Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-24 Thread Fredrik Hilmersson
Thanks everyone for the feedback and support. It all made sense, and your 
comment did guide me to resolve it; it wasn't any harder than updating the 
<active-response> section and adding the agent ID, e.g.:

   <active-response>
     <command>ossec-slack</command>
     <location>server,AGENT.ID</location>
     <level>7</level>
   </active-response>

On Tuesday, 23 May 2017 at 16:18:29 UTC+2, Jesus Linares wrote:
>
> I see your point... I thought you were talking about the *integratord*.
>
> I never tried it using AR, but in your active-response configuration I see:
>
>> <location>local</location>
>
> It means that OSSEC is going to execute the script in the agent that 
> generated the event. So, you must configure your slack script in every 
> agent. I think for this reason Daniel Cid created the integratord. 
>
> I hope it helps.
>
> On Tuesday, May 23, 2017 at 12:46:36 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello again Jesus,
>>
>> As I did state, so we're not misunderstanding each other, I do not run 
>> the wazuh forked version, but the 2.9.0 OSSEC version.
>> These are the configuration settings I've got:
>>
>> ossec-slack.sh
>>
>> SLACKUSER="ossec"
>> CHANNEL="#channel"
>> SITE="https://hooks.slack.com/services/..."
>> SOURCE="ossec2slack"
>>
>> ossec.conf
>>
>> <command>
>>   <name>ossec-slack</name>
>>   <executable>ossec-slack.sh</executable>
>>   <expect></expect>
>>   <timeout_allowed>no</timeout_allowed>
>> </command>
>>
>> <active-response>
>>   <command>ossec-slack</command>
>>   <location>local</location>
>>   <level>7</level>
>> </active-response>
>>
>> Kind regards,
>> Fredrik
>>
>> On Tuesday, 23 May 2017 at 11:08:51 UTC+2, Jesus Linares wrote:
>>>
>>> Hi Fredrik,
>>>
>>> This is the flow:
>>>
>>> - The integrator reads the alerts from *alerts.log*, filtering by 
>>> *rule_id*, *level*, *group* or *event_location*.
>>> - It executes the script using the arguments *hook_url* and *api_key*.
>>> - The slack script sends the alert to slack.
>>>
>>>> Clarification: The host specific alerts are sent to slack but the agent 
>>>> alerts are being ignored.
>>>
>>> Review your integrator configuration; maybe you have a filter to get 
>>> only alerts in the current host. Share the config here.
>>>
>>> Regards.
>>>
>>>
>>> On Tuesday, May 23, 2017 at 10:55:55 AM UTC+2, Fredrik Hilmersson wrote:
>>>>
>>>> Clarification: The host specific alerts are sent to slack but the agent 
>>>> alerts are being ignored.
>>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-24 Thread Fredrik Hilmersson
Thanks everyone for the feedback and support. It all made sense, and your 
comment did guide me to resolve it; it wasn't any harder than updating the 
<active-response> section and adding the agent ID, e.g.:

   <active-response>
     <command>ossec-slack</command>
     <location>local,AGENT.ID</location>
     <level>7</level>
   </active-response>

Have a nice day and,
Kind regards

Fredrik
On Tuesday, 23 May 2017 at 16:18:29 UTC+2, Jesus Linares wrote:
>
> I see your point... I thought you were talking about the *integratord*.
>
> I never tried it using AR, but in your active-response configuration I see:
>
>> <location>local</location>
>
> It means that OSSEC is going to execute the script in the agent that 
> generated the event. So, you must configure your slack script in every 
> agent. I think for this reason Daniel Cid created the integratord. 
>
> I hope it helps.
>
> On Tuesday, May 23, 2017 at 12:46:36 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello again Jesus,
>>
>> As I did state, so we're not misunderstanding each other, I do not run 
>> the wazuh forked version, but the 2.9.0 OSSEC version.
>> These are the configuration settings I've got:
>>
>> ossec-slack.sh
>>
>> SLACKUSER="ossec"
>> CHANNEL="#channel"
>> SITE="https://hooks.slack.com/services/..."
>> SOURCE="ossec2slack"
>>
>> ossec.conf
>>
>> <command>
>>   <name>ossec-slack</name>
>>   <executable>ossec-slack.sh</executable>
>>   <expect></expect>
>>   <timeout_allowed>no</timeout_allowed>
>> </command>
>>
>> <active-response>
>>   <command>ossec-slack</command>
>>   <location>local</location>
>>   <level>7</level>
>> </active-response>
>>
>> Kind regards,
>> Fredrik
>>
>> Den tisdag 23 maj 2017 kl. 11:08:51 UTC+2 skrev Jesus Linares:
>>>
>>> Hi Fredrik,
>>>
>>> this is the flow:
>>>
>>>- The integrator reads the alerts from alerts*.log *filtering by 
>>>*rule_id*, *level*, *group *or *event_location*.
>>>- It executes the script using the arguments *hook_url *and *api_key*
>>>.
>>>- The slack script send the alert to slack.
>>>
>>> Clarification: The host specific alerts are sent to slack but the agent 
 alerts are being ignored.
>>>
>>> Review your integrator configuration, maybe you have a filter to get 
>>> only alerts in the current host. Share here the config.
>>>
>>> Regards.
>>>
>>>
>>> On Tuesday, May 23, 2017 at 10:55:55 AM UTC+2, Fredrik Hilmersson wrote:

 Clarification: The host specific alerts are sent to slack but the agent 
 alerts are being ignored.

>>>



Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
I see your point... I thought you were talking about the *integratord*.

I never tried it using AR, but in your active-response configuration I see:

> <location>local</location>

It means that OSSEC is going to execute the script in the agent that 
generated the event. So, you must configure your slack script in every 
agent. I think for this reason Daniel Cid created the integratord. 


I hope it helps.

On Tuesday, May 23, 2017 at 12:46:36 PM UTC+2, Fredrik Hilmersson wrote:
>
> Hello again Jesus,
>
> As I did state, so we're not misunderstanding each other, I do not run the 
> wazuh forked version, but the 2.9.0 OSSEC version.
> These are the configuration settings I've got:
>
> ossec-slack.sh
>
> SLACKUSER="ossec"
> CHANNEL="#channel"
> SITE="https://hooks.slack.com/services/..."
> SOURCE="ossec2slack"
>
> ossec.conf
>
> <command>
>   <name>ossec-slack</name>
>   <executable>ossec-slack.sh</executable>
>   <expect></expect>
>   <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
>   <command>ossec-slack</command>
>   <location>local</location>
>   <level>7</level>
> </active-response>
>
> Kind regards,
> Fredrik
>
> On Tuesday, 23 May 2017 at 11:08:51 UTC+2, Jesus Linares wrote:
>>
>> Hi Fredrik,
>>
>> This is the flow:
>>
>> - The integrator reads the alerts from *alerts.log*, filtering by 
>> *rule_id*, *level*, *group* or *event_location*.
>> - It executes the script using the arguments *hook_url* and *api_key*.
>> - The slack script sends the alert to slack.
>>
>>> Clarification: The host specific alerts are sent to slack but the agent 
>>> alerts are being ignored.
>>
>> Review your integrator configuration; maybe you have a filter to get only 
>> alerts in the current host. Share the config here.
>>
>> Regards.
>>
>>
>> On Tuesday, May 23, 2017 at 10:55:55 AM UTC+2, Fredrik Hilmersson wrote:
>>>
>>> Clarification: The host specific alerts are sent to slack but the agent 
>>> alerts are being ignored.
>>>
>>

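The two placements of the active-response script side by side, as an added illustration that is not from the thread; it assumes OSSEC's documented `<location>` values `local` and `server`. With `local` the script runs on whichever host raised the alert, so every agent needs its own copy of ossec-slack.sh and the webhook URL; with `server` it runs on the manager, where the single script and its SITE webhook already live.

```xml
<!-- Runs on the host that generated the alert: every agent needs the script and the webhook URL -->
<active-response>
  <command>ossec-slack</command>
  <location>local</location>
  <level>7</level>
</active-response>

<!-- Runs on the manager for alerts from any agent: one script, one webhook secret to protect -->
<active-response>
  <command>ossec-slack</command>
  <location>server</location>
  <level>7</level>
</active-response>
```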


Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello again Jesus,

As I did state, so we're not misunderstanding each other, I do not run the 
wazuh forked version, but the 2.9.0 OSSEC version.
These are the configuration settings I've got:

ossec-slack.sh

SLACKUSER="ossec"
CHANNEL="#channel"
SITE="https://hooks.slack.com/services/..."
SOURCE="ossec2slack"

ossec.conf

   <command>
     <name>ossec-slack</name>
     <executable>ossec-slack.sh</executable>
     <expect></expect>
     <timeout_allowed>no</timeout_allowed>
   </command>

   <active-response>
     <command>ossec-slack</command>
     <location>local</location>
     <level>7</level>
   </active-response>

Kind regards,
Fredrik

On Tuesday, 23 May 2017 at 11:08:51 UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> This is the flow:
>
> - The integrator reads the alerts from *alerts.log*, filtering by 
> *rule_id*, *level*, *group* or *event_location*.
> - It executes the script using the arguments *hook_url* and *api_key*.
> - The slack script sends the alert to slack.
>
>> Clarification: The host specific alerts are sent to slack but the agent 
>> alerts are being ignored.
>
> Review your integrator configuration; maybe you have a filter to get only 
> alerts in the current host. Share the config here.
>
> Regards.
>
>
> On Tuesday, May 23, 2017 at 10:55:55 AM UTC+2, Fredrik Hilmersson wrote:
>>
>> Clarification: The host specific alerts are sent to slack but the agent 
>> alerts are being ignored.
>>
>



Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
Hi Fredrik,

This is the flow:

   - The integrator reads the alerts from *alerts.log*, filtering by 
   *rule_id*, *level*, *group* or *event_location*.
   - It executes the script using the arguments *hook_url* and *api_key*.
   - The slack script sends the alert to slack.

> Clarification: The host specific alerts are sent to slack but the agent 
> alerts are being ignored.

Review your integrator configuration; maybe you have a filter to get only 
alerts in the current host. Share the config here.

Regards.


On Tuesday, May 23, 2017 at 10:55:55 AM UTC+2, Fredrik Hilmersson wrote:
>
> Clarification: The host specific alerts are sent to slack but the agent 
> alerts are being ignored.
>

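The integrator flow Jesus describes (read alerts.log, filter, hand the alert to the slack script), as an added example that is not part of this thread or of OSSEC's or Wazuh's own integrator code. It parses both location formats Fredrik noticed in alerts.log (manager alerts as `host->log`, agent alerts as `(agent) ip->log`), keeps either kind once it reaches the configured level, and builds the webhook payload. The alerts.log sample is constructed; the level 7 threshold and the channel/username values mirror the configuration posted in the thread.

```python
import re

# Constructed sample in OSSEC alerts.log layout (not taken from the thread): the
# first alert was raised on the manager, the second relayed by an agent.
SAMPLE_ALERTS = """\
** Alert 1494410000.1000: - syslog,sshd,authentication_failed,
2017 May 10 12:00:00 host-ossec.com->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
May 10 12:00:00 host-ossec sshd[11]: Failed password for root from 192.0.2.10

** Alert 1494410060.2000: - syslog,sshd,authentication_failures,
2017 May 10 12:01:00 (agent-ossec.com) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
"""

HEADER_RE = re.compile(r"^\*\* Alert (\S+): - (.*)$")
# Manager alerts read "host->log"; agent alerts read "(agent) ip->log".
LOCATION_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>[^\s>]+))->(?P<log>\S+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Turn alerts.log text into dicts; 'agent' is None for manager alerts."""
    alerts = []
    for chunk in text.split("** Alert ")[1:]:
        lines = ("** Alert " + chunk).strip().splitlines()
        head = HEADER_RE.match(lines[0])
        alert = {"id": head.group(1), "groups": head.group(2).strip(",").split(","),
                 "agent": None, "host": None, "rule": None, "level": None,
                 "description": None}
        for line in lines[1:]:
            loc, rule = LOCATION_RE.match(line), RULE_RE.match(line)
            if loc:  # raw log lines below the header never match this pattern
                alert["agent"], alert["host"] = loc.group("agent"), loc.group("host")
            elif rule:
                alert["rule"], alert["level"] = rule.group(1), int(rule.group(2))
                alert["description"] = rule.group(3)
        alerts.append(alert)
    return alerts


def select_alerts(alerts, min_level=7):
    """Keep alerts at or above min_level from manager and agents alike; a filter
    on the manager's own hostname at this point is what would drop agent alerts."""
    return [a for a in alerts if a["level"] is not None and a["level"] >= min_level]


def slack_payload(alert, channel="#channel", username="ossec"):
    """Build the incoming-webhook JSON body; origin is the agent when there is one."""
    origin = alert["agent"] or alert["host"]
    text = (f"OSSEC alert {alert['id']} on {origin}: rule {alert['rule']} "
            f"(level {alert['level']}) {alert['description']}")
    return {"channel": channel, "username": username, "text": text}
```

The returned dict is what gets POSTed as JSON to the SITE webhook URL from the thread's ossec-slack.sh.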


Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Clarification: The host specific alerts are sent to slack but the agent 
alerts are being ignored.



Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello and thanks Jesus,

I've read the documentation; however, I do not use the forked wazuh version 
of OSSEC, so I'm not sure that the integrator applies. What I want to 
clarify regarding my issue, so I do not misunderstand the approach: the 
OSSEC server (host) is the one responsible for sending the slack 
notifications, reading from the *alerts.log* (?).

The communication between the host and agent works, as my host alerts.log 
is getting populated with alerts regarding the agent. The issue seems to be 
that the slack script does not catch these, or do I need to specify 
anything at the agent side for the host to send its alerts, or vice versa?

Kind regards

On Monday, 22 May 2017 at 18:33:54 UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> check out the documentation about *integrator*: 
> https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-integration.html
>
> I hope it helps.
> Regards.
>
> On Monday, May 22, 2017 at 4:53:56 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello Miguelangel!
>>
>> I do not see any new rows regarding the agent-ossec.com (within the host 
>> active-response.log, only in the alerts.log).
>>
>> Here's what you asked for from the ../etc/ossec.conf (server host)
>>
>> <command>
>>   <name>ossec-slack</name>
>>   <executable>ossec-slack.sh</executable>
>>   <expect></expect>
>>   <timeout_allowed>no</timeout_allowed>
>> </command>
>>
>> <active-response>
>>   <command>ossec-slack</command>
>>   <location>local</location>
>>   <level>7</level>
>> </active-response>
>>
>> Kind regards,
>> Fredrik
>>
>> On Monday, 22 May 2017 at 16:47:54 UTC+2, Miguelangel Freitas wrote:
>>>
>>> Hi Fredrik,
>>>
>>> Can you see in logs/active-responses.log any new row regarding 
>>> (agent-ossec.com)?
>>>
>>> Could you share <command> and <active-response> from etc/ossec.conf 
>>> regarding slack notification? Thanks.
>>>
>>> Regards,
>>>
>>> On Sun, May 21, 2017 at 4:18 PM, Fredrik Hilmersson <
>>> f.hilm...@worldclearing.org> wrote:
>>>
>>>> I set up an OSSEC server along with a remote agent. The alert log file 
>>>> is populated with alerts regarding both the host and the agent. However, 
>>>> the integrated slack notification script only sends reports regarding the 
>>>> host. The only difference within the log is how the hostnames are 
>>>> displayed, e.g., 2017-05-10, host-ossec.com.. and 2017-05-10, 
>>>> (agent-ossec.com). Is there anything I'm missing regarding my setup 
>>>> which causes the script to dismiss the agent alerts? Any tip or help is 
>>>> greatly appreciated.
>>>>
>>>> Kind regards,
>>>> Fredrik


>>>
>>>



Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Jesus Linares
Hi Fredrik,

Check out the documentation about *integrator*: 
https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-integration.html

I hope it helps.
Regards.

On Monday, May 22, 2017 at 4:53:56 PM UTC+2, Fredrik Hilmersson wrote:
>
> Hello Miguelangel!
>
> I do not see any new rows regarding the agent-ossec.com (within the host 
> active-response.log, only in the alerts.log).
>
> Here's what you asked for from the ../etc/ossec.conf (server host)
>
> <command>
>   <name>ossec-slack</name>
>   <executable>ossec-slack.sh</executable>
>   <expect></expect>
>   <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
>   <command>ossec-slack</command>
>   <location>local</location>
>   <level>7</level>
> </active-response>
>
> Kind regards,
> Fredrik
>
> On Monday, 22 May 2017 at 16:47:54 UTC+2, Miguelangel Freitas wrote:
>>
>> Hi Fredrik,
>>
>> Can you see in logs/active-responses.log any new row regarding 
>> (agent-ossec.com)?
>>
>> Could you share <command> and <active-response> from etc/ossec.conf 
>> regarding slack notification? Thanks.
>>
>> Regards,
>>
>> On Sun, May 21, 2017 at 4:18 PM, Fredrik Hilmersson <
>> f.hilm...@worldclearing.org> wrote:
>>
>>> I set up an OSSEC server along with a remote agent. The alert log file 
>>> is populated with alerts regarding both the host and the agent. However, 
>>> the integrated slack notification script only sends reports regarding the 
>>> host. The only difference within the log is how the hostnames are 
>>> displayed, e.g., 2017-05-10, host-ossec.com.. and 2017-05-10, 
>>> (agent-ossec.com). Is there anything I'm missing regarding my setup 
>>> which causes the script to dismiss the agent alerts? Any tip or help is 
>>> greatly appreciated.
>>>
>>> Kind regards,
>>> Fredrik
>>>
>>>
>>
>>



Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Fredrik Hilmersson
Hello Miguelangel!

I do not see any new rows regarding the agent-ossec.com (within the host 
active-response.log, only in the alerts.log).

Here's what you asked for from the ../etc/ossec.conf (server host)



<command>
  <name>ossec-slack</name>
  <executable>ossec-slack.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>ossec-slack</command>
  <location>local</location>
  <level>7</level>
</active-response>

Kind regards,
Fredrik

On Monday, 22 May 2017 at 16:47:54 UTC+2, Miguelangel Freitas wrote:
>
> Hi Fredrik,
>
> Can you see in logs/active-responses.log any new row regarding 
> (agent-ossec.com)?
>
> Could you share <command> and <active-response> from etc/ossec.conf 
> regarding slack notification? Thanks.
>
> Regards,
>
> On Sun, May 21, 2017 at 4:18 PM, Fredrik Hilmersson <
> f.hilm...@worldclearing.org> wrote:
>
>> I set up an OSSEC server along with a remote agent. The alert log file is 
>> populated with alerts regarding both the host and the agent. However, the 
>> integrated slack notification script only sends reports regarding the host. 
>> The only difference within the log is how the hostnames are displayed, 
>> e.g., 2017-05-10, host-ossec.com.. and 2017-05-10, (agent-ossec.com). Is 
>> there anything I'm missing regarding my setup which causes the script to 
>> dismiss the agent alerts? Any tip or help is greatly appreciated.
>>
>> Kind regards,
>> Fredrik
>>
>>
>
>



[ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-21 Thread Fredrik Hilmersson
I set up an OSSEC server along with a remote agent. The alert log file is 
populated with alerts regarding both the host and the agent. However, the 
integrated slack notification script only sends reports regarding the host. 
The only difference within the log is how the hostnames are displayed, 
e.g., 2017-05-10, host-ossec.com.. and 2017-05-10, (agent-ossec.com). Is 
there anything I'm missing regarding my setup which causes the script to 
dismiss the agent alerts? Any tip or help is greatly appreciated.

Kind regards,
Fredrik
