb09e5bcb14608dcee2de48'\nNew sha256sum is : '69e6436bab6c28e73325ff525bda0fe86201cc6eb0aebd5ddbd40f2972af22de'\n",
  "syscheck": {
    "path": "c:\\fim_testing\\ovxxj\\cykjj\\obujmeee",
    "size_before": "10258",
    "size_after": "10271",
    "win_perm_after": [
      {
        "name": "SYSTEM",
        "allowed": [
          "DELETE",
          "READ_CONTROL",
          "WRITE_DAC",
          "WRITE_OWNER",
          "SYNCHRONIZE",
          "READ_DATA",
          "WRITE_DATA",
          "APPEND_DATA",
          "READ_EA",
          "WRITE_EA",
          "EXECUTE",
          "READ_ATTRIBUTES",
          "WRITE_ATTRIBUTES"
        ]
      },
      {
        "name": "Administrators",
        "allowed": [
          "DELETE",
          "READ_CONTROL",
          "WRITE_DAC",
          "WRITE_OWNER",
          "SYNCHRONIZE",
          "READ_DATA",
          "WRITE_DATA",
          "APPEND_DATA",
          "READ_EA",
          "WRITE_EA",
          "EXECUTE",
          "READ_ATTRIBUTES",
          "WRITE_ATTRIBUTES"
        ]
      },
      {
        "name": "Users",
        "allowed": [
          "READ_CONTROL",
          "SYNCHRONIZE",
          "READ_DATA",
          "READ_EA",
          "EXECUTE",
          "READ_ATTRIBUTES"
        ]
      }
    ],
    "uid_after": "S-1-5-32-544",
    "md5_before": "319b9fcd86079b32f461c137e6d149de",
    "md5_after": "499efb8b9186766492dcdc5b91d214c0",
    "sha1_before": "417cb6656c60338cf6303daa831cef4a37f39920",
    "sha1_after": "9b72ad950e42d42cc2a317ec0ccba7d7c2da200e",
    "sha256_before": "6a76f6fbf3f0eaf4d20ad0cd1313f31e964546d22fb09e5bcb14608dcee2de48",
    "sha256_after": "69e6436bab6c28e73325ff525bda0fe86201cc6eb0aebd5ddbd40f2972af22de",
    "attrs_after": [
      "ARCHIVE"
    ],
    "uname_after": "Administrators",
    "mtime_before": "2020-02-26T09:35:28",
    "mtime_after": "2020-02-26T09:53:30",
    "diff": "< 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n< 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n---\n> Hello World\n> 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n---\n< 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n< 00000000000000000000000000000000000000000000000000000000000000000000000000000000hgnhldiksllswusx\n---\n> 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n> 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n> 00000000000000000000000000000000000000000000000000000000000000000000000000000000hgnhldiksllswusx\n",
    "changed_attributes": [
      "size",
      "mtime",
      "md5",
      "sha1",
      "sha256"
    ],
    "event": "modified"
  },
  "decoder": {
    "name": "syscheck_integrity_changed"
  },
  "location": "syscheck"
}

Failed Verification Tests

The alerts.json verification test has failed for the Windows agent's related alerts. This was produced when reaching a moment in which the alerts list received by the agent was not growing anymore.

 "msg": "non-zero return code",
 "rc": 1,
 "stderr": "Shared connection to 172.16.0.111 closed.\r\n",
 "stderr_lines": ["Shared connection to 172.16.0.111 closed."],
 "stdout_lines": [
   "Hello World",
   "2020-02-26 10:23:24,269 [INFO] alerts.json verification started",
   "2020-02-26 10:23:26,854 [INFO] Filelist related alerts aren't growing (0) ...",
   "2020-02-26 10:24:26,875 [INFO] Elapsed time: ~ 62 seconds ",
   "",
   "2020-02-26 10:25:29,349 [INFO] Elapsed time: ~ 125 seconds ",
   "",
   "2020-02-26 10:26:32,080 [INFO] Elapsed time: ~ 187 seconds ",
   "",
   "2020-02-26 10:27:34,666 [INFO] Elapsed time: ~ 250 seconds ",
   "",
   "2020-02-26 10:28:37,187 [INFO] Elapsed time: ~ 312 seconds ",
   "",
   "2020-02-26 10:29:39,398 [INFO] Elapsed time: ~ 375 seconds ",
   "",
   "2020-02-26 10:30:42,490 [INFO] Elapsed time: ~ 438 seconds ",
   "",
   "2020-02-26 10:31:45,042 [INFO] Elapsed time: ~ 500 seconds ",
   "",
   "2020-02-26 10:32:47,435 [INFO] Elapsed time: ~ 563 seconds ",
   "",
   "2020-02-26 10:33:49,844 [INFO] Elapsed time: ~ 625 seconds ",
   "",
   "2020-02-26 10:34:52,658 [INFO] Elapsed time: ~ 688 seconds ",
   "",
   "2020-02-26 10:34:55,270 [INFO] Filelist related alerts aren't growing (0) ...",
   "2020-02-26 10:35:55,317 [INFO] Elapsed time: ~ 751 seconds ",
   "",
   "2020-02-26 10:35:58,180 [INFO] Filelist related alerts aren't growing (1) ...",
   "2020-02-26 10:36:58,221 [INFO] Elapsed time: ~ 813 seconds ",
   "",
   "2020-02-26 10:37:01,152 [INFO] Filelist related alerts aren't growing (2) ...",
   "2020-02-26 10:38:01,214 [INFO] Elapsed time: ~ 876 seconds ",
   "",
   "2020-02-26 10:38:04,374 [INFO] Filelist related alerts aren't growing (3) ...",
   "2020-02-26 10:39:04,414 [INFO] Elapsed time: ~ 940 seconds ",
   "",
   "2020-02-26 10:39:07,280 [INFO] Filelist related alerts aren't growing (4) ...",
   "2020-02-26 10:40:07,330 [INFO] Elapsed time: ~ 1003 seconds ",
   "",
   "2020-02-26 10:40:10,388 [WARNING] Verify alerts test - NOT OK. 4880 alerts are missing.",
   "",
   "2020-02-26 10:40:10,402 [WARNING] 4880 missing alerts.",
   ""
 ]}

Kr,

Rshad
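The diff check from the alerts_prune snippet and the two diff formats shown above, combined in an added example (not code from the wazuh-qa repository): it classifies each expected path instead of only counting, so an alert that carries no diff field is reported rather than passed. The function names, status labels and sample alerts are constructed for illustration.

```python
import json

# Constructed sample alerts.json content (one JSON object per line), trimmed to
# the fields the check needs. Paths and diff text are made up for this example.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    # Linux-style diff: "0a1" header, added line prefixed with "> "
    {"agent": {"name": "Centos"},
     "syscheck": {"path": "/opt/fim_testing/a", "event": "modified",
                  "diff": "0a1\n> Hello World\n"}},
    # Windows-style diff: blocks of surrounding content around the change
    {"agent": {"name": "Windows"},
     "syscheck": {"path": "c:\\fim_testing\\b", "event": "modified",
                  "diff": "< 0000\n< 0000\n---\n> Hello World\n> 0000\n"}},
    # Modified event that carries no diff field at all
    {"agent": {"name": "Centos"},
     "syscheck": {"path": "/opt/fim_testing/c", "event": "modified"}},
    # Diff present, but the sentence only appears on a removed ("<") line
    {"agent": {"name": "Centos"},
     "syscheck": {"path": "/opt/fim_testing/d", "event": "modified",
                  "diff": "1d0\n< Hello World\n"}},
    # Different event type for an expected path: must not count as a match
    {"agent": {"name": "Centos"},
     "syscheck": {"path": "/opt/fim_testing/e", "event": "added"}},
])

EXPECTED_PATHS = ["/opt/fim_testing/a", "c:\\fim_testing\\b", "/opt/fim_testing/c",
                  "/opt/fim_testing/d", "/opt/fim_testing/e", "/opt/fim_testing/z"]


def added_lines(diff_text):
    """Return the lines a diff reports as added (prefix '> '), in either format."""
    return [line[2:] for line in diff_text.splitlines() if line.startswith("> ")]


def verify_report_changes(alert_lines, expected_paths, target_event, sentence):
    """Classify each expected path as ok / no_diff / wrong_diff / missing."""
    result = {path: "missing" for path in expected_paths}
    for raw in alert_lines.splitlines():
        try:
            data = json.loads(raw)
        except ValueError:
            continue  # skip a line that is still being written to alerts.json
        syscheck = data.get("syscheck", {})
        path = syscheck.get("path")
        if path not in result or syscheck.get("event") != target_event:
            continue
        if "diff" not in syscheck:
            status = "no_diff"       # report_changes produced nothing for this file
        elif sentence in added_lines(syscheck["diff"]):
            status = "ok"
        else:
            status = "wrong_diff"    # diff exists but the sentence was not added
        if result[path] != "ok":     # a later alert never downgrades an "ok"
            result[path] = status
    return result


if __name__ == "__main__":
    report = verify_report_changes(SAMPLE_ALERTS, EXPECTED_PATHS,
                                   "modified", "Hello World")
    for path, status in report.items():
        print(status.ljust(10), path)
```
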


rshad commented Feb 26, 2020

Hi all!

It's clear that Windows is taking a long time to run the diff process of each file, but to know what time it exactly takes depending on each group of files of a determined size, we estimated the time between the first received alert and the last one, testing with the different files groups depending on the file size, separately.

Time refers to "Time needed till all the alerts are received".

| File Size | Number of Files | Time (min) | Average time/alert (sec) | Test State |
|---|---|---|---|---|
| 11 KB | 4000 | ~11 | ~0.165 | ✔️ |
| 513KB | 500 | ~150 | ~18 | ✔️ |
| 1.1M | 500 | ~633 | ~76 | ✔️ |
| 11M | 10 | ~140 | ~840 = (14 min) | |

Notes

  • The test in the case of files of 11MB, fails as the alert list does grow very slowly.

    • Error Log
failed: [172.16.0.111] (item={u'rusr': True, u'uid': 1000, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': False, u'nlink': 1, u'issock': False, u'mtime': 1582723442.384, u'gr_name': u'vagrant', u'path': u'/opt/agents_files_output/modified/files_modified.txt-172.16.0.141', u'xusr': False, u'atime': 1582723464.83989, u'inode': 4919557, u'isgid': False, u'size': 352, u'isdir': False, u'ctime': 1582723464.84089, u'isblk': False, u'wgrp': False, u'xgrp': False, u'isuid': False, u'dev': 2049, u'roth': True, u'isreg': True, u'isfifo': False, u'mode': u'0644', u'pw_name': u'vagrant', u'gid': 1000, u'ischr': False, u'wusr': True}) => {
  "ansible_loop_var": "item",
  "changed": true,
  "item": {"atime": 1582723464.83989, "ctime": 1582723464.84089, "dev": 2049, "gid": 1000, "gr_name": "vagrant", "inode": 4919557, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0644", "mtime": 1582723442.384, "nlink": 1, "path": "/opt/agents_files_output/modified/files_modified.txt-172.16.0.141", "pw_name": "vagrant", "rgrp": true, "roth": true, "rusr": true, "size": 352, "uid": 1000, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false},
  "msg": "non-zero return code",
  "rc": 1,
  "stderr": "Shared connection to 172.16.0.111 closed.\r\n",
  "stderr_lines": ["Shared connection to 172.16.0.111 closed."],
  "stdout_lines": [
    "Hello World",
    "2020-02-26 13:24:42,612 [INFO] alerts.json verification started",
    "2020-02-26 13:24:42,649 [INFO] Filelist related alerts aren't growing (0) ...",
    "2020-02-26 13:25:42,704 [INFO] Elapsed time: ~ 60 seconds ",
    "",
    "2020-02-26 13:25:42,741 [INFO] Filelist related alerts aren't growing (1) ...",
    "2020-02-26 13:26:42,802 [INFO] Elapsed time: ~ 120 seconds ",
    "",
    "2020-02-26 13:26:42,858 [INFO] Filelist related alerts aren't growing (2) ...",
    "2020-02-26 13:27:42,908 [INFO] Elapsed time: ~ 180 seconds ",
    "",
    "2020-02-26 13:27:42,950 [INFO] Filelist related alerts aren't growing (3) ...",
    "2020-02-26 13:28:42,993 [INFO] Elapsed time: ~ 240 seconds ",
    "",
    "2020-02-26 13:28:43,074 [INFO] Filelist related alerts aren't growing (4) ...",
    "2020-02-26 13:29:43,096 [INFO] Elapsed time: ~ 300 seconds ",
    "",
    "2020-02-26 13:29:43,137 [WARNING] Verify alerts test - NOT OK. 10 alerts are missing.",
    "",
    "2020-02-26 13:29:43,139 [WARNING] 10 missing alerts.",
    ""
  ]
}
  • Also the process DOS 5 File Compare Utility (32 bit), responsible for running the diff in Syscheck, died after sending the first alert of the file of 11MB.

Kr,

Rshad

@rshad rshad changed the title FIM System tests: 0207: Use of report changes FIM System tests: 0207 Use of report changes Feb 26, 2020
@jm404 jm404 linked a pull request Mar 2, 2020 that will close this issue
@jm404 jm404 closed this as completed Mar 2, 2020