diff --git a/common/src/database/postgres.rs b/common/src/database/postgres.rs
index 2238091..9868850 100644
--- a/common/src/database/postgres.rs
+++ b/common/src/database/postgres.rs
@@ -155,8 +155,8 @@ impl PostgresDatabase {
 client
 .query(
 format!(
- r#"SELECT * 
- FROM heartbeats 
+ r#"SELECT *
+ FROM heartbeats
 JOIN subscriptions
 ON subscriptions.uuid = heartbeats.subscription
 WHERE {} = $1 AND subscription = $2"#,
@@ -170,8 +170,8 @@ impl PostgresDatabase {
 client
 .query(
 format!(
- r#"SELECT * 
- FROM heartbeats 
+ r#"SELECT *
+ FROM heartbeats
 JOIN subscriptions ON subscriptions.uuid = heartbeats.subscription
 WHERE {} = $1"#,
 field
@@ -572,7 +572,7 @@ impl Database for PostgresDatabase {
 .await?
 .query(
 r#"
- SELECT * 
+ SELECT *
 FROM subscriptions
 "#,
 &[],
@@ -596,7 +596,7 @@ impl Database for PostgresDatabase {
 .get()
 .await?
 .query_opt(
- r#"SELECT * 
+ r#"SELECT *
 FROM subscriptions
 WHERE uuid = $1 OR name = $1"#,
 &[&identifier],
@@ -626,7 +626,7 @@ impl Database for PostgresDatabase {
 ignore_channel_error, princs_filter_op, princs_filter_value, outputs, locale, data_locale) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20)
- ON CONFLICT (uuid) DO UPDATE SET 
+ ON CONFLICT (uuid) DO UPDATE SET
 version = excluded.version,
 revision = excluded.revision,
 name = excluded.name,
diff --git a/common/src/database/sqlite.rs b/common/src/database/sqlite.rs
index 74bd6f3..e105b66 100644
--- a/common/src/database/sqlite.rs
+++ b/common/src/database/sqlite.rs
@@ -3,19 +3,19 @@
 // license (MIT), we include below its copyright notice and permission notice:
 //
 // The MIT License (MIT)
-// 
+//
 // Copyright (c) 2015 Skyler Lipthay
-// 
+//
 // Permission is hereby granted, free of charge, to any person obtaining a copy
 // of this software and associated documentation files (the "Software"), to deal
 // in the Software without restriction, including without limitation the rights
 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 // copies of the Software, and to permit persons to whom the Software is
 // furnished to do so, subject to the following conditions:
-// 
+//
 // The above copyright notice and this permission notice shall be included in all
 // copies or substantial portions of the Software.
-// 
+//
 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -125,7 +125,7 @@ impl SQLiteDatabase {
 )?;
 let rows = statement.query_and_then(&[(":field_value", &field_value), (":subscription", &value)], row_to_heartbeat)?;
- let mut heartbeats = Vec::new(); 
+ let mut heartbeats = Vec::new();
 for heartbeat in rows {
 heartbeats.push(heartbeat?);
 }
@@ -134,7 +134,7 @@ impl SQLiteDatabase {
 let mut statement = conn.prepare(
 format!(
 r#"SELECT *
- FROM heartbeats 
+ FROM heartbeats
 JOIN subscriptions ON subscriptions.uuid = heartbeats.subscription
 WHERE {} = :field_value"#,
 field
@@ -142,7 +142,7 @@ impl SQLiteDatabase {
 .as_str()
 )?;
 let rows = statement.query_and_then(&[(":field_value", &field_value)], row_to_heartbeat)?;
- let mut heartbeats = Vec::new(); 
+ let mut heartbeats = Vec::new();
 for heartbeat in rows {
 heartbeats.push(heartbeat?);
 }
@@ -321,12 +321,12 @@ impl Database for SQLiteDatabase {
 (None, None) => {
 client.interact(move |conn| {
 conn.execute("DELETE FROM bookmarks", [])
- }).await 
+ }).await
 }
 };
 future.map_err(|err| anyhow!(format!("{}", err)))??;
 Ok(())
- 
+
 }
 
 async fn get_heartbeats_by_machine(
@@ -469,7 +469,7 @@ impl Database for SQLiteDatabase {
 for (key, value) in heartbeats_cloned {
 match value.last_event_seen {
 Some(last_event_seen) => {
- query_with_event 
+ query_with_event
 .execute(
 params![
 &key.machine,
@@ -561,7 +561,7 @@ impl Database for SQLiteDatabase {
 :max_time, :max_envelope_size, :enabled, :read_existing_events, :content_format, :ignore_channel_error, :princs_filter_op, :princs_filter_value, :outputs, :locale, :data_locale)
- ON CONFLICT (uuid) DO UPDATE SET 
+ ON CONFLICT (uuid) DO UPDATE SET
 version = excluded.version,
 revision = excluded.revision,
 name = excluded.name,
@@ -776,7 +776,7 @@ impl Database for SQLiteDatabase {
 .interact(move |conn| {
 conn.query_row(
 r#"SELECT COUNT(machine)
- FROM heartbeats 
+ FROM heartbeats
 WHERE subscription = :subscription"#,
 &[(":subscription", &subscription_owned)],
 |row| row.get(0),
diff --git a/common/src/models/config.rs b/common/src/models/config.rs
index 52a3e3c..2c44018 100644
--- a/common/src/models/config.rs
+++ b/common/src/models/config.rs
@@ -361,7 +361,7 @@ enabled = true
 [outputs.config]
 base = "/tmp/"
-split_on_addr_index = 2 
+split_on_addr_index = 2
 append_node_name = true
 filename = "courgette"
diff --git a/doc/subscription.md b/doc/subscription.md
index 192c7fe..235cd95 100644
--- a/doc/subscription.md
+++ b/doc/subscription.md
@@ -1,6 +1,6 @@
 # Subscription
-A subscription enables a Windows Event Collector to retrieve a set of events from a set of machines using a dedicated configuration. 
+A subscription enables a Windows Event Collector to retrieve a set of events from a set of machines using a dedicated configuration.
 The set of events is defined by a list of XPath filter queries. For example, here is a query list composed of a single query which retrieves all event logs within channels `Application`, `Security`, `Setup` and `System`:
 ```xml
@@ -24,7 +24,7 @@ In addition, each subscription is identified by a GUID called `uuid`, which is n
 Each Windows machine configured to contact a Windows Event Collector server will send an `Enumerate` request to get a list of subscriptions. It will then create locally these subscriptions and fullfill them.
-## Parameters 
+## Parameters
 Subscriptions and their parameters are not defined in OpenWEC configuration file but in OpenWEC database. Therefore, you **must** use `openwec` cli to edit them. You should **never update subscription parameters directly in database**.
@@ -123,7 +123,7 @@ To use configuration files, edit them and then run `openwec subscriptions load`.
 ### Revisions
-When using the `openwec subscriptions load` command, you can use the `--revision` flag to specify a revision string that represents the configuration version. For example, you can use the output of `git rev-parse --short HEAD` if your configuration files are versioned using `git`. 
+When using the `openwec subscriptions load` command, you can use the `--revision` flag to specify a revision string that represents the configuration version. For example, you can use the output of `git rev-parse --short HEAD` if your configuration files are versioned using `git`.
 When a client retrieves its subscriptions, it also receives the associated revision strings. Later, when pushing events or sending heartbeats, the revision string is included as metadata. The revision string received by OpenWEC within events is called `ClientRevision` because it represents the revision "used" by the client at that time. The revision string is not used to compute the subscription version that clients use to determine whether the subscription has been updated since their last `Refresh`. This is because some configuration updates may only affect "server" parameters (i.e. outputs), and we do not want all clients to refresh the subscription unnecessarily. However, if the configuration update affects "client" parameters (such as query), the subscription version is updated and clients will retrieve the new version of the subscription configuration with the new revision string on the next `Refresh`.
@@ -147,7 +147,7 @@ You can disable all cli commands that edit subscriptions using the OpenWEC setti
 List subscriptions in a "short" format. Each line represents a subscription, with its status (enabled or not), its name and its URI.
-#### Usage 
+#### Usage
 ```
 $ openwec subscriptions
@@ -156,7 +156,7 @@ $ openwec subscriptions
 [+] Subscription-toto (/toto)
 ```
-There are 3 subscriptions: 
+There are 3 subscriptions:
 - A subscription named `Old subscription`, disabled with no URI defined.
 - A subscription named `My-new-subscription`, enabled with no URI defined.
 - A subscription named `Subscription-toto`, enabled with a URI set to `/toto`.
@@ -167,7 +167,7 @@ Otherwise, if a Windows machine sends an Enumerate request using URI `/toto`, it
 ### `openwec subscriptions new` (deprecated)
 > [!WARNING]
-> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead. 
+> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead.
 This command enables you to create a new subscription.
@@ -191,7 +191,7 @@ You may add some using `openwec subscriptions output`, which is detailed in [Out
 ### `openwec subscriptions edit` (deprecated)
 > [!WARNING]
-> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead. 
+> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead.
 This command enables you to edit an already existing subscription.
@@ -238,7 +238,7 @@ Subscription my-super-subscription
 ContentFormat: Raw
 IgnoreChannelError: true
 Principal filter: Not configured
- Outputs: Not configured 
+ Outputs: Not configured
 Enabled: false
 Event filter query:
@@ -256,7 +256,7 @@ Event filter query:
 ### `openwec subscriptions duplicate` (deprecated)
 > [!WARNING]
-> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead. 
+> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead.
 This command duplicates an existing subscription.
@@ -303,7 +303,7 @@ Event filter query:
 ### `openwec subscriptions export` (deprecated)
 > [!WARNING]
-> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead. 
+> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead.
 This command exports the currently configured subscriptions in a `json` format. You may export only one subscription using `--subscription `.
@@ -322,7 +322,7 @@ $ openwec subscriptions export
 ### `openwec subscriptions import` (deprecated)
 > [!WARNING]
-> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead. 
+> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead.
 This command imports subscriptions from a file. Two formats are supported:
 * `openwec`: the format generated by `openwec subscriptions export`. **Importing subscriptions exported from another openwec version might not work.**
@@ -340,7 +340,7 @@ $ openwec subscriptions import -f windows windows-subscription.xml
 ### `openwec subscriptions delete` (deprecated)
 > [!WARNING]
-> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead. 
+> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead.
 This command deletes subscriptions, and all associated bookmarks and heartbeats. There is no way to undo this action (unless you backup your database, and **you should definitely do it**).
@@ -375,7 +375,7 @@ $ openwec subscriptions machines my-super-subscription
 ### `openwec subscriptions enable` (deprecated)
 > [!WARNING]
-> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead. 
+> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead.
 This command enables one or many subscriptions. You may also want to enable all configured subscriptions without listing them using `--all`.
@@ -394,7 +394,7 @@ $ openwec subscriptions enable my-super-subscription this-is-a-clone
 ### `openwec subscriptions disable` (deprecated)
 > [!WARNING]
-> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead. 
+> Using commands to manage subscriptions and there outputs is **deprecated** and will be removed in future releases. Use subscription configuration files instead.
 This command disables one or many subscriptions. You may also want to disable all configured subscriptions without listing them using `--all`.