Hello and thanks Jesus,

I've read the documentation, however I do not use the forked Wazuh version 
of OSSEC so I'm not sure that the integrator applies? What I want to 
clarify regarding my issue, so I do not misunderstand the approach: the 
OSSEC server (host) is the one responsible for sending the Slack 
notifications, reading from the *alerts.log(?).*

The communication between the host and agent works, as my host alerts.log 
is getting populated with alerts regarding the agent. The issue seems to be 
that the Slack script does not catch these, or do I need to specify 
anything on the agent side for the host to send its alerts, or vice versa?

Kind regards
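As an added example (not from this thread, and not OSSEC's own code), a small Python parser for alerts.log in the standard OSSEC layout, which separates agent alerts, shown as "(agent-ossec.com) ip->location", from manager-local ones, shown as "host-ossec.com->location", and lists which of them reach the level-7 threshold of the quoted <active-response> block. The three alert blocks are constructed sample data; the one-line "2017-05-10, ..." rendering in the original post is treated as shorthand for this layout.

```python
import re
from dataclasses import dataclass

# Constructed sample in the standard OSSEC alerts.log layout (blank-line separated
# blocks): agent events show "(agent) ip->location", manager-local ones "host->location".
SAMPLE_ALERTS = """\
** Alert 1494424800.12345: - pam,syslog,authentication_success,
2017 May 10 16:00:00 host-ossec.com->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'

** Alert 1494424805.12400: mail - syscheck,
2017 May 10 16:00:05 (agent-ossec.com) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'

** Alert 1494424810.12480: - syslog,sshd,authentication_failed,
2017 May 10 16:00:10 (agent-ossec.com) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<alert_id>[\d.]+): ")
ORIGIN_RE = re.compile(  # "(agent) ip->location" or "hostname->location"
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+?))->(?P<location>.+)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\)")

@dataclass
class Alert:
    alert_id: str
    origin: str       # agent name, or the manager's own hostname
    from_agent: bool  # True when a remote agent generated the event
    rule_id: int
    level: int

def parse_alerts(text: str) -> list:
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3: continue  # too short to be an alert block
        h, o, r = HEADER_RE.match(lines[0]), ORIGIN_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (h and o and r):
            continue  # not the expected three-line alert header; skip it
        alerts.append(Alert(h["alert_id"], o["agent"] or o["host"],
                            o["agent"] is not None, int(r["rule"]), int(r["level"])))
    return alerts

def active_response_candidates(alerts, min_level=7):
    """Alerts at or above the <level> threshold in the quoted <active-response>."""
    return [a for a in alerts if a.level >= min_level]
```

Running it against a real alerts.log shows at a glance whether the agent's alerts are present and high enough to qualify, which separates a logging problem from an active-response one.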

On Monday, 22 May 2017 at 18:33:54 UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> check out the documentation about *integrator*: 
> https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-integration.html
>
> I hope it helps.
> Regards.
>
> On Monday, May 22, 2017 at 4:53:56 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello Miguelangel!
>>
>> I do not see any new rows regarding the agent-ossec.com (within the host 
>> active-response.log, only in the alerts.log).
>>
>> Here's what you asked for from the ../etc/ossec.conf (server host)
>>
>>     <command>
>>         <name>ossec-slack</name>
>>         <executable>ossec-slack.sh</executable>
>>         <expect></expect> <!-- no expect args required -->
>>         <timeout_allowed>no</timeout_allowed>
>>     </command>
>>
>>     <active-response>
>>         <command>ossec-slack</command>
>>         <location>local</location>
>>         <level>7</level>
>>     </active-response>
>>
>> Kind regards,
>> Fredrik
>>
>> On Monday, 22 May 2017 at 16:47:54 UTC+2, Miguelangel Freitas wrote:
>>>
>>> Hi Fredrik,
>>>
>>> Can you see in logs/active-responses.log any new row regarding 
>>> (agent-ossec.com)?
>>>
>>> Could you share <command></command> and 
>>> <active-response></active-response> from etc/ossec.conf regarding Slack 
>>> notification? Thanks.
>>>
>>> Regards,
>>>
>>> On Sun, May 21, 2017 at 4:18 PM, Fredrik Hilmersson <
>>> f.hilm...@worldclearing.org> wrote:
>>>
>>>> I set up an OSSEC server along with a remote agent. The alert log file 
>>>> is populated with alerts regarding both the host and the agent. However, 
>>>> the integrated Slack notification script only sends reports regarding the 
>>>> host. The only difference within the log is how the hostnames are 
>>>> displayed, e.g., 2017-05-10, host-ossec.com.. and 2017-05-10, 
>>>> (agent-ossec.com). Is there anything I'm missing regarding my setup 
>>>> which causes the script to dismiss the agent alerts? Any tip or help is 
>>>> greatly appreciated.
>>>>
>>>> Kind regards,
>>>> Fredrik
>>>>
>>>
>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
