Integration with Slack


SR

May 14, 2018, 4:59:50 PM
to Wazuh mailing list
Hi Ossec Team,

I tried to follow these steps:


# /var/ossec/bin/ossec-control enable integrator
# /var/ossec/bin/ossec-control restart
In ossec.conf I added:

 <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/G03M3Pw325346457568</hook_url>
  </integration>

I see these logs:

# tail -f  /var/ossec/logs/integrations.log 
Mon May 14 20:41:09 UTC 2018 /var/ossec/integrations/slack /tmp/slack-1526330469--304009402.alert  https://hooks.slack.com/services/G03M3Pw325346457568    
Mon May 14 20:41:10 UTC 2018 /var/ossec/integrations/slack Slack integration ran successfully



But when I check the service status I see this:


# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
wazuh-modulesd is running...
wazuh-db is running...
ossec-integratord: Process 10104 not used by ossec, removing...
ossec-integratord not running...


What does this mean?



Am I missing anything here? Please let us know.



Thank you in advance 


SR


Alberto Marín

May 14, 2018, 5:35:26 PM
to Wazuh mailing list
Hi SR,

if you are using Wazuh v3.2.2, you need to add <alert_format>json</alert_format> in your configuration, since the new Slack integration uses the JSON format internally.
Example:
<!-- Integration with Slack -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/T000/B000/XXXXX</hook_url>
  <level>10</level>
  <group>multiple_drops|authentication_failures</group>
  <alert_format>json</alert_format>
</integration>

If you are using an older version, please execute ossec-integratord with the debug option to get more information: /var/ossec/bin/ossec-integratord -fdd

Best regards.

SR

May 16, 2018, 9:09:13 AM
to Wazuh mailing list
Hi Alberto,

Now I am able to make it work via my puppet code.

I am using version 3.2.1.

 <integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/T000/B000/XXXXX</hook_url>
  <level>4</level>
  <alert_format>json</alert_format>
 </integration>


Here, when we say level 4, does it mean it will send alerts to Slack which are level 4 and above? Please confirm, like <alert_level> in ossec.conf.


Thanks,

SR

Alberto Marín

May 16, 2018, 2:03:20 PM
to Wazuh mailing list
Hi SR,

the level filter indicates that only alerts with the specified level or above will be pushed to Slack.

You can use more filters as described in the documentation:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/integration.html


Best regards,
Alberto Marin




SR

May 17, 2018, 6:22:50 PM
to Wazuh mailing list
Hi Alberto,

After integrating, I see that it's sending blank OSSEC rules to the Slack channel. After I reverted the changes and restarted OSSEC I see the below.

ossec.conf file content:

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/xxxxxxxx/xxxxxxg45U7feXiS14nMLk...</hook_url>
  <level>4</level>
  <alert_format>json</alert_format>
</integration>





# systemctl status wazuh-manager

wazuh-manager.service - SYSV: Starts and stops Wazuh (Host Intrusion Detection System)
   Loaded: loaded (/etc/rc.d/init.d/wazuh-manager; bad; vendor preset: disabled)
   Active: active (running) since Thu 2018-05-17 21:50:39 UTC; 2min 26s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 21086 ExecStop=/etc/rc.d/init.d/wazuh-manager stop (code=exited, status=0/SUCCESS)
  Process: 21206 ExecStart=/etc/rc.d/init.d/wazuh-manager start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─ 8880 /var/ossec/bin/ossec-integratord
           ├─20603 sh -c /var/ossec/integrations/slack '/tmp/slack-1526593799--380026459.alert' '' 'https://hooks.slack.com/services/xxxxxxxx/xxxxxxg45U7feXiS14nMLk......
           ├─20604 /bin/sh /var/ossec/integrations/slack /tmp/slack-1526593799--380026459.alert https://hooks.slack.com/services/xxxxxxxx/xxxxxxg45U7feXiS14nMLk...
           └─20612 curl -s --data @/tmp/tmp.gfwkWav97l https://hooks.slack.com/services/xxxxxxxx/xxxxxxg45U7feXiS14nMLk...



Then I disabled it: /var/ossec/bin/ossec-control disable integrator

Please let us know why it's sending blank messages.



Thanks,
SR

Alberto Marín

May 17, 2018, 7:50:18 PM
to Wazuh mailing list
Hi SR,

if you are using Wazuh version 3.2.1, you need to remove the line <alert_format>json</alert_format>, because this integration uses the JSON format only from version 3.2.2.

The Slack integration was recently improved with new design and more information in this version.


Best regards,
Alberto Marin


SR

Aug 28, 2018, 11:57:06 AM
to Wazuh mailing list
Hi Wazuh Team,

Now I have Wazuh version 3.3.1 running and thought of enabling the Slack integration.


In the Wazuh manager ossec.conf file I have added the code below:


<integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxxxxxxx</hook_url>
    <alert_format>json</alert_format>
    <level>4</level>
</integration>



Below is the log I see. It posted to Slack only once, and after that it stopped sending to the Slack channel.

# tail -f /var/ossec/logs/integrations.log 
Mon Aug 27 22:53:27 UTC 2018 /tmp/slack-1535410406-1165733187.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx
Mon Aug 27 22:53:28 UTC 2018 /tmp/slack-1535410408-128861643.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx
Mon Aug 27 22:53:30 UTC 2018 /tmp/slack-1535410410-2140320927.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx
Mon Aug 27 22:53:32 UTC 2018 /tmp/slack-1535410411-1025876868.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx
Mon Aug 27 22:53:33 UTC 2018 /tmp/slack-1535410413--700882650.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx
Mon Aug 27 22:53:35 UTC 2018 /tmp/slack-1535410415-829522022.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx
Mon Aug 27 22:53:36 UTC 2018 /tmp/slack-1535410416-1736469271.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx
Mon Aug 27 22:53:38 UTC 2018 /tmp/slack-1535410418--363055627.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx
Mon Aug 27 22:53:40 UTC 2018 /tmp/slack-1535410419--1730157660.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx
Mon Aug 27 22:53:41 UTC 2018 /tmp/slack-1535410421-109713161.alert  https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx


# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
wazuh-modulesd is running...
wazuh-db is running...
ossec-integratord is running...



What is blocking the alerts from being sent to Slack? Could you please help in resolving the issue?


Thanks,

SR

Alberto Marín

Aug 28, 2018, 1:19:56 PM
to Wazuh mailing list
Hi SR,

apparently your configuration is correct.
Please, stop ossec-integratord and execute it with debug mode to get more information:

/var/ossec/bin/ossec-integratord -fdd

Best regards.

SR

Aug 28, 2018, 3:17:07 PM
to Wazuh mailing list
Hi Alberto,


After enabling debug mode I see these logs:

2018/08/28 18:54:00 ossec-integratord: DEBUG: sending new alert.
2018/08/28 18:54:00 ossec-integratord: DEBUG: skipping: integration disabled
2018/08/28 18:54:00 ossec-integratord: DEBUG: jqueue_next()
2018/08/28 18:54:00 ossec-integratord: DEBUG: sending new alert.
2018/08/28 18:54:00 ossec-integratord: DEBUG: skipping: integration disabled
2018/08/28 18:54:00 ossec-integratord: DEBUG: jqueue_next()
2018/08/28 18:54:00 ossec-integratord: DEBUG: sending new alert.
2018/08/28 18:54:00 ossec-integratord: DEBUG: skipping: integration disabled


But when I check the status:

# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
wazuh-modulesd is running...
wazuh-db is running...
ossec-integratord is running...


ossec-integratord is still running. What is disabling the integration? I am using the puppet wazuh module in my setup.


Thanks,
SR

Jose Luis Ruiz

Aug 28, 2018, 3:18:44 PM
to SR, Wazuh mailing list
Hi SR,

Did you install python-requests? It is a dependency for the script.

-- 
Jose Luis Ruiz
@jlruizmlg

SR

Aug 30, 2018, 11:42:51 AM
to Wazuh mailing list
Hi Jose,

I have installed python-requests.

Is there any process or flag I can check to confirm that /var/ossec/bin/ossec-control enable integrator is enabled and working?

Earlier I thought the /var/ossec/bin/ossec-control status result "ossec-integratord is running..." would prove that the integrator is enabled and working.

But in my case, even though it shows running, in the integrator debug log I see 2018/08/28 18:54:00 ossec-integratord: DEBUG: skipping: integration disabled.


# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
wazuh-modulesd is running...
wazuh-db is running...
ossec-integratord is running...


If I get any flag about the integrator being enabled, I will use it as a condition in my puppet code and enable it if this flag does not exist.


Thanks,

SR


migue...@wazuh.com

Aug 30, 2018, 12:25:03 PM
to Wazuh mailing list

Hi SR,

if /var/ossec/bin/ossec-control enable integrator didn't work, please send me the output of this command:

ls -la /var/ossec/integrations/

And make sure the slack integration script is correct doing:


Best regards.

SR

Aug 30, 2018, 1:12:07 PM
to Wazuh mailing list
Hi,

Here is the output:

# ls -la /var/ossec/integrations/
total 16
drwxr-x---.  2 root ossec   54 Jul 13 00:58 .
drwxr-x---. 19 root ossec  258 Jun 18 14:19 ..
-rwxr-x---.  1 root ossec 1343 Jun 18 14:19 pagerduty
-rwxr-x---.  1 root ossec 3269 Jun 18 14:19 slack
-rwxr-x---.  1 root ossec 6353 Jun 18 14:19 virustotal


# curl -o /var/ossec/integrations/slack https://raw.githubusercontent.com/wazuh/wazuh/v3.3.1/integrations/slack
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3269  100  3269    0     0   5393      0 --:--:-- --:--:-- --:--:--  5394



Thanks,

SR

migue...@wazuh.com

Aug 31, 2018, 7:05:05 AM
to Wazuh mailing list
Let's try to reload the wazuh-manager binaries.

To do that:

/var/ossec/bin/ossec-control enable integrator
/var/ossec/bin/ossec-control reload

And after that, run the integrator daemon again in debug mode:

/var/ossec/bin/ossec-integratord -fdd

This way we can check if the integration daemon starts properly this time.
Make sure to stop the debug integrator process; otherwise you may have two instances of the same process running if the first one also started properly.

You can verify there is only one integrator process using:

ps ax | grep ossec-integratord

Let me know if it worked.

SR

Aug 31, 2018, 1:44:18 PM
to Wazuh mailing list
Hi,

I followed the steps.

I will monitor how it goes:

# ps ax | grep ossec-integratord
30653 ?        S      0:00 /var/ossec/bin/ossec-integratord
30726 pts/2    S+     0:00 /var/ossec/bin/ossec-integratord -fdd
30728 pts/0    S+     0:00 grep --color=auto ossec-integratord



In the debug logs I see:

2018/08/31 17:21:44 ossec-integratord: DEBUG: file /tmp/slack-1535736104--1134160914.alert was written.
2018/08/31 17:21:44 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1535736104--1134160914.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx' > /dev/null 2>&1
2018/08/31 17:21:44 ossec-integratord: DEBUG: Command run succesfully
2018/08/31 17:21:44 ossec-integratord: DEBUG: jqueue_next()
2018/08/31 17:21:44 ossec-integratord: DEBUG: sending new alert.
2018/08/31 17:21:44 ossec-integratord: DEBUG: file /tmp/slack-1535736104-1814661256.alert was written.
2018/08/31 17:21:44 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1535736104-1814661256.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx' > /dev/null 2>&1
2018/08/31 17:21:45 ossec-integratord: DEBUG: Command run succesfully
2018/08/31 17:21:45 ossec-integratord: DEBUG: jqueue_next()
2018/08/31 17:21:45 ossec-integratord: DEBUG: sending new alert.
2018/08/31 17:21:45 ossec-integratord: DEBUG: file /tmp/slack-1535736105-365899966.alert was written.
2018/08/31 17:21:45 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1535736105-365899966.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxx' > /dev/null 2>&1



Why is it discarding the alerts to send?



Thanks,

SR

migue...@wazuh.com

Sep 3, 2018, 5:09:21 AM
to Wazuh mailing list
Hi SR,

Those logs are looking good now!

It is not the alerts that are being discarded. What is being sent to /dev/null is the stdout and stderr of the script that sends the alerts to the Slack webhook.

If you change that webhook for your slack app webhook at ossec.conf, it should work correctly.

Remember to reload with /var/ossec/bin/ossec-control reload after you modify ossec.conf.

Best regards.

Rodrigo Montoro

Sep 4, 2018, 7:18:31 AM
to Wazuh mailing list
Hi Miguel,

Another point I noticed: alerts coming from agents don't come with "Agent Name", so it broke the integration. I just made a minor change to keep it working, but I think there is something I need to look at that is not sending the name.

[root@wazuh integrations]# diff slack slack2
89,90c89,90
<     msg['text'] = alert['full_log']
<     agent = { "title":"Agent", "value":"({0}) - {1}".format(alert['agent']['id'],alert['predecoder']['hostname']) }
---
>     msg['text'] = alert.get('full_log')
>     agent = { "title":"Agent", "value":"({0}) - {1}".format(alert['agent']['id'],alert['agent']['name']) }
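Review bot: the replacement on the `<` side still indexes `alert['agent']['id']` and `alert['predecoder']['hostname']` without any guard, so an alert that carries no `predecoder` block (only syslog-style events are pre-decoded) raises KeyError again and the script exits 1, which is exactly the condition that makes ossec-integratord disable the integration; the `<` side also drops the `.get()` fallback on `full_log` that the `>` side had. Suggest keeping `msg['text'] = alert.get('full_log')` and building the agent value as `alert.get('agent', {}).get('name') or alert.get('predecoder', {}).get('hostname', 'unknown')`.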
[root@wazuh integrations]# 

Alert sample

{"timestamp":"2018-09-04T10:58:38.658+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","firedtimes":2,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"]},"agent":{"id":"001"},"manager":{"name":"wazuh"},"id":"1536058718.611877","full_log":"Sep 4 07:58:42 ip-10-7-11-142 sshd[30399]: pam_unix(sshd:session): session opened for user campaignbuilder by (uid=0)","predecoder":{"program_name":"sshd","timestamp":"Sep 4 07:58:42","hostname":"files"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"campaignbuilder","uid":"0"},"location":"/var/log/secure"}

It's "breaking" some views too.

thanks

migue...@wazuh.com

Sep 4, 2018, 9:54:58 AM
to Wazuh mailing list
Hello Rodrigo,

That is a bug in version 3.6.0: https://github.com/wazuh/wazuh/pull/1213
It's fixed in version 3.6.1 that is going to be released today.

Thank you very much for reporting.

Best regards,
Miguel R.

SR

Sep 4, 2018, 2:38:20 PM
to Wazuh mailing list
Hi,


I have the Slack webhook configured already in ossec.conf. Why isn't it sending alerts to my Slack channel? What is stopping it? I am completely blocked.

Could you please help ..

Thanks,
SR

Rodrigo Montoro

Sep 4, 2018, 7:23:34 PM
to Wazuh mailing list
I think you are having the "agent name" issue. The Slack integration uses it when an event comes from an agent, and it disables the Slack integration =(!



Traceback (most recent call last):
  File "/var/ossec/integrations/slackold", line 128, in <module>
    main(sys.argv)
  File "/var/ossec/integrations/slackold", line 59, in main
    msg = generate_msg(json_alert)
  File "/var/ossec/integrations/slackold", line 90, in generate_msg
    agent = { "title":"Agent", "value":"({0}) - {1}".format(alert['agent']['id'],alert['agent']['name']) }
KeyError: 'name'

As Miguel said, they are going to fix it in the next release, or you can edit the slack code as I mentioned.

Change this line at /var/ossec/integrations/slack

agent = { "title":"Agent", "value":"({0}) - {1}".format(alert['agent']['id'],alert['agent']['name']) }

To this

agent = { "title":"Agent", "value":"({0}) - {1}".format(alert['agent']['id'],alert['predecoder']['hostname']) }

Reload OSSEC and everything should work fine.

Hope it helps or use new release when available.

Regards
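The KeyError above comes from indexing `alert['agent']['name']` directly, and the thread also shows the other way the script dies: a non-JSON alert file. As an added example (my own code, not the Wazuh project's slack script), here is a message builder that falls back through agent.name, predecoder.hostname and manager.name instead of raising; the `SAMPLE_ALERT_JSON` is a trimmed copy of the 3.6.0-shaped alert Rodrigo posted, and the function names and the severity colour thresholds are my own choices.

```python
import json
import sys
from typing import Any, Dict

# Constructed sample with the 3.6.0 shape quoted in this thread: "agent" carries
# only an id, the host name lives under "predecoder". Not live data.
SAMPLE_ALERT_JSON = (
    '{"timestamp":"2018-09-04T10:58:38.658+0000",'
    '"rule":{"level":3,"description":"PAM: Login session opened.","id":"5501",'
    '"firedtimes":2,"mail":false,"groups":["pam","syslog","authentication_success"]},'
    '"agent":{"id":"001"},"manager":{"name":"wazuh"},"id":"1536058718.611877",'
    '"full_log":"Sep 4 07:58:42 ip-10-7-11-142 sshd[30399]: pam_unix(sshd:session): '
    'session opened for user campaignbuilder by (uid=0)",'
    '"predecoder":{"program_name":"sshd","timestamp":"Sep 4 07:58:42","hostname":"files"},'
    '"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"campaignbuilder","uid":"0"},'
    '"location":"/var/log/secure"}'
)


def sample_alert() -> Dict[str, Any]:
    """Parse the constructed sample above."""
    return json.loads(SAMPLE_ALERT_JSON)


def agent_label(alert: Dict[str, Any]) -> str:
    """Return "(id) - name", falling back through agent.name, predecoder.hostname
    and manager.name so a missing key never raises KeyError (the 3.6.0 crash)."""
    agent = alert.get("agent") or {}
    name = (agent.get("name")
            or (alert.get("predecoder") or {}).get("hostname")
            or (alert.get("manager") or {}).get("name")
            or "unknown")
    return "({0}) - {1}".format(agent.get("id", "000"), name)


def severity_color(level: int) -> str:
    """Slack attachment colour by rule level; the thresholds are this example's choice."""
    if level >= 10:
        return "danger"
    if level >= 7:
        return "warning"
    return "good"


def generate_msg(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Build the Slack webhook payload. Every lookup uses .get() with a default,
    because ossec-integratord disables the whole integration the first time the
    script exits non-zero ('skipping: integration disabled' from then on)."""
    rule = alert.get("rule") or {}
    level = int(rule.get("level", 0))
    attachment = {
        "color": severity_color(level),
        "pretext": "WAZUH Alert",
        "title": rule.get("description", "(no description)"),
        # Alerts without a raw log line fall back to the decoded data fields.
        "text": alert.get("full_log") or json.dumps(alert.get("data", {})),
        "fields": [
            {"title": "Agent", "value": agent_label(alert)},
            {"title": "Location", "value": alert.get("location", "unknown")},
            {"title": "Rule ID", "value": "{0} (level {1})".format(rule.get("id", "?"), level)},
        ],
    }
    return {"attachments": [attachment]}


def load_alert(path: str) -> Dict[str, Any]:
    """Read the file integratord passes as argv[1]. A non-JSON file raises
    ValueError, the 'No JSON object could be decoded' traceback seen later in
    this thread; report it on stderr rather than letting the script die silently."""
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Argument contract mirrors the real script: alert file, (unused) api key, hook URL.
    # Offline demo: prints the payload instead of POSTing it to the webhook.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(generate_msg(load_alert(path) if path else sample_alert()), indent=2))
```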

SR

Sep 4, 2018, 7:43:52 PM
to Wazuh mailing list
Hi Rodrigo,

Thank you for the response.

I tried the fix below but unfortunately no luck. In the debug log I see the message being sent, but in the Slack channel I don't see any message :( 


2018/09/04 23:42:54 ossec-integratord: DEBUG: file /tmp/slack-1536104574-900638155.alert was written.
2018/09/04 23:42:54 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1536104574-900638155.alert' '' 'https://hooks.slack.com/services/T03M3P565/xxxxxxxxxxxxxxxxxx' > /dev/null 2>&1
2018/09/04 23:42:54 ossec-integratord: DEBUG: Command run succesfully
2018/09/04 23:42:54 ossec-integratord: DEBUG: jqueue_next()

Rodrigo Montoro

Sep 4, 2018, 8:55:51 PM
to Wazuh mailing list
One test that could help you is trying to simulate slack integration manually.

First, pick any event from some agent from /var/ossec/logs/alerts/alerts.json and save it somewhere like /tmp/alert.

Then run the integration without sending stderr to /dev/null:

/var/ossec/integrations/slack '/tmp/alert' '' 'https://hooks.slack.com/services/T03M3P565/xxxxxxxxxxxxxxxxxx'

See if some error appear for you.

Hope it helps.

Regards,

SR

Sep 5, 2018, 12:30:45 AM
to Wazuh mailing list
Hi,

I tried the command to manually trigger the alert to the Slack integration and am getting the error below:

   No module 'requests' found. Install: pip install requests


I have the information below. I already have pip requests installed. Is there any specific version required for this?

Python version: python2.7



# pip list
backports.ssl-match-hostname (3.4.0.2)
certifi (2018.1.18)
chardet (3.0.4)
configobj (4.7.2)
decorator (3.4.0)
docopt (0.6.2)
idna (2.6)
iniparse (0.4)
ldap (1.0.2)
ldap3 (2.4.1)
perf (0.1)
pip (8.1.2)
pyasn1 (0.4.2)
pycurl (7.19.0)
pygobject (3.22.0)
pygpgme (0.3)
pyliblzma (0.5.3)
pymongo (3.6.1)
python-linux-procfs (0.4.9)
pyudev (0.15)
pyxattr (0.5.1)
requests (2.18.4)
schedutils (0.4)
setuptools (0.9.8)
six (1.9.0)
slip (0.4.0)
slip.dbus (0.4.0)
SSSDConfig (1.15.2)
urlgrabber (3.10)
urllib3 (1.22)
yum-metadata-parser (1.1.4)


#  yum install python-requests
Determining fastest mirrors
Package python-requests-2.6.0-1.el7_1.noarch already installed and latest version
Nothing to do


Thanks,

SR

Rodrigo Montoro(Sp0oKeR)

Sep 5, 2018, 5:35:22 AM
to SR, Wazuh mailing list
If you just run python --version, which version appears?

Because the rpm seems to be 2.6. Probably installing requests for a different version.

If you type pip<tab><tab>, what do you have?





SR

Sep 5, 2018, 9:41:04 AM
to Wazuh mailing list
Hi,

I have the versions below:

# pip
pip     pip2    pip2.7  



Thanks,

SR


Rodrigo Montoro(Sp0oKeR)

Sep 5, 2018, 9:42:31 AM
to SR, Wazuh mailing list
Try installing requests for all versions and then run the manual test again:

pip install requests
pip2 install requests
pip2.7 install requests

Hope it helps.




SR

Sep 5, 2018, 12:06:36 PM
to Wazuh mailing list
I don't know, it's strange; I am still digging into the issue.

I see that requests is installed already in all pip version.


Thanks,
SR

SR

Sep 5, 2018, 3:08:29 PM
to Wazuh mailing list
Hi All,

Finally I was able to resolve the issue with these versions. It will help if someone is facing the same issue.

# pip list | grep requests
requests                     2.18.4   

# pip list | grep urllib3
urllib3                      1.21.1   

# pip list | grep chardet
chardet                      3.0.4    


Thanks,

SR

SR

Sep 5, 2018, 6:07:34 PM
to Wazuh mailing list
Hi,

My bad, after monitoring for some time I see once again these logs from the debug integrator:


2018/09/05 22:03:32 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 22:03:32 ossec-integratord: DEBUG: sending new alert.
2018/09/05 22:03:32 ossec-integratord: DEBUG: skipping: integration disabled



When I check below, I see the integrator is still up.

# ps aux | grep integrator
ossecm   16033  0.0  0.0  19336  1008 ?        S    18:04   0:01 /var/ossec/bin/ossec-integratord
ossecm   20601  0.0  0.0  19336  1392 pts/1    S+   20:54   0:01 /var/ossec/bin/ossec-integratord -fdd
root     22394  0.0  0.0 112668   980 pts/2    S+   22:03   0:00 grep --color=auto integrator


If I run this command manually, it sends the alert message:

/var/ossec/integrations/slack '/tmp/alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxx'

Does the Slack integration have any open issue? Please let me know.


Thanks,

SR

migue...@wazuh.com

Sep 6, 2018, 1:56:14 PM
to Wazuh mailing list
Hello again SR,

The skipping: integration disabled log message is a problem...
That happens because when the /integrations/slack script exits with error code 1, the integration disables itself, generating those debug messages when another alert comes in.
Before those messages, you should see something like this happening:
 
ossec-integratord: DEBUG: file /tmp/slack-1536104574-900638155.alert was written.
ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1536104574-900638155.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxxxx > /dev/null 2>&1
ossec-integratord: ERROR: Unable to run integration for slack -> /var/ossec/integrations/slack

If you are not in version 3.6.0, you don't have to worry about fixing the agent.name bug.

Now, there might be several reasons for that happening:

1- The permissions of the file aren't correct, so the ossec user can't execute the script






migue...@wazuh.com

Sep 6, 2018, 2:10:04 PM
to Wazuh mailing list
Sorry, I made a mistake and posted before ending.

I continue here:

1- The permissions of the file aren't correct, so the ossec user can't execute the script.
    To check that this is not the case, execute ls -la /var/ossec/integrations
    
2- The python-requests dependency isn't installed; in this case, it looks OK.

3- The script exits 1 for another reason, so what you can do is execute the command yourself, trying to send an alert to your Slack webhook, and see what the problem is.
    Try this:
       tail -n1 /var/ossec/logs/alerts/alerts.json > /tmp/slack.alert
       /var/ossec/integrations/slack '/tmp/slack.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxxxx'

Hope it helps.

Best regards,
Miguel R.
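The three causes Miguel lists can be checked in one pass. As an added example (my own diagnostic, not Wazuh tooling), this script reproduces them: group permissions on the integration script, whether `requests` imports under the interpreter that will run it, whether the last line of alerts.json parses as JSON, and a dry run that keeps the exit code and stderr integratord otherwise sends to /dev/null; the function names, the `ossec` group default and the `/tmp/slack.alert` scratch path are assumptions taken from this thread.

```python
import grp
import json
import os
import stat
import subprocess
import sys
from typing import List, Optional

INTEGRATIONS_DIR = "/var/ossec/integrations"        # default paths used in the thread
ALERTS_JSON = "/var/ossec/logs/alerts/alerts.json"
SCRATCH_ALERT = "/tmp/slack.alert"                  # same scratch file as Miguel's tail -n1 step


def check_permissions(script: str, group_name: str = "ossec") -> List[str]:
    """Cause 1: integratord runs the script unprivileged in the ossec group, so it
    needs group read+execute and that group as owner (thread shows -rwxr-x--- root ossec)."""
    try:
        st = os.stat(script)
    except OSError as exc:
        return ["{0}: {1}".format(script, exc.strerror)]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if not mode & stat.S_IRGRP:
        problems.append("group read bit missing (mode {0:o})".format(mode))
    if not mode & stat.S_IXGRP:
        problems.append("group execute bit missing (mode {0:o})".format(mode))
    try:
        if st.st_gid != grp.getgrnam(group_name).gr_gid:
            problems.append("owned by gid {0}, expected group {1}".format(st.st_gid, group_name))
    except KeyError:
        problems.append("group {0!r} does not exist on this host".format(group_name))
    return problems


def check_requests(python: str = sys.executable) -> Optional[str]:
    """Cause 2: 'requests' must import under the interpreter that runs the script
    (the thread had pip, pip2 and pip2.7 side by side). None means it imports."""
    proc = subprocess.run([python, "-c", "import requests"], capture_output=True, text=True)
    if proc.returncode == 0:
        return None
    return (proc.stderr.strip().splitlines() or ["import requests failed"])[-1]


def parse_last_alert(text: str) -> Optional[dict]:
    """Cause 3a: the file handed to the script must hold one complete JSON object.
    Mimic 'tail -n1 alerts.json' and parse the last non-empty line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None
    try:
        return json.loads(lines[-1])
    except ValueError:            # the 'No JSON object could be decoded' traceback
        return None


def run_integration(script: str, alert_file: str, hook_url: str) -> dict:
    """Cause 3b: run the script exactly as integratord does (alert file, empty api
    key, hook URL) but keep stderr, which integratord redirects to /dev/null.
    Any non-zero exit is what makes integratord mark the integration disabled."""
    try:
        proc = subprocess.run([script, alert_file, "", hook_url], capture_output=True, text=True)
    except OSError as exc:        # missing or non-executable script
        return {"exit_code": 126, "stdout": "", "stderr": str(exc)}
    return {"exit_code": proc.returncode, "stdout": proc.stdout.strip(), "stderr": proc.stderr.strip()}


def preflight(script: str, alerts_path: str, hook_url: str, group_name: str = "ossec") -> List[str]:
    """Return findings in the order of the three causes; an empty list rules them all out."""
    findings = ["perm: " + p for p in check_permissions(script, group_name)]
    missing = check_requests()
    if missing:
        findings.append("deps: " + missing)
    with open(alerts_path) as fh:
        alert = parse_last_alert(fh.read())
    if alert is None:
        findings.append("alert: last line of {0} is not a JSON alert".format(alerts_path))
        return findings
    with open(SCRATCH_ALERT, "w") as fh:
        json.dump(alert, fh)
    result = run_integration(script, SCRATCH_ALERT, hook_url)
    if result["exit_code"] != 0:
        findings.append("run: exit {exit_code}: {stderr}".format(**result))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py <slack hook URL>")
    for line in preflight(os.path.join(INTEGRATIONS_DIR, "slack"), ALERTS_JSON, sys.argv[1]) or ["OK"]:
        print(line)
```

The dry run really posts the last alert to the hook URL you pass, so run it with the webhook you intend to test.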

SR

Sep 6, 2018, 7:57:59 PM
to Wazuh mailing list
Hi,

Yes, I see this error:


2018/09/05 21:38:06 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:07 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:08 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:09 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:10 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:11 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:12 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:12 ossec-integratord: DEBUG: sending new alert.
2018/09/05 21:38:12 ossec-integratord: DEBUG: file /tmp/slack-1536183492--1312863239.alert was written.
2018/09/05 21:38:12 ossec-integratord: DEBUG: Running: /var/ossec/integrations/slack '/tmp/slack-1536183492--1312863239.alert' '' 'https://hooks.slack.com/services/xxxxxxxxxxxxxxxx' > /dev/null 2>&1
2018/09/05 21:38:12 ossec-integratord: ERROR: Unable to run integration for slack -> /var/ossec/integrations/slack
2018/09/05 21:38:12 ossec-integratord: DEBUG: jqueue_next()
2018/09/05 21:38:12 ossec-integratord: DEBUG: sending new alert.
2018/09/05 21:38:12 ossec-integratord: DEBUG: skipping: integration disabled



I am running 3.3.1 version.


How can I resolve this issue? Which permission do I need to fix?


Thanks,

SR

SR

Sep 7, 2018, 1:10:01 AM
to Wazuh mailing list
Hi,

Here is the inline output for (1) and (3):

1- The permissions of the file aren't correct, so the ossec user can't execute the script.
    To check that is not the case, execute ls -la /var/ossec/integrations

# ls -la /var/ossec/integrations
total 16
drwxr-x---.  2 root ossec   54 Sep  6 23:30 .
drwxr-x---. 19 root ossec  258 Jun 18 14:19 ..
-rwxr-x---.  1 root ossec 1343 Jun 18 14:19 pagerduty
-rwxr-x---.  1 root ossec 3269 Sep  6 23:30 slack
-rwxr-x---.  1 root ossec 6353 Jun 18 14:19 virustotal


3- The script exit 1 for other reason, so what you can do is execute the command by yourself trying to send an alert to your slack webhook and see what the problem is.
    try this:

# /var/ossec/integrations/slack '/tmp/slack.alert' '' 'https://hooks.slack.com/services/xxxxxxxx'

Traceback (most recent call last):
  File "/var/ossec/integrations/slack", line 128, in <module>
    main(sys.argv)
  File "/var/ossec/integrations/slack", line 54, in main
    json_alert = json.load(alert_file)
  File "/usr/lib64/python2.7/json/__init__.py", line 290, in load
    **kw)
  File "/usr/lib64/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.7/json/decoder.py", line 384, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded


Thanks,
SR

migue...@wazuh.com

Sep 7, 2018, 10:10:10 AM
to Wazuh mailing list
Hi SR,

that output is caused by /tmp/slack.alert not containing a JSON alert. After executing
tail -n1 /var/ossec/logs/alerts/alerts.json > /tmp/slack.alert

check that the slack alert contains a JSON alert by executing

cat /tmp/slack.alert

Otherwise, if that doesn't work and you have problems finding a JSON alert to test, I attached a sample slack.alert to this post. You can copy that to the /tmp location and repeat the process:

Execute /var/ossec/integrations/slack '/tmp/slack.alert' '' 'https://hooks.slack.com/services/xxxxxxxx' and send me the output so I can keep helping you figure out what is causing the error.

Best regards,
Miguel R.