Discrepancies between \\ and / in Linux paths between WazuhDB and global-queries #29147

Open
pro-akim opened this issue Apr 9, 2025 · 9 comments · May be fixed by #29154
Assignees
Labels
level/task type/bug Something isn't working

Comments

@pro-akim
Member

pro-akim commented Apr 9, 2025

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| v4.13.0-alpha0 | Wazuh component | Manager | Packages | Any |

Performing tests of the functionality under development, I find that:

In WazuhDB:

```
/etc/systemd/system/dev-virtio\\x2dports-org.qemu.guest_agent.0.device.wants/qemu-guest-agent.service
```

In GlobalQueries:

```
/etc/systemd/system/dev-virtio/x2dports-org.qemu.guest_agent.0.device.wants/qemu-guest-agent.service
```

Related to:

```cpp
Utils::replaceAll(m_pathSanitized, "\\", "/");
```

Steps to reproduce

  1. Create the infrastructure with manager, filebeat, agents, and agent using packages found in packages.dev in the wqa1198 directory.
  2. Once the core components are connected, run the keystore inclusion.
  3. Obtain indexed files using sqlite3 in the WazuhDB table, fim_entry column, file.
  4. Perform GQ using the query: `curl -k -u <indexer_user>:<indexer_pass> https://<indexer_ip>:9200/wazuh-states-files-wazuh/_search?size=10000`
  5. Check the difference of \ vs / in the paths
@pro-akim pro-akim added type/bug Something isn't working level/task and removed type/bug Something isn't working labels Apr 9, 2025
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 4.13.0 Apr 9, 2025
@GabrielEValenzuela GabrielEValenzuela self-assigned this Apr 9, 2025
@GabrielEValenzuela GabrielEValenzuela added the type/bug Something isn't working label Apr 9, 2025
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 4.13.0 Apr 9, 2025
@GabrielEValenzuela
Member

GabrielEValenzuela commented Apr 10, 2025

Update

Implement function logic and UT to cover the cases. Pending validation of this approach with the team. Integration test fails due to the OpenSearch constraint on the ID field.

@GabrielEValenzuela
Member

Update

Adjust UT and leave the issue on hold until we validate this approach

@wazuhci wazuhci moved this from In progress to On hold in XDR+SIEM/Release 4.13.0 Apr 10, 2025
@wazuhci wazuhci moved this from On hold to Blocked in XDR+SIEM/Release 4.13.0 Apr 11, 2025
@GabrielEValenzuela GabrielEValenzuela linked a pull request Apr 12, 2025 that will close this issue
@GabrielEValenzuela
Member

Update

The new approach is to hash the path with SHA256. Due to compilation errors in the branch I'm not able to push the change proposal, which restores all previous states and implements the new design discussed with @Dwordcito.

@wazuhci wazuhci moved this from Blocked to On hold in XDR+SIEM/Release 4.13.0 Apr 16, 2025
@pereyra-m
Member

Hi, I just want to give an example for Windows.
If this isn't related, it can be fixed in another issue.

But a registry entry with a URL is getting modified: we are replacing `//` with `/`.

@wazuhci wazuhci moved this from On hold to In progress in XDR+SIEM/Release 4.13.0 Apr 21, 2025
@GabrielEValenzuela
Member

Update

Implement hashing solution and UT. Rebase the branch.

@wazuhci wazuhci moved this from In progress to Pending review in XDR+SIEM/Release 4.13.0 Apr 21, 2025
@wazuhci wazuhci moved this from Pending review to In final review in XDR+SIEM/Release 4.13.0 Apr 22, 2025
@wazuhci wazuhci moved this from In final review to On hold in XDR+SIEM/Release 4.13.0 Apr 22, 2025
@wazuhci wazuhci moved this from On hold to In progress in XDR+SIEM/Release 4.13.0 Apr 22, 2025
@GabrielEValenzuela
Member

GabrielEValenzuela commented Apr 22, 2025

Update

Fix path entry
Remove replaceAll normalization

@wazuhci wazuhci moved this from In progress to Pending final review in XDR+SIEM/Release 4.13.0 Apr 22, 2025
@wazuhci wazuhci moved this from Pending final review to In progress in XDR+SIEM/Release 4.13.0 Apr 22, 2025
@pro-akim
Member Author

Update

Working on Windows Registries I could find the following differences:

```json
{
    "agent1": {
        "only_wdb": [
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/Connection/http://www.microsoft.com/provisioning/eaptlsconnectionpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/Connection/http://www.microsoft.com/provisioning/mschapv2connectionpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/Connection/http://www.microsoft.com/provisioning/mspeapconnectionpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/User/http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/User/http://www.microsoft.com/provisioning/mschapv2userpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/User/http://www.microsoft.com/provisioning/mspeapuserpropertiesv1"
            ]
        ],
        "only_indices": [
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/Connection/http:/www.microsoft.com/provisioning/eaptlsconnectionpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/Connection/http:/www.microsoft.com/provisioning/mschapv2connectionpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/Connection/http:/www.microsoft.com/provisioning/mspeapconnectionpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/User/http:/www.microsoft.com/provisioning/eaptlsuserpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/User/http:/www.microsoft.com/provisioning/mschapv2userpropertiesv1"
            ],
            [
                "HKLM",
                "System/CurrentControlSet/Services/xmlprov/Parameters/SchemaGroups/User/http:/www.microsoft.com/provisioning/mspeapuserpropertiesv1"
            ]
        ]
    }
}
```

In this case the difference is between `http:/` and `http://` on Windows.
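As an added illustration (not code from the Wazuh project), the backslash-to-slash normalization quoted in the issue description is reproduced in C++ together with the WazuhDB-versus-index comparison behind the `only_wdb`/`only_indices` report above; `countCollisions`, `diffPaths` and the sample paths are constructed for this example, and the Windows `http://` case is not modelled because the thread does not show the code responsible for it.

```cpp
#include <algorithm>
#include <iostream>
#include <iterator>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Same behaviour as the Utils::replaceAll(m_pathSanitized, "\\", "/") call
// quoted in the issue: every backslash in the path becomes a forward slash.
std::string replaceAll(std::string s, const std::string& from, const std::string& to) {
    for (std::size_t pos = 0; (pos = s.find(from, pos)) != std::string::npos; pos += to.size())
        s.replace(pos, from.size(), to);
    return s;
}
std::string sanitizePath(const std::string& path) { return replaceAll(path, "\\", "/"); }

// The normalization is not injective: two distinct stored paths can produce the
// same indexed path, so the index cannot be mapped back to WazuhDB rows.
std::size_t countCollisions(const std::vector<std::string>& stored) {
    std::set<std::string> seen;
    std::size_t collisions = 0;
    for (const auto& p : stored)
        if (!seen.insert(sanitizePath(p)).second) ++collisions;  // already produced earlier
    return collisions;
}

// The check behind the "only_wdb" / "only_indices" report in the thread:
// first = paths only in WazuhDB, second = paths only in the index.
using Diff = std::pair<std::vector<std::string>, std::vector<std::string>>;
Diff diffPaths(const std::vector<std::string>& wdb, const std::vector<std::string>& indexed) {
    std::set<std::string> a(wdb.begin(), wdb.end()), b(indexed.begin(), indexed.end());
    Diff d;
    std::set_difference(a.begin(), a.end(), b.begin(), b.end(), std::back_inserter(d.first));
    std::set_difference(b.begin(), b.end(), a.begin(), a.end(), std::back_inserter(d.second));
    return d;
}

int main() {
    // Constructed sample: the systemd unit path from the issue (systemd escapes '-'
    // in unit names as \x2d, one real backslash) plus a sibling that already has '/'.
    const std::vector<std::string> wdb = {
        "/etc/systemd/system/dev-virtio\\x2dports-org.qemu.guest_agent.0.device.wants/qemu-guest-agent.service",
        "/etc/systemd/system/dev-virtio/x2dports-org.qemu.guest_agent.0.device.wants/qemu-guest-agent.service"};
    std::vector<std::string> indexed;
    for (const auto& p : wdb) indexed.push_back(sanitizePath(p));
    const Diff d = diffPaths(wdb, indexed);
    std::cout << "collisions: " << countCollisions(wdb) << ", only_wdb: " << d.first.size()
              << ", only_indices: " << d.second.size() << '\n';
}
```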

@GabrielEValenzuela
Member

Update

Change approach to use index aka full_path.
Add missing arch to registry value

@wazuhci wazuhci moved this from Pending final review to In progress in XDR+SIEM/Release 4.13.0 Apr 24, 2025
@wazuhci wazuhci moved this from In progress to Pending final review in XDR+SIEM/Release 4.13.0 Apr 24, 2025
@wazuhci wazuhci moved this from Pending final review to Pending review in XDR+SIEM/Release 4.13.0 Apr 25, 2025
@wazuhci wazuhci moved this from Pending review to In final review in XDR+SIEM/Release 4.13.0 Apr 28, 2025
@GabrielEValenzuela
Member

Update

Fix index field for agents prior to 4.6

@wazuhci wazuhci moved this from In final review to Pending review in XDR+SIEM/Release 4.13.0 Apr 28, 2025
Projects
Status: Pending review