Trigger an Email Alert when a service starts/stops


Bhagyesh Parmar

Dec 20, 2021, 1:29:51 PM
to Wazuh mailing list
Hey everyone,

Can anyone help me with this?

Regards,
Bhagyesh

On Mon, 20 Dec, 2021, 11:50 Bhagyesh Parmar, <101bh...@gmail.com> wrote:
Hello Ramiro,

I am trying to get email notification on my email whenever any service running on the server gets stopped or restarted.


I am able to find start and stop logs in the syslog file and added the file path to the Wazuh agent ossec.conf file, and the logs are received by the wazuh-manager in archives, but I need them in alerts, and for that I have tried to create the decoder and rule set given below.

Can you please have a look at it and correct me if I am doing something wrong here.

-------------
Decoder
--------------

<decoder name="systemed_mongodb">
  <program_name>^systemd</program_name>
</decoder>

<decoder name="systemed_mongodb">
  <parent>systemd</parent>
  <regex>(\w+) MongoDB Database Server\.*</regex>
  <order>state</order>
</decoder>

-----------------
Ruleset
------------------

<rule id="100010" level="5">
  <program_name>systemd</program_name>
  <description>MongoDB Service start-stop</description>
</rule>

Thank you.
--
Kind Regards,
Bhagyesh

Juan Nicolás Asselle

Dec 20, 2021, 4:50:31 PM
to Wazuh mailing list

Hi Bhagyesh,

One of the first things to do is to follow the log file where systemd currently logs.

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

Then, based on the current default syslog decoder and rule, we could create a custom decoder and custom rule that allow handling these events.

<decoder name="systemd">
  <parent>systemd</parent>
  <regex type="pcre2">^(Started|Stopped) (.+)\.$</regex>
  <order>status, daemon</order>
</decoder>
<group name="local,systemd">

  <rule id="100002" level="0">
    <if_sid>40700</if_sid>
    <status>Started|Stopped</status>
    <description>Service $(daemon) $(status).</description>
  </rule>
  <rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <field name="daemon">MongoDB Database Server</field>
    <description>Service $(daemon) $(status).</description>
    <options>alert_by_email</options>
  </rule>

</group>

Testing them with wazuh-logtest

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

Dec 20 19:25:00 wazuh-dev systemd[1]: Started MongoDB Database Server.

**Phase 1: Completed pre-decoding.
        full event: 'Dec 20 19:25:00 wazuh-dev systemd[1]: Started MongoDB Database Server.'
        timestamp: 'Dec 20 19:25:00'
        hostname: 'wazuh-dev'
        program_name: 'systemd'

**Phase 2: Completed decoding.
        name: 'systemd'
        daemon: 'MongoDB Database Server'
        status: 'Started'

**Phase 3: Completed filtering (rules).
        id: '100003'
        level: '3'
        description: 'Service MongoDB Database Server Started.'
        groups: '['local', 'systemd']'
        firedtimes: '1'
        mail: 'True'
**Alert to be generated.

See that <options>alert_by_email</options> (ref https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html) will send an email alert when the alert is triggered.

Hope this helps!
Regards,
Nico
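
As an added illustration (not part of Nico's reply or of Wazuh's own code), here is a small Python model of the three wazuh-logtest phases for the decoder and rules above, run over constructed syslog lines. It assumes the plain "Mon DD HH:MM:SS host prog[pid]: message" layout shown in the logtest output and shows which systemd messages reach rule 100003 (level 3, mail) and which, such as "Starting ..." or lines from another program, are never decoded.

```python
import re

# Phase 1 (pre-decoding): assumes the plain "Mon DD HH:MM:SS host prog[pid]: msg" syslog
# layout seen in the thread's wazuh-logtest output.
SYSLOG_RE = re.compile(
    r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$"
)
# Phase 2 (decoding): the custom decoder regex from the reply above (pcre2 syntax).
SYSTEMD_RE = re.compile(r"^(Started|Stopped) (.+)\.$")
# Phase 3 (rules): only this unit escalates to rule 100003 with alert_by_email.
WATCHED_DAEMON = "MongoDB Database Server"


def predecode(line):
    """Split a syslog line into the fields wazuh-logtest reports in phase 1."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    return {"timestamp": ts, "hostname": host, "program_name": prog, "message": msg}


def decode(event):
    """Apply the custom systemd decoder: only Started/Stopped lines yield fields."""
    if event["program_name"] != "systemd":
        return None  # the <parent>systemd</parent> decoder would not run at all
    m = SYSTEMD_RE.match(event["message"])
    if not m:
        return None  # "Starting ...", "Failed to start ..." etc. are not decoded
    status, daemon = m.groups()
    return {"status": status, "daemon": daemon}


def match_rules(fields):
    """Rule 100002 catches every unit at level 0; 100003 lifts MongoDB to level 3 + mail."""
    rule = {"id": 100002, "level": 0, "mail": False}
    if fields["daemon"] == WATCHED_DAEMON:
        rule = {"id": 100003, "level": 3, "mail": True}
    rule["description"] = f"Service {fields['daemon']} {fields['status']}."
    return rule


def logtest(line):
    """Run one line through all three phases; None means no alert is generated."""
    event = predecode(line)
    fields = decode(event) if event else None
    return match_rules(fields) if fields else None


if __name__ == "__main__":
    # Constructed sample line, not captured from a real host.
    print(logtest("Dec 20 19:25:00 wazuh-dev systemd[1]: Started MongoDB Database Server."))
```

A restart shows up as a "Stopped ..." line followed by a "Started ..." line, so each restart of the watched unit produces two level-3 alerts and two emails.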

Bhagyesh Parmar

Dec 21, 2021, 3:47:15 AM
to Juan Nicolás Asselle, Wazuh mailing list
Hi Juan,

It worked for me and I was able to get alerts in wazuh and send the email alert as well.

Thank you for your help.

Regards,
Bhagyesh
