Telegram Alerts Not Triggering as Expected


Le Sok

Jul 7, 2025, 12:28:55 AM
to Wazuh | Mailing List

Dear Wazuh Team,

I hope this message finds you well.

I’m reaching out regarding an issue I’ve encountered with the Telegram alert integration on my Wazuh setup. When I first configured it, alerts were sent frequently and consistently. However, recently I’ve noticed that Telegram only sends alerts occasionally, mainly for CVEs or internal system events.

Critical alerts such as user activities being blocked by the firewall (e.g., potential DCSync attack attempts) no longer appear on Telegram, even though they are visible in the Wazuh dashboard.

Could you please help me understand why these alerts are no longer being sent to Telegram and how I can resolve this? I would like to ensure that all important security events are properly forwarded to Telegram in real time.

Thank you in advance for your support.

Best regards,

Bony V John

Jul 7, 2025, 3:29:05 AM
to Wazuh | Mailing List

Hi,

I’ve tried to replicate this integration on my end by referring to some blogs (not official Wazuh documentation), and I encountered the same issue you mentioned—only specific alerts were being forwarded to the Telegram group.

https://medium.com/@jesusjimsa_12801/integrating-telegram-with-wazuh-4d8db91025f

https://medium.com/@hasithaupekshitha97/wazuh-alerts-to-telegram-fb9d15b2e544

The root cause in my case was related to the custom Telegram script. The problem was that it used parse_mode='Markdown' without properly escaping special Markdown characters, which caused Telegram to reject the message with an HTTP 400 Bad Request error.

You can check if you're facing the same issue by running the following command on your Wazuh manager and observing the output:

tail -f /var/ossec/logs/integrations.log

If the issue is related to Markdown formatting, you’ll likely see an output similar to this:
RESPONSE: <Response [400]>
MSG: {'chat_id': 'xxxxx', 'text': '*Windows Firewall: Extrenal traffic detetced from internal IP 192.168.0.106 to public IP xx.xx.xx.xx.*\n\n_2025-07-07 12:35:18 ALLOW UDP 192.168.0.106 xx.xx.xx.xx 51858 443 0 - - - - - - - SEND 14268_\n*Groups:* windows,  firewall, pfirewall\n*Rule:* 115163 (Level 3)\n*Agent:* TEst(047)\n', 'parse_mode': 'markdown'}

To resolve this, I updated the custom Telegram script. After the fix, all alerts are now successfully forwarded to my Telegram group. Here is the corrected script:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import sys
import json
import re

try:
    import requests
except Exception:
    print("No module 'requests' found. Install: pip3 install requests")
    sys.exit(1)

CHAT_ID = "xxxxxxxx"  # Replace with your actual chat ID
LOG_FILE = '/var/ossec/logs/integrations.log'

def escape_markdown(text):
    """
    Escapes Telegram MarkdownV2 special characters.
    The backslash is part of the set so that backslashes already present in
    the alert (Windows paths, for example) are escaped instead of being
    rejected inside the code block built below.
    """
    if not isinstance(text, str):
        text = str(text)
    escape_chars = r'\_*[]()~`>#+=|{}.!-'
    # Single pass: every reserved character gets one backslash in front of it
    return re.sub(f'([{re.escape(escape_chars)}])', r'\\\1', text)

def create_message(alert_json):
    # Extract fields from alert; every field goes through escape_markdown
    # before it is placed in the MarkdownV2 text
    title = escape_markdown(alert_json.get('rule', {}).get('description', ''))
    description = alert_json.get('full_log', '').replace("\\n", "\n")
    description = escape_markdown(description)
    alert_level = escape_markdown(alert_json.get('rule', {}).get('level', ''))
    groups = ', '.join(alert_json.get('rule', {}).get('groups', []))
    groups = escape_markdown(groups)
    rule_id = escape_markdown(alert_json.get('rule', {}).get('id', ''))
    agent_name = escape_markdown(alert_json.get('agent', {}).get('name', ''))
    agent_id = escape_markdown(alert_json.get('agent', {}).get('id', ''))

    # Format message with Telegram MarkdownV2; literal parentheses are escaped
    msg_content = f'*{title}*\n\n'
    if description:
        # Only emit the code block when there is a log line to show
        msg_content += f'```{description}```\n'
    if groups:
        msg_content += f'*Groups:* {groups}\n'
    msg_content += f'*Rule:* {rule_id} \\(Level {alert_level}\\)\n'
    if agent_name:
        msg_content += f'*Agent:* {agent_name} \\({agent_id}\\)\n'

    msg_data = {
        'chat_id': CHAT_ID,
        'text': msg_content,
        'parse_mode': 'MarkdownV2'
    }

    # Debug logging
    with open(LOG_FILE, 'a') as f:
        f.write(f'MSG: {json.dumps(msg_data)}\n')

    return json.dumps(msg_data)

# Wazuh calls the integration as: script <alert_file> <api_key> <hook_url>
alert_file_path = sys.argv[1]
hook_url = sys.argv[3]

# Load alert
with open(alert_file_path) as alert_file:
    alert_json = json.load(alert_file)

# Build and send message
msg_data = create_message(alert_json)
headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}
response = requests.post(hook_url, headers=headers, data=msg_data)

# Log the response (a 400 here usually means the text still contains
# unescaped MarkdownV2 characters)
with open(LOG_FILE, 'a') as f:
    f.write(f'RESPONSE: {response.status_code} - {response.text}\n')

sys.exit(0)



Run the following commands to set the correct permissions and restart Wazuh Manager:
chown wazuh:wazuh /var/ossec/integrations/custom-telegram
chmod 550 /var/ossec/integrations/custom-telegram

Then restart the Wazuh manager service:
systemctl restart wazuh-manager

You can test the above updated script to see if it resolves the issue.
If it still doesn’t work, please share the following files on Wazuh manager to help us further troubleshoot:

  • /var/ossec/etc/ossec.conf 

  • /var/ossec/logs/ossec.log

  • /var/ossec/logs/integrations.log

These logs and configuration will help us analyze the issue more effectively and assist you better.
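The escaping rules behind the fix above, as an added example that is not code from the thread or from Wazuh: it escapes plain-text fields with the full MarkdownV2 reserved set, escapes the log inside the pre/code entity with only the two characters that entity requires (backtick and backslash), and includes a small checker that reports reserved characters left unprotected, so a message can be linted locally before the integration posts it. The sample alert is constructed from the log line quoted above, with a Windows path appended to exercise the backslash case; the chat id is a placeholder.

```python
import json

# Characters Telegram's MarkdownV2 parser treats as markup outside code
# entities. The backslash is included so that backslashes already present in
# an alert (Windows paths, for example) are escaped rather than swallowed.
MDV2_RESERVED = '\\_*[]()~`>#+=|{}.!-'
# Inside pre/code entities only the backtick and the backslash are special.
MDV2_CODE_RESERVED = '\\`'
FENCE = '`' * 3


def escape_mdv2(text, reserved=MDV2_RESERVED):
    """Prefix every reserved character in text with a backslash."""
    if not isinstance(text, str):
        text = str(text)
    return ''.join('\\' + ch if ch in reserved else ch for ch in text)


def escape_mdv2_code(text):
    """Escape only what a MarkdownV2 pre/code entity requires."""
    return escape_mdv2(text, MDV2_CODE_RESERVED)


def unescaped_reserved(text, reserved=MDV2_RESERVED):
    """Return the reserved characters in text that are not protected by a backslash.

    Walks the string once, so an escaped backslash does not count as protection
    for the character after it. A backslash in front of a non-reserved character
    is reported as well: Telegram accepts it but silently drops the backslash.
    """
    found = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            if text[i + 1] not in reserved:
                found.append('\\')
            i += 2  # skip the escape pair
            continue
        if ch in reserved:
            found.append(ch)
        i += 1
    return found


def build_message(alert, chat_id):
    """Build the sendMessage payload with the same layout as the thread's script."""
    rule = alert.get('rule', {})
    agent = alert.get('agent', {})
    text = f"*{escape_mdv2(rule.get('description', ''))}*\n\n"
    log = escape_mdv2_code(alert.get('full_log', ''))
    if log:
        text += f"{FENCE}\n{log}\n{FENCE}\n"
    groups = escape_mdv2(', '.join(rule.get('groups', [])))
    if groups:
        text += f"*Groups:* {groups}\n"
    text += f"*Rule:* {escape_mdv2(rule.get('id', ''))} \\(Level {escape_mdv2(rule.get('level', ''))}\\)\n"
    if agent.get('name'):
        text += f"*Agent:* {escape_mdv2(agent['name'])} \\({escape_mdv2(agent.get('id', ''))}\\)\n"
    return {'chat_id': chat_id, 'text': text, 'parse_mode': 'MarkdownV2'}


# Constructed alert modelled on the log line quoted in the thread; the Windows
# path at the end is added to exercise the backslash case.
SAMPLE_ALERT = {
    'rule': {
        'description': 'Windows Firewall: External traffic detected from internal IP 192.168.0.106 to public IP 203.0.113.7.',
        'level': 3,
        'id': '115163',
        'groups': ['windows', 'firewall', 'pfirewall'],
    },
    'agent': {'name': 'TEst', 'id': '047'},
    'full_log': '2025-07-07 12:35:18 ALLOW UDP 192.168.0.106 203.0.113.7 51858 443 0 '
                '- - - - - - - SEND 14268 C:\\Windows\\System32\\svchost.exe',
}

if __name__ == '__main__':
    raw = SAMPLE_ALERT['full_log']
    print('unescaped in raw log:', sorted(set(unescaped_reserved(raw))))
    print('unescaped after escaping:', unescaped_reserved(escape_mdv2(raw)))
    print(json.dumps(build_message(SAMPLE_ALERT, 'CHAT_ID_PLACEHOLDER'), indent=2))
```

Running it on the raw log reports `-`, `.` and `\` as unprotected, which is exactly what legacy Markdown mode would have choked on or silently mangled; after escaping the checker returns nothing. Running `unescaped_reserved` over a field before it is placed in the message is a cheap guard to add to the integration's debug logging when a 400 shows up in integrations.log.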


Le Sok

Jul 7, 2025, 6:53:22 AM
to Wazuh | Mailing List
Still doesn't work, sir.
Here are 3 files on the Wazuh manager. Please help me to check.
ossec.conf
integrations.log
ossec.json

Bony V John

Jul 10, 2025, 1:44:49 AM
to Wazuh | Mailing List

Hi,

Apologies for the delayed response. Upon reviewing your Wazuh manager ossec.conf file, I noticed that your Telegram integration is configured with the <level>13</level> tag. This means that only alerts with a rule level of 13 or higher will be sent to your Telegram group.

In the integration logs, I can see that alerts with levels 13 and 15 were successfully forwarded to your Telegram group. If the integration had failed, it would return a different HTTP status code. However, all the responses in the logs show 200, which indicates a successful transmission.

Could you please confirm whether the rules you mentioned (that are not triggering Telegram messages) have a rule level of 13 or above?

  • If the rule level is below 13, the alerts will not be sent to Telegram due to the level filter in your integration configuration.

  • To send alerts with a lower level, you can either:

    • Decrease the <level> value in the integration block, or

    • Use the <rule_id> or <group> tags in the integration configuration to target specific rules.

You can refer to the Wazuh documentation for more details on configuring external integrations: https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html

If the rule level is 13 or higher, and you’re still not receiving alerts on Telegram, please share the full log of the corresponding event from the archives.json file for further analysis.

For guidance on enabling and accessing the archives.json file, refer to the following documentation: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving
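To check the point about the <level> filter against a configuration before restarting the manager, here is an added example (my own code, not Wazuh's): it pulls the <integration> blocks out of a constructed ossec.conf fragment and applies the filter tags to a sample alert, reporting which filter stopped it. The filter semantics used (level as a minimum rule level, rule_id and group as comma-separated allow-lists, every filter present must pass) are my reading of the documentation linked above and are an assumption, not a transcription of integratord; integratord's group matching may be looser than the exact match used here, and event_location is not modelled. The hook URL token is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not the poster's actual file). The first
# block is the level-13 configuration discussed in the thread; the second
# targets the firewall rules by group instead of by level. Two <ossec_config>
# roots are used on purpose, because a real ossec.conf may contain several.
OSSEC_CONF = """<ossec_config>
  <integration>
    <name>custom-telegram</name>
    <hook_url>https://api.telegram.org/botBOT_TOKEN_PLACEHOLDER/sendMessage</hook_url>
    <level>13</level>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
<ossec_config>
  <integration>
    <name>custom-telegram</name>
    <hook_url>https://api.telegram.org/botBOT_TOKEN_PLACEHOLDER/sendMessage</hook_url>
    <group>firewall,dcsync</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>"""


def parse_integrations(conf_xml):
    """Return one dict per <integration> block: tag name -> text.

    The file is wrapped in a synthetic root so that multiple <ossec_config>
    elements (which an XML parser would otherwise reject) parse cleanly.
    """
    root = ET.fromstring('<root>' + conf_xml + '</root>')
    return [{child.tag: (child.text or '').strip() for child in node}
            for node in root.iter('integration')]


def _csv(value):
    return [v.strip() for v in value.split(',') if v.strip()]


def would_forward(integration, alert):
    """Decide whether the alert passes this integration's filters.

    Assumed semantics: <level> is a minimum, <rule_id> and <group> are
    comma-separated allow-lists, and all filters present must pass.
    Returns (forwarded, list_of_failed_filters).
    """
    rule = alert.get('rule', {})
    failed = []
    if 'level' in integration and int(rule.get('level', 0)) < int(integration['level']):
        failed.append(f"level {rule.get('level')} < {integration['level']}")
    if 'rule_id' in integration and str(rule.get('id')) not in _csv(integration['rule_id']):
        failed.append(f"rule_id {rule.get('id')} not in {integration['rule_id']}")
    if 'group' in integration and not set(rule.get('groups', [])) & set(_csv(integration['group'])):
        failed.append(f"groups {rule.get('groups')} match none of {integration['group']}")
    return (not failed, failed)


def check_alert(conf_xml, alert):
    """Evaluate every integration block; returns [(name, forwarded, failed), ...]."""
    return [(block.get('name', '?'),) + would_forward(block, alert)
            for block in parse_integrations(conf_xml)]


# Constructed alerts: the level-3 firewall rule from the thread, and a
# level-13 event that the original configuration does forward.
FIREWALL_ALERT = {'rule': {'id': '115163', 'level': 3,
                           'groups': ['windows', 'firewall', 'pfirewall']}}
HIGH_LEVEL_ALERT = {'rule': {'id': '100001', 'level': 13, 'groups': ['local']}}

if __name__ == '__main__':
    for label, alert in (('firewall', FIREWALL_ALERT), ('level-13', HIGH_LEVEL_ALERT)):
        for name, ok, failed in check_alert(OSSEC_CONF, alert):
            print(f"{label:9} -> {name}: {'forwarded' if ok else 'dropped: ' + '; '.join(failed)}")
```

Point it at a copy of the manager's ossec.conf and at the rule fields of an event taken from archives.json, and the output tells you whether the drop is a filter decision (no entry in integrations.log is expected then) or something to chase in the script and the HTTP response.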
