OSSEC slack alerts for agents v2.9.0


Fredrik Hilmersson

May 21, 2017, 4:28:48 PM
to ossec-list
I set up an OSSEC server along with a remote agent. The alert log file is populated with alerts regarding both the host and the agent. However, the integrated slack notification script only sends reports regarding the host. The only difference within the log is how the hostnames are displayed, e.g., 2017-05-10, host-ossec.com.. and 2017-05-10, (agent-ossec.com). Is there anything I'm missing regarding my setup which causes the script to dismiss the agent alerts? Any tip or help is greatly appreciated.

Kind regards,
Fredrik

Miguelangel Freitas

May 22, 2017, 10:47:54 AM
to ossec...@googlegroups.com
Hi Fredrik,

Can you see in logs/active-responses.log any new row regarding (agent-ossec.com)?

Could you share <command></command> and <active-response></active-response> from etc/ossec.conf regarding the slack notification? Thanks.

Regards,

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Fredrik Hilmersson

May 22, 2017, 10:53:56 AM
to ossec-list
Hello Miguelangel!

I do not see any new rows regarding the agent-ossec.com (within the host active-response.log, only in the alerts.log).

Here's what you asked for from the ../etc/ossec.conf (server host):

    <command>
        <name>ossec-slack</name>
        <executable>ossec-slack.sh</executable>
        <expect></expect> <!-- no expect args required -->
        <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
        <command>ossec-slack</command>
        <location>local</location>
        <level>7</level>
    </active-response>


Kind regards,
Fredrik


Jesus Linares

May 22, 2017, 12:33:54 PM
to ossec-list
Hi Fredrik,


I hope it helps.
Regards.

Fredrik Hilmersson

May 23, 2017, 4:49:18 AM
to ossec-list
Hello and thanks Jesus,

I've read the documentation, however I do not use the forked wazuh version of OSSEC so I'm not sure that the integrator applies? What I want to clarify regarding my issue, so I do not misunderstand the approach: the OSSEC server (host) is the one responsible for sending the slack notifications, reading from the alerts.log(?).

The communication between the host and agent works, as my host alerts.log is getting populated with alerts regarding the agent. The issue seems to be that the slack script does not catch these, or do I need to specify anything on the agent side for the host to send its alerts, or vice versa?

Kind regards

Fredrik Hilmersson

May 23, 2017, 4:55:55 AM
to ossec-list
Clarification: The host specific alerts are sent to slack but the agent alerts are being ignored.

Jesus Linares

May 23, 2017, 5:08:51 AM
to ossec-list
Hi Fredrik,

This is the flow:
  • The integrator reads the alerts from alerts.log, filtering by rule_id, level, group or event_location.
  • It executes the script using the arguments hook_url and api_key.
  • The slack script sends the alert to slack.

> Clarification: The host specific alerts are sent to slack but the agent alerts are being ignored.

Review your integrator configuration, maybe you have a filter to get only alerts in the current host. Share the config here.

Regards.

Fredrik Hilmersson

May 23, 2017, 6:46:36 AM
to ossec-list
Hello again Jesus,

As I did state, so we're not misunderstanding each other, I do not run the wazuh forked version, but the 2.9.0 OSSEC version.
These are the configuration settings I've got:

ossec-slack.sh

    SLACKUSER="ossec"
    CHANNEL="#channel"
    SITE="https://hooks.slack.com/services/..."
    SOURCE="ossec2slack"

ossec.conf

    <command>
        <name>ossec-slack</name>
        <executable>ossec-slack.sh</executable>
        <expect></expect> <!-- no expect args required -->
        <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
        <command>ossec-slack</command>
        <location>local</location>
        <level>7</level>
    </active-response>


Kind regards,
Fredrik

Jesus Linares

May 23, 2017, 10:18:29 AM
to ossec-list
I see your point. I thought you were talking about the integratord.

I never tried it using AR, but in your active-response configuration I see:
<location>local</location>

It means that OSSEC is going to execute the script on the agent that generated the event. So, you must configure your slack script on every agent. I think for this reason Daniel Cid created the integratord.

I hope it helps.

Fredrik Hilmersson

May 24, 2017, 3:02:07 AM
to ossec-list
Thanks everyone for the feedback and support. It all made sense and your comment did guide me to resolve it; it wasn't any harder than updating the <location> section and adding the agent ID, e.g.:

    <active-response>
        <command>ossec-slack</command>
        <location>server,AGENT.ID</location>
        <level>7</level>
    </active-response>
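The hostname difference Fredrik noticed in alerts.log is how OSSEC marks where an alert originated, which is also what the active response <location> decides on: with local, the script runs wherever the event was generated, so agent alerts never reach the server's copy of ossec-slack.sh. As an added example (not code from this thread or from OSSEC), a small POSIX sh script that classifies alert header lines by origin over a constructed alerts.log excerpt; the sample lines, alert IDs and agent names are made up.

```shell
#!/bin/sh
# Added example: classify OSSEC alerts.log header lines by origin.
# OSSEC writes agent-originated alerts with the agent name in parentheses,
# e.g. "(agent-ossec.com) 10.0.0.5->/var/log/auth.log", while alerts raised
# on the server itself carry a bare hostname, e.g. "host-ossec.com->/var/log/auth.log".

# Constructed alerts.log excerpt (sample data, not from a real deployment).
SAMPLE_ALERTS='** Alert 1494410000.0: - syslog,sshd,authentication_failed,
2017 May 10 12:33:20 host-ossec.com->/var/log/auth.log
Rule: 5716 (level 5) -> "SSHD authentication failed."
** Alert 1494410060.0: - syslog,sshd,authentication_failed,
2017 May 10 12:34:20 (agent-ossec.com) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> "SSHD authentication failed."
** Alert 1494410120.0: - ossec,
2017 May 10 12:35:20 (agent-two) any->ossec
Rule: 503 (level 3) -> "Ossec agent started."'

# alert_origin HEADER_LINE: prints "agent:<name>" or "server:<hostname>",
# returns 1 if the line is not an alert header.
alert_origin() {
    case "$1" in
        *' ('*') '*'->'*)
            # agent alert: name sits between the first "(" and the next ")"
            name=${1#*\(}
            name=${name%%\)*}
            printf 'agent:%s\n' "$name"
            ;;
        *'->'*)
            # server alert: hostname is the word just before "->"
            host=${1%%->*}
            host=${host##* }
            printf 'server:%s\n' "$host"
            ;;
        *)
            return 1
            ;;
    esac
}

# list_origins: one origin line per alert header (headers start with the year).
list_origins() {
    printf '%s\n' "$SAMPLE_ALERTS" | grep '^[0-9]' | while IFS= read -r line; do
        alert_origin "$line"
    done
}

# count_agent_alerts: how many alerts in the sample came from agents, i.e.
# would run a <location>local</location> response on the agent, not the server.
count_agent_alerts() {
    printf '%s\n' "$SAMPLE_ALERTS" | grep -c '^[0-9].* (.*) .*->'
}

list_origins
printf 'agent alerts: %s\n' "$(count_agent_alerts)"
```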
