# /var/ossec/bin/ossec-control enable integrator
# /var/ossec/bin/ossec-control restart
In ossec.conf I added:
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/G03M3Pw325346457568</hook_url>
</integration>
# tail -f /var/ossec/logs/integrations.log
Mon May 14 20:41:09 UTC 2018 /var/ossec/integrations/slack /tmp/slack-1526330469--304009402.alert https://hooks.slack.com/services/G03M3Pw325346457568
Mon May 14 20:41:10 UTC 2018 /var/ossec/integrations/slack Slack integration ran successfully
but when I check the service status I see this -
# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
wazuh-modulesd is running...
wazuh-db is running...
ossec-integratord: Process 10104 not used by ossec, removing...
ossec-integratord not running...
What does this mean?
Am I missing anything here? Please let us know.
Thank you in advance
SR
<!-- Integration with Slack -->
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/T000/B000/XXXXX</hook_url>
<level>10</level>
<group>multiple_drops|authentication_failures</group>
<alert_format>json</alert_format>
</integration>
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/T000/B000/XXXXX</hook_url>
<level>4</level>
<alert_format>json</alert_format>
</integration>
Here, when we say level 4, does it mean it will send alerts to Slack which are level 4 and above, like <alert_level> in ossec.conf? Please confirm.
Thanks,
SR
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/xxxxxxxx/xxxxxxg45U7feXiS14nMLk...</hook_url>
<level>4</level>
<alert_format>json</alert_format>
</integration>
# systemctl status wazuh-manager
● wazuh-manager.service - SYSV: Starts and stops Wazuh (Host Intrusion Detection System)
Loaded: loaded (/etc/rc.d/init.d/wazuh-manager; bad; vendor preset: disabled)
Active: active (running) since Thu 2018-05-17 21:50:39 UTC; 2min 26s ago
Docs: man:systemd-sysv-generator(8)
Process: 21086 ExecStop=/etc/rc.d/init.d/wazuh-manager stop (code=exited, status=0/SUCCESS)
Process: 21206 ExecStart=/etc/rc.d/init.d/wazuh-manager start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/wazuh-manager.service
├─ 8880 /var/ossec/bin/ossec-integratord
├─20603 sh -c /var/ossec/integrations/slack '/tmp/slack-1526593799--380026459.alert' '' 'https://hooks.slack.com/services/xxxxxxxx/xxxxxxg45U7feXiS14nMLk......
├─20604 /bin/sh /var/ossec/integrations/slack /tmp/slack-1526593799--380026459.alert https://hooks.slack.com/services/xxxxxxxx/xxxxxxg45U7feXiS14nMLk...
└─20612 curl -s --data @/tmp/tmp.gfwkWav97l https://hooks.slack.com/services/xxxxxxxx/xxxxxxg45U7feXiS14nMLk...
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxxxxxxx</hook_url>
<alert_format>json</alert_format>
<level>4</level>
</integration>
# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
wazuh-modulesd is running...
wazuh-db is running...
ossec-integratord is running...
What is blocking the alerts from being sent to Slack? Could you please help in resolving the issue?
Thanks,
SR
2018/08/28 18:54:00 ossec-integratord: DEBUG: sending new alert.
2018/08/28 18:54:00 ossec-integratord: DEBUG: skipping: integration disabled
2018/08/28 18:54:00 ossec-integratord: DEBUG: jqueue_next()
2018/08/28 18:54:00 ossec-integratord: DEBUG: sending new alert.
2018/08/28 18:54:00 ossec-integratord: DEBUG: skipping: integration disabled
2018/08/28 18:54:00 ossec-integratord: DEBUG: jqueue_next()
2018/08/28 18:54:00 ossec-integratord: DEBUG: sending new alert.
2018/08/28 18:54:00 ossec-integratord: DEBUG: skipping: integration disabled
But when I check the status -
# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
wazuh-modulesd is running...
wazuh-db is running...
ossec-integratord is running...
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f8ddbf54-0892-4672-8a44-3c5f13f6dd56%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
wazuh-modulesd is running...
wazuh-db is running...
ossec-integratord is running...
If I can get a flag showing whether the integrator is enabled, I will use it as a condition in my Puppet code and enable it if the flag does not exist.
Thanks,
SR
Hi SR,
# ls -la /var/ossec/integrations/
total 16
drwxr-x---. 2 root ossec 54 Jul 13 00:58 .
drwxr-x---. 19 root ossec 258 Jun 18 14:19 ..
-rwxr-x---. 1 root ossec 1343 Jun 18 14:19 pagerduty
-rwxr-x---. 1 root ossec 3269 Jun 18 14:19 slack
-rwxr-x---. 1 root ossec 6353 Jun 18 14:19 virustotal
# curl -o /var/ossec/integrations/slack https://raw.githubusercontent.com/wazuh/wazuh/v3.3.1/integrations/slack
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3269 100 3269 0 0 5393 0 --:--:-- --:--:-- --:--:-- 5394
Thanks,
SR
# ps ax | grep ossec-integratord
30653 ? S 0:00 /var/ossec/bin/ossec-integratord
30726 pts/2 S+ 0:00 /var/ossec/bin/ossec-integratord -fdd
30728 pts/0 S+ 0:00 grep --color=auto ossec-integratord
2018/08/31 17:21:44 ossec-integratord: DEBUG: file /tmp/slack-1535736104--1134160914.alert was written.
2018/08/31 17:21:44 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1535736104--1134160914.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx' > /dev/null 2>&1
2018/08/31 17:21:44 ossec-integratord: DEBUG: Command run succesfully
2018/08/31 17:21:44 ossec-integratord: DEBUG: jqueue_next()
2018/08/31 17:21:44 ossec-integratord: DEBUG: sending new alert.
2018/08/31 17:21:44 ossec-integratord: DEBUG: file /tmp/slack-1535736104-1814661256.alert was written.
2018/08/31 17:21:44 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1535736104-1814661256.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx' > /dev/null 2>&1
2018/08/31 17:21:45 ossec-integratord: DEBUG: Command run succesfully
2018/08/31 17:21:45 ossec-integratord: DEBUG: jqueue_next()
2018/08/31 17:21:45 ossec-integratord: DEBUG: sending new alert.
2018/08/31 17:21:45 ossec-integratord: DEBUG: file /tmp/slack-1535736105-365899966.alert was written.
2018/08/31 17:21:45 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1535736105-365899966.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx' > /dev/null 2>&1
Why is it discarding the alerts to be sent?
Thanks,
SR
2018/09/04 23:42:54 ossec-integratord: DEBUG: file /tmp/slack-1536104574-900638155.alert was written.
2018/09/04 23:42:54 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1536104574-900638155.alert' '' 'https://hooks.slack.com/services/T03M3P565/xxxxxxxxxxxxxxxxxx' > /dev/null 2>&1
2018/09/04 23:42:54 ossec-integratord: DEBUG: Command run succesfully
2018/09/04 23:42:54 ossec-integratord: DEBUG: jqueue_next()
# pip list
backports.ssl-match-hostname (3.4.0.2)
certifi (2018.1.18)
chardet (3.0.4)
configobj (4.7.2)
decorator (3.4.0)
docopt (0.6.2)
idna (2.6)
iniparse (0.4)
ldap (1.0.2)
ldap3 (2.4.1)
perf (0.1)
pip (8.1.2)
pyasn1 (0.4.2)
pycurl (7.19.0)
pygobject (3.22.0)
pygpgme (0.3)
pyliblzma (0.5.3)
pymongo (3.6.1)
python-linux-procfs (0.4.9)
pyudev (0.15)
pyxattr (0.5.1)
requests (2.18.4)
schedutils (0.4)
setuptools (0.9.8)
six (1.9.0)
slip (0.4.0)
slip.dbus (0.4.0)
SSSDConfig (1.15.2)
urlgrabber (3.10)
urllib3 (1.22)
yum-metadata-parser (1.1.4)
# yum install python-requests
Determining fastest mirrors
Package python-requests-2.6.0-1.el7_1.noarch already installed and latest version
Nothing to do
Thanks,
SR
# pip
pip pip2 pip2.7
Thanks,
SR
--Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
# pip list | grep requests
requests 2.18.4
# pip list | grep urllib3
urllib3 1.21.1
# pip list | grep chardet
chardet 3.0.4
Thanks,
SR
2018/09/05 22:03:32 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 22:03:32 ossec-integratord: DEBUG: sending new alert.
2018/09/05 22:03:32 ossec-integratord: DEBUG: skipping: integration disabled
When I check below, I see integrator is still up.
# ps aux | grep integrator
ossecm 16033 0.0 0.0 19336 1008 ? S 18:04 0:01 /var/ossec/bin/ossec-integratord
ossecm 20601 0.0 0.0 19336 1392 pts/1 S+ 20:54 0:01 /var/ossec/bin/ossec-integratord -fdd
root 22394 0.0 0.0 112668 980 pts/2 S+ 22:03 0:00 grep --color=auto integrator
If I run this command manually, it sends the alert message -
/var/ossec/integrations/slack '/tmp/alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxx'
Does the Slack integration have any open issue? Please let me know.
Thanks,
SR
Now, the reason for that happening might be several:
1- The permissions of the file aren't correct, so the ossec user can't execute the script
2018/09/05 22:03:32 ossec-integratord: DEBUG: skipping: integration disabled
2018/09/05 21:38:06 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:07 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:08 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:09 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:10 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:11 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:12 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:12 ossec-integratord: DEBUG: sending new alert.
2018/09/05 21:38:12 ossec-integratord: DEBUG: file /tmp/slack-1536183492--1312863239.alert was written.
2018/09/05 21:38:12 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1536183492--1312863239.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxx' > /dev/null 2>&1
2018/09/05 21:38:12 ossec-integratord: ERROR: Unable to run integration for slack -> /var/ossec/integrations/slack
2018/09/05 21:38:12 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:12 ossec-integratord: DEBUG: sending new alert.
2018/09/05 21:38:12 ossec-integratord: DEBUG: skipping: integration disabled
I am running version 3.3.1.
How can I resolve this issue? Which permission do I need to fix?
Thanks,
SR
# ls -la /var/ossec/integrations
total 16
drwxr-x---. 2 root ossec 54 Sep 6 23:30 .
drwxr-x---. 19 root ossec 258 Jun 18 14:19 ..
-rwxr-x---. 1 root ossec 1343 Jun 18 14:19 pagerduty
-rwxr-x---. 1 root ossec 3269 Sep 6 23:30 slack
-rwxr-x---. 1 root ossec 6353 Jun 18 14:19 virustotal
# /var/ossec/integrations/slack '/tmp/slack.alert' '' 'https://hooks.slack.com/services/xxxxxxxx'
Traceback (most recent call last):
File "/var/ossec/integrations/slack", line 128, in <module>
main(sys.argv)
File "/var/ossec/integrations/slack", line 54, in main
json_alert = json.load(alert_file)
File "/usr/lib64/python2.7/json/__init__.py", line 290, in load
**kw)
File "/usr/lib64/python2.7/json/__init__.py", line 338, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python2.7/json/decoder.py", line 366, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python2.7/json/decoder.py", line 384, in raw_decode
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
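Both failure modes that surface in this thread (the execute-permission item in the reply above, and the json.load traceback from the manual run against /tmp/slack.alert) can be checked against a scratch copy before touching the daemon. This is an added example, not code from the thread or from Wazuh; the script path, the alert path and the gid standing in for the ossec group are all parameters.

```python
"""Added diagnostic (not Wazuh's code): mirrors the two checks this thread needs."""
import json
import os
import stat
import tempfile


def diagnose(script_path, alert_path, integrator_gid):
    """Return 'ok', or the first reason an integration run would fail."""
    try:
        st = os.stat(script_path)
    except OSError:
        return "missing script: %s" % script_path
    mode = stat.S_IMODE(st.st_mode)
    # ossec-integratord does not run as root, so the x bit must come from the
    # matching group (thread listing: root:ossec, mode 750) or from 'other';
    # a root-only 700 is what yields "Unable to run integration for slack".
    runnable = (st.st_gid == integrator_gid and mode & stat.S_IXGRP) or mode & stat.S_IXOTH
    if not runnable:
        return "script not executable by gid %d: mode %o, gid %d" % (integrator_gid, mode, st.st_gid)
    # The script's first action is json.load on argv[1]; a hand-made file that
    # is not JSON fails exactly as the traceback in the thread shows.
    try:
        with open(alert_path) as fh:
            json.load(fh)
    except IOError:
        return "missing alert file: %s" % alert_path
    except ValueError as exc:
        return "alert file is not JSON: %s" % exc
    return "ok"


def demo():
    """Constructed fixtures: script at mode 700 vs 750, non-JSON vs JSON alert."""
    work = tempfile.mkdtemp()
    script = os.path.join(work, "slack")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    bad_alert = os.path.join(work, "slack.alert")
    with open(bad_alert, "w") as fh:
        fh.write("not json at all\n")               # like an empty /tmp/slack.alert
    good_alert = os.path.join(work, "good.alert")
    with open(good_alert, "w") as fh:
        json.dump({"rule": {"level": 4, "description": "constructed alert"}}, fh)
    gid = os.getgid()                               # stands in for the ossec group
    os.chmod(script, 0o700)
    root_only = diagnose(script, good_alert, gid)
    os.chmod(script, 0o750)
    return {"root_only": root_only,
            "bad_json": diagnose(script, bad_alert, gid),
            "good": diagnose(script, good_alert, gid)}
```

On a real manager, point `diagnose` at /var/ossec/integrations/slack, a copy of a line from alerts.json, and the gid of the ossec group.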