Thanks everyone for the feedback and support. It all made sense and your 
comment did guide me to resolve it, wasn't any harder than updating the 
<location> section and adding the agent ID, e.g.:

    <active-response>
       <command>ossec-slack</command>
       <location>server,AGENT.ID</location>
       <level>7</level>
    </active-response>

On Tuesday, May 23, 2017 at 16:18:29 UTC+2, Jesus Linares wrote:
>
> I see your point. I thought you were talking about the *integratord*.
>
> I never tried it using AR, but in your active-response configuration I see:
>
>> <location>local</location>
>
>
> It means that OSSEC is going to execute the script in the agent that 
> generated the event. So, you must configure your slack script in every 
> agent. I think for this reason Daniel Cid created the integratord. 
> <https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html>
>
> I hope it helps.
>
> On Tuesday, May 23, 2017 at 12:46:36 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello again Jesus,
>>
>> As I did state, so we're not misunderstanding each other, I do not run 
>> the wazuh forked version, but the 2.9.0 OSSEC version.
>> These are the configuration settings I've got:
>>
>> ossec-slack.sh
>>
>>     SLACKUSER="ossec"
>>     CHANNEL="#channel"
>>     SITE="https://hooks.slack.com/services/..."
>>     SOURCE="ossec2slack"
>>
>> ossec.conf
>>
>>     <command>
>>        <name>ossec-slack</name>
>>        <executable>ossec-slack.sh</executable>
>>        <expect></expect> <!-- no expect args required -->
>>        <timeout_allowed>no</timeout_allowed>
>>     </command>
>>
>>     <active-response>
>>        <command>ossec-slack</command>
>>        <location>local</location>
>>        <level>7</level>
>>     </active-response>
>>
>> Kind regards,
>> Fredrik
>>
>> On Tuesday, May 23, 2017 at 11:08:51 UTC+2, Jesus Linares wrote:
>>>
>>> Hi Fredrik,
>>>
>>> this is the flow:
>>>
>>>    - The integrator reads the alerts from alerts.log, filtering by 
>>>      rule_id, level, group or event_location.
>>>    - It executes the script using the arguments hook_url and api_key.
>>>    - The slack script sends the alert to slack.
>>>
>>>> Clarification: The host specific alerts are sent to slack but the agent 
>>>> alerts are being ignored.
>>>
>>> Review your integrator configuration, maybe you have a filter to get 
>>> only alerts in the current host. Share here the config.
>>>
>>> Regards.
>>>
>>>
>>> On Tuesday, May 23, 2017 at 10:55:55 AM UTC+2, Fredrik Hilmersson wrote:
>>>>
>>>> Clarification: The host specific alerts are sent to slack but the agent 
>>>> alerts are being ignored.
>>>>
>>>

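An added configuration example, not posted by anyone in this thread, contrasting the two manager-side ways to avoid the `<location>local</location>` behaviour Jesus describes: an active-response with `<location>server</location>` (documented OSSEC value meaning "run on the OSSEC server for alerts from any agent"), and an `<integration>` block for ossec-integratord (OSSEC 2.9+), which reads alerts.log on the manager and calls the slack script with the hook_url/api_key arguments, filtered by level, rule_id, group or event_location. The hook URL and level are placeholders.

```xml
<ossec_config>
  <!-- Option 1: keep active-response, but run the script on the manager.
       "server" runs ossec-slack.sh on the OSSEC server for alerts coming
       from any agent, so the script only needs to exist (and hold the
       webhook secret) on the manager, not on every agent. -->
  <command>
    <name>ossec-slack</name>
    <executable>ossec-slack.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>ossec-slack</command>
    <location>server</location>
    <level>7</level>
  </active-response>

  <!-- Option 2: ossec-integratord. It tails alerts.log on the manager and
       invokes the slack integration script with hook_url (and api_key when
       set). Only alerts at this level or higher are forwarded; rule_id,
       group and event_location filters can be added the same way. -->
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/REPLACE_WITH_YOUR_HOOK</hook_url>
    <level>7</level>
  </integration>
</ossec_config>
```

Either way the webhook URL is only stored on the manager, which is the host you already protect; with `local` it has to be copied to every agent.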