Hey guys, a couple of things:
1. I've configured a test instance of the Wazuh fork with 2 agents, and
I've configured the slack webhook integration successfully. However the
alerts generated do not provide the hostname of the agent that generated
the alert. I've tried to determine where the hostname exists. Is it
possible to deliver the payload in a custom format?
Where do the variables for the slack integration get parsed from? The email
notifications for the same alerts do include the hostname, so surely we can
pass this to the slack notifier.
I'm using this for file integrity monitoring, and here is the alert I'm
producing:
2018-03-15T19:05:41-0400 syscheck
Rule:550 (level 7): Integrity checksum changed.
IP:
Integrity checksum changed for: /path/to/test/file Size changed from 91 to
100 Old md5sum was: c24f35831b5f0f2e44fcbf802e62dd78 New md5sum is : ...
The $alertlocation variable in /var/ossec/integrations/slack appears to
only indicate the module for the check (in this case syscheck), and not any
identifying information about the server. Is there any way to enable this?
2. It's also worth noting that the integration does not parse correctly for
slack. The newline returns need to be double escaped to function correctly,
and the backticks for the preformatted text need spaces around them:
echo 'payload={"username":"OSSEC2slack Integration from '$alertlocation\
'", "icon_emoji": ":ghost:", "text": "OSSEC Alert \\n ``` '$alertdate \
$alertlocation' \\n Rule:'$ruleid\
' (level '$alertlevel\
'): '$ruledescription' \\n IP:'$srcip' \\n '$alertlog' \\n ``` "}' > $postfile
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
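Added example, not part of the original post and not the OSSEC/Wazuh slack script itself: the integration is a shell script that assembles the Slack JSON by hand, which is exactly where the escaping trouble in point 2 comes from. The snippet below parses an alert in the format quoted above and builds the same payload with a real JSON encoder, so newlines and the ``` fences need no manual double escaping. Field names mirror the script's variables; the hostname handling assumes the location line may carry a "(agent-name) ip->module" prefix, which is an assumption about the alert format and not something the post confirms.

```python
import json
import re

# Constructed sample in the format quoted in the post (no agent name present).
# The long "Integrity checksum changed for" line is kept on one line here.
SAMPLE_ALERT = """2018-03-15T19:05:41-0400 syscheck
Rule:550 (level 7): Integrity checksum changed.
IP:
Integrity checksum changed for: /path/to/test/file Size changed from 91 to 100 Old md5sum was: c24f35831b5f0f2e44fcbf802e62dd78 New md5sum is : ..."""

# Constructed variant whose location line carries an agent name.
# ASSUMPTION: the "(agent) ip->module" prefix is a guess at the format; the post does not show it.
SAMPLE_ALERT_WITH_AGENT = """2018-03-15T19:05:41-0400 (web-01) 10.0.0.5->syscheck
Rule:550 (level 7): Integrity checksum changed.
IP:
Integrity checksum changed for: /path/to/test/file"""

# First line: timestamp, optional "(agent) ip->" prefix, then the module (alertlocation).
LOCATION_RE = re.compile(
    r"^(?P<date>\S+)\s+(?:\((?P<agent>[^)]+)\)\s+(?P<agentip>\S+)->)?(?P<location>\S+)$"
)
# Second line: "Rule:<id> (level <n>): <description>"
RULE_RE = re.compile(r"^Rule:(?P<ruleid>\d+) \(level (?P<level>\d+)\): (?P<desc>.*)$")


def parse_alert(text):
    """Split an alert in the quoted format into the fields the slack script uses."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("alert too short")
    loc = LOCATION_RE.match(lines[0])
    rule = RULE_RE.match(lines[1])
    if not loc or not rule:
        raise ValueError("unrecognised alert header")
    # The "IP:" line may be empty, as in the post's syscheck alert.
    has_ip_line = lines[2].startswith("IP:")
    srcip = lines[2][len("IP:"):].strip() if has_ip_line else ""
    body_start = 3 if has_ip_line else 2
    return {
        "alertdate": loc.group("date"),
        "agent": loc.group("agent"),        # None when the prefix is absent
        "agentip": loc.group("agentip"),
        "alertlocation": loc.group("location"),
        "ruleid": rule.group("ruleid"),
        "alertlevel": rule.group("level"),
        "ruledescription": rule.group("desc"),
        "srcip": srcip,
        "alertlog": "\n".join(lines[body_start:]),
    }


def slack_payload_fields(f):
    """Compose the Slack message as a dict; json.dumps does all the escaping."""
    origin = f["alertlocation"]
    if f["agent"]:  # only available when the location line carries an agent name (assumption)
        origin = f"{f['agent']} ({f['agentip']}) {f['alertlocation']}"
    body = "\n".join([
        f"{f['alertdate']} {origin}",
        f"Rule:{f['ruleid']} (level {f['alertlevel']}): {f['ruledescription']}",
        f"IP:{f['srcip'] or '-'}",
        f["alertlog"],
    ])
    # Fences on their own lines, so the ``` markers are separated from the text.
    return {
        "username": f"OSSEC2slack Integration from {origin}",
        "icon_emoji": ":ghost:",
        "text": "OSSEC Alert\n```\n" + body + "\n```",
    }


def build_slack_payload(f):
    """Serialise the payload; real newlines become \\n in the JSON, never \\\\n."""
    return json.dumps(slack_payload_fields(f))


if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, SAMPLE_ALERT_WITH_AGENT):
        print(build_slack_payload(parse_alert(sample)))
```

The output string is what the script would write to its post file (the original does `> $postfile` and then hands that to curl); the only behavioural change from the hand-built echo is that the encoder, not the author, decides how many backslashes each newline needs.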