Integration - UNIX Socket Communication

[Miguel Angel Torrez Maldonado]

Hi Wazuh Team,

I am writing to report an issue with a custom integration script that I have deployed. The script is designed to query our MISP instance and send enriched alert data back to the Wazuh manager via the UNIX socket.

Based on our internal debugging, we have confirmed that the script is executing successfully, receiving a valid response from the MISP API, and correctly formatting the alert data. However, the Wazuh manager does not appear to be receiving the alert.


The following is the code snippet from my custom-misp.py script that handles the socket communication:

# Determines the path to the Wazuh event queue socket
pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
socket_addr = f"{pwd}/queue/sockets/queue"

def send_event(msg: Dict[str, Any], agent: Optional[Dict[str, str]] = None):
    try:
        if not agent or agent.get("id") == "000":
            string = f"1:misp:{json.dumps(msg)}"
        else:
            string = (
                f"1:[{agent.get('id')}] ({agent.get('name')}) "
                f"{agent.get('ip', 'any')}->misp:{json.dumps(msg)}"
            )

        sock = socket(AF_UNIX, SOCK_DGRAM)
        sock.connect(socket_addr)
        sock.send(string.encode())
        sock.close()

    except Exception as e:
        logging.error(f"Error al enviar el evento: {e}")


Here is the relevant output from our script's debug log, showing the complete process:

2025-09-01 12:09:41,409 - DEBUG - [MISP] POST https://172.19.0.110/attributes/restSearch/ → {'value': 'e-mailrelay.com'}

2025-09-01 12:09:41,410 - DEBUG - Starting new HTTPS connection (1): 172.19.0.110:443
2025-09-01 12:09:41,601 - DEBUG - https://172.19.0.110:443 "POST /attributes/restSearch/ HTTP/11" 200 None
2025-09-01 12:09:41,604 - DEBUG - Respuesta de MISP: {
  "response": {
    "Attribute": [
      {
        "id": "317979",
        "event_id": "1800",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "domain",
        "to_ids": true,
        "uuid": "9b5c1aa4-e7e6-48e1-ac23-84ad0127a2f0",
        "timestamp": "1756276254",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "e-mailrelay.com",
        "Event": {
          "id": "1800",
          "info": "OSINT - Exclusive disclosure of the attack activities of the APT group “NightEagle”",
          "org_id": "1",
          "orgc_id": "7",
          "uuid": "24fe9665-88f8-49d9-9d28-2de0020acf48",
          "user_id": "1",
          "distribution": "3",
          "publish_timestamp": "1756388218"
        }
      }
    ]
  }
}
2025-09-01 12:09:41,605 - DEBUG - JSON object being sent: {
  "integration": "misp",
  "misp": {
    "event_id": "1800",
    "category": "Network activity",
    "value": "e-mailrelay.com",
    "type": "domain",
    "found_on_ioc": "e-mailrelay.com"
  }
}

2025-09-01 12:09:41,605 - DEBUG - Full string being sent to socket: 1:[001] (AD1) 172.19.0.114->misp:{"integration": "misp", "misp": {"event_id": "1800", "category": "Network activity", "value": "e-mailrelay.com", "type": "domain", "found_on_ioc": "e-mailrelay.com"}}


Could you please assist with diagnosing why this data is not being received by the Wazuh manager's socket?

How can I see what Wazuh is receiving from the script?
Could the script send directly to the manager event queue and then process the rules from there? In that case, would I need to use wazuh-archives to see what the script sends to Wazuh?

This is my Wazuh rule for MISP:

<rule id="100622" level="12">
<field name="misp.category">\.+</field>
<description>MISP - IoC found on Threat Intel - Category: $(misp.category), Attribute: $(misp.value)</description>
<options>no_full_log</options>
<group>misp_alert,</group>
</rule>
</group>

Thank you for your time and help.

[Pablo Ariel Gonzalez]

Miguel:

I understand that, based on what you explained, the current approach might not fully fit your use case. Still, I recommend checking out our new public integrations resource, which includes a specific document for MISP.

The first checks I would suggest are the following:

1. Verify socket permissions and path: Make sure the script has permission to access and write to the UNIX socket (queue/sockets/queue). The path must be correct according to your Wazuh installation. Keep in mind that using sockets is a delicate method — you should verify that you are targeting the correct socket for each Wazuh version, since this could change from one release to another.

2. Check the manager logs: You can find them in /var/ossec/logs/ossec.log. Look for messages related to receiving custom events or any socket errors.

3. Confirm what Wazuh is receiving: Events sent to the socket should appear in the logs and also in the archive files (/var/ossec/logs/archives/archives.log). This allows you to confirm whether the event is arriving and how Wazuh is parsing it.

4. Message format: Double-check that the string your script sends matches the format expected by Wazuh. Even a small formatting issue can prevent the event from being processed.

5. Review your Wazuh rule: Your rule looks correct, but make sure that the field misp.category is actually present in the JSON event and that the value matches the regular expression.