Event Alerts


Anastasia Yudina
Aug 7, 2025, 7:53:23 AM
to Wazuh | Mailing List
Hi! I didn't know how to name the topic correctly. I have a problem. I wanted to set up Telegram alerts for events above level 12. Initially it seemed to work; something came through. But after a few days the notifications stopped coming. However, if I send a test alert, I receive it. There was also a problem that the "Overview" tab stopped displaying events at levels 12-14 and 15 altogether. I'm sending you a screenshot. But when I used the command sudo grep -r "level rules=\"1[3-9]\"" /var/ossec/ruleset/rules/ to check, a lot of them are displayed, which suggests that events are simply not transmitted to Wazuh. Help please. (Attachments: wazuh1.PNG, wazuh2.PNG)
Movavi everywhere, every day

diego...@wazuh.com
Aug 7, 2025, 8:31:17 AM
to Wazuh | Mailing List

Hello Anastasia Yudina,

I will review your query carefully on my side and try to provide you with a complete response as soon as possible.

To assist you better, could you please confirm the following details:

  • What exact version of Wazuh are you using?

  • What type of logs are you monitoring with this configuration?

  • Could you share your current Telegram alert configuration, especially the relevant parts of ossec.conf or the integration setup?

  • Have you checked the Wazuh logs (e.g., ossec.log, integrations.log) for any errors or warnings related to Telegram alert sending?

  • Does the issue occur only with specific rules or alert levels?

  • Are there any recent changes, updates, or modifications in your environment or configuration?

  • Which specific rule(s) and decoder(s) are you using for these alerts? This is important to ensure that events are being properly decoded and matched by the rules.

With this information, I'll be able to investigate more thoroughly and provide you with precise solutions. Looking forward to your response to continue assisting you.

Anastasia Yudina
Aug 12, 2025, 12:35:55 AM
to Wazuh | Mailing List

1. What exact version of Wazuh are you using? - WAZUH_VERSION="v4.12.0"

2. What type of logs are you monitoring with this configuration? - I tried to set it up so that I receive notifications about events above level 12.

3. Could you share your current Telegram alert configuration, especially the relevant parts of ossec.conf or the integration setup?

<command>
  <name>telegram-alert</name>
  <executable>telegram-alert.sh</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>telegram-alert</command>
  <location>server</location>
  <level>10</level>
</active-response>

4. Have you checked the Wazuh logs (e.g., ossec.log, integrations.log) for any errors or warnings related to Telegram alert sending? - The logs could not be found. When I send a test message from the console with: echo '{"rule":{"id":"87105","description":"Critical vulnerability","level":12},"agent":{"name":"test-agent"},"vulnerability":{"cve":"CVE-2024-1234"}}' | sudo /var/ossec/active-response/bin/telegram-alert.sh, the message arrives.

5. Does the issue occur only with specific rules or alert levels? - I set up alerts only for events above level 10. The problem is also that the "Overview" section does not display the categories "High severity" and "Critical severity".

6. Are there any recent changes, updates, or modifications in your environment or configuration? - There were no configuration changes. A large number of new scanning agents have been added.

7. Which specific rule(s) and decoder(s) are you using for these alerts? This is important to ensure that events are being properly decoded and matched by the rules. -

8. With this information, I'll be able to investigate more thoroughly and provide you with precise solutions. Looking forward to your response to continue assisting you.

#!/bin/bash
# telegram-alert.sh: Wazuh active response that forwards an alert to Telegram.
# BOT_TOKEN and CHAT_ID were never set in the posted script; placeholders added.
BOT_TOKEN="${BOT_TOKEN:-<your-bot-token>}"
CHAT_ID="${CHAT_ID:-<your-chat-id>}"

# Wazuh 4.x hands the alert to active-response scripts on stdin wrapped in an
# envelope ({"command":"add","parameters":{"alert":{...}}}); the manual test
# pipes a bare alert, so unwrap the envelope when present, else use the input as-is.
RAW_INPUT=$(cat -)
ALERT_JSON=$(printf '%s' "$RAW_INPUT" | jq -c '.parameters.alert // .')
echo "Raw JSON: $RAW_INPUT" >> /tmp/wazuh-telegram.log

TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
RULE_ID=$(printf '%s' "$ALERT_JSON" | jq -r '.rule.id? // "unknown"')
RULE_DESC=$(printf '%s' "$ALERT_JSON" | jq -r '.rule.description? // "No details"')
AGENT_NAME=$(printf '%s' "$ALERT_JSON" | jq -r '.agent.name? // "unknown"')
ALERT_LEVEL=$(printf '%s' "$ALERT_JSON" | jq -r '.rule.level? // "0"')

# Closing * added to the title so the Markdown bold markers are balanced.
MESSAGE="*🛡 Wazuh Alert*
▫️ *Rule*: #$RULE_ID (Level $ALERT_LEVEL)
▫️ *Agent*: $AGENT_NAME
▫️ *Time*: $TIMESTAMP
▫️ *Description*: $RULE_DESC"

# The API response is appended to the log, so a rejected message shows up there.
curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
  -d chat_id="$CHAT_ID" \
  -d text="$MESSAGE" \
  -d parse_mode="Markdown" >> /tmp/wazuh-telegram.log

echo "Message sent: $MESSAGE" >> /tmp/wazuh-telegram.log


/var/ossec/etc/ossec.conf

<command>
  <name>telegram-alert</name>
  <executable>telegram-alert.sh</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>telegram-alert</command>
  <location>server</location>
  <level>10</level>  <!-- Alert level (10=Warning and above) -->
</active-response>


Thursday, August 7, 2025 at 19:31:17 UTC+7, diego...@wazuh.com:

Movavi everywhere, every day

diego...@wazuh.com
Aug 12, 2025, 7:05:50 AM
to Wazuh | Mailing List
Thank you for sharing your configuration details. We would like to clarify that while we can assist with general Wazuh configuration and troubleshooting within the Wazuh ecosystem, official support does not cover native integrations with third-party applications such as Telegram. However, we can provide some recommendations and possible workarounds to assist you moving forward.

If you are performing alert generation tests on a node where events are not being generated, or where no external sources are sending event data, it is possible that no real alerts are created or indexed. As a result, these alerts will not appear in the dashboard overview.

This occurs because Wazuh relies on incoming events to generate alerts, process them, index the data into Elasticsearch (or your configured storage), and display it on the web interface.

When running tests, please verify that alerts are being generated in the file:

/var/ossec/logs/alerts/alerts.json

If no alerts appear there, nothing will be displayed in the overview.

As an alternative or complementary approach, you might find this community guide helpful—it demonstrates a practical way to send Wazuh alerts to Telegram:

https://medium.com/@hasithaupekshitha97/wazuh-alerts-to-telegram-fb9d15b2e544

While we do not provide official support for custom integrations with third-party systems, focusing on these aspects will help ensure your Wazuh alerting pipeline is functioning correctly and that Telegram notifications are triggered as expected.
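The check suggested above, as an added example that is not part of the thread or of Wazuh itself: it reads alerts.json (newline-delimited JSON, one alert per line), counts alerts per severity band and lists those at or above the level threshold the reporter cares about, so you can tell "no alerts at this level are being produced" apart from "the Telegram script is broken". The sample lines are constructed; the band names for levels 12-14 and 15 follow the thread's description, the lower two bands are assumed.

```python
"""Sanity-check a Wazuh alerts.json file: count alerts per severity band and
list those at or above a level threshold before blaming the notifier."""
import json
import sys
from collections import Counter
from datetime import datetime

# Constructed sample lines in alerts.json format (not from the thread's system).
SAMPLE_ALERTS = """\
{"timestamp":"2025-08-12T06:00:00.000+0000","rule":{"id":"5710","level":5,"description":"sshd: non-existent user"},"agent":{"name":"agent-01"}}
{"timestamp":"2025-08-12T06:01:00.000+0000","rule":{"id":"87105","level":12,"description":"Critical vulnerability"},"agent":{"name":"agent-02"}}
{"timestamp":"2025-08-12T06:02:00.000+0000","rule":{"id":"100010","level":15,"description":"Custom critical rule"},"agent":{"name":"agent-03"}}
this truncated line must be skipped and counted, not crash the check
"""

def severity(level):
    # 12-14 "High" and 15 "Critical" are the bands the thread describes;
    # the two lower bands are assumed here.
    if level >= 15:
        return "Critical"
    if level >= 12:
        return "High"
    if level >= 7:
        return "Medium"
    return "Low"

def summarize(lines, threshold=12):
    """Return (alerts per band, alerts at level >= threshold, unparsable line count)."""
    counts, matches, bad = Counter(), [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
            level = int(alert["rule"]["level"])
            ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (ValueError, KeyError, TypeError):
            bad += 1  # partial write or corrupt line: count it, keep going
            continue
        counts[severity(level)] += 1
        if level >= threshold:
            agent = alert.get("agent", {}).get("name", "unknown")
            matches.append((ts, str(alert["rule"]["id"]), level, agent))
    return counts, matches, bad

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/logs/alerts/alerts.json"
    with open(path, encoding="utf-8") as fh:
        counts, matches, bad = summarize(fh)
    print("alerts per band:", dict(counts), "| unparsable lines:", bad)
    for ts, rule_id, level, agent in matches:
        print(f"{ts.isoformat()} rule {rule_id} level {level} agent {agent}")
```

If the band counts for High and Critical are zero here, the dashboard and the Telegram script have nothing to show, and the problem is upstream of both (agents, decoders, rules).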