can't get my sca check to work


MikeV

Mar 19, 2024, 8:01:34 AM3/19/24
to Wazuh | Mailing List
Hi Wazuh team,
Trying to understand what is wrong in the check that I am trying to create:

- c:sqlcmd -h-1 -Q "EXECUTE xp_loginconfig 'audit level'" -> r:audit level\s+failure

manual execution of SQL command gives me one line as output:
audit level               failure

The regex check says that what I wrote as a check should search for exactly such a line, but in the Wazuh manager I still see the check status as Failed (condition set to All; this is the only check).

could you please advise what I am doing wrong?

Tomas Benitez Vescio

Mar 19, 2024, 8:48:30 AM3/19/24
to Wazuh | Mailing List
Hi,
Thanks for using Wazuh!

I would recommend that you check out the following Wazuh SCA documentation: Security Configuration Assessment, How SCA works and How to configure SCA. From what you have shared I don't see anything particularly wrong; maybe it's a matter of the regex engine used by Wazuh not working the same way you expected. You can change it as mentioned in the Policy section.

Regards.

MikeV

Mar 21, 2024, 5:08:39 AM3/21/24
to Wazuh | Mailing List
Hi, is there a way to debug the exact test more deeply? Like the raw output: how Wazuh "sees" the output of my SQL expression before comparing it with the regex?
I tried to set analysisd.debug to 2 and agent.debug to 2, but it did not help much.

Tuesday, March 19, 2024 at 15:48:30 UTC+3, Tomas Benitez Vescio:

Tomas Benitez Vescio

Mar 21, 2024, 8:09:54 AM3/21/24
to Wazuh | Mailing List

At the moment there is no direct way of achieving what you are mentioning; the closest thing to it is to set a debug level on the analysisd module (something you have already done). If you believe this is something that should be possible to do, feel free to open an issue. In the meantime, and just to be sure, the logs don't appear to contain any error logs, right? You can check this by running:
  • cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
  • cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
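An added example, not Wazuh's own code, that approximates what MikeV asked for above: a small Python harness that shows a command's output exactly as captured (tabs, CRLF and extra lines made visible) and then applies the rule's regex line by line. It assumes PCRE-style semantics via Python's re module, which is not Wazuh's default engine, so treat it as a way to inspect the raw output rather than as the authoritative SCA evaluation; the sample outputs are constructed.

```python
import re
import subprocess
from typing import Optional

# Constructed samples of what a query like
# sqlcmd -h-1 -Q "EXECUTE xp_loginconfig 'audit level'" might print.
# A terminal renders all three the same way; an agent does not.
SAMPLE_OUTPUTS = {
    "spaces": "audit level               failure\n",
    "tab_crlf": "audit level\tfailure\r\n",
    "with_header": "name          config_value\naudit level   failure\n(1 rows affected)\n",
}

def dump_raw(output: str) -> list[str]:
    """Return each captured line with escapes visible (repr), so tabs,
    CRLF endings and trailing spaces can be seen instead of guessed."""
    return [repr(line) for line in output.splitlines(keepends=True)]

def evaluate_rule(output: str, pattern: str) -> Optional[str]:
    """Emulate a line-by-line 'r:' check: return the first line the regex
    matches, or None. Assumption: PCRE-like semantics (Python re), which
    differ from Wazuh's default engine."""
    regex = re.compile(pattern)
    for line in output.splitlines():
        if regex.search(line):
            return line
    return None

def run_and_evaluate(cmd: list[str], pattern: str) -> tuple[list[str], Optional[str]]:
    """Run a check command, capture stdout as text, show it raw, evaluate it."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return dump_raw(proc.stdout), evaluate_rule(proc.stdout, pattern)

if __name__ == "__main__":
    rule = r"audit level\s+failure"      # the rule from the thread
    strict = r"audit level +failure"     # spaces only: fails on a tab
    for name, out in SAMPLE_OUTPUTS.items():
        print(name, dump_raw(out))
        print("  \\s+ rule ->", evaluate_rule(out, rule))
        print("  space-only rule ->", evaluate_rule(out, strict))
```

Replace the constructed samples with `run_and_evaluate(["sqlcmd", ...], rule)` on the host in question to see the real captured bytes before the regex is applied.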