Shuffler.io Integration

Mike Farmer

Dec 6, 2022, 5:57:00 PM
to Wazuh mailing list
Following the KB:  Shuffle extensions documentation (shuffler.io)

After completing we get in the ossec.log file

2022/12/06 22:54:50 wazuh-integratord: ERROR: Couldn't execute command (integrations /tmp/custom-shuffle-1670367290--1011350888.alert  https://shuffler.io/api/v1/hooks/webhook_17f9aced-1725-4a89-b314-5ae7bf1a01d1   > /dev/null 2>&1). Check file and permissions.

Have checked the file and directory permissions, no success.

Francisco Tuduri

Dec 6, 2022, 7:06:15 PM
to Wazuh mailing list
Hi Mike!
I see that the article says to change the script permissions with chown root:ossec. But since Wazuh version 4.3 the user and group were changed to wazuh. So, assuming that you are using version 4.3+, please try changing the scripts' permissions with:
chown root:wazuh custom-shuffle
chown root:wazuh custom-shuffle.py
Let me know if this fixed your issue.

Regards!

Francisco Tuduri

Dec 7, 2022, 8:53:53 AM
to Wazuh mailing list
Hi Mike!
Just to give you a heads up that Wazuh v4.4 will have native integration with Shuffle.
Regards!

Mike Farmer

Dec 7, 2022, 10:16:37 AM
to Wazuh mailing list
Yeah we already ran into this detail and used that command to fix up the permissions - no luck on resolution though.

Mike Farmer

Dec 7, 2022, 10:17:34 AM
to Wazuh mailing list
Good to know that 4.4 will have this integration.  Hoping to resolve before then though :)

Francisco Tuduri

Dec 7, 2022, 12:57:15 PM
to Wazuh mailing list
Hello Mike!
A couple of requests:
  • What Wazuh version are you using?
  • Let's increase the logging level for the integrator and check the log:
    • Add integrator.debug=1 to /var/ossec/local_internal_options.conf (Doc Reference)
    • Restart the manager: systemctl restart wazuh-manager
    • Please share the integratord log: cat /var/ossec/logs/ossec.log | grep integratord
  • Please share the permission output of the integrations directory: ls -l /var/ossec/integrations/
Thanks!
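
The ownership fix discussed in this thread (root:wazuh on custom-shuffle and custom-shuffle.py), written as a repeatable check. This is an added example, not part of the thread or Wazuh's own tooling. The group read/execute requirement and the world-writable check are assumptions added here, and the script needs GNU stat.

```shell
#!/bin/sh
# Added example: audit ownership and mode of Wazuh integration scripts.
# Defaults (root:wazuh) follow the thread; requiring group r-x and rejecting
# world-writable files are assumptions of this example.

# check_script FILE OWNER GROUP: prints each problem, returns 1 if any.
check_script() {
    file=$1; want_owner=$2; want_group=$3; rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING   $file"
        return 1
    fi
    # GNU stat: owner name, group name, octal mode (e.g. "root wazuh 750")
    set -- $(stat -c '%U %G %a' "$file")
    owner=$1; group=$2; mode=$3
    [ "$owner" = "$want_owner" ] || {
        echo "OWNER     $file: $owner (want $want_owner)"; rc=1; }
    [ "$group" = "$want_group" ] || {
        echo "GROUP     $file: $group (want $want_group)"; rc=1; }
    # The group must be able to read (040) and execute (010) the script.
    [ $(( 0$mode & 050 )) -eq $(( 050 )) ] || {
        echo "MODE      $file: $mode lacks group r-x"; rc=1; }
    # A script the manager runs must not be writable by everyone (002).
    [ $(( 0$mode & 002 )) -eq 0 ] || {
        echo "WRITABLE  $file: $mode is world-writable"; rc=1; }
    return $rc
}

# audit_integration DIR NAME [OWNER] [GROUP]: checks NAME and NAME.py in DIR.
audit_integration() {
    dir=$1; name=$2; o=${3:-root}; g=${4:-wazuh}; bad=0
    for f in "$dir/$name" "$dir/$name.py"; do
        check_script "$f" "$o" "$g" || bad=1
    done
    return $bad
}

# Runs only when arguments are given, for example:
#   sh check-integration.sh /var/ossec/integrations custom-shuffle
[ $# -eq 0 ] || audit_integration "$@"
```

On Wazuh versions before 4.3, pass ossec as the fourth argument, since the group was renamed to wazuh in 4.3.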