Error receiving Telegram and Mail alerts


Facu Basgall

Mar 3, 2023, 11:44:19 AM
to Wazuh mailing list
Hello!
I wanted to ask if you can help me with an error that is happening to me; I do not know from what moment it started to happen.
We detected that there is a time delay, not always the same, between when the event is generated in Wazuh and when the alert arrives in the mail and in Telegram.
Attached is a screenshot of the event in Wazuh and the alert in Telegram. In the mail it arrives at the same time as in Telegram, but they are different integrations.
Thanks for your help.

Federico Gustavo Galland

Mar 6, 2023, 4:26:04 AM
to Wazuh mailing list
Hi Facu,

Thanks for reaching out to us.

It seems for some reason the screenshot did not go through. Anyway, it's interesting that you are getting the same delay on e-mail notifications and with a custom integration. It would come in handy if you shared your ossec.conf with us, just to know which rules you set up notifications on and to be able to try and replicate.

It would also be a good idea if you shared your Telegram integration script. We know there are a few published on various websites, but nothing official, and integrations, when set up improperly, could lead to the manager delaying processing of other tasks.

Looking forward to hearing back from you.

Regards,
Federico

Facu Basgall

Mar 6, 2023, 10:28:19 AM
to Federico Gustavo Galland, Wazuh mailing list
Hi Federico! 
Now I upload the screenshots.
And I also attach the integrations and the ossec.conf


--
Kind regards.

Anl. Sist. Basgall Facundo.
Telegram_Alert.png
Event_Wazuh.png
custom-telegram.py
custom-email-alert.py
ossec.conf

F Tux

Mar 13, 2023, 7:35:49 AM
to Wazuh mailing list
Hi Facu,

Apologies for the delay. I've been dedicated full-time to priority tasks since Tuesday last week.

I don't see anything that should be causing these delays, but bear in mind the alert is actually an agent queue flood, and as such, it is indicating that the agent is generating more events than it can send to the Wazuh Manager.

Integrations running on the Manager are run in a queue, so if the integration is getting triggered by a very large number of events, that could be locking new reports from being sent.

It is also possible that there is a connectivity issue taking several connection attempts to actually reach the Telegram/e-mail servers.

It would probably be a good idea to add logging/debugging facilities to your scripts and check their output, just to check the execution timestamp (when the Wazuh Server actually runs the scripts) and to gather any useful data on what is causing the delays.

Let me know if you've gathered any further insight in this topic.

Regards,
Federico
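
One way to add the execution-timestamp logging suggested in the message above, as an added example that is not code from the thread or from Wazuh. It assumes the alert JSON carries a `timestamp` field in the layout shown in the comment; `timed_send`, the logger name and the sample alert are hypothetical and constructed for illustration.

```python
import json
import logging
import time
from datetime import datetime, timezone

log = logging.getLogger("integration-timing")  # hypothetical logger name

def parse_alert_time(ts):
    # Assumed alert timestamp layout: 2023-03-03T14:44:19.000+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def timed_send(alert, send, now=None):
    """Run send(alert); log and return queue delay and send duration."""
    started = now or datetime.now(timezone.utc)
    # Time between alert generation and this script actually starting.
    queue_delay = (started - parse_alert_time(alert["timestamp"])).total_seconds()
    t0 = time.monotonic()
    error = None
    try:
        send(alert)  # the script's existing Telegram/e-mail delivery function
    except Exception as exc:  # record the failure instead of dying silently
        error = repr(exc)
    record = {
        "rule_id": alert.get("rule", {}).get("id"),
        "alert_time": alert["timestamp"],
        "script_start": started.isoformat(),
        "queue_delay_s": round(queue_delay, 3),
        "send_s": round(time.monotonic() - t0, 3),
        "error": error,
    }
    log.info(json.dumps(record))
    return record

# Constructed sample alert (not taken from the thread).
SAMPLE_ALERT = {
    "timestamp": "2023-03-03T14:44:19.000+0000",
    "rule": {"id": "100001", "description": "constructed sample"},
}

def unreachable(_alert):
    raise ConnectionError("constructed failure: server not reachable")

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    fixed_now = datetime(2023, 3, 3, 14, 46, 49, tzinfo=timezone.utc)
    timed_send(SAMPLE_ALERT, lambda a: None, now=fixed_now)  # waited in queue
    timed_send(SAMPLE_ALERT, unreachable, now=fixed_now)     # failed delivery
```

A large `queue_delay_s` with a small `send_s` points at the script waiting behind other integrations; a large `send_s` or a non-empty `error` points at connectivity to the Telegram or mail server.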

Facu Basgall

Mar 31, 2023, 3:08:10 AM
to F Tux, Wazuh mailing list
Good afternoon Federico
A thousand apologies for the delay, I have not been available.
I wanted to tell you that in our implementation of Wazuh we have 200 agents and the custom-mail and Telegram integrations, but we also had test integrations with MISP, OpenCTI and VirusTotal.
These last 3 integrations were disabled (momentarily) and the time to receive Wazuh alerts was normalized.
We are still working to investigate the cause of the previous error as we would like to be able to integrate the tools I mentioned before. If you have any information available that could help us, I would be very grateful.
Regards



Federico Gustavo Galland

Mar 31, 2023, 5:06:40 AM
to Facu Basgall, F Tux, Wazuh mailing list
Hi Facu,

It could be that one of these integration scripts was locking the execution of the others for too long. I'd have to take a look at the code to tell.

Were you able to pin it down to one of these integration scripts?

Regards,
Federico


