
Release 4.10.0 - Alpha 2 - E2E UX tests - GCP integration #26420

Closed
2 tasks done
juliamagan opened this issue Oct 21, 2024 · 7 comments

Comments


juliamagan commented Oct 21, 2024

End-to-End (E2E) Testing Guideline

  • Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production; always navigate using the current development documentation for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and URLs for the correct testing of the development packages.
  • Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
  • Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the DevOps team through this link.
  • External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the DevOps team here.
  • Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
  • Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
  • Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
  • Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
  • Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
  • Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Urgent priority. Communicate these to the team and QA via the c-release Slack channel.
  • Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
  • Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
  • Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
  • Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/devel-pyserver team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
  • For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

  • 🟢 All checks passed
  • 🟡 Found a known issue
  • 🔴 Found a new error

Issue delivery and completion

  • Initial delivery: The issue's assignee must complete the testing and deliver the results by Oct 22, 2024 and notify the @wazuh/devel-pyserver team via Slack using the c-release channel
  • Review: The @wazuh/devel-pyserver team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Oct 23, 2024 (the issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
  • Auditor: The QA team must audit, validate the results, and close the issue by Oct 24, 2024.

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Amazon Machine Images (AMI) | - | - |
| Server | Amazon Machine Images (AMI) | - | - |
| Dashboard | Amazon Machine Images (AMI) | - | - |
| Agent | Installing Wazuh agents | - | CentOS 7 x86_64 |

Test description

Configure the GCP integration in a Wazuh Manager and a Wazuh Agent.
Try both Pub/Sub and Storage integrations.
Follow the use cases from blog post section "Cloud security posture management simulation" and ensure the alerts are correctly displayed on the GCP dashboard. Make sure you follow the infrastructure and configuration details from the documentation below and not the blog one.

Documentation: https://documentation-dev.wazuh.com/v4.10.0-alpha2/cloud-security/gcp/index.html

Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below. REMOVE CURRENT EXAMPLES:

| Status | Test | Failure Type | Notes |
|---|---|---|---|
| 🟢 | Install GCP integration prerequisites on CentOS 7 | - | Recommended packages are not available on this OS version since it is no longer supported (the user needs prior knowledge of how to install Python from source on this OS version) |
| 🟢 | Creating Google Cloud credentials | - | Works fine |
| 🟢 | Pub/Sub integration on Wazuh Server | - | Works fine |
| 🟢 | Bucket integration on Wazuh Server | - | Works fine |
| 🟢 | Use cases with Wazuh Server | - | Works fine |
| 🟢 | Pub/Sub integration on Wazuh Agent | - | Works fine |
| 🟢 | Bucket integration on Wazuh Agent | - | Works fine |
| 🟢 | Use case on Wazuh Agent | - | Works fine |

Feedback

We value your feedback. Please provide insights on your testing experience.

  • Was the testing guideline clear? Were there any ambiguities?
    • The testing guideline was clear
  • Did you face any challenges not covered by the guideline?
    • Installing gcloud dependencies on deprecated versions of CentOS
  • Suggestions for improvement:
    • Make integration tests with operating systems that are still supported; provide users with instructions on how to install the latest Python packages on this OS

Reviewers validation

The criteria for completing this task are based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.


octopus237 commented Oct 22, 2024

Environment
The environment was provided by the DevOps team; the specs of the different OSs and the Wazuh versions running are shown below:

Wazuh Server
[screenshot]

Wazuh Agent
[screenshot]

[screenshot]

Wazuh Dashboard
[screenshot]

GCP Integration Prerequisites 🔴

Installation of dependencies on wazuh-agent (Centos 7)🔴

Following: these steps

  • The screenshot below shows results after running the command yum update && yum install python3.
    Wazuh recommends Python 3.8–3.12 but the command provided in the documentation installs Python 3.6 on Centos 7 endpoints.

[screenshot]

  • The screenshot below shows results after running the commands yum update && yum install python3-pip and pip3 install --upgrade pip

[screenshot]

Google Cloud pip dependencies

sudo pip3 install google-cloud-core==1.7.1 google-cloud-pubsub==2.7.1 google-cloud-storage==1.39.0 pytz==2020.1 setuptools==68.0.0

[screenshot]

Following the provided steps, the installation of setuptools==68.0.0 fails

Installing other pip dependencies
[root@ip-172-31-72-7 ~]# pip3 install google-cloud-core==1.7.1 google-cloud-pubsub==2.7.1 google-cloud-storage==1.39.0 pytz==2020.1
WARNING: pip is being invoked by an old script wrapper. This will fail in a future version of pip.
Please see https://github.com/pypa/pip/issues/5599 for advice on fixing the underlying issue.
To avoid this problem you can invoke Python with '-m pip' instead of running pip directly.
Collecting google-cloud-core==1.7.1
  Using cached google_cloud_core-1.7.1-py2.py3-none-any.whl (28 kB)
Collecting google-cloud-pubsub==2.7.1
  Using cached google_cloud_pubsub-2.7.1-py2.py3-none-any.whl (217 kB)
Collecting google-cloud-storage==1.39.0
  Using cached google_cloud_storage-1.39.0-py2.py3-none-any.whl (103 kB)
Requirement already satisfied: pytz==2020.1 in /usr/local/lib/python3.6/site-packages (2020.1)
Collecting six>=1.12.0
  Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting google-auth<2.0dev,>=1.24.0
  Using cached google_auth-1.35.0-py2.py3-none-any.whl (152 kB)
Collecting google-api-core<2.0.0dev,>=1.21.0
  Downloading google_api_core-1.32.0-py2.py3-none-any.whl (93 kB)
     |████████████████████████████████| 93 kB 2.3 MB/s
Collecting packaging>=14.3
  Downloading packaging-21.3-py3-none-any.whl (40 kB)
     |████████████████████████████████| 40 kB 7.7 MB/s
Collecting google-api-core[grpc]<3.0.0dev,>=1.26.0
  Using cached google_api_core-2.8.2-py3-none-any.whl (114 kB)
Collecting libcst>=0.3.10
  Downloading libcst-0.4.1-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.7 MB)
     |████████████████████████████████| 2.7 MB 36.8 MB/s
Collecting grpcio<2.0dev,>=1.38.1
  Downloading grpcio-1.48.2-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.6 MB)
     |████████████████████████████████| 4.6 MB 35.7 MB/s
Collecting grpc-google-iam-v1<0.13dev,>=0.12.3
  Downloading grpc_google_iam_v1-0.12.4-py2.py3-none-any.whl (26 kB)
Collecting proto-plus>=1.7.1
  Downloading proto_plus-1.23.0-py3-none-any.whl (48 kB)
     |████████████████████████████████| 48 kB 9.7 MB/s
Collecting requests<3.0.0dev,>=2.18.0
  Downloading requests-2.27.1-py2.py3-none-any.whl (63 kB)
     |████████████████████████████████| 63 kB 3.3 MB/s
Collecting google-resumable-media<2.0dev,>=1.3.0
  Using cached google_resumable_media-1.3.3-py2.py3-none-any.whl (75 kB)
Collecting googleapis-common-protos<2.0dev,>=1.6.0
  Downloading googleapis_common_protos-1.56.3-py2.py3-none-any.whl (211 kB)
     |████████████████████████████████| 211 kB 56.7 MB/s
Collecting protobuf<4.0.0dev,>=3.12.0
  Downloading protobuf-3.19.6-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.1 MB)
     |████████████████████████████████| 1.1 MB 48.2 MB/s
Collecting setuptools>=40.3.0
  Using cached setuptools-59.6.0-py3-none-any.whl (952 kB)
Collecting google-api-core[grpc]<3.0.0dev,>=1.26.0
  Using cached google_api_core-2.8.1-py3-none-any.whl (114 kB)
  Using cached google_api_core-2.8.0-py3-none-any.whl (114 kB)
  Using cached google_api_core-2.7.3-py3-none-any.whl (114 kB)
  Using cached google_api_core-2.7.2-py3-none-any.whl (114 kB)
  Using cached google_api_core-2.7.1-py3-none-any.whl (114 kB)
  Using cached google_api_core-2.7.0-py3-none-any.whl (114 kB)
  Using cached google_api_core-2.6.1-py3-none-any.whl (114 kB)
  Using cached google_api_core-2.6.0-py2.py3-none-any.whl (114 kB)
  Using cached google_api_core-2.5.0-py2.py3-none-any.whl (111 kB)
  Using cached google_api_core-2.4.0-py2.py3-none-any.whl (111 kB)
  Using cached google_api_core-2.3.2-py2.py3-none-any.whl (109 kB)
  Using cached google_api_core-2.3.0-py2.py3-none-any.whl (109 kB)
  Using cached google_api_core-2.2.2-py2.py3-none-any.whl (95 kB)
  Using cached google_api_core-2.2.1-py2.py3-none-any.whl (95 kB)
  Using cached google_api_core-2.2.0-py2.py3-none-any.whl (95 kB)
  Using cached google_api_core-2.1.1-py2.py3-none-any.whl (95 kB)
  Using cached google_api_core-2.1.0-py2.py3-none-any.whl (94 kB)
  Using cached google_api_core-2.0.1-py2.py3-none-any.whl (92 kB)
  Using cached google_api_core-2.0.0-py2.py3-none-any.whl (92 kB)
Collecting cachetools<5.0,>=2.0.0
  Using cached cachetools-4.2.4-py3-none-any.whl (10 kB)
Collecting rsa<5,>=3.1.4
  Using cached rsa-4.9-py3-none-any.whl (34 kB)
Collecting pyasn1-modules>=0.2.1
  Downloading pyasn1_modules-0.3.0-py2.py3-none-any.whl (181 kB)
     |████████████████████████████████| 181 kB 37.4 MB/s
Collecting google-crc32c<2.0dev,>=1.0
  Downloading google_crc32c-1.3.0-cp36-cp36m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (37 kB)
Collecting typing-inspect>=0.4.0
  Downloading typing_inspect-0.9.0-py3-none-any.whl (8.8 kB)
Collecting pyyaml>=5.2
  Downloading PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (677 kB)
     |████████████████████████████████| 677 kB 51.4 MB/s
Collecting dataclasses>=0.6.0
  Downloading dataclasses-0.8-py3-none-any.whl (19 kB)
Collecting typing-extensions>=3.7.4.2
  Downloading typing_extensions-4.1.1-py3-none-any.whl (26 kB)
Collecting pyparsing!=3.0.5,>=2.0.2
  Downloading pyparsing-3.1.4-py3-none-any.whl (104 kB)
     |████████████████████████████████| 104 kB 59.4 MB/s
Collecting urllib3<1.27,>=1.21.1
  Downloading urllib3-1.26.20-py2.py3-none-any.whl (144 kB)
     |████████████████████████████████| 144 kB 61.9 MB/s
Collecting certifi>=2017.4.17
  Using cached certifi-2024.8.30-py3-none-any.whl (167 kB)
Collecting charset-normalizer~=2.0.0
  Downloading charset_normalizer-2.0.12-py3-none-any.whl (39 kB)
Collecting idna<4,>=2.5
  Using cached idna-3.10-py3-none-any.whl (70 kB)
Collecting pyasn1<0.6.0,>=0.4.6
  Downloading pyasn1-0.5.1-py2.py3-none-any.whl (84 kB)
     |████████████████████████████████| 84 kB 5.1 MB/s
Collecting mypy-extensions>=0.3.0
  Downloading mypy_extensions-1.0.0-py3-none-any.whl (4.7 kB)
Installing collected packages: pyasn1, urllib3, six, setuptools, rsa, pyparsing, pyasn1-modules, protobuf, idna, charset-normalizer, certifi, cachetools, typing-extensions, requests, packaging, mypy-extensions, grpcio, googleapis-common-protos, google-auth, typing-inspect, pyyaml, google-crc32c, google-api-core, dataclasses, proto-plus, libcst, grpc-google-iam-v1, google-resumable-media, google-cloud-core, google-cloud-storage, google-cloud-pubsub
  Attempting uninstall: setuptools
    Found existing installation: setuptools 39.2.0
    Uninstalling setuptools-39.2.0:
      Successfully uninstalled setuptools-39.2.0
  WARNING: The scripts pyrsa-decrypt, pyrsa-encrypt, pyrsa-keygen, pyrsa-priv2pub, pyrsa-sign and pyrsa-verify are installed in '/usr/local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script normalizer is installed in '/usr/local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed cachetools-4.2.4 certifi-2024.8.30 charset-normalizer-2.0.12 dataclasses-0.8 google-api-core-1.32.0 google-auth-1.35.0 google-cloud-core-1.7.1 google-cloud-pubsub-2.7.1 google-cloud-storage-1.39.0 google-crc32c-1.3.0 google-resumable-media-1.3.3 googleapis-common-protos-1.56.3 grpc-google-iam-v1-0.12.4 grpcio-1.48.2 idna-3.10 libcst-0.4.1 mypy-extensions-1.0.0 packaging-21.3 proto-plus-1.23.0 protobuf-3.19.6 pyasn1-0.5.1 pyasn1-modules-0.3.0 pyparsing-3.1.4 pyyaml-6.0.1 requests-2.27.1 rsa-4.9 setuptools-59.6.0 six-1.16.0 typing-extensions-4.1.1 typing-inspect-0.9.0 urllib3-1.26.20
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
[root@ip-172-31-72-7 ~]# /var/ossec/wodles/gcloud/gcloud --help
usage: usage: gcloud [options]

Wazuh wodle for monitoring Google Cloud

optional arguments:
  -h, --help            show this help message and exit
  -T INTEGRATION_TYPE, --integration_type INTEGRATION_TYPE
                        Supported integration types: ('pubsub', 'access_logs')
  -p PROJECT, --project PROJECT
                        Project ID
  -s SUBSCRIPTION_ID, --subscription_id SUBSCRIPTION_ID
                        Subscription name
  -c CREDENTIALS_FILE, --credentials_file CREDENTIALS_FILE
                        Path to credentials file
  -m MAX_MESSAGES, --max_messages MAX_MESSAGES
                        Number of maximum messages pulled in each iteration
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log level
  -b BUCKET_NAME, --bucket_name BUCKET_NAME
                        The name of the bucket to read the logs from
  -P PREFIX, --prefix PREFIX
                        The relative path to the logs
  -r, --remove          Remove processed blobs from the GCS bucket
  -o ONLY_LOGS_AFTER, --only_logs_after ONLY_LOGS_AFTER
                        Only parse logs after this date - format YYYY-MMM-DD
  -t N_THREADS, --num_threads N_THREADS
                        Number of threads
  --reparse             Parse the log, even if its been parsed before

Pip packages present
[screenshot]

Installation of recommended python versions

I tried installing the recommended Python versions and pip packages by building from source, but I faced multiple issues, so I ended up deleting those versions and reverting to Python 3.6.8.

issues faced with python installed from source
[centos@ip-172-31-72-7 ~]$ sudo tail -f /var/ossec/logs/ossec.log | grep  -i gcp
2024/10/23 16:54:58 wazuh-modulesd:gcp-pubsub: WARNING: Command returned exit code 1
2024/10/23 16:55:57 wazuh-modulesd:gcp-pubsub: WARNING: Command returned exit code 1
2024/10/23 16:56:57 wazuh-modulesd:gcp-pubsub: WARNING: Command returned exit code 1
2024/10/23 16:57:57 wazuh-modulesd:gcp-pubsub: WARNING: Command returned exit code 1


Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2

====
[root@ip-172-31-72-7 gcloud]# ./gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
Traceback (most recent call last):
  File "./gcloud", line 15, in <module>
    from buckets.access_logs import GCSAccessLogs
  File "/var/ossec/wodles/gcloud/buckets/access_logs.py", line 15, in <module>
    from bucket import WazuhGCloudBucket
  File "/var/ossec/wodles/gcloud/buckets/bucket.py", line 10, in <module>
    import sqlite3
  File "/usr/local/lib/python3.8/sqlite3/__init__.py", line 23, in <module>
    from sqlite3.dbapi2 import *
  File "/usr/local/lib/python3.8/sqlite3/dbapi2.py", line 27, in <module>
    from _sqlite3 import *
ModuleNotFoundError: No module named '_sqlite3'

====

[root@ip-172-31-72-7 gcloud]# ./gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
Traceback (most recent call last):
  File "/var/ossec/wodles/gcloud/buckets/bucket.py", line 23, in <module>
    from google.cloud import storage
  File "/usr/local/lib/python3.8/site-packages/google/cloud/storage/__init__.py", line 35, in <module>
    from google.cloud.storage.batch import Batch
  File "/usr/local/lib/python3.8/site-packages/google/cloud/storage/batch.py", line 26, in <module>
    import requests
  File "/usr/local/lib/python3.8/site-packages/requests/__init__.py", line 43, in <module>
    import urllib3
  File "/usr/local/lib/python3.8/site-packages/urllib3/__init__.py", line 42, in <module>
    raise ImportError(
ImportError: urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.0.2k-fips  26 Jan 2017'. See: https://github.com/urllib3/urllib3/issues/2168

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./gcloud", line 15, in <module>
    from buckets.access_logs import GCSAccessLogs
  File "/var/ossec/wodles/gcloud/buckets/access_logs.py", line 15, in <module>
    from bucket import WazuhGCloudBucket
  File "/var/ossec/wodles/gcloud/buckets/bucket.py", line 27, in <module>
    raise exceptions.WazuhIntegrationException(errcode=1003, package=e.name)
  File "/var/ossec/wodles/gcloud/exceptions.py", line 28, in __init__
    info = self.__class__.ERRORS[errcode]
AttributeError: type object 'WazuhIntegrationException' has no attribute 'ERRORS'

[root@ip-172-31-72-7 gcloud]# ./gcloud
Traceback (most recent call last):
  File "/var/ossec/wodles/gcloud/./gcloud", line 11, in <module>
    import tools
  File "/var/ossec/wodles/gcloud/tools.py", line 16, in <module>
    from pytz import UTC
ModuleNotFoundError: No module named 'pytz'
[root@ip-172-31-72-7 gcloud]# pip3 install google-cloud-core==1.7.1 google-cloud-pubsub==2.7.1 google-cloud-storage==1.39.0 pytz==2020.1 setuptools==68.0.0
WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/google-cloud-core/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/google-cloud-core/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/google-cloud-core/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/google-cloud-core/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/google-cloud-core/
Could not fetch URL https://pypi.org/simple/google-cloud-core/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/google-cloud-core/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
ERROR: Could not find a version that satisfies the requirement google-cloud-core==1.7.1 (from versions: none)
ERROR: No matching distribution found for google-cloud-core==1.7.1

Python versions installed from source
[screenshot]

Creating Google Cloud credentials 🟢

Following: these steps

Account Details
[screenshot]

Attach roles
[screenshot]

Creating a credentials file for the service account

[screenshot]

The JSON file was later copied to the directory /var/ossec/wodles/gcloud on the Wazuh agent and server using the scp command.


octopus237 commented Oct 22, 2024

On Wazuh Server 🟢

Pub/Sub Configuration

Following: These steps

Creation of Topic and Subscription
[screenshot]

Configuring the Wazuh module for Google Cloud Pub/Sub

  • Configuration on Wazuh server
<ossec_config>
  <gcp-pubsub>
    <pull_on_start>yes</pull_on_start>
    <interval>1m</interval>
    <project_id>sunlit-************-a1</project_id>
    <subscription_name>wazuh-pubsub-sub</subscription_name>
    <credentials_file>/var/ossec/wodles/gcloud/gcp.json</credentials_file>
  </gcp-pubsub>
</ossec_config>

Export logs via sink

[screenshot]

Results

[screenshot]

Cloud Storage buckets Config

Setting up log delivery

Following: these steps

  • Create a bucket and enable logging

[screenshot]

  • ossec.conf
<gcp-bucket>
   <run_on_start>yes</run_on_start>
   <interval>1m</interval>
   <bucket type="access_logs">
       <name>wazuh-alpha2-testing</name>
       <credentials_file>/var/ossec/wodles/gcloud/gcp.json</credentials_file>
   </bucket>
</gcp-bucket>

systemctl restart wazuh-manager

Result
[screenshot]

CSPM

Network misconfigurations

Following: These steps

Enabling Compute Engine API

[screenshot]

Verybad Firewall rule creation

[screenshot]

Verybad Firewall rule deletion

[screenshot]

Identity and access management anomalous activity

[screenshot]

Results on Wazuh Dashboard
A different rule was triggered on the dashboard
[screenshot]


octopus237 commented Oct 22, 2024

On Wazuh Agent 🔴

Pub/Sub Configuration

Following: These steps

Configuring the Wazuh module for Google Cloud Pub/Sub

  • Configuration on Wazuh Agent
<ossec_config>
  <gcp-pubsub>
    <pull_on_start>yes</pull_on_start>
    <interval>1m</interval>
    <project_id>sunlit-************-a1</project_id>
    <subscription_name>wazuh-pubsub-sub</subscription_name>
    <credentials_file>/var/ossec/wodles/gcloud/gcp.json</credentials_file>
  </gcp-pubsub>
</ossec_config>

systemctl restart wazuh-agent

Results

[screenshot]

Pub/Sub integration details

[root@ip-172-31-72-7 ~]# /var/ossec/wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-4*****-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
:gcloud_wodle: - INFO - Working with Google Cloud Pub/Sub
:gcloud_wodle: - DEBUG - Setting 1 thread to pull 100 messages in total
:gcloud_wodle: - DEBUG - Checking credentials
:gcloud_wodle: - DEBUG - Processing event: {"integration": "gcp", "gcp": {"insertId":"ix07gze27j3a","labels":{"compute.googleapis.com/root_trigger_id":"85ea0a6e-ddcf-4fff-97aa-2c602a0b7753"},"logName":"projects/sunlit-utility-439322-a1/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1729698533900-62526d2ae81bc-6e5e6a24-5c7172d6","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"joresttankoua@gmail.com"},"authorizationInfo":[{"granted":true,"permission":"compute.firewalls.delete","permissionType":"ADMIN_WRITE","resource":"projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","resourceAttributes":{"name":"projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","service":"compute","type":"compute.firewalls"}},{"granted":true,"permission":"compute.networks.updatePolicy","permissionType":"ADMIN_WRITE","resource":"projects/sunlit-utility-439322-a1/global/networks/default","resourceAttributes":{"name":"projects/sunlit-utility-439322-a1/global/networks/default","service":"compute","type":"compute.networks"}}],"methodName":"v1.compute.firewalls.delete","request":{"@type":"type.googleapis.com/compute.firewalls.delete"},"requestMetadata":{"callerIp":"102.244.45.196","callerSuppliedUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 
Safari/537.36,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"reason":"8uSywAYQGg5Db2xpc2V1bSBGbG93cw","time":"2024-10-23T15:48:54.342954Z"}},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","resourceOriginalState":{"@type":"compute.googleapis.com/delete.state","alloweds":[{"IPProtocol":"all"}],"creationTimestamp":"2024-10-23T08:43:56.448-07:00","description":"","direction":"INGRESS","disabled":false,"enableLogging":false,"id":"673005066113034067","logConfig":{"enable":false},"name":"verybadrule","network":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/networks/default","priority":"1000","selfLink":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/firewalls/673005066113034067","sourceRanges":["0.0.0.0/0"]},"response":{"@type":"type.googleapis.com/operation","id":"5315622713156740105","insertTime":"2024-10-23T08:48:54.103-07:00","name":"operation-1729698533900-62526d2ae81bc-6e5e6a24-5c7172d6","operationType":"delete","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/operations/operation-1729698533900-62526d2ae81bc-6e5e6a24-5c7172d6","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/operations/5315622713156740105","startTime":"2024-10-23T08:48:54.108-07:00","status":"RUNNING","targetId":"673005066113034067","targetLink":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","user":"joresttankoua@gmail.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2024-10-23T15:48:55.027266217Z","resource":{"labels":{"firewall_rule_id":"673005066113034067","project_id":"sunlit-utility-439322-a1"},"type":"gce_firewall_rule"},"s
everity":"NOTICE","timestamp":"2024-10-23T15:48:53.950085Z"}} :gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"insertId":"ix07gze27j3a","labels":{"compute.googleapis.com/root_trigger_id":"85ea0a6e-ddcf-4fff-97aa-2c602a0b7753"},"logName":"projects/sunlit-utility-439322-a1/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1729698533900-62526d2ae81bc-6e5e6a24-5c7172d6","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"joresttankoua@gmail.com"},"authorizationInfo":[{"granted":true,"permission":"compute.firewalls.delete","permissionType":"ADMIN_WRITE","resource":"projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","resourceAttributes":{"name":"projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","service":"compute","type":"compute.firewalls"}},{"granted":true,"permission":"compute.networks.updatePolicy","permissionType":"ADMIN_WRITE","resource":"projects/sunlit-utility-439322-a1/global/networks/default","resourceAttributes":{"name":"projects/sunlit-utility-439322-a1/global/networks/default","service":"compute","type":"compute.networks"}}],"methodName":"v1.compute.firewalls.delete","request":{"@type":"type.googleapis.com/compute.firewalls.delete"},"requestMetadata":{"callerIp":"102.244.45.196","callerSuppliedUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 
Safari/537.36,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"reason":"8uSywAYQGg5Db2xpc2V1bSBGbG93cw","time":"2024-10-23T15:48:54.342954Z"}},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","resourceOriginalState":{"@type":"compute.googleapis.com/delete.state","alloweds":[{"IPProtocol":"all"}],"creationTimestamp":"2024-10-23T08:43:56.448-07:00","description":"","direction":"INGRESS","disabled":false,"enableLogging":false,"id":"673005066113034067","logConfig":{"enable":false},"name":"verybadrule","network":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/networks/default","priority":"1000","selfLink":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/firewalls/673005066113034067","sourceRanges":["0.0.0.0/0"]},"response":{"@type":"type.googleapis.com/operation","id":"5315622713156740105","insertTime":"2024-10-23T08:48:54.103-07:00","name":"operation-1729698533900-62526d2ae81bc-6e5e6a24-5c7172d6","operationType":"delete","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/operations/operation-1729698533900-62526d2ae81bc-6e5e6a24-5c7172d6","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/operations/5315622713156740105","startTime":"2024-10-23T08:48:54.108-07:00","status":"RUNNING","targetId":"673005066113034067","targetLink":"https://www.googleapis.com/compute/v1/projects/sunlit-utility-439322-a1/global/firewalls/verybadrule","user":"joresttankoua@gmail.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2024-10-23T15:48:55.027266217Z","resource":{"labels":{"firewall_rule_id":"673005066113034067","project_id":"sunlit-utility-439322-a1"},"type":"gce_firewall_rule"},"severity":"NOTICE","timestamp":"2024-10-23T15:48:53.950085Z"}}'"

Cloud Storage buckets Config

Setting up log delivery

Following: these steps

  • ossec.conf
<gcp-bucket>
   <run_on_start>yes</run_on_start>
   <interval>1m</interval>
   <bucket type="access_logs">
       <name>wazuh-alpha2-testing</name>
       <credentials_file>/var/ossec/wodles/gcloud/gcp.json</credentials_file>
       <only_logs_after>2024-OCT-24</only_logs_after>
   </bucket>
</gcp-bucket>

systemctl restart wazuh-manager

Testing the gcloud integration with buckets manually worked, but no log where data.gcp.resource.type is gcs_bucket is visible on the dashboard.

Testing manually:
[root@ip-172-31-72-7 ossec]# wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --log_level 2 -o  2024-oct-20
:gcloud_wodle: - INFO - Working with Google Cloud Access Logs
:gcloud_wodle: - DEBUG - Checking credentials
:gcloud_wodle: - INFO - Processing wazuh-alpha2-testing_usage_2024_10_22_20_00_00_10bd8f52672f899739_v0
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630312242831", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing/o?projection=noAcl&prefix=&delimiter=%2F&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "26", "time_taken_micros": "23000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY1LQtQoot-cKIq_nU1E8afY6husVA5xG91gIzn6OIC--9UfQHXf-8CX48uxqicyVm8jLoc", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630071801732", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing/o?projection=noAcl&prefix=&delimiter=%2F&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "26", "time_taken_micros": "24000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY2keIVL-GNPI2LQikpckGNitwwON-HMi7g-2B3yzykMqP-FsX5oR3djdvB1iHWADBUXTNK7vFONCQ", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - INFO - Processing wazuh-alpha2-testing_usage_2024_10_22_20_00_00_11bd8f52672f899739_v0
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630672321148", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing/o?projection=noAcl&prefix=&delimiter=%2F&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "26", "time_taken_micros": "23000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY0UjODqfoM48N-s3yev98svM9W7YxbH7zshH4DLYaKWkVm0K4FnF6zkvqJHHX2L87N3zn-46Teesw", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630552640015", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing/o?projection=noAcl&prefix=&delimiter=%2F&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "26", "time_taken_micros": "22000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY0OEV6KNQC-1P_-mJnfGkwZS4vHTcgUWOndUQ0A6NfNTTaB6eSCKz-3srLHTcBavoLYs7okCFodBQ", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630071771407", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?projection=noAcl&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "717", "time_taken_micros": "20000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY2Wdp5YuS9f1_3yIAENJZvlRNcBf774JU7YOYcfkS8ALrfjdkIqvBlhwauHaddbmOd-nWPUlSW-Tg", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729629952058083", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?projection=noAcl&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "717", "time_taken_micros": "19000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY1LaA5IbPUBkX5gAcOn9hPO_a-ZvXUNPdqXyfxov0zfv8oINwUmpVJzbWJ0aBblDNwTkqHdA6sLwQ", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - INFO - Processing wazuh-alpha2-testing_usage_2024_10_22_20_00_00_12bd8f52672f899739_v0
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630312213438", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?projection=noAcl&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "717", "time_taken_micros": "22000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY2Ee-haHbFK0sKb9cuNnCNuCuCx3x8n6cH1XJ2rRxVgBcsu3WV0_Iyez2cxXaToGgI6Pw8", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - INFO - Processing wazuh-alpha2-testing_usage_2024_10_22_20_00_00_13bd8f52672f899739_v0
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630792004931", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?projection=noAcl&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "717", "time_taken_micros": "20000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY3fNz7hRyciMBX3aP-nyqsxed0r2YFHwxUDl52Kl-dXwEXYND8OnLICR-3PBq0sBaeL2GA", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630612451226", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?projection=noAcl&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "717", "time_taken_micros": "21000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY38dfQSxpgbZtwHBBjPEm-OJ8WNc2UCux_Bvirydpq6h3Wc-vdRrrBnZHJ7PDUFAsS9vQ3myoPMNg", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630372076671", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing/o?projection=noAcl&prefix=&delimiter=%2F&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "26", "time_taken_micros": "20000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY0nnPb0LMs1biWdYLQLfc3fKKRxeTb5AQvm1v4ISrH2c_5XjHVLxKoqd_glUsPU91uyBw", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630192517512", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?projection=noAcl&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "717", "time_taken_micros": "21000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY25iB8m9N2WcFojhLUmXn8QDdj5EA39JJFgsP2vhBHcWZ843Z-uYYi2NTIeHuy1xE25xkdlS5WbfA", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - INFO - Processing wazuh-alpha2-testing_usage_2024_10_22_20_00_00_14bd8f52672f899739_v0
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630732188248", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing/o?projection=noAcl&prefix=&delimiter=%2F&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "26", "time_taken_micros": "19000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY00WPalevN6v9a-qm0ng1uO_oqDErEP3bk6xnKlCrRG406hJ81-osHIC4U5mB_H2kOyuhmzKbnA1Q", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630491757419", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?projection=noAcl&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "717", "time_taken_micros": "19000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY1VXwY3Pn7MlkeWUdXpkC9Eu4P2QUDwcUTojylTTRQJ3epy9YZXivXpEGy9YyMKWIION8hlpMK_Gw", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630372050116", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?projection=noAcl&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "717", "time_taken_micros": "18000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY0sCd9dk0KNlANGjeYGms0S2_HqEcMKVfbnMa9FzLmoHyfL2zJta3DrTrJsXT7nW-yb_g", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630491787181", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing/o?projection=noAcl&prefix=&delimiter=%2F&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "26", "time_taken_micros": "21000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY3gNbQhaY4vBC9PEAaCIBQbOAnD8VNFlwU6BmMmINhj2vI301m_i5TwSiYrPQZ4rqMhemPDpVssng", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - INFO - Processing wazuh-alpha2-testing_usage_2024_10_22_20_00_00_16bd8f52672f899739_v0
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729628627544185", "c_ip": "", "c_ip_type": "", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?userProject=stackdriver-confluence", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "860", "time_taken_micros": "20000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "Google-API-Java-Client/1.35.2 Google-HTTP-Java-Client/unknown-version (gzip)", "s_request_id": "AHmUCY14WMvSdE6MRNd-E0i1wIE_47rraiouusfIfVbeVEMI8ZOoHyvUlMbPAMVoyWoPomWgoYk", "cs_operation": "", "cs_bucket": "wazuh-alpha2-testing", "cs_object": "", "source": "gcp_bucket"}}'"
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729628709952256", "c_ip": "34.78.202.50", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?alt=json&projection=full", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "3115", "time_taken_micros": "37000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "google-cloud-sdk gcloud/496.0.0 command/gcloud.storage.buckets.describe invocation-id/83870038d70845abb6b7147c295dfb44 environment/devshell environment-version/None client-os/LINUX client-os-ver/6.1.100 client-pltf-arch/x86_64 interactive/True from-script/False python/3.11.9 term/screen (Linux 6.1.100+)", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY0k-nuIm0zn2sECvO8ni-nFJune6bCv_iVXGcbsUgCZ_KpIukLXUFouClMGESWZaFL1eqyEOqKiDQ", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
:gcloud_wodle: - INFO - Processing wazuh-alpha2-testing_usage_2024_10_22_20_00_00_17bd8f52672f899739_v0
:gcloud_wodle: - DEBUG - Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729630612479520", "c_ip": "3.95.27.110", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing/o?projection=noAcl&prefix=&delimiter=%2F&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "26", "time_taken_micros": "21000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.10.15 grpc/1.58.0 gax/1.30.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY1tH8_4w4bhzc-C8PnQo-et3qqhdegaWvG-rW9OX0rBP5Y3YlkmEsr_F1VYE3CDKlfWsHkleM1T-w", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"

CSPM

Network misconfigurations

Following: These steps

Enabling Compute Engine API

image

Verybad Firewall rule creation

image

Verybad Firewall rule deletion

image

Identity and access management anomalous activity

image

Results on Wazuh Dashboard
A different rule has been triggered on the dashboard.

image

The integration with the Wazuh agent on CentOS 7 is buggy due to the unavailability of the recommended Python version and the setuptools package.
When checking the logs, the different integrations appear to be failing, but running the same commands found in those logs actually worked and pulled the logs (with the Pub/Sub integration), which then made them accessible from the dashboard.

tail -f /var/ossec/logs/ossec.log | grep -i gcp

ossec.log
2024/10/24 03:41:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:41:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:42:00 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:42:00 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:42:00 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:42:59
2024/10/24 03:42:00 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:42:00 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:42:00 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:42:59
2024/10/24 03:42:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:42:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:42:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:42:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:42:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:42:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:42:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:42:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:42:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:42:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:43:59
2024/10/24 03:42:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:42:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:42:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:43:59


2024/10/24 03:43:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:43:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:43:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:43:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:43:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:43:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:43:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:43:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:43:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:43:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:44:59
2024/10/24 03:43:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:43:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:43:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:44:59
2024/10/24 03:44:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:44:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:44:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:44:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:44:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:44:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:44:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:44:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:44:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:44:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:45:59
2024/10/24 03:44:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:44:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:44:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:45:59
2024/10/24 03:45:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:45:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:45:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:45:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:45:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:45:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:45:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:45:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:45:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:45:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:46:59
2024/10/24 03:45:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:45:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:45:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:46:59
2024/10/24 03:46:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:46:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:46:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:46:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:46:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:46:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:46:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:46:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:46:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:46:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:47:59
2024/10/24 03:46:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:46:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:46:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:47:59
2024/10/24 03:47:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:47:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:47:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:47:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:47:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:47:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:47:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:48:00 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:48:00 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:48:00 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:48:59
2024/10/24 03:48:00 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:48:00 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:48:00 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:48:59
2024/10/24 03:48:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:48:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:48:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:48:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:48:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:48:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:48:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:48:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:48:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:48:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:49:59
2024/10/24 03:48:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:48:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:48:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:49:59
2024/10/24 03:49:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:49:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:49:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:49:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:49:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:49:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:49:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:49:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:49:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:49:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:50:59
2024/10/24 03:49:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:49:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:49:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:50:59
2024/10/24 03:50:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:50:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:50:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:50:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:50:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:50:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:50:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:50:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:50:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:50:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:51:59
2024/10/24 03:50:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:50:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:50:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:51:59
2024/10/24 03:51:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:51:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:51:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:51:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:51:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:51:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:51:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:51:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:51:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:51:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:52:59
2024/10/24 03:51:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:51:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:51:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:52:59
2024/10/24 03:52:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:52:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:52:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:52:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:52:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:52:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:52:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:52:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:52:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:52:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:53:59
2024/10/24 03:52:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:52:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:52:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:53:59
2024/10/24 03:53:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:188 at wm_gcp_bucket_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:53:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:220 at wm_gcp_bucket_main(): INFO: Executing Bucket Analysis: (Bucket: wazuh-alpha2-testing, Type: access_logs, Credentials file: /var/ossec/wodles/gcloud/gcp.json)
2024/10/24 03:53:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:381 at wm_gcp_bucket_run(): DEBUG: Create argument list
2024/10/24 03:53:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:424 at wm_gcp_bucket_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-alpha2-testing --credentials_file /var/ossec/wodles/gcloud/gcp.json --only_logs_after 2024-OCT-20 --log_level 2
2024/10/24 03:53:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 03:53:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 03:53:59 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
2024/10/24 03:53:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:53:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:53:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:184 at wm_gcp_bucket_main(): DEBUG: Sleeping until: 2024/10/24 03:54:59
2024/10/24 03:54:00 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:314 at wm_gcp_pubsub_run(): WARNING: Command returned exit code 1
2024/10/24 03:54:00 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 03:54:00 wazuh-modulesd:gcp-pubsub[19415] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 03:54:59

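A way to triage module log excerpts like the one above, as an added example that is not part of this issue or of the Wazuh code base: it parses the wazuh-modulesd wm_gcp.c lines, counts completed fetch cycles per module, flags cycles in which the gcloud wodle exited non-zero (the "Command returned exit code 1" warnings above) and pulls the GCP audit events forwarded to analysisd out of the "Sending msg to analysisd" lines so that bucket IAM changes can be reviewed. The line format is assumed from these excerpts; the sample lines, the principal, bucket and project names in them, and the IAM_METHODS set are constructed for the example.

```python
"""Triage Wazuh GCP module (wm_gcp.c) lines from ossec.log.
Added example, not Wazuh project code; the line format is assumed from the
issue's log excerpts and SAMPLE_LOG is constructed."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# "<date> <time> wazuh-modulesd:<module>[<pid>] wm_gcp.c:<n> at <func>(): <LEVEL>: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"wazuh-modulesd:(?P<module>gcp-pubsub|gcp-bucket)\[\d+\] "
    r"wm_gcp\.c:\d+ at (?P<func>\w+)\(\): (?P<level>DEBUG|INFO|WARNING|ERROR): (?P<msg>.*)$"
)
EXIT_RE = re.compile(r"Command returned exit code (?P<code>\d+)")
ACK_RE = re.compile(r"Received and acknowledged (?P<n>\d+) messages")
EVENT_MARK = "1:Wazuh-GCloud:"  # prefix of each event handed to analysisd
IAM_METHODS = ("storage.setIamPermissions",)  # audit methods to review first (assumed set)


@dataclass
class ModuleHealth:
    runs: int = 0                  # completed fetch cycles ("Fetching logs finished.")
    failed_runs: int = 0           # cycles in which the gcloud wodle exited non-zero
    messages_acked: int = 0        # Pub/Sub messages received and acknowledged
    consecutive_failures: int = 0  # failed cycles since the last clean one

    @property
    def healthy(self) -> bool:
        return self.runs > 0 and self.consecutive_failures == 0


def parse_line(line):
    """Split one ossec.log line into fields; None if it is not a wm_gcp line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def extract_event(msg):
    """Return the JSON event forwarded to analysisd, or None for other messages.
    The payload is logged as a bytes repr b'...' ending in '" (assumed from the excerpts)."""
    start = msg.find(EVENT_MARK)
    if start < 0:
        return None
    payload = msg[start + len(EVENT_MARK):]
    if payload.endswith("'\""):
        payload = payload[:-2]
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None


def triage(lines):
    """Return (per-module ModuleHealth, list of forwarded audit events)."""
    health = defaultdict(ModuleHealth)
    cycle_failed = defaultdict(bool)
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # other daemons, blank lines, shell prompts
        mod, msg = rec["module"], rec["msg"]
        h = health[mod]
        if (m := EXIT_RE.search(msg)) and int(m.group("code")) != 0:
            cycle_failed[mod] = True  # the wodle failed; nothing was ingested this cycle
        elif (m := ACK_RE.search(msg)):
            h.messages_acked += int(m.group("n"))
        elif msg.startswith("Fetching logs finished"):
            h.runs += 1
            if cycle_failed[mod]:
                h.failed_runs += 1
                h.consecutive_failures += 1
            else:
                h.consecutive_failures = 0
            cycle_failed[mod] = False
        elif (event := extract_event(msg)) is not None:
            # Pub/Sub audit logs carry protoPayload; bucket access logs do not (fields stay empty).
            proto = event.get("gcp", {}).get("protoPayload", {})
            events.append({
                "module": mod, "ts": rec["ts"],
                "principal": proto.get("authenticationInfo", {}).get("principalEmail", ""),
                "method": proto.get("methodName", ""),
                "resource": proto.get("resourceName", ""),
            })
    return health, events


def iam_changes(events):
    """Forwarded events that changed a bucket IAM policy."""
    return [e for e in events if e["method"] in IAM_METHODS]


# Constructed sample: two failing gcp-bucket cycles and one healthy gcp-pubsub cycle.
SAMPLE_LOG = """\
2024/10/24 03:48:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:48:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 03:49:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:437 at wm_gcp_bucket_run(): WARNING: Command returned exit code 1
2024/10/24 03:49:59 wazuh-modulesd:gcp-bucket[19415] wm_gcp.c:225 at wm_gcp_bucket_main(): DEBUG: Fetching logs finished.
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"protoPayload": {"authenticationInfo": {"principalEmail": "admin@example.com"}, "methodName": "storage.setIamPermissions", "resourceName": "projects/_/buckets/example-bucket"}}}'"
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"protoPayload": {"authenticationInfo": {"principalEmail": "admin@example.com"}, "methodName": "google.logging.v2.ConfigServiceV2.CreateSink", "resourceName": "projects/example-project/sinks/bucket"}}}'"
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Received and acknowledged 2 messages
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
"""
```

Running `triage(SAMPLE_LOG.splitlines())` reports gcp-bucket as unhealthy after two consecutive failed cycles and gcp-pubsub as healthy with two acknowledged messages, one of them a bucket IAM change.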
@wazuhci wazuhci moved this from Backlog to In progress in Release 4.10.0 Oct 23, 2024
@wazuhci wazuhci moved this from In progress to Pending review in Release 4.10.0 Oct 24, 2024
@fdalmaup
Member

Review

The errors shown in the issues faced with python installed from source section in this comment seem to be related to an incomplete Python installation from sources.
I recommend trying the steps shown in the Installed Python 3.9 and GCP dependencies section here and retrying the test of the module in the Wazuh Agent since the opened issue will not be related to the module itself but to an environment configuration problem.

@wazuhci wazuhci moved this from Pending review to On hold in Release 4.10.0 Oct 24, 2024
@octopus237
Member

On Wazuh Agent 🟢

Pub/Sub Configuration

Following: These steps

Configuring the Wazuh module for Google Cloud Pub/Sub

  • Configuration on Wazuh Agent
<ossec_config>
  <gcp-pubsub>
    <pull_on_start>yes</pull_on_start>
    <interval>1m</interval>
    <project_id>sunlit-************-a1</project_id>
    <subscription_name>wazuh-pubsub-sub</subscription_name>
    <credentials_file>/var/ossec/wodles/gcloud/gcp.json</credentials_file>
  </gcp-pubsub>
</ossec_config>

systemctl restart wazuh-agent

Results

Pub/Sub integration details
[centos@pokemon ~]$ sudo tail -f /var/ossec/logs/ossec.log | grep -i gcp
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"insertId":"9fv9f9e6emyt","logName":"projects/sunlit-utility-439322-a1/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"joresttankoua@gmail.com"},"authorizationInfo":[{"granted":true,"permission":"storage.buckets.setIamPolicy","resource":"projects/_/buckets/wazuh-alpha2-test","resourceAttributes":{}}],"methodName":"storage.setIamPermissions","requestMetadata":{"callerIp":"102.244.45.196","callerSuppliedUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2024-10-24T04:20:21.115686272Z"}},"resourceLocation":{"currentLocations":["us"]},"resourceName":"projects/_/buckets/wazuh-alpha2-test","serviceData":{"@type":"type.googleapis.com/google.iam.v1.logging.AuditData","policyDelta":{"bindingDeltas":[{"action":"ADD","member":"user:briceinno@gmail.com","role":"roles/cloudmigration.storageaccess"}]}},"serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":"2024-10-24T04:20:22.965280099Z","resource":{"labels":{"bucket_name":"wazuh-alpha2-test","location":"us","project_id":"sunlit-utility-439322-a1"},"type":"gcs_bucket"},"severity":"NOTICE","timestamp":"2024-10-24T04:20:21.032207476Z"}}'"
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Processing event: {"integration": "gcp", "gcp": {"insertId":"1vg8dnqd6aa7","logName":"projects/sunlit-utility-439322-a1/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"joresttankoua@gmail.com"},"authorizationInfo":[{"granted":true,"permission":"logging.sinks.create","permissionType":"ADMIN_WRITE","resource":"projects/sunlit-utility-439322-a1/sinks/bucket","resourceAttributes":{"name":"projects/sunlit-utility-439322-a1/sinks/bucket","service":"logging.googleapis.com","type":"logging.googleapis.com/LogSink"}}],"methodName":"google.logging.v2.ConfigServiceV2.CreateSink","request":{"@type":"type.googleapis.com/google.logging.v2.CreateSinkRequest","parent":"projects/sunlit-utility-439322-a1","sink":{"destination":"storage.googleapis.com/wazuh-alpha2-testing","name":"bucket"},"uniqueWriterIdentity":true},"requestMetadata":{"callerIp":"102.244.45.196","callerSuppliedUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2024-10-24T04:43:36.970657067Z"}},"resourceName":"projects/sunlit-utility-439322-a1/sinks/bucket","serviceName":"logging.googleapis.com","status":{}},"receiveTimestamp":"2024-10-24T04:43:39.409400225Z","resource":{"labels":{"destination":"","name":"bucket","project_id":"sunlit-utility-439322-a1"},"type":"logging_sink"},"severity":"NOTICE","timestamp":"2024-10-24T04:43:36.962595927Z"}}
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"insertId":"1vg8dnqd6aa7","logName":"projects/sunlit-utility-439322-a1/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"joresttankoua@gmail.com"},"authorizationInfo":[{"granted":true,"permission":"logging.sinks.create","permissionType":"ADMIN_WRITE","resource":"projects/sunlit-utility-439322-a1/sinks/bucket","resourceAttributes":{"name":"projects/sunlit-utility-439322-a1/sinks/bucket","service":"logging.googleapis.com","type":"logging.googleapis.com/LogSink"}}],"methodName":"google.logging.v2.ConfigServiceV2.CreateSink","request":{"@type":"type.googleapis.com/google.logging.v2.CreateSinkRequest","parent":"projects/sunlit-utility-439322-a1","sink":{"destination":"storage.googleapis.com/wazuh-alpha2-testing","name":"bucket"},"uniqueWriterIdentity":true},"requestMetadata":{"callerIp":"102.244.45.196","callerSuppliedUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2024-10-24T04:43:36.970657067Z"}},"resourceName":"projects/sunlit-utility-439322-a1/sinks/bucket","serviceName":"logging.googleapis.com","status":{}},"receiveTimestamp":"2024-10-24T04:43:39.409400225Z","resource":{"labels":{"destination":"","name":"bucket","project_id":"sunlit-utility-439322-a1"},"type":"logging_sink"},"severity":"NOTICE","timestamp":"2024-10-24T04:43:36.962595927Z"}}'"
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Processing event: {"integration": "gcp", "gcp": {"insertId":"yftcpsedkb80","logName":"projects/sunlit-utility-439322-a1/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"joresttankoua@gmail.com"},"authorizationInfo":[{"granted":true,"permission":"storage.buckets.setIamPolicy","resource":"projects/_/buckets/wazuh-alpha2-testing","resourceAttributes":{}}],"methodName":"storage.setIamPermissions","requestMetadata":{"callerIp":"102.244.45.196","callerSuppliedUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2024-10-24T04:43:37.860241775Z"}},"resourceLocation":{"currentLocations":["us"]},"resourceName":"projects/_/buckets/wazuh-alpha2-testing","serviceData":{"@type":"type.googleapis.com/google.iam.v1.logging.AuditData","policyDelta":{"bindingDeltas":[{"action":"ADD","member":"serviceAccount:service-349105655453@gcp-sa-logging.iam.gserviceaccount.com","role":"roles/storage.legacyBucketOwner"}]}},"serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":"2024-10-24T04:43:39.070690868Z","resource":{"labels":{"bucket_name":"wazuh-alpha2-testing","location":"us","project_id":"sunlit-utility-439322-a1"},"type":"gcs_bucket"},"severity":"NOTICE","timestamp":"2024-10-24T04:43:37.854360886Z"}}
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"insertId":"yftcpsedkb80","logName":"projects/sunlit-utility-439322-a1/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"joresttankoua@gmail.com"},"authorizationInfo":[{"granted":true,"permission":"storage.buckets.setIamPolicy","resource":"projects/_/buckets/wazuh-alpha2-testing","resourceAttributes":{}}],"methodName":"storage.setIamPermissions","requestMetadata":{"callerIp":"102.244.45.196","callerSuppliedUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2024-10-24T04:43:37.860241775Z"}},"resourceLocation":{"currentLocations":["us"]},"resourceName":"projects/_/buckets/wazuh-alpha2-testing","serviceData":{"@type":"type.googleapis.com/google.iam.v1.logging.AuditData","policyDelta":{"bindingDeltas":[{"action":"ADD","member":"serviceAccount:service-349105655453@gcp-sa-logging.iam.gserviceaccount.com","role":"roles/storage.legacyBucketOwner"}]}},"serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":"2024-10-24T04:43:39.070690868Z","resource":{"labels":{"bucket_name":"wazuh-alpha2-testing","location":"us","project_id":"sunlit-utility-439322-a1"},"type":"gcs_bucket"},"severity":"NOTICE","timestamp":"2024-10-24T04:43:37.854360886Z"}}'"
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Processing event: {"integration": "gcp", "gcp": {"insertId":"1f2h1dzdgk1p","jsonPayload":{"@type":"type.googleapis.com/google.cloud.networkanalyzer.logging.v1.Report","causeCode":"IP_UTILIZATION_IP_ALLOCATION_SUMMARY","firstReportTime":"2024-10-24T07:30:19.214157934Z","id":"sunlit-utility-439322-a1/ip_utilization/11872802522377032731","ipUtilizationInfo":{"subnetIpUtilization":[{"allocationRatio":0.00024437927663734115,"subnetUri":"//compute.googleapis.com/projects/sunlit-utility-439322-a1/regions/us-central1/subnetworks/default"}]},"location":"global","priority":"LOW","reportGroups":["VPC_NETWORK"],"resourceName":"//compute.googleapis.com/projects/sunlit-utility-439322-a1","status":"ACTIVE","type":"INFO"},"logName":"projects/sunlit-utility-439322-a1/logs/networkanalyzer.googleapis.com%2Fanalyzer_reports","receiveTimestamp":"2024-10-24T07:30:20.25690426Z","resource":{"labels":{"location":"global","project_id":"sunlit-utility-439322-a1"},"type":"networking.googleapis.com/Location"},"timestamp":"2024-10-24T07:30:19.214157934Z"}}
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"insertId":"1f2h1dzdgk1p","jsonPayload":{"@type":"type.googleapis.com/google.cloud.networkanalyzer.logging.v1.Report","causeCode":"IP_UTILIZATION_IP_ALLOCATION_SUMMARY","firstReportTime":"2024-10-24T07:30:19.214157934Z","id":"sunlit-utility-439322-a1/ip_utilization/11872802522377032731","ipUtilizationInfo":{"subnetIpUtilization":[{"allocationRatio":0.00024437927663734115,"subnetUri":"//compute.googleapis.com/projects/sunlit-utility-439322-a1/regions/us-central1/subnetworks/default"}]},"location":"global","priority":"LOW","reportGroups":["VPC_NETWORK"],"resourceName":"//compute.googleapis.com/projects/sunlit-utility-439322-a1","status":"ACTIVE","type":"INFO"},"logName":"projects/sunlit-utility-439322-a1/logs/networkanalyzer.googleapis.com%2Fanalyzer_reports","receiveTimestamp":"2024-10-24T07:30:20.25690426Z","resource":{"labels":{"location":"global","project_id":"sunlit-utility-439322-a1"},"type":"networking.googleapis.com/Location"},"timestamp":"2024-10-24T07:30:19.214157934Z"}}'"
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Received and acknowledged 5 messages
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:151 at wm_gcp_pubsub_main(): DEBUG: Fetching logs finished.
2024/10/24 16:49:53 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:143 at wm_gcp_pubsub_main(): DEBUG: Sleeping until: 2024/10/24 16:50:29
2024/10/24 16:50:29 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:147 at wm_gcp_pubsub_main(): DEBUG: Starting fetching of logs.
2024/10/24 16:50:29 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:248 at wm_gcp_pubsub_run(): DEBUG: Create argument list
2024/10/24 16:50:29 wazuh-modulesd:gcp-pubsub[9602] wm_gcp.c:301 at wm_gcp_pubsub_run(): DEBUG: Launching command: wodles/gcloud/gcloud --integration_type pubsub --project sunlit-utility-439322-a1 --subscription_id wazuh-pubsub-sub --credentials_file /var/ossec/wodles/gcloud/gcp.json --max_messages 100 --num_threads 1 --log_level 2
Cloud Storage buckets Config

Setting up log delivery

Following: these steps

  • ossec.conf
<gcp-bucket>
   <run_on_start>yes</run_on_start>
   <interval>1m</interval>
   <bucket type="access_logs">
       <name>wazuh-alpha2-testing</name>
       <credentials_file>/var/ossec/wodles/gcloud/gcp.json</credentials_file>
       <only_logs_after>2024-OCT-20</only_logs_after>
   </bucket>
</gcp-bucket>

systemctl restart wazuh-manager

Results

Bucket logs
2024/10/24 17:03:11 wazuh-modulesd:gcp-bucket[10898] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Processing wazuh-alpha2-testing_usage_2024_10_24_02_00_00_1565f667c0fbe961a7_v0
2024/10/24 17:03:11 wazuh-modulesd:gcp-bucket[10898] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729738754968588", "c_ip": "3.236.28.66", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing/o?projection=noAcl&prefix=&delimiter=%2F&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "89326", "time_taken_micros": "38000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.6.8 grpc/1.48.2 gax/1.32.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY041bCIZbpQMbWJehgRgjDJXIlJAJ4n3ViEzxMxVhH1iAyPCH5VAkOZXr6ZBhJXsIizykE", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
2024/10/24 17:03:11 wazuh-modulesd:gcp-bucket[10898] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Processing wazuh-alpha2-testing_usage_2024_10_24_02_00_00_1d65f667c0fbe961a7_v0
2024/10/24 17:03:11 wazuh-modulesd:gcp-bucket[10898] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729738754917965", "c_ip": "3.236.28.66", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/storage/v1/b/wazuh-alpha2-testing?projection=noAcl&prettyPrint=false", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "717", "time_taken_micros": "20000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "gcloud-python/1.39.0  gl-python/3.6.8 grpc/1.48.2 gax/1.32.0 gccl/1.39.0", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY0_QSrAZcPZlcdqPSyWH2rb1pUF6pzFThq94hibfGyZW4wno0hfFf_P3Hq-QGXC_OzMZMQ", "cs_bucket": "", "cs_object": "wazuh-alpha2-testing", "null": [""], "source": "gcp_bucket"}}'"
2024/10/24 17:03:11 wazuh-modulesd:gcp-bucket[10898] wm_gcp.c:352 at wm_gcp_parse_output(): INFO: Processing wazuh-alpha2-testing_usage_2024_10_24_03_00_00_10088cf4861e816e4e_v0
2024/10/24 17:03:11 wazuh-modulesd:gcp-bucket[10898] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729738844726677", "c_ip": "3.236.28.66", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/download/storage/v1/b/wazuh-alpha2-testing/o/wazuh-alpha2-testing_usage_2024_10_23_00_00_00_1b77e24951c86b66fb_v0?generation=1729678662418607&alt=media", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "4829", "time_taken_micros": "130000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "python-requests/2.27.1", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY1kZGGK-XqtwnRm6M5yOqSaN2a8bi9ofPCXkcAc-_7oKm7DpM5UJwvgSRQuTK-95n6qFTldxI68fA", "cs_bucket": "storage.objects.get", "cs_object": "wazuh-alpha2-testing", "null": ["wazuh-alpha2-testing_usage_2024_10_23_00_00_00_1b77e24951c86b66fb_v0"], "source": "gcp_bucket"}}'"
2024/10/24 17:03:11 wazuh-modulesd:gcp-bucket[10898] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729738840568966", "c_ip": "3.236.28.66", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/download/storage/v1/b/wazuh-alpha2-testing/o/wazuh-alpha2-testing_usage_2024_10_22_22_00_00_1950ee173343438e5d_v0?generation=1729678666603575&alt=media", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "3261", "time_taken_micros": "106000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "python-requests/2.27.1", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY1k_w2-9zcDDbisrFzp6RdGqiMVkQ7baD5RYs4mo36eCCV3ZDcD7YHC79MRWSXUr448d33bjfOVBw", "cs_bucket": "storage.objects.get", "cs_object": "wazuh-alpha2-testing", "null": ["wazuh-alpha2-testing_usage_2024_10_22_22_00_00_1950ee173343438e5d_v0"], "source": "gcp_bucket"}}'"
2024/10/24 17:03:11 wazuh-modulesd:gcp-bucket[10898] wm_gcp.c:346 at wm_gcp_parse_output(): DEBUG: Sending msg to analysisd: "b'1:Wazuh-GCloud:{"integration": "gcp", "gcp": {"time_micros": "1729738845748415", "c_ip": "3.236.28.66", "c_ip_type": "1", "c_ip_region": "", "cs_method": "GET", "cs_uri": "/download/storage/v1/b/wazuh-alpha2-testing/o/wazuh-alpha2-testing_usage_2024_10_23_01_00_00_14f131c7be8fb1192f_v0?generation=1729695475410414&alt=media", "sc_status": "200", "cs_bytes": "0", "sc_bytes": "1737", "time_taken_micros": "104000", "cs_host": "storage.googleapis.com", "cs_referer": "", "cs_user_agent": "python-requests/2.27.1", "s_request_id": "gzip(gfe)", "cs_operation": "AHmUCY1TydWLl7CNlenkOhCBq4yk4fxII_djCZbvqOuZrSAaavbfTni8GxY_VtXPIbhOzk9ZAXPGLrxRvA", "cs_bucket": "storage.objects.get", "cs_object": "wazuh-alpha2-testing", "null": ["wazuh-alpha2-testing_usage_2024_10_23_01_00_00_14f131c7be8fb1192f_v0"], "source": "gcp_bucket"}}'"
CSPM

Network misconfigurations

Following: These steps

Enabling Compute Engine API

image

Verybad Firewall rule creation

image

Verybad Firewall rule deletion

image

Identity and access management anomalous activity

image

Results on Wazuh Dashboard
A different rule has been triggered on dashboard

events end

@octopus237
Member

octopus237 commented Oct 24, 2024

GCP Integration Prerequisites 🟢

Installation of dependencies on wazuh-agent (Centos 7)

Install wazuh-agent
[root@ip-172-31-72-7 ~]# WAZUH_MANAGER="172.31.71.84" yum install wazuh-agent
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
wazuh                                                           | 3.5 kB  00:00:00
wazuh/primary_db                                                | 555 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.x86_64 0:4.10.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================
 Package                Arch              Version               Repository        Size
=======================================================================================
Installing:
 wazuh-agent            x86_64            4.10.0-1              wazuh            8.9 M

Transaction Summary
=======================================================================================
Install  1 Package

Total download size: 8.9 M
Installed size: 26 M
Is this ok [y/d/N]: y
Downloading packages:
wazuh-agent-4.10.0-1.x86_64.rpm                                 | 8.9 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.10.0-1.x86_64                                         1/1
  Verifying  : wazuh-agent-4.10.0-1.x86_64                                         1/1
Installed:
  wazuh-agent.x86_64 0:4.10.0-1

Complete!
[root@ip-172-31-72-7 ~]# hostnamectl set-hostname pokemon
[root@ip-172-31-72-7 ~]# logout

[centos@pokemon ~]$ sudo -i
[root@pokemon ~]#
[root@pokemon ~]# systemctl daemon-reload
[root@pokemon ~]# systemctl enable wazuh-agent
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-agent.service to /usr/lib/systemd/system/wazuh-agent.service.
[root@pokemon ~]# systemctl start wazuh-agent
Install Python3 from source

Dependencies

# Build tools and headers needed so Python is compiled with ssl, bz2, ctypes, zlib and sqlite support
sudo yum groupinstall "Development Tools"
sudo yum install openssl-devel bzip2-devel libffi-devel zlib-devel sqlite-devel

curl -O https://www.python.org/ftp/python/3.9.0/Python-3.9.0.tgz
tar -xvf Python-3.9.0.tgz
cd Python-3.9.0
./configure --prefix=/usr/local --enable-loadable-sqlite-extensions
# altinstall leaves the system python3 untouched and installs /usr/local/bin/python3.9
sudo make altinstall
/usr/local/bin/python3.9 -m pip install --upgrade pip
/usr/local/bin/python3.9 -m pip install google google-cloud-storage google-cloud-pubsub pytz
# The wodle needs urllib3 1.x, so pin urllib3 and requests to the supported major versions
/usr/local/bin/python3.9 -m pip uninstall urllib3 requests -y
/usr/local/bin/python3.9 -m pip install "urllib3<2" "requests<3"
# Update gcloud shebang to python3.9
sed -i '1s/$/.9/' /var/ossec/wodles/gcloud/gcloud

Agent on dashboard
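The shebang edit in the comment above (`sed -i '1s/$/.9/'`) appends `.9` to the first line unconditionally, so running it a second time produces `python3.9.9` and the wodle stops executing. The following is an added example, not code from the issue or from Wazuh, that makes the same change idempotently: it only rewrites a shebang that still ends in plain `python3`, preserves the file mode, and refuses anything unexpected. The wodle path is taken as an argument; `/var/ossec/wodles/gcloud/gcloud` is the path the comment uses.

```shell
#!/bin/sh
# pin_wodle_shebang FILE
#   Rewrites "#!... python3" to "#!... python3.9" on the first line of FILE.
#   Returns 0 when the shebang is (now) pinned, 1 on an unexpected shebang,
#   2 when FILE does not exist. Safe to run repeatedly.
pin_wodle_shebang() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    first=$(head -n 1 "$file")
    case "$first" in
        "#!"*python3.9)
            return 0 ;;                       # already pinned, nothing to do
        "#!"*python3)
            # Append .9 to the interpreter only; copy the remaining lines
            # byte-for-byte and write back through cat so the executable bit
            # and ownership of the wodle are kept (mv would replace them).
            tmp="$file.tmp.$$"
            { printf '%s.9\n' "$first"; tail -n +2 "$file"; } > "$tmp" &&
                cat "$tmp" > "$file" && rm -f "$tmp" ;;
        *)
            echo "unexpected shebang in $file: $first" >&2
            return 1 ;;
    esac
}

# wodle_interpreter FILE
#   Prints the interpreter line the kernel will use, for a quick check after
#   the edit (e.g. "/usr/bin/env python3.9").
wodle_interpreter() {
    head -n 1 "$1" | sed 's/^#![[:space:]]*//'
}

# Usage (assumed default wodle path from the comment above):
# pin_wodle_shebang /var/ossec/wodles/gcloud/gcloud && wodle_interpreter /var/ossec/wodles/gcloud/gcloud
```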

@wazuhci wazuhci moved this from On hold to Pending review in Release 4.10.0 Oct 25, 2024
@fdalmaup
Member

Review

LGTM

@wazuhci wazuhci moved this from Pending review to Pending final review in Release 4.10.0 Oct 25, 2024
@wazuhci wazuhci moved this from Pending final review to In final review in Release 4.10.0 Oct 25, 2024
@rauldpm rauldpm closed this as completed Oct 25, 2024
@wazuhci wazuhci moved this from In final review to Done in Release 4.10.0 Oct 25, 2024
Projects
Status: Done