Hi Alberto, Brilliant! Thanks, it worked perfectly with a nicely formatted notification.
On Friday, March 16, 2018 at 11:41:24 AM UTC-7, [email protected] wrote:
>
> Hi Mark W,
>
> The Slack integration was updated some days ago in Wazuh and it will be included in the new release 3.2.2.
> https://github.com/wazuh/wazuh/pull/443
>
> However, you can download and use the new script if you are running Wazuh version 3.0 or newer in your manager.
> You only need to add the tag <alert_format>json</alert_format> in the configuration and replace the script in */var/ossec/integrations*.
>
> Best regards,
> Alberto Marin
>
> On Thursday, March 15, 2018 at 5:33:02 PM UTC-7, Mark W. wrote:
>>
>> Hey guys, a couple of things:
>>
>> 1. I've configured a test instance of the Wazuh fork with 2 agents, and I've configured the Slack webhook integration successfully. However, the alerts generated do not provide the hostname of the agent that generated the alert. I've tried to determine where the hostname exists. Is it possible to deliver the payload in a custom format?
>>
>> Where do the variables for the Slack integration get parsed from? The email notifications for the same alerts do include the hostname, so surely we can pass this to the Slack notifier.
>>
>> I'm using this for file integrity monitoring, and here is the alert I'm producing:
>>
>> 2018-03-15T19:05:41-0400 syscheck
>> Rule:550 (level 7): Integrity checksum changed.
>> IP:
>> Integrity checksum changed for: /path/to/test/file Size changed from 91 to 100 Old md5sum was: c24f35831b5f0f2e44fcbf802e62dd78 New md5sum is : ...
>>
>> The $alertlocation variable in /var/ossec/integrations/slack appears to only indicate the module for the check (in this case syscheck), and not any identifying information about the server. Is there any way to enable this?
>>
>> 2. It's also worth noting that the integration does not parse correctly for Slack. The newline returns need to be double escaped to function correctly, and the backticks for the preformatted text need spaces around them:
>>
>> echo 'payload={"username":"OSSEC2slack Integration from '$alertlocation'", "icon_emoji": ":ghost:", "text": "OSSEC Alert \\n ``` '$alertdate $alertlocation' \\n Rule:'$ruleid' (level '$alertlevel'): '$ruledescription' \\n IP:'$srcip' \\n '$alertlog' \\n ``` "}' > $postfile
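One way to build the Slack payload from the JSON-format alert that Alberto's reply points to, so that the agent name Mark was missing is included and the "\\n" and backtick escaping problem of the shell script goes away. This is an added example, not the Wazuh project's integration script: the field names (timestamp, agent.id, agent.name, rule.id, rule.level, rule.description, location, full_log, srcip) follow Wazuh's alerts.json, the sample alert is constructed, and the argument order (alert file, API key, webhook URL) is assumed.

```python
import json
import sys
import urllib.request

# Constructed sample in the shape of a Wazuh syscheck JSON alert (not a real event).
SAMPLE_ALERT = {
    "timestamp": "2018-03-15T19:05:41-0400",
    "agent": {"id": "001", "name": "web01"},
    "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
    "location": "syscheck",
    "full_log": ("Integrity checksum changed for: '/path/to/test/file'\n"
                 "Size changed from 91 to 100\n"
                 "Old md5sum was: c24f35831b5f0f2e44fcbf802e62dd78\n"
                 "New md5sum is : <new-md5-placeholder>"),
}

def build_payload(alert):
    """Slack webhook body for one alert. The host is alert["agent"]["name"],
    which the shell script's $alertlocation ("syscheck") never carried; the
    text is serialised by json.dumps, so no manual "\\n" escaping is needed."""
    agent, rule = alert.get("agent", {}), alert.get("rule", {})
    lines = [
        f"{alert.get('timestamp', '-')} {alert.get('location', '-')}",
        f"Rule:{rule.get('id', '-')} (level {rule.get('level', '-')}): "
        f"{rule.get('description', '-')}",
        f"IP:{alert.get('srcip', '-')}",   # syscheck alerts carry no srcip
        alert.get("full_log", "-"),
    ]
    return {
        "username": f"Wazuh alert from {agent.get('name', '-')} "
                    f"(agent {agent.get('id', '-')})",
        "icon_emoji": ":ghost:",
        "text": "Wazuh Alert\n```\n" + "\n".join(lines) + "\n```",
    }

def post_to_slack(hook_url, payload):
    """POST the payload as application/json and return the HTTP status code."""
    req = urllib.request.Request(hook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    # Argument order assumed: alert file, api key (unused here), webhook URL.
    if len(sys.argv) >= 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            post_to_slack(sys.argv[3], build_payload(json.load(fh)))
    else:
        print(json.dumps(build_payload(SAMPLE_ALERT), indent=2))
```

Run without arguments it prints the payload built from the constructed sample; with the three arguments it reads the alert file and posts to the webhook.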
