OTel Agent Testing
For testing the OpenTelemetry Collector on Windows or Linux, you can generate specific log activities if required, otherwise use the default activity generated on the respective machines.
Windows
Here are some PowerShell commands that force Windows Security and System logs to be generated, for testing the Full Raw or Receiver OTel configurations when activity needs to be generated.
Windows Security Logs
To generate security logs using PowerShell, various activities can be performed that trigger specific security events. The type of log generated depends on the activity and the configured audit policies on the system.
Examples of activities that generate security logs:
Using Write-EventLog (for classic event logs)
The Write-EventLog cmdlet can write events to classic event logs like "Security", "System", or custom logs you've created.
# First, ensure your event source is registered (run as administrator)
New-EventLog -LogName "Security" -Source "MySecurityTest"
# Loop to write multiple security events
for ($i = 1; $i -le 10; $i++) {
    Write-EventLog -LogName "Security" -Source "MySecurityTest" -EventId 5001 -EntryType FailureAudit -Message "Test security event number $i"
    Start-Sleep -Seconds 1 # Optional: Add a delay between events
}
Generating Multiple Security Events
To generate multiple instances of a specific security event, such as a failed logon attempt or an account lockout, a script can be used to repeatedly perform the action that triggers the desired event.
Example: Generating Failed Logon Attempts (Event ID 4625):
# This script will attempt to log on with invalid credentials, generating failed logon events.
# Replace 'InvalidUser' and 'InvalidPassword' with actual invalid credentials.
# Replace 'TargetComputer' with the name of the computer where the event should be generated
# (or use $env:COMPUTERNAME for the local machine).
$username = "InvalidUser"
$password = ConvertTo-SecureString "InvalidPassword" -AsPlainText -Force
$targetComputer = "TargetComputer"
$credential = New-Object System.Management.Automation.PSCredential($username, $password)
# Loop to generate multiple failed logon attempts
for ($i = 0; $i -lt 10; $i++) { # Generates 10 failed logon attempts
    try {
        # Attempt a network logon with invalid credentials (same mechanism as the New-PSSession example below)
        # This will typically generate Event ID 4625 (An account failed to log on) on the target computer
        $null = New-PSSession -ComputerName $targetComputer -Credential $credential -ErrorAction Stop
    } catch {
        # Catching the error to prevent script termination, as the logon is expected to fail.
        Write-Host "Attempt $i failed as expected."
    }
    Start-Sleep -Seconds 1 # Pause to avoid overwhelming the system or event log
}
Failed Logon Attempts: Attempting to log in with incorrect credentials will generate a security event (Event ID 4625 for failed logons).
# This command will intentionally fail to authenticate, generating a failed logon event
New-PSSession -ComputerName localhost -Credential (Get-Credential) -Authentication Negotiate
When prompted, enter incorrect credentials.
Accessing Audited Files/Folders: If auditing is enabled on specific files or folders, attempting to access them will generate security events such as Event ID 4663 for object access.
# Create a dummy file (-Force also creates C:\Temp if it does not exist yet)
New-Item -Path C:\Temp\TestFile.txt -ItemType File -Value "This is a test." -Force
# Attempt to read the file (after enabling object access auditing on C:\Temp)
Get-Content C:\Temp\TestFile.txt
Note: Enabling object access auditing requires configuring Group Policy or local security policy settings.
Modifying Security Policy: Changes to security policies, such as audit policies or user rights assignments, will generate security events such as Event ID 4719 for system audit policy changes.
# This command modifies a local security setting, potentially triggering a log
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "FullPrivilegeAuditing" -Value 1
Running PowerShell Commands (with Script Block Logging Enabled): If PowerShell Script Block Logging is enabled (Event ID 4104), executing PowerShell commands will generate logs detailing the script content.
# This command will be logged if Script Block Logging is enabled
Get-Process | Where-Object {$_.CPU -gt 10}
Note: Script Block Logging needs to be enabled via Group Policy or local policy settings.
Creating or Modifying Scheduled Tasks: Actions related to scheduled tasks can generate security logs (such as Event ID 4698 for a new scheduled task).
# This command creates a new scheduled task, which can generate a security event
Register-ScheduledTask -TaskName "MyTestTask" -Action (New-ScheduledTaskAction -Execute "notepad.exe") -Trigger (New-ScheduledTaskTrigger -Once -At "3:00 PM")
Creating and managing local user accounts
Creating new local user accounts using the New-LocalUser cmdlet will generate security logs. These logs can be helpful in tracking changes to user accounts and identifying suspicious activity.
New-LocalUser -Name "TestUser" -Description "User for testing" -NoPassword
Managing file and folder access
Enabling auditing on files and folders will cause events to be logged when those files or folders are accessed, modified, or deleted.
PowerShell scripts can be used to set up and manage these audit settings on individual files and folders, or on entire network shares.
Example (to view audit flags):
$folderListFile = ".\folder_list.txt"
$folderList = Get-Content $folderListFile
foreach ($folderPath in $folderList) {
    # -Audit is required, otherwise Get-Acl does not read the SACL (audit rules) at all
    $acl = Get-Acl -Path $folderPath -Audit
    Write-Output "Folder Path: $folderPath"
    Write-Output "Audit Flags: $($acl.AuditToString)"
}
Changing computer state
Actions like locking the workstation or restarting the computer can be performed using PowerShell commands and will be recorded in the security logs.
Example (locking a computer):
rundll32.exe user32.dll,LockWorkStation
Windows Systems Logs
To generate system logs using PowerShell, various activities can be performed that trigger specific system events.
Any execution of a PowerShell command or script will generate events in the "Windows PowerShell" event log. This includes starting and stopping the PowerShell engine, loading providers, and, if enabled, details of executed commands or script blocks.
# Example: A simple command that will be logged
Get-Process | Select-Object -First 5
Modifying System Settings
Using PowerShell to modify system settings, such as registry changes, service configurations, or network settings, can trigger events in the System or Security event logs, depending on the nature of the change and the auditing policies in place.
# Example: Changing a registry value (requires elevated privileges)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MyTestApp" -Value "C:\Path\To\MyTestApp.exe"
Managing Services
Starting, stopping, or configuring Windows services using PowerShell will generate events in the System event log.
# Example: Stopping and starting a service
Stop-Service -Name "Spooler" -Force
Start-Service -Name "Spooler"
Windows Application Logs
To generate application logs using PowerShell, register an event source in the Application log and write events to it.
New-EventLog -LogName Application -Source "TestApp"
Write-EventLog -LogName Application -Source "TestApp" -EventId 1001 -EntryType Information -Message "OTel Test Event"
for ($i = 1; $i -le 100; $i++) {
Write-EventLog -LogName Application -Source "TestApp" -EventId 1001 -EntryType Information -Message "OTel Test Event $i"
}
Check Windows Time Zone
This helps to ensure timestamps are consistent during your testing.
Linux
See: Linux Security Logs: Complete Guide for DevOps and SysAdmins.
Here are the main approaches for generating test security and system logs on Linux:
Using logger command
# Generate syslog entries
logger "Test security event: Failed login attempt"
logger -p auth.warning "Suspicious authentication activity detected"
logger -p daemon.error "Service failure simulation"
Manual log entries
# Write directly to log files (as root)
echo "$(date): Test security alert - Unauthorized access attempt" >> /var/log/auth.log
echo "$(date) kernel: Test system error message" >> /var/log/syslog
Security Logs
Here are some Linux security testing capabilities.
SSH brute force simulation
# Generate failed SSH login attempts
for i in {1..5}; do
logger -p auth.warning "sshd[$$]: Failed password for testuser from 192.168.1.100 port 22 ssh2"
done
Sudo violations
logger -p auth.alert "sudo: testuser : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/cat /etc/shadow"
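The logger-based commands above emit events but leave no easy way to tell whether the OTel Collector received all of them. The script below is an added example (it is not part of the original page or of any project the page describes): it builds the same kinds of constructed auth events (failed SSH passwords, a sudo violation) tagged with a run id, sends each through logger when the command is available, keeps a local copy in a sink file, and counts the tagged lines back so the number shown in the collector backend can be compared with a known total. The marker format, the OTEL_TEST_SINK variable and the sink path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): emit a batch of constructed
# security test events carrying a unique run marker, then count them back,
# so the number the OTel Collector ingests can be compared with a known total.
# Assumptions (mine, not the page's): util-linux `logger` may or may not be
# present, and OTEL_TEST_SINK names a writable file used as a local copy.
set -u

# Local copy of everything emitted, so the count works even with no syslog daemon.
SINK="${OTEL_TEST_SINK:-/tmp/otel-test-events.log}"

# RFC 3164-style timestamp, e.g. "Mar  5 14:02:07", as seen in /var/log/auth.log.
syslog_ts() { date '+%b %e %H:%M:%S'; }

# One line in the format sshd uses for a failed password, plus the run marker.
# $1 = run id, $2 = user, $3 = source IP, $4 = source port
ssh_failed_line() {
  printf 'sshd[%d]: Failed password for %s from %s port %s ssh2 [otel-test %s]' \
    "$$" "$2" "$3" "$4" "$1"
}

# One sudo violation line (same message shape as the page's sudo example).
# $1 = run id, $2 = user
sudo_violation_line() {
  printf 'sudo: %s : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/%s ; USER=root ; COMMAND=/bin/cat /etc/shadow [otel-test %s]' \
    "$2" "$2" "$1"
}

# Emit one message: through logger when available, and always to the sink file.
# $1 = priority (facility.level), $2 = message
emit() {
  if command -v logger >/dev/null 2>&1; then
    logger -p "$1" -- "$2" 2>/dev/null || true
  fi
  printf '%s %s %s\n' "$(syslog_ts)" "${HOSTNAME:-localhost}" "$2" >> "$SINK"
}

# Generate N failed SSH logons and one sudo violation, all tagged with the run id.
# $1 = run id, $2 = number of failed logons
generate_batch() {
  i=1
  while [ "$i" -le "$2" ]; do
    emit auth.warning "$(ssh_failed_line "$1" testuser 192.168.1.100 "$((40000 + i))")"
    i=$((i + 1))
  done
  emit auth.alert "$(sudo_violation_line "$1" testuser)"
}

# Count sink lines carrying the run id: the total the collector should show.
# $1 = run id
count_batch() {
  [ -f "$SINK" ] || { echo 0; return; }
  grep -F -c -- "[otel-test $1]" "$SINK" || true
}

# Stand-alone run (`sh generate_batch.sh run`): 5 failed logons + 1 sudo violation.
if [ "${1:-}" = "run" ]; then
  run_id="$(date +%s)-$$"
  generate_batch "$run_id" 5
  echo "run $run_id: $(count_batch "$run_id") events written to $SINK"
fi
```

Run it with `sh generate_batch.sh run`, then search the collector backend for the printed run id: the hit count should equal the number the script reports. The sink file is deliberately written even when logger succeeds, so the same script works on hosts where syslog is delivered through journald rather than a file.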
System Logs
Here are some Linux system testing capabilities.
Service failures
logger -p daemon.err "systemd[1]: test-service.service: Failed with result 'exit-code'"
logger -p kern.crit "kernel: Out of memory: Kill process 1234 (test-process)"
Automated Log Generation
Here are some Linux log generation testing capabilities.
Script for continuous test logs
#!/bin/bash
while true; do
logger -p security.info "Test event: User login from $(shuf -i 1-255 -n 1).$(shuf -i 1-255 -n 1).$(shuf -i 1-255 -n 1).$(shuf -i 1-255 -n 1)"
sleep 30
done
Log Rotation Testing
Here are some Linux log rotation testing capabilities.
Force log rotation to test monitoring systems:
logrotate -f /etc/logrotate.conf
These methods create realistic test data for security monitoring, SIEM systems, and log analysis tools without compromising actual system security.
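Forcing logrotate on the real /etc/logrotate.conf rotates every log on the host. The script below is an added example (not from the original page or any project it describes) that does the same check in isolation: it writes tagged lines to a throw-away log, rotates it with logrotate using a temporary config when the tool is installed (or by hand with the same rename-and-create sequence when it is not), writes more lines, and then verifies that the pre-rotation lines ended up in the .1 file while only the post-rotation lines are in the live file. That is the transition a tailing collector has to follow, so it is the thing worth confirming before testing the monitoring pipeline. The temporary directory, file names and marker words are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): rotate a log file the way
# logrotate does and check where the data landed on each side of the rotation.
# Uses logrotate with a throw-away config when it is installed; otherwise it
# emulates logrotate's default rename-and-create behaviour by hand.
# All paths are created under a temporary directory (constructed for this example).
set -u

# Write N tagged lines to a file, each with an ISO-style timestamp.
# $1 = file, $2 = tag, $3 = count
write_marked_lines() {
  i=1
  while [ "$i" -le "$3" ]; do
    printf '%s %s line %d\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$2" "$i" >> "$1"
    i=$((i + 1))
  done
}

# Rotate $1 in place. $2 = "logrotate" (real tool, temporary config and state file)
# or "manual" (the same rename-and-create sequence done by hand).
rotate_log() {
  log="$1"; mode="${2:-manual}"; dir="$(dirname "$log")"
  if [ "$mode" = "logrotate" ]; then
    cat > "$dir/logrotate.conf" <<EOF
$log {
    rotate 3
    missingok
    notifempty
    create
}
EOF
    # -f forces rotation regardless of size or age; -s keeps state out of /var/lib
    logrotate -f -s "$dir/logrotate.state" "$dir/logrotate.conf"
  else
    mv "$log" "$log.1" && : > "$log"
  fi
}

# Count lines carrying a tag in a file (0 when the file is absent).
# $1 = file, $2 = tag
count_tag() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c -- "$2" "$1" || true
}

# Full check: write "before" lines, rotate, write "after" lines, then print "ok"
# when the old lines are only in .1 and the new lines are only in the live file.
# $1 = mode (see rotate_log); returns 0 on "ok".
rotation_check() {
  dir="$(mktemp -d)"; log="$dir/test.log"
  write_marked_lines "$log" before 3
  rotate_log "$log" "$1" || { echo "rotate-failed"; return 1; }
  write_marked_lines "$log" after 2
  if [ "$(count_tag "$log.1" before)" = 3 ] && [ "$(count_tag "$log" before)" = 0 ] \
     && [ "$(count_tag "$log" after)" = 2 ]; then
    echo ok
  else
    echo mismatch; return 1
  fi
}

# Stand-alone run (`sh rotation_check.sh run`): prefer the real logrotate when present.
if [ "${1:-}" = "run" ]; then
  if command -v logrotate >/dev/null 2>&1; then rotation_check logrotate; else rotation_check manual; fi
fi
```

Point the collector's file input at the temporary log printed by the script (or copy the "before"/"after" tags into a log it already watches) and confirm that all five tagged lines arrive: a gap after the rotation means the receiver kept reading the renamed file instead of the newly created one.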
macOS
This section is reserved for macOS. Updates will follow based on available macOS functionality.
Resources
For additional guidance and detailed information, refer to the following resources:
Tools for Testing and Validation
PowerShell for Windows Event Generation: Microsoft documentation on using PowerShell to generate test logs for validating OTel configurations.
Linux Logger Command: Manual page for the logger command to generate test logs on Linux systems.
Logrotate Documentation: Guide to configuring log rotation for testing Linux log monitoring.