Documentation
¶
Overview ¶
see: https://documentation.wazuh.com/4.0/development/message-format.html
Index ¶
- Constants
- func PKCS7Padding(ciphertext []byte, blockSize int) []byte
- func PKCS7UnPadding(origData []byte) []byte
- type AgentKey
- type AgentKeyMap
- type AgentOption
- func WithAgentAllowedIPs(allowedIPs string) AgentOption
- func WithAgentIP(agentIP string) AgentOption
- func WithBasePath(basePath string) AgentOption
- func WithClientName(clientName string) AgentOption
- func WithClientVersion(clientVersion string) AgentOption
- func WithContext(ctx context.Context) AgentOption
- func WithEncryptionMethod(encryptionMethod EncryptionMethod) AgentOption
- func WithPort(port uint16) AgentOption
- func WithTCP(tcp bool) AgentOption
- func WithUDP(udp bool) AgentOption
- func WithZapLogger(logger *zap.Logger) AgentOption
- type AgentShutDownEvent
- type Client
- func (a *Client) AgentLoop(ctx context.Context, closeOnError bool) (chan *QueuePosting, chan interface{}, error)
- func (a *Client) Close() error
- func (a *Client) Connect(isStartup bool) error
- func (a *Client) IsConencted() bool
- func (a *Client) NewHardware() *Hardware
- func (a *Client) NewOS() *OS
- func (a *Client) NewProcess() *Process
- func (a *Client) NewSysinfo(typ string, data interface{}) *Sysinfo
- func (a *Client) PingServer() error
- func (a *Client) PostSysinfo(input chan *QueuePosting)
- func (a *Client) ReadServerResponse(timeout time.Duration) error
- func (a *Client) ReportIntegrity() error
- func (a *Client) SendMessage(msg string, readTimeout time.Duration) error
- func (a *Client) WriteMessage(msg string) error
- type ClientConfig
- type ConvertibleBoolean
- type CorruptMessage
- type EncryptionMethod
- type EnrollmentConfig
- type Event
- type FileUpdatedEvent
- type FimData
- type FimMessage
- type Hardware
- type InitInfo
- type IntegrationEvent
- type IntegrationMeta
- type LocalConfig
- type Network
- type OS
- type Package
- type Port
- type Process
- type Queue
- type QueueError
- type QueueOption
- type QueuePosting
- type RemoteFileInfo
- type Sysinfo
- type WithLoggin
Constants ¶
View Source
const ( // EncryptionMethodBlowFish use BlowFish for transprot encryption EncryptionMethodBlowFish = EncryptionMethod(0) // EncryptionMethodAES use AES for transprot encryption EncryptionMethodAES = EncryptionMethod(1) // maximum number of messages that can be send ber second (500 is the hard limit on the server - be gentle ) SendRateLimit = 450 // time between server pings PingIntervall = 10 SysinfoIntervall = 60 // each 60th ping -> 1/h )
View Source
const ( CONTROL_HEADER = "#!-" EXECD_HEADER = "execd " FILE_UPDATE_HEADER = CONTROL_HEADER + "up file " FILE_CLOSE_HEADER = CONTROL_HEADER + "close file " HC_STARTUP = "agent startup " HC_ACK = CONTROL_HEADER + "agent ack " HC_SK_DB_COMPLETED = "syscheck-db-completed" HC_SK_RESTART = "syscheck restart" HC_REQUEST = "req " HC_FIM_DB_SFS = "fim-db-start-first-scan" HC_FIM_DB_EFS = "fim-db-end-first-scan" HC_FIM_DB_SS = "fim-db-start-scan" HC_FIM_DB_ES = "fim-db-end-scan" CFGA_DB_DUMP = "sca-dump" HC_SK = "syscheck " HC_FIM_FILE = "fim_file " HC_FIM_REGISTRY = "fim_registry " LOCALFILE_MQ = '1' SYSLOG_MQ = '2' HOSTINFO_MQ = '3' SECURE_MQ = '4' DBSYNC_MQ = '5' SYSCHECK_MQ = '8' ROOTCHECK_MQ = '9' MYSQL_MQ = 'a' POSTGRESQL_MQ = 'b' AUTH_MQ = 'c' SYSCOLLECTOR_MQ = 'd' WM_SYS_LOCATION = "syscollector" ReadWaitTimeout = time.Duration(30 * time.Second) ReadImmediateTimeout = time.Duration(1 * time.Second) )
View Source
const ( TYPE_OS = "OS" TYPE_HARDWARE = "hardware" TYPE_PROCESS = "process" TYPE_PROCESS_END = "process_end" )
Variables ¶
This section is empty.
Functions ¶
func PKCS7Padding ¶
Use PKCS7 to fill, IOS is also 7
func PKCS7UnPadding ¶
Types ¶
type AgentKey ¶
type AgentKey struct {
AgentID string
AgentName string
AgentKey string
AgentHashedKey string
AgentAllowedIPs string
AgentIP string
}
AgentKey a single key entry
func ParseAgentKey ¶
ParseAgentKey parse a single key entry line
func RegisterAgent ¶
func RegisterAgent(cfg *EnrollmentConfig) (*AgentKey, error)
RegisterAgent register an agent via the AuthD Service
func (*AgentKey) WriteAgentKey ¶
type AgentKeyMap ¶
AgentKeyMap map of agents in agents key file
func GetAgentKeyMap ¶
func GetAgentKeyMap(filename string) (AgentKeyMap, error)
GetAgentKeyMap read from Environment and if not found there, try default file
func LoadAgentKeyMap ¶
func LoadAgentKeyMap(filename string) (AgentKeyMap, error)
LoadAgentKeyMap read all agent infos from a file (/var/ossec/etc/client.keys)
type AgentOption ¶
AgentOption allows setting custom parameters during construction
func WithAgentAllowedIPs ¶
func WithAgentAllowedIPs(allowedIPs string) AgentOption
WithAgentAllowedIPs which IPs are allwed
func WithAgentIP ¶
func WithAgentIP(agentIP string) AgentOption
WithAgentIP use specific Agent IP in messages
func WithBasePath ¶
func WithBasePath(basePath string) AgentOption
WithBasePath use specific where to cache downloaded files
func WithClientName ¶
func WithClientName(clientName string) AgentOption
WithClientName use a custom client name
func WithClientVersion ¶
func WithClientVersion(clientVersion string) AgentOption
WithClientVersion use a custom client version
func WithContext ¶
func WithContext(ctx context.Context) AgentOption
WithContext use a custom context
func WithEncryptionMethod ¶
func WithEncryptionMethod(encryptionMethod EncryptionMethod) AgentOption
WithEncryptionMethod specify encryption method to use
func WithZapLogger ¶
func WithZapLogger(logger *zap.Logger) AgentOption
WithZapLogger use a custom logger
type AgentShutDownEvent ¶
type AgentShutDownEvent struct {
}
type Client ¶
type Client struct {
*AgentKey
Server string
Port uint16
UDP bool
EncryptionMethod EncryptionMethod
ClientName string
ClientVersion string
RemoteFiles map[string]RemoteFileInfo
CurrentRemoteFile *RemoteFileInfo
// contains filtered or unexported fields
}
Client allowes to handshake with the server to reach a pending state (which allowes the agent to become a group member)
func NewAgent ¶
func NewAgent(server string, agentID string, agentName string, agentKey string, opts ...AgentOption) (*Client, error)
NewAgent create a new Agent for the target server
func (*Client) AgentLoop ¶
func (a *Client) AgentLoop(ctx context.Context, closeOnError bool) (chan *QueuePosting, chan interface{}, error)
AgentLoop Process messages and keep track of connection status
func (*Client) Close ¶
Close closes the connection. Any blocked Read or Write operations will be unblocked and return errors.
func (*Client) IsConencted ¶
func (*Client) NewHardware ¶
func (*Client) NewProcess ¶
func (*Client) NewSysinfo ¶
func (*Client) PingServer ¶
PingServer send a single ping to the server
func (*Client) PostSysinfo ¶
func (a *Client) PostSysinfo(input chan *QueuePosting)
func (*Client) ReadServerResponse ¶
ReadServerResponse read next message
func (*Client) SendMessage ¶
SendMessage send a message and wait for an answer
func (*Client) WriteMessage ¶
WriteMessage without waiting for an answerr a message and wait for an answer
type ClientConfig ¶
type ClientConfig struct {
XMLName xml.Name `xml:"client"`
// Address specifies the IP address or the hostname of the Wazuh manager.
Address string `xml:"server>address,omitempty"`
// Port sSpecifies the port to send events to on the manager. This must match the associated listening port configured on the Wazuh manager.
Port uint16 `xml:"server>port,omitempty"`
// Protocol specifies the protocol to use when connecting to the manager.
Protocol string `xml:"server>protocol,omitempty"`
// MaxRetries number of connection retries.
MaxRetries uint16 `xml:"server>max_retries,omitempty"`
// RetryInterval Time interval between connection attempts (seconds).
RetryInterval uint16 `xml:"server>retry_interval,omitempty"`
// ConfigProfile specifies the agent.conf profile(s) to be used by the agent.
ConfigProfile string `xml:"config-profile,omitempty"`
// NotifyTime specifies the time in seconds between agent checkins to the manager. More frequent checkins speed up dissemination of an updated agent.conf file to the agents, but may also put an undo load on the manager if there are a large number of agents.
NotifyTime uint16 `xml:"notify_time,omitempty"`
// TimeReconnect specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the notify_time parameter.
TimeReconnect uint16 `xml:"time-reconnect,omitempty"`
// LocalIP specifies which IP address will be used to communicate with the manager when the agent has multiple network interfaces.
LocalIP string `xml:"local_ip,omitempty"`
// AutoRestart toggles on and off the automatic restart of agents when a new valid configuration is received from the manager.
AutoRestart ConvertibleBoolean `xml:"auto_restart,omitempty"`
// CryptoMethod choose the encryption of the messages that the agent sends to the manager.
CryptoMethod string `xml:"crypto_method,omitempty"`
}
ClientConfig see: https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html
func LoadClientConfig ¶
func LoadClientConfig(filename string) (*ClientConfig, error)
LoadClientConfig Load the client configuration from a fole
func NewClientConfig ¶
func NewClientConfig() *ClientConfig
NewClientConfig new client config with default values set
type ConvertibleBoolean ¶
type ConvertibleBoolean bool
ConvertibleBoolean xml bool values (0,no,false / 1,yes,true)
func (*ConvertibleBoolean) UnmarshalText ¶
func (bit *ConvertibleBoolean) UnmarshalText(data []byte) error
UnmarshalJSON convert string to boolean
type CorruptMessage ¶
type CorruptMessage struct {
// contains filtered or unexported fields
}
func NewCorruptMessage ¶
func NewCorruptMessage(typ string) CorruptMessage
func (CorruptMessage) Error ¶
func (cme CorruptMessage) Error() string
type EnrollmentConfig ¶
type EnrollmentConfig struct {
// Manager's direction or ip address
ManagerName string
// Port Manager's port
Port int
// (optional) Name of the agent. In case of NULL enrollment message will send local hostname
AgentName string
AgentID string
AgentIP string
// IP address or CIDR of the agent. In case of null the manager will use the source ip
SenderIP string
// Forces manager to use source ip
UseSrcIP bool
// password verification
AuthPass string
// Agent Key (null if not used)
AgentKey string
// Agent Certificate
AgentCert stringMap
// CA Certificate to verify server (null if not used)
CACert string
Groups []string
// contains filtered or unexported fields
}
EnrollmentConfig enrolment configuration
func NewEnrollmentConfig ¶
func NewEnrollmentConfig() (*EnrollmentConfig, error)
NewEnrollmentConfig initialize new enrolment config
func (*EnrollmentConfig) SetLogger ¶
func (c *EnrollmentConfig) SetLogger(logger *zap.Logger)
type Event ¶
type Event struct {
IntegrationEvent
Event string `json:"Wodle event,omitempty"`
}
Event static structured event data user, srcip, dstip, srcport, dstport, protocol, action, id, url, data, extra_data, status, system_name https://documentation.wazuh.com/4.0/user-manual/ruleset/dynamic-fields.html https://github.com/wazuh/wazuh/blob/master/src/analysisd/decoders/plugins/json_decoder.c
type FileUpdatedEvent ¶
type FileUpdatedEvent struct {
FileInfo *RemoteFileInfo
}
type FimMessage ¶
type FimMessage struct {
Component string `json:"component,omitempty"`
Type string `json:"type"`
Data FimData `json:"data"`
}
func NewFimMessage ¶
func NewFimMessage() (*FimMessage, error)
type Hardware ¶
type Hardware struct {
// R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz", "ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
*Sysinfo
BoardSerial string `json:"board_serial,omitempty"`
CPUName string `json:"cpu_name,omitempty"`
CPUCores int `json:"cpu_cores,omitempty"`
CPUMhz float64 `json:"cpu_mhz,omitempty"`
RamFree uint64 `json:"ram_free,omitempty"`
RamTotal uint64 `json:"ram_total,omitempty"`
RamUsage float64 `json:"ram_usage,omitempty"`
}
type InitInfo ¶
type InitInfo struct {
Directory string `json:"Directory"`
Name string `json:"Name"`
Version *semver.Version `json:"Version"`
Revision uint `json:"Revision"`
Date time.Time `json:"Date"`
Type string `json:"Type"`
// contains filtered or unexported fields
}
InitInfo information gathered from ossec-init.conf
var LocalInitInfo *InitInfo
LocalInitInfo contains the init info of the locally installed OSSEC
func NewInitInfo ¶
NewInitInfo read InitInfo from default location
func ReadInitInfo ¶
ReadInitInfo read InitInfo from file
type IntegrationEvent ¶
type IntegrationEvent struct {
Integration string `json:"integration,omitempty"`
Meta IntegrationMeta `json:"meta,omitempty"`
}
IntegrationEvent basic integration message
type IntegrationMeta ¶
type IntegrationMeta struct {
// InputType string `json:"input>type,omitempty"`
// DecoderName string `json:"decoder>name,omitempty"`
ID string `json:"id,omitempty"`
URL string `json:"url,omitempty"`
User string `json:"user,omitempty"`
SourceUser string `json:"srcuser,omitempty"`
SourceIP *net.IP `json:"srcip,omitempty"`
SourcePort *uint `json:"srcport,omitempty"`
DestinationIP *net.IP `json:"dstip,omitempty"`
DestinationGeoIP string `json:"dstgeoip,omitempty"`
DestinationUser string `json:"dstuser,omitempty"`
DestinationPort *uint `json:"dstport,omitempty"`
Protocol string `json:"protocol,omitempty"`
Action string `json:"action,omitempty"`
Status string `json:"status,omitempty"`
SystemName string `json:"systemname,omitempty"`
ExtraData interface{} `json:"extra_data,omitempty"`
}
IntegrationMeta standard metadata
type LocalConfig ¶
type LocalConfig struct {
XMLName xml.Name `xml:"ossec_config"`
ClientConfig ClientConfig `xml:"client"`
}
LocalConfig see https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/index.html
type OS ¶
type OS struct {
// R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
*Sysinfo
ScanTime string `json:"scan_time,omitempty"`
OSName string `json:"os_name,omitempty"`
OSMajor string `json:"os_major,omitempty"`
OSMinor string `json:"os_minor,omitempty"`
OSBuild string `json:"os_build,omitempty"`
OSVersion string `json:"os_version,omitempty"`
Hostname string `json:"hostname,omitempty"`
OSRelease string `json:"os_release,omitempty"`
Architecture string `json:"architecture,omitempty"`
}
type Package ¶
type Package struct {
*Sysinfo
Architecture string `json:"architecture,omitempty"`
Group string `json:"group,omitempty"`
Name string `json:"name,omitempty"`
Priority string `json:"priority,omitempty"`
Size string `json:"size,omitempty"`
Source string `json:"source,omitempty"`
Version string `json:"version,omitempty"`
OSPatch string `json:"os_patch,omitempty"`
Hotfix string `json:"hotfix,omitempty"`
}
R"([{"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":"411","source":"xorg","version":"1:7.7+19ubuntu14","os_patch":""},{"hotfix":"KB4586786"}])")));
type Port ¶
type Port struct {
// R"({"ports":[{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}]})")));
*Sysinfo
}
type Process ¶
type Process struct {
*Sysinfo
Name string `json:"name,omitempty"`
EGroup string `json:"egroup,omitempty"`
EUser string `json:"euser,omitempty"`
FGroup string `json:"fgroup,omitempty"`
RGroup string `json:"rgroup,omitempty"`
RUser string `json:"ruser,omitempty"`
SGroup string `json:"sgroup,omitempty"`
SUser string `json:"suser,omitempty"`
State string `json:"state,omitempty"`
Nice int `json:"nice,omitempty"`
NLWP int `json:"nlwp,omitempty"`
PGrp int `json:"pgrp,omitempty"`
PID int `json:"pid,omitempty"`
PPID int `json:"ppid,omitempty"`
Priority int `json:"priority,omitempty"`
Processor int `json:"processor,omitempty"`
Resident int `json:"resident,omitempty"`
Session int `json:"session,omitempty"`
Size int `json:"size,omitempty"`
STime int `json:"stime,omitempty"`
TGID int `json:"tgid,omitempty"`
TTY int `json:"tty,omitempty"`
UTime int `json:"utime,omitempty"`
VMSize int `json:"vm_size,omitempty"`
}
type Queue ¶
type Queue struct {
TargetQueue rune
AgentName string
Type string
QueuePath string
InitInfo *InitInfo
Logger *zap.Logger
// contains filtered or unexported fields
}
Queue helper to create a custom wodle
func NewQueue ¶
func NewQueue(typ string, opts ...QueueOption) (*Queue, error)
NewQueue create new wodle
func (*Queue) AgentLoop ¶
func (w *Queue) AgentLoop(ctx context.Context, closeOnError bool) (chan *QueuePosting, chan interface{}, error)
AgentLoop process incoming messages
func (*Queue) DebugMessage ¶
DebugMessage send a debug event
type QueueError ¶
func NewQueueError ¶
func NewQueueError(operation string, innerError error) QueueError
func (QueueError) Error ¶
func (m QueueError) Error() string
type QueueOption ¶
QueueOption allows setting custom parameters during construction
func WithInitInfo ¶
func WithInitInfo(initInfo *InitInfo) QueueOption
WithInitInfo use a custom context
func WithQueueLogger ¶
func WithQueueLogger(logger *zap.Logger) QueueOption
WithQueueLogger use a custom logger
func WithQueuePath ¶
func WithQueuePath(path string) QueueOption
WithQueuePath use a custom queue path
func WithTargetQueue ¶
func WithTargetQueue(queue rune) QueueOption
WithTargetQueue use a custom target queue
type QueuePosting ¶
type QueuePosting struct {
Location string `json:"location"`
ProgramName string `json:"program"`
TargetQueue rune `json:"queue"`
Timestamp time.Time `json:"timestamp,omitempty"`
Raw interface{} `json:"raw,omitempty"`
}
QueuePosting a massage for the queue
type RemoteFileInfo ¶
type WithLoggin ¶
type WithLoggin struct {
}
Source Files
Click to show internal directories.
Click to hide internal directories.