Hi Mark W,

The Slack integration was updated some days ago in Wazuh and it will be 
included in the new release 3.2.2. 
https://github.com/wazuh/wazuh/pull/443

However, you can download and use the new script if you are running Wazuh 
version 3.0 or newer in your manager.
You only need to add the tag <alert_format>json</alert_format> in the 
configuration and replace the script in */var/ossec/integrations*

Best regards,
Alberto Marin
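As an added example (not Wazuh's own integration script and not code from either poster), this is how a JSON alert of the kind enabled by <alert_format>json</alert_format> can be turned into a Slack payload that includes the agent name; the two sample alerts are constructed, and treating an alert without an agent block as coming from the manager is an assumption:

```python
import json

# Constructed sample alerts in the shape of Wazuh's JSON alert format (not real alerts).
AGENT_ALERT = json.dumps({
    "timestamp": "2018-03-15T19:05:41-0400",
    "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
    "agent": {"id": "001", "name": "web01", "ip": "10.0.0.5"},
    "location": "syscheck",
    "full_log": "Integrity checksum changed for: '/path/to/test/file'\nSize changed from '91' to '100'",
})
MANAGER_ALERT = json.dumps({
    "timestamp": "2018-03-15T19:06:02-0400",
    "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
    "location": "syscheck",
    "full_log": "Integrity checksum changed for: '/var/ossec/etc/ossec.conf'",
})


def build_slack_payload(alert_json):
    """Turn one JSON alert into the dict a Slack webhook accepts as its body.

    The agent block carries the hostname that the shell script could not
    reach; json.dumps (in render_payload) escapes newlines, quotes and
    backticks, so no manual double-escaping of the text is needed.
    """
    alert = json.loads(alert_json)
    agent = alert.get("agent") or {}
    rule = alert.get("rule") or {}
    host = agent.get("name") or "manager"  # assumption: no agent block means the manager itself
    lines = [
        f"{alert.get('timestamp', '')} {alert.get('location', '')}",
        f"Rule:{rule.get('id', '')} (level {rule.get('level', '')}): {rule.get('description', '')}",
        f"Agent: {host} ({agent.get('ip', 'n/a')})",
        alert.get("full_log", ""),
    ]
    text = "Wazuh Alert\n```\n" + "\n".join(lines) + "\n```"
    return {"username": f"Wazuh integration from {host}", "icon_emoji": ":ghost:", "text": text}


def render_payload(alert_json):
    """Serialize the payload; this string is the body to POST to the webhook URL."""
    return json.dumps(build_slack_payload(alert_json))


if __name__ == "__main__":
    print(render_payload(AGENT_ALERT))
```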

On Thursday, March 15, 2018 at 5:33:02 PM UTC-7, Mark W. wrote:
>
> Hey Guys a couple of things
>
> 1. I've configured a test instance of the Wazuh fork with 2 agents, and 
> I've configured the slack webhook integration successfully. However the 
> alerts generated do not provide the hostname of the agent that generated 
> the alert. I've tried to determine where the hostname exists. Is it 
> possible to deliver the payload in a custom format?
>
> Where do the variables for the slack integration get parsed from? The 
> email notifications for the same alerts do include the hostname, so surely 
> we can pass this to the slack notifier.
>
> I'm using this for file integrity monitoring, and here is the alert I'm 
> producing:
>
>  2018-03-15T19:05:41-0400 syscheck 
>  Rule:550 (level 7): Integrity checksum changed. 
>  IP: 
>  Integrity checksum changed for: /path/to/test/file Size changed from 91 
> to 100 Old md5sum was: c24f35831b5f0f2e44fcbf802e62dd78 New md5sum is : ... 
>
> The $alertlocation variable in /var/ossec/integrations/slack appears to 
> only indicate the module for the check (in this case syscheck), and not any 
> identifying information about the server. Is there any way to enable this?
>
>
> 2. It's also worth noting that the integration does not parse correctly 
> for slack. The newline returns need to be double escaped to function 
> correctly, and the backticks for the preformatted text need spaces around 
> them:
>
>
> echo 'payload={"username":"OSSEC2slack Integration from '$alertlocation'", "icon_emoji": ":ghost:", "text": "OSSEC Alert \\n ``` '$alertdate $alertlocation' \\n Rule:'$ruleid' (level '$alertlevel'): '$ruledescription' \\n IP:'$srcip' \\n '$alertlog' \\n ``` "}' > $postfile
>
