# Evidence Collector

This project includes modules for collecting evidence regarding Wazuh and VAT.

## Wazuh evidence collector

Wazuh evidence collector uses [Wazuh's API](https://documentation.wazuh.com/current/user-manual/api/reference.html) to access information about manager's and agents' system informations and configurations. As an additional measure to ensure correct configuration of [ClamAV](https://www.clamav.net/) (if installed on machine) we also make use of [Elasticsearch's API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search.html) to dirrectly access collected logs - Elastic stack is one of the Wazuh's required components (usually installed on the same machine as Wazuh server, but can be stand alone as well).

## Installation & use

### Using docker:

1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.

2. Clone this repository.

3. Build Docker image:

```
docker build -t evidence-collector .
```

4. Run the image:

```
docker run evidence-collector
```

> Note: Current simple image runs code from `test.py`. If you wish to test anything else, change this file or edit `Dockerfile`.

### Local environment:

1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.

2. Clone this repository.

3. Install dependencies:

```
pip install -r requirements.txt
```

4. Run `test.py`:

```
python3 test.py
```

> Note: This repository consists of multiple modules. When running code manually, use of `-m` flag might be necessary.

### API User authentication

Current implementation has disabled SSL certificate verification & uses simple username/password verification (defined inside `/constants/constants.py`). Production version should change this with cert verification.

### Manual Elasticsearch API testin with cURL

Example command for testing the API via CLI: 

```
curl --user admin:changeme --insecure -X GET "https://192.168.33.10:9200/wazuh-alerts*/_search?pretty" -H 'Content-Type: application/json' -d'
{"query": {
  "bool": {
    "must": [{"match": {"predecoder.program_name": "clamd"}},
             {"match": {"rule.description": "Clamd restarted"}},
             {"match": {"agent.id": "001"}}]
    }
  }
}'
```

## Known issues

### Python Elasticsearch library problems with ODFE

Latest versions (`7.14.0` & `7.15.0`) of Python Elasticsearch library have problems connecting to Open Distro for Elasticsearch and produce the following error when trying to do so: 

```
elasticsearch.exceptions.UnsupportedProductError: The client noticed that the server is not a supported distribution of Elasticsearch
```

To resolve this, downgrade to older package version: 

```
pip install 'elasticsearch<7.14.0'
```