Wazuh Integration to JIRA

[Johan Vermeulen]

Hi Everybody,

I am getting the following error when integrating to JIRA.

ossec-integratord: ERROR: Couldn't execute command (/var/ossec/integrations/custom-jira /tmp/custom-jira-1601357169--1205151018.alert johan.v...@xyz.co.za:APIKEY https://cyberstack.atlassian.net/projects/WI/issues  > /dev/null 2>&1). Check file and permissions.

Anybody that can help maybe.

Regards

Johan

[Sandra Ocando]

Hi Johan,

The script must belong to the root user and the ossec group while being executable by the user and the group, to ensure this is the case you may run the following commands:

chmod 750 /var/ossec/integrations/custom-jira
chown root:ossec /var/ossec/integrations/custom-jira

In case you haven't done it before, check our blog about how to integrate external software using integrator: https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/

Please let us know if this solves the issue and if you have any other question do not hesitate to ask.

Best regards,
Sandra.

[Johan Vermeulen]

Hi Sandra,

Thanks for the prompt reply.

I did run the commands for access (and retried again) but still getting the same issue.

Thanks

Johan

[Sandra Ocando]

Hi Johan,

Since the permissions of the file are correct, the next step would be to verify the folders permissions by executing:
 

# ls -ld /var /var/ossec/ /var/ossec/integrations/

The expected permissions are:

drwxr-xr-x. 19 root root  281 Sep 29 09:05 /var
drwxr-x---. 19 root ossec 242 Sep  8 18:39 /var/ossec/
drwxr-x---.  2 root ossec 134 Sep 29 09:02 /var/ossec/integrations/

You can also try to run the following command to verify that ossecm has the correct permissions for the file:

sudo -u ossecm /var/ossec/integrations/custom-jira

 
The python interpreter must also be executable by the ossecm user, in order to avoid any compatibility issues you can change the first line of the custom-jira file to use the embedded python in Wazuh:

 #!/var/ossec/framework/python/bin/python3

I have verified that in the case that there was no interpreter, that there was a missing library or that the /tmp/ directory was unreadable, the error message would be different that the one you are getting.

Hope this is helpful,
Sandra

[Johan Vermeulen]

Hi Sandra,

Looks like permission error even after repapplying permissions

[root@localhost johan]# sudo -u ossecm /var/ossec/integrations/custom-jira

sudo: unable to execute /var/ossec/integrations/custom-jira: Permission denied

[root@localhost johan]# chmod 750 /var/ossec/integrations/custom-jira

[root@localhost johan]# chown root:ossec /var/ossec/integrations/custom-jira

[root@localhost johan]# sudo -u ossecm /var/ossec/integrations/custom-jira

sudo: unable to execute /var/ossec/integrations/custom-jira: Permission denied

[root@localhost johan]# ^C

[Johan Vermeulen]

Also directory permission looks fine.

[root@localhost johan]# ls -ld /var /var/ossec/ /var/ossec/integrations/

drwxr-xr-x. 23 root root  4096 Sep  4 10:06 /var

drwxr-x---. 19 root ossec  242 Sep  4 10:16 /var/ossec/

drwxr-x---.  2 root ossec  132 Sep 29 11:55 /var/ossec/integrations/

[Sandra Ocando]

Could you please try changing the first line of custom-jira to:

#!/var/ossec/framework/python/bin/python3

[Johan Vermeulen]

Hi Sarah,

That made a difference and script is running now but fails with different error.

2020/09/29 15:46:11 ossec-integratord: ERROR: Unable to run integration for custom-jira -> /var/ossec/integrations/custom-jira

2020/09/29 15:46:11 ossec-integratord: ERROR: While running custom-jira -> /var/ossec/integrations/custom-jira. Output: KeyError: 'syscheck'

 

2020/09/29 15:46:11 ossec-integratord: ERROR: Exit status was: 1

[Sandra Ocando]

Hi Johan,

The integration example on the blogpost was created specifically for alerts of the syscheck group, so on line 25 it tries to determine the syscheck path:

path = alert_json['syscheck']['path']

If you wish you may personalize the integration to better fit your project's needs, for example the following script will include all the generated alerts (not only FIM):

#!/var/ossec/framework/python/bin/python3

import sys
import json
import requests
from requests.auth import HTTPBasicAuth

# Set the project attributes
project_alias = 'TI'
issue_name ='FIM'

# Read configuration parameters
alert_file = open(sys.argv[1])
user = sys.argv[2].split(':')[0]
api_key = sys.argv[2].split(':')[1]
hook_url = sys.argv[3]

# Read the alert file
alert_json = json.loads(alert_file.read())
alert_file.close()

# Extract issue fields
alert_level = alert_json['rule']['level']
description = alert_json['rule']['description']

# Generate request
msg_data = {}
msg_data['fields'] = {}
msg_data['fields']['project'] = {}
msg_data['fields']['project']['key'] = project_alias
msg_data['fields']['summary'] = 'Wazuh alert: [' + description + ']'
msg_data['fields']['description'] = '- State: ' + description + '\n- Alert level: ' + str(alert_level)
msg_data['fields']['issuetype'] = {}
msg_data['fields']['issuetype']['name'] = issue_name
headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}

# Send the request
requests.post(hook_url, data=json.dumps(msg_data), headers=headers, auth=(user, api_key))

sys.exit(0)

Best regards,
Sandra.

[Johan Vermeulen]

Hi Sarah,

I update the script and I do not see any errors in the ossec.log anymore but I also do not see any successful attempts fired in the log either.

Tasks are not generated in JIRA (although I get email for alerts I would have expected to be fired to JIRA)

Nothing is written to integrations.log 

Regards

Johan

[Sandra Ocando]

Hi Johan,

I modified the custom-jira script to include debugging information including the reply from the Jira API which will allow us to determine if there is any issue with the request.

#!/var/ossec/framework/python/bin/python3

import sys
import json
import requests
from requests.auth import HTTPBasicAuth

import time
import os

# Configure logging
debug_enabled = True
pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
log_file = '{0}/logs/integrations.log'.format(pwd)

def debug(msg):
    if debug_enabled:
        now = time.strftime("%a %b %d %H:%M:%S %Z %Y")
        msg = "{0}: {1}\n".format(now, msg)
        print(msg)
        f = open(log_file, "a")
        f.write(msg)
        f.close()  

debug('Starting to run Jira integration')

# Set the project attributes
project_alias = 'TI'
issue_name ='FIM'

# Read configuration parameters
alert_file = open(sys.argv[1])
user = sys.argv[2].split(':')[0]
api_key = sys.argv[2].split(':')[1]
hook_url = sys.argv[3]

debug('Reading alert file ' + sys.argv[1])

# Read the alert file
alert_json = json.loads(alert_file.read())
alert_file.close()

# Extract issue fields
alert_level = alert_json['rule']['level']
description = alert_json['rule']['description']

# Generate request
msg_data = {}
msg_data['fields'] = {}
msg_data['fields']['project'] = {}
msg_data['fields']['project']['key'] = project_alias
msg_data['fields']['summary'] = 'Wazuh alert: [' + description + ']'
msg_data['fields']['description'] = '- State: ' + description + '\n- Alert level: ' + str(alert_level)
msg_data['fields']['issuetype'] = {}
msg_data['fields']['issuetype']['name'] = issue_name
headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}

debug('Sending message with the content: ' + str(msg_data))

# Send the request
response = requests.post(hook_url, data=json.dumps(msg_data), headers=headers, auth=(user, api_key))

debug('Jira replied: '+ response.text)

sys.exit(0)

Please let me know what you find.

Best regards,
Sandra.

[Sandra Ocando]

Hi Johan,

Thank you for sharing the result of the debugging privately. I noticed that Jira is replying with a webpage that indicates that it cannot find an issue matching the search (see image).



In your original message I can see that the integration is using

https://cyberstack.atlassian.net/projects/WI/issues

for the hook_url, this is the webpage URL and not that of Jira's API. You should change the hook_url to: 

https://cyberstack.atlassian.net/rest/api/2/issue/

More information about the Jira's API can be found here: https://developer.atlassian.com/server/jira/platform/rest-apis/

Please let us know if this solves the issue.

Best regards,
Sandra.

[Austin Songer]

I feel that the blog post should include this example, because I spent hours trying to figure this out. It would also be nice to list all the other groups other syscheck that could be used.

[Harlei Lima]

Hi everyone.
I noticed that custom-jira script by default runing with unicode "utf-8". When I runing it with python3 passing the file /var/ossec/allerts/alerts.json as parameter and it returned "UnicodeDecodeError: 'utf-8' codec can't decode byte"...

However I changed the unicode default in my custon-jira script python to "alert_file = open(sys.argv[1], encoding='iso8859-1')" for exemple, so the error changed too.

Somebody could tell me what is the correct python and   alert.json  unicode version to wazuh can to send the alerts to jira?

I attached a doc tho try discribe what I did.

[Sandra Ocando]

Hi Harlei,

I've noticed that the error in your screenshot mentions a position larger than 4.4 million, the Wazuh integrator uses a temporary file that contains only a single alert and not the full alerts.json file. To test the integration the /tmp/teste-alert.json file should only contain a single line, you may create this file manually or by executing tail -1 /var/ossec/logs/alerts/alerts.json > /tmp/teste-alert.json.

It's not necessary to change the default encoding, if the error continues please send your /tmp/teste-alert.json for further testing.

Let us know if you have any questions.

Best regards,
Sandra.