Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-24 Thread Fredrik Hilmersson
Thanks everyone for the feedback and support. It all made sense and your comment did guide me to resolve it; it wasn't any harder than updating the section and adding the agent ID, e.g.: ossec-slack server,AGENT.ID 7 On Tuesday, 23 May 2017 at

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-24 Thread Fredrik Hilmersson
Thanks everyone for the feedback and support. It all made sense and your comment did guide me to resolve it; it wasn't any harder than updating the section and adding the agent ID, e.g.: ossec-slack local,AGENT.ID 7 Have a nice day and, kind regards, Fredrik On Tuesday

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
I see your point.. I thought you were talking about the integratord. I never tried it using AR, but in your active-response configuration I see: > local It means that OSSEC is going to execute the script in the agent that generated the event. So, you must configure your slack script in
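The point Jesus makes about `<location>` is the whole resolution of this thread, so here is the relevant part of the manager's ossec.conf written out as an added example (constructed for this page, not copied from the thread or from the OSSEC project). The command name `ossec-slack`, the executable `ossec-slack.sh`, the `local` location and the level-7 threshold come from the snippets quoted in the thread; the `defined-agent` variant and its agent ID `001` are placeholders I added to show the third option.

```xml
<!-- Added example for an OSSEC 2.9 manager's ossec.conf; not from the thread. -->

<!-- Command definition, matching the one quoted later in the thread
     ("ossec-slack ossec-slack.sh no"): no timeout, so OSSEC never sends a
     follow-up "delete" action to the script. -->
<command>
  <name>ossec-slack</name>
  <executable>ossec-slack.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<!-- Original setting (only host alerts reached Slack): "local" tells the
     manager to run the command on the agent that generated the alert.
     For agent alerts that means executing ossec-slack.sh on the agent,
     which has neither the script nor the webhook URL; alerts raised by the
     manager itself still run locally on the manager and still reach Slack. -->
<active-response>
  <command>ossec-slack</command>
  <location>local</location>
  <level>7</level>
</active-response>

<!-- Corrected setting: "server" runs the script on the manager for every
     matching alert, whichever agent produced it. The Slack webhook URL
     therefore only has to exist on one host, which is also the least
     exposure for that secret. -->
<active-response>
  <command>ossec-slack</command>
  <location>server</location>
  <level>7</level>
</active-response>

<!-- Alternative: run the command on one named agent regardless of where the
     alert came from. The agent_id is a placeholder; use the ID shown by
     /var/ossec/bin/manage_agents -l on the manager. -->
<active-response>
  <command>ossec-slack</command>
  <location>defined-agent</location>
  <agent_id>001</agent_id>
  <level>7</level>
</active-response>
```

The three `<active-response>` blocks are alternatives, not a set to install together: keep the one whose `<location>` matches where `ossec-slack.sh` and the webhook URL actually live, and restart the manager after editing. The quick check that the setting took effect is that agent alerts now appear in the manager's `active-response.log`, which Fredrik reported was not the case with `local`.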

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello again Jesus, As I did state, so we're not misunderstanding each other, I do not run the wazuh forked version, but the 2.9.0 OSSEC version. These are the configuration settings I've got: ossec-slack.sh SLACKUSER="ossec" CHANNEL="#channel" SITE="https://hooks.slack.com/services/...;

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
Hi Fredrik, this is the flow: - The integrator reads the alerts from alerts*.log filtering by rule_id, level, group or event_location. - It executes the script using the arguments hook_url and api_key. - The slack script sends the alert to slack. Clarification: The host

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Clarification: The host specific alerts are sent to slack but the agent alerts are being ignored.

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello and thanks Jesus, I've read the documentation, however I do not use the forked wazuh version of OSSEC so I'm not sure that the integrator applies? What I want to clarify regarding my issue, so I do not misunderstand the approach. The OSSEC server (host) is the one responsible for sending

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Jesus Linares
Hi Fredrik, check out the documentation about the integrator: https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-integration.html I hope it helps. Regards. On Monday, May 22, 2017 at 4:53:56 PM UTC+2, Fredrik Hilmersson wrote: > > Hello Miguelangel! > > I do not

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Fredrik Hilmersson
Hello Miguelangel! I do not see any new rows regarding the agent-ossec.com (within the host active-response.log, only in the alerts.log). Here's what you asked for from the ../etc/ossec.conf (server host) ossec-slack ossec-slack.sh no

[ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-21 Thread Fredrik Hilmersson
I set up an OSSEC server along with a remote agent. The alert log file is populated with alerts regarding both the host and the agent. However, the integrated slack notification script only sends reports regarding the host. The only difference within the log is how the hostnames are displayed,