Overview ¶
See the Wazuh message format documentation: https://documentation.wazuh.com/4.0/development/message-format.html
Index ¶
- Constants
- type AgentKey
- type AgentKeyMap
- type AgentOption
- func WithAgentAllowedIPs(allowedIPs string) AgentOption
- func WithAgentIP(agentIP string) AgentOption
- func WithContext(ctx context.Context) AgentOption
- func WithEncryptionMethod(encryptionMethod EncryptionMethod) AgentOption
- func WithPort(port uint16) AgentOption
- func WithTCP(tcp bool) AgentOption
- func WithUDP(udp bool) AgentOption
- func WithZapLogger(logger *zap.Logger) AgentOption
- type Client
- func (a *Client) AgentLoop() error
- func (a *Client) Close() error
- func (a *Client) Connect(isStartup bool) error
- func (a *Client) PingServer() error
- func (a *Client) ReadMessage(timeout time.Duration) (string, error)
- func (a *Client) SendMessage(msg string) (string, error)
- func (a *Client) WriteMessage(msg string) error
- type ClientConfig
- type ConvertibleBoolean
- type EncryptionMethod
- type EnrollmentConfig
- type Event
- type InitInfo
- type IntegrationEvent
- type IntegrationMeta
- type LocalConfig
- type Queue
- type QueueOption
- type QueuePosting
- type WithLoggin
Constants ¶
// Transport encryption methods selectable via WithEncryptionMethod.
const (
	// EncryptionMethodBlowFish uses BlowFish for transport encryption.
	// NOTE(review): Blowfish is a legacy 64-bit-block cipher; prefer
	// EncryptionMethodAES wherever the manager supports it.
	EncryptionMethodBlowFish = EncryptionMethod(0)
	// EncryptionMethodAES uses AES for transport encryption.
	EncryptionMethodAES = EncryptionMethod(1)
)
// Protocol strings, queue identifiers and read timeouts used when talking to
// the Wazuh manager. See the message-format documentation linked in the
// package overview for the meaning of each header.
const (
	// Message header prefixes exchanged with the manager.
	CONTROL_HEADER     = "#!-"
	EXECD_HEADER       = "execd "
	FILE_UPDATE_HEADER = "up file "
	FILE_CLOSE_HEADER  = "close file "

	// HC_* message bodies (handshake/control traffic — see message-format docs).
	HC_STARTUP         = "agent startup "
	HC_ACK             = "agent ack "
	HC_SK_DB_COMPLETED = "syscheck-db-completed"
	HC_SK_RESTART      = "syscheck restart"
	HC_REQUEST         = "req "
	HC_FIM_DB_SFS      = "fim-db-start-first-scan"
	HC_FIM_DB_EFS      = "fim-db-end-first-scan"
	HC_FIM_DB_SS       = "fim-db-start-scan"
	HC_FIM_DB_ES       = "fim-db-end-scan"
	CFGA_DB_DUMP       = "sca-dump"
	HC_SK              = "syscheck "
	HC_FIM_FILE        = "fim_file "
	HC_FIM_REGISTRY    = "fim_registry "

	// Queue identifiers; rune values suitable for Queue.TargetQueue and
	// WithTargetQueue.
	LOCALFILE_MQ = '1'
	SYSLOG_MQ    = '2'
	HOSTINFO_MQ  = '3'
	SECURE_MQ    = '4'
	SYSCHECK_MQ  = '8'
	ROOTCHECK_MQ = '9'

	// Read timeouts intended for Client.ReadMessage.
	ReadWaitTimeout      = time.Duration(30 * time.Second)
	ReadImmediateTimeout = time.Duration(1 * time.Second)
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AgentKey ¶
// AgentKey is a single key entry, as produced by ParseAgentKey and
// RegisterAgent and collected by LoadAgentKeyMap.
// The key fields are the agent's credential material; keep them out of logs.
type AgentKey struct {
	AgentID   string
	AgentName string
	// AgentKey is the raw key; AgentHashedKey is presumably a digest of it — TODO confirm.
	AgentKey        string
	AgentHashedKey  string
	AgentAllowedIPs string
	AgentIP         string
}
AgentKey is a single key entry.
func ParseAgentKey ¶
ParseAgentKey parses a single key entry line.
func RegisterAgent ¶ added in v0.3.0
func RegisterAgent(cfg *EnrollmentConfig) (*AgentKey, error)
RegisterAgent registers an agent via the AuthD service.
type AgentKeyMap ¶
AgentKeyMap is the map of agents in the agent key file.
func LoadAgentKeyMap ¶
func LoadAgentKeyMap(filename string) (AgentKeyMap, error)
LoadAgentKeyMap reads all agent entries from a key file (e.g. /var/ossec/etc/client.keys).
type AgentOption ¶
AgentOption allows setting custom parameters during construction
func WithAgentAllowedIPs ¶
func WithAgentAllowedIPs(allowedIPs string) AgentOption
WithAgentAllowedIPs sets which IPs are allowed.
func WithAgentIP ¶
func WithAgentIP(agentIP string) AgentOption
WithAgentIP uses a specific agent IP in messages.
func WithContext ¶
func WithContext(ctx context.Context) AgentOption
WithContext uses a custom context.
func WithEncryptionMethod ¶
func WithEncryptionMethod(encryptionMethod EncryptionMethod) AgentOption
WithEncryptionMethod specifies the encryption method to use.
func WithZapLogger ¶
func WithZapLogger(logger *zap.Logger) AgentOption
WithZapLogger uses a custom logger.
type Client ¶
// Client allows handshaking with the server to reach a pending state (which
// allows the agent to become a group member). Construct it with NewAgent.
type Client struct {
	*AgentKey
	Server string
	Port   uint16
	// UDP selects UDP transport (see WithUDP / WithTCP).
	UDP bool
	// EncryptionMethod is one of EncryptionMethodBlowFish / EncryptionMethodAES.
	EncryptionMethod EncryptionMethod
	// contains filtered or unexported fields (omitted by the documentation renderer)
}
Client allows handshaking with the server to reach a pending state (which allows the agent to become a group member).
func NewAgent ¶
func NewAgent(server string, agentID string, agentName string, agentKey string, opts ...AgentOption) (*Client, error)
NewAgent creates a new Agent for the target server.
func (*Client) Close ¶
Close closes the connection. Any blocked Read or Write operations will be unblocked and return errors.
func (*Client) PingServer ¶
PingServer sends a single ping to the server.
func (*Client) ReadMessage ¶
ReadMessage reads the next message.
func (*Client) SendMessage ¶
SendMessage sends a message and waits for an answer.
func (*Client) WriteMessage ¶
WriteMessage sends a message without waiting for an answer.
type ClientConfig ¶
// ClientConfig is the <client> section of the agent configuration.
// See: https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html
type ClientConfig struct {
	XMLName xml.Name `xml:"client"`
	// Address specifies the IP address or the hostname of the Wazuh manager.
	Address string `xml:"address,omitempty"`
	// Port specifies the port to send events to on the manager. This must match
	// the associated listening port configured on the Wazuh manager.
	Port uint16 `xml:"port,omitempty"`
	// Protocol specifies the protocol to use when connecting to the manager.
	Protocol string `xml:"protocol,omitempty"`
	// MaxRetries is the number of connection retries.
	MaxRetries uint16 `xml:"max_retries,omitempty"`
	// RetryInterval is the time interval between connection attempts (seconds).
	RetryInterval uint16 `xml:"retry_interval,omitempty"`
	// ConfigProfile specifies the agent.conf profile(s) to be used by the agent.
	ConfigProfile string `xml:"config-profile,omitempty"`
	// NotifyTime specifies the time in seconds between agent check-ins to the
	// manager. More frequent check-ins speed up dissemination of an updated
	// agent.conf file to the agents, but may also put an undue load on the
	// manager if there are a large number of agents.
	NotifyTime uint16 `xml:"notify_time,omitempty"`
	// TimeReconnect specifies the time in seconds before a reconnection is
	// attempted. This should be set to a higher number than the notify_time
	// parameter.
	TimeReconnect uint16 `xml:"time-reconnect,omitempty"`
	// LocalIP specifies which IP address will be used to communicate with the
	// manager when the agent has multiple network interfaces.
	LocalIP string `xml:"local_ip,omitempty"`
	// AutoRestart toggles on and off the automatic restart of agents when a
	// new valid configuration is received from the manager.
	AutoRestart ConvertibleBoolean `xml:"auto_restart,omitempty"`
	// CryptoMethod chooses the encryption of the messages that the agent sends
	// to the manager.
	CryptoMethod string `xml:"crypto_method,omitempty"`
}
ClientConfig see: https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html
func LoadClientConfig ¶
func LoadClientConfig(filename string) (*ClientConfig, error)
LoadClientConfig loads the client configuration from a file.
func NewClientConfig ¶
func NewClientConfig() *ClientConfig
NewClientConfig returns a new client config with default values set.
type ConvertibleBoolean ¶
// ConvertibleBoolean represents XML/JSON boolean values spelled as
// 0/no/false or 1/yes/true; see its UnmarshalJSON method.
type ConvertibleBoolean bool
ConvertibleBoolean represents XML boolean values (0, no, false / 1, yes, true).
func (*ConvertibleBoolean) UnmarshalJSON ¶
func (bit *ConvertibleBoolean) UnmarshalJSON(data []byte) error
UnmarshalJSON converts a string to a boolean.
type EnrollmentConfig ¶ added in v0.3.0
// EnrollmentConfig is the enrollment configuration consumed by RegisterAgent.
// NOTE(review): AuthPass and AgentKey are secrets — do not log this struct verbatim.
type EnrollmentConfig struct {
	// ManagerName is the manager's address (hostname or IP address).
	ManagerName string
	// Port is the manager's port.
	Port int
	// AgentName is the (optional) name of the agent. If empty, the enrollment
	// message will send the local hostname.
	AgentName string
	AgentID   string
	AgentIP   string
	// SenderIP is the IP address or CIDR of the agent. If empty, the manager
	// will use the source IP.
	SenderIP string
	// UseSrcIP forces the manager to use the source IP.
	UseSrcIP bool
	// AuthPass is the password used for verification.
	AuthPass string
	// AgentKey is the agent key (empty if not used).
	AgentKey string
	// AgentCert is the agent certificate.
	// NOTE(review): the rendered type reads `stringMap`, which looks like a
	// rendering artifact of `string` — confirm against the source file.
	AgentCert stringMap
	// CACert is the CA certificate used to verify the server (empty if not used).
	CACert string
	Groups []string
	// contains filtered or unexported fields (omitted by the documentation renderer)
}
EnrollmentConfig is the enrollment configuration.
func NewEnrollmentConfig ¶ added in v0.3.0
func NewEnrollmentConfig() (*EnrollmentConfig, error)
NewEnrollmentConfig initializes a new enrollment config.
type Event ¶
// Event is static structured event data built on top of IntegrationEvent.
// See https://documentation.wazuh.com/4.0/user-manual/ruleset/dynamic-fields.html
// and https://github.com/wazuh/wazuh/blob/master/src/analysisd/decoders/plugins/json_decoder.c
type Event struct {
	IntegrationEvent
	// Event is serialized under the JSON key "Wodle event" (note the space).
	Event string `json:"Wodle event,omitempty"`
}
Event is static structured event data with the fields user, srcip, dstip, srcport, dstport, protocol, action, id, url, data, extra_data, status and system_name. See https://documentation.wazuh.com/4.0/user-manual/ruleset/dynamic-fields.html and https://github.com/wazuh/wazuh/blob/master/src/analysisd/decoders/plugins/json_decoder.c
type InitInfo ¶
// InitInfo is the information gathered from ossec-init.conf
// (see ReadInitInfo, NewInitInfo and DefaultInintInfo).
type InitInfo struct {
	Directory string          `json:"Directory"`
	Name      string          `json:"Name"`
	Version   *semver.Version `json:"Version"`
	Revision  uint            `json:"Revision"`
	Date      time.Time       `json:"Date"`
	Type      string          `json:"Type"`
	// contains filtered or unexported fields (omitted by the documentation renderer)
}
InitInfo is the information gathered from ossec-init.conf.
// LocalInitInfo contains the init info of the locally installed OSSEC.
// It is package-level mutable state; the page does not show who sets it — TODO confirm.
var LocalInitInfo *InitInfo
LocalInitInfo contains the init info of the locally installed OSSEC
func DefaultInintInfo ¶ added in v0.3.1
func DefaultInintInfo() *InitInfo
DefaultInintInfo creates a default InitInfo.
func NewInitInfo ¶
NewInitInfo reads InitInfo from the default location.
func ReadInitInfo ¶
ReadInitInfo reads InitInfo from a file.
type IntegrationEvent ¶
// IntegrationEvent is the basic integration message; Event embeds it.
type IntegrationEvent struct {
	Integration string          `json:"integration,omitempty"`
	Meta        IntegrationMeta `json:"meta,omitempty"`
}
IntegrationEvent is a basic integration message.
type IntegrationMeta ¶
// IntegrationMeta is the standard metadata carried in IntegrationEvent.Meta.
// Pointer fields are omitted from the JSON output when nil.
type IntegrationMeta struct {
	// InputType string `json:"input>type,omitempty"`
	// DecoderName string `json:"decoder>name,omitempty"`
	ID               string      `json:"id,omitempty"`
	URL              string      `json:"url,omitempty"`
	User             string      `json:"user,omitempty"`
	SourceUser       string      `json:"srcuser,omitempty"`
	SourceIP         *net.IP     `json:"srcip,omitempty"`
	SourcePort       *uint       `json:"srcport,omitempty"`
	DestinationIP    *net.IP     `json:"dstip,omitempty"`
	DestinationGeoIP string      `json:"dstgeoip,omitempty"`
	DestinationUser  string      `json:"dstuser,omitempty"`
	DestinationPort  *uint       `json:"dstport,omitempty"`
	Protocol         string      `json:"protocol,omitempty"`
	Action           string      `json:"action,omitempty"`
	Status           string      `json:"status,omitempty"`
	SystemName       string      `json:"systemname,omitempty"`
	// NOTE(review): Data is serialized under the key "webhook", not "data" as
	// the Event description lists — confirm this is intended.
	Data      interface{} `json:"webhook,omitempty"`
	ExtraData interface{} `json:"extra_data,omitempty"`
}
IntegrationMeta is the standard metadata.
type LocalConfig ¶
// LocalConfig is the root <oss_agent> element of the local agent configuration.
// See https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/index.html
type LocalConfig struct {
	XMLName      xml.Name     `xml:"oss_agent"`
	ClientConfig ClientConfig `xml:"client"`
}
LocalConfig see https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/index.html
type Queue ¶
// Queue is a helper to create a custom wodle; construct it with NewQueue and
// configure it through QueueOption values.
type Queue struct {
	// TargetQueue is presumably one of the *_MQ rune constants — TODO confirm.
	TargetQueue rune
	AgentName   string
	Type        string
	QueuePath   string
	InitInfo    *InitInfo
	Logger      *zap.Logger
	// contains filtered or unexported fields (omitted by the documentation renderer)
}
Queue is a helper to create a custom wodle.
func NewQueue ¶
func NewQueue(typ string, opts ...QueueOption) (*Queue, error)
NewQueue creates a new wodle.
func (*Queue) AgentLoop ¶
func (w *Queue) AgentLoop(closeOnError bool) (chan *QueuePosting, chan error)
AgentLoop processes incoming messages.
func (*Queue) DebugMessage ¶
DebugMessage sends a debug event.
type QueueOption ¶
QueueOption allows setting custom parameters during construction
func WithInitInfo ¶
func WithInitInfo(initInfo *InitInfo) QueueOption
WithInitInfo uses a custom InitInfo.
func WithQueueLogger ¶
func WithQueueLogger(logger *zap.Logger) QueueOption
WithQueueLogger uses a custom logger.
func WithQueuePath ¶
func WithQueuePath(path string) QueueOption
WithQueuePath uses a custom queue path.
func WithTargetQueue ¶
func WithTargetQueue(queue rune) QueueOption
WithTargetQueue uses a custom target queue.
type QueuePosting ¶
QueuePosting is a message for the queue.
type WithLoggin ¶
// WithLoggin is an empty exported struct; its purpose is not documented on
// this page — TODO confirm against the source.
type WithLoggin struct{}