Wazuh with ServiceNow integration


Zaks Ace

Jan 7, 2025, 12:19:03 AM
to Wazuh | Mailing List
Hi all, it's been a couple of days that I have been trying to integrate ServiceNow with Wazuh.
The steps written in their documentation were pretty basic and easy; however, I have followed the steps and am still stuck!

I have started with a simple ossec configuration in
nano /var/ossec/etc/ossec.config

<!-- ServiceNow Integration -->
<integration>
  <name>custom-servicenow.py</name>
  <level>12</level>
  <hook_url>https://instance.service-now.com/api/now/v2/table/incident</hook_url>
  <api_key>'User:Password'</api_key>
  <alert_format>json</alert_format>
</integration>

#!/var/ossec/framework/python/bin/python3
import sys
import json
import requests

# Extract arguments: wazuh-integratord runs the script as
#   <script> <alert_file> <api_key> <hook_url>
if len(sys.argv) < 4:
    print("Usage: custom-servicenow.py <alert_file> <api_key> <hook_url>")
    sys.exit(1)
alert_file_path = sys.argv[1]
api_key = sys.argv[2]
hook_url = sys.argv[3]

# Read the alert file (one JSON alert per line)
try:
    with open(alert_file_path, 'r') as alert_file:
        alerts = [json.loads(line) for line in alert_file if line.strip()]
except json.JSONDecodeError as e:
    print(f"Error decoding JSON: {e}")
    sys.exit(1)
except Exception as e:
    print(f"Error reading alert file: {e}")
    sys.exit(1)

# Basic-auth credentials come from <api_key> as "user:password";
# split on the first ':' only so the password itself may contain ':'
user, _, password = api_key.partition(':')

# Process each alert
for alert_json in alerts:
    try:
        # Extract issue fields
        alert_level = alert_json['rule']['level']
        ruleid = alert_json['rule']['id']
        description = alert_json['rule']['description']
        agentid = alert_json['agent']['id']
        agentname = alert_json['agent']['name']
        # Prepare the payload for ServiceNow
        payload = {
            "short_description": f"Wazuh Ticket #{ruleid} - {description}",
            "description": f"Rule ID: {ruleid}\nAlert Level: {alert_level}\nAgent: {agentid} - {agentname}\nDetails: {json.dumps(alert_json)}",
            # "impact": "1 - High",
            # "urgency": "1 - High",
            # "assignment_group": "",
            # "category": ""
        }
        # Headers for the request
        headers = {'Content-Type': 'application/json', 'Accept': 'application/json'}
        # Send the alert to ServiceNow; the timeout keeps a hung endpoint
        # from blocking the integratord worker indefinitely
        response = requests.post(hook_url, auth=(user, password), headers=headers,
                                 data=json.dumps(payload), timeout=30)
        # Check for success (the Table API returns 201 Created on success)
        if response.status_code == 201:
            print("Incident created successfully!")
            print("Response:", response.json())
        else:
            print(f"Failed to create incident. HTTP Status Code: {response.status_code}")
            print("Response:", response.text)
    except KeyError as e:
        print(f"Missing key in alert JSON: {e}")
    except Exception as e:
        print(f"Error processing alert: {e}")


It's a simple script which opens and reads the file and successfully sends the alert to ServiceNow.

I have given these permissions and ownership:
-rwxr-x---.  1 root wazuh  2010 Jan  6 17:16 custom-servicenow.py

Whenever I try to get those particular logs to check if the integration works or not:

[root@wazuh-manager etc]# grep custom-servicenow /var/ossec/logs/ossec.log
2025/01/06 17:24:44 wazuh-integratord: INFO: Enabling integration for: 'custom-servicenow.py'.

This is the only message I get.

How do I check?

I created

echo {"rule": {"level":12, "description": "Test alert for ServiceNow integration"}} >> /var/ossec/logs/alerts/alerts.json

to check if this is working or not. My Wazuh version is 4.5.1. Any guidance would be great!




Md. Nazmur Sakib

Jan 7, 2025, 12:34:07 AM
to Wazuh | Mailing List

Hi Zaks,

I am not very good with scripting. You can follow this document to verify your custom integration.

https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html#custom-integration


Also, the log you are using in your alerts.json is not in the right format. I would suggest using a log like this to simulate a Wazuh JSON-format alert.


{"timestamp":"2025-01-07T05:30:36.498+0000","rule":{"level":13,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh91"},"manager":{"name":"wazuh91"},"id":"1736227836.558781","full_log":"Jan 07 05:30:36 wazuh91 su[18147]: pam_unix(su:session): session opened for user root(uid=0) by wazuh91(uid=0)","predecoder":{"program_name":"su","timestamp":"Jan 07 05:30:36","hostname":"wazuh91"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh91","dstuser":"root(uid=0)","uid":"0"},"location":"journald"}


The script should have the following permissions:

chmod 750 /var/ossec/integrations/custom-script

chown root:wazuh /var/ossec/integrations/custom-script




Also, you can check this community discussion. One of our community members previously integrated ServiceNow with Wazuh. He also shared the script he is using.

https://groups.google.com/g/wazuh/c/PmIDtpdL2e0

I hope you find this information useful.

Zaks Ace

Jan 8, 2025, 5:44:18 AM
to Wazuh | Mailing List
So my script works perfectly fine, everything works, but it's stuck at enabling; only enabling appears:
2025/01/07 18:15:34 wazuh-integratord: INFO: Enabling integration for: 'custom-servicenow.py'.
After the above, nothing else. I am facing this issue; can you help me figure this out?

Md. Nazmur Sakib

Jan 13, 2025, 7:57:26 AM
to Wazuh | Mailing List

Can you share the output of this command?

cat /var/ossec/logs/integrations.log


Set the debug level to 2 for the integratord. This can be done by writing integrator.debug=2 in the file /var/ossec/etc/local_internal_options.conf
(e.g. with echo "integrator.debug=2" >> /var/ossec/etc/local_internal_options.conf). Restart the manager for the changes to take effect (systemctl restart wazuh-manager) and share the output of this command:

cat /var/ossec/logs/ossec.log | grep wazuh-integratord

Looking forward to your update on the issue.

Zaks Ace

Jan 14, 2025, 10:41:29 AM
to Wazuh | Mailing List
cat /var/ossec/logs/integrations.log

Mon Dec 30 13:59:12 UTC 2024 Wrong arguments
Fri Jan 10 19:29:08 UTC 2025 Wrong arguments


cat /var/ossec/logs/ossec.log | grep wazuh-integratord


2025/01/14 14:38:43 wazuh-integratord: INFO: Enabling integration for: 'custom-servicenow'.
2025/01/14 14:38:43 wazuh-integratord: INFO: Enabling integration for: 'custom-abuseipdb.py'.
2025/01/14 15:14:24 wazuh-integratord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/01/14 15:14:46 wazuh-integratord[5387] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2025/01/14 15:14:46 wazuh-integratord[5387] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2025/01/14 15:14:46 wazuh-integratord[5387] main.c:165 at main(): DEBUG: Chrooted to directory: /var/ossec, using user: wazuh
2025/01/14 15:14:46 wazuh-integratord[5387] intgcom.c:76 at intgcom_main(): DEBUG: Local requests thread ready
2025/01/14 15:14:46 wazuh-integratord[5387] main.c:176 at main(): INFO: Started (pid: 5387).
2025/01/14 15:14:46 wazuh-integratord[5387] integrator.c:53 at OS_IntegratorD(): DEBUG: JSON file queue connected.
2025/01/14 15:14:46 wazuh-integratord[5387] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'custom-servicenow'.
2025/01/14 15:14:46 wazuh-integratord[5387] integrator.c:143 at OS_IntegratorD(): INFO: Enabling integration for: 'custom-abuseipdb.py'.
2025/01/14 15:14:46 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:47 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:48 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:49 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:50 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:51 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:52 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:53 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:54 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:55 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:55 wazuh-integratord[5387] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2025/01/14 15:14:55 wazuh-integratord[5387] integrator.c:208 at OS_IntegratorD(): DEBUG: Skipping: Alert level is too low
2025/01/14 15:14:55 wazuh-integratord[5387] integrator.c:272 at OS_IntegratorD(): DEBUG: Skipping: Rule doesn't match.
2025/01/14 15:14:55 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:56 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:57 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:58 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:14:59 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:15:00 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:15:01 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:15:02 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:15:03 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:15:03 wazuh-integratord[5387] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2025/01/14 15:15:03 wazuh-integratord[5387] integrator.c:208 at OS_IntegratorD(): DEBUG: Skipping: Alert level is too low
2025/01/14 15:15:03 wazuh-integratord[5387] integrator.c:272 at OS_IntegratorD(): DEBUG: Skipping: Rule doesn't match.

When I do the echo and set the path to /var/ossec/logs/alerts/alerts.json:

2025/01/14 15:16:58 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/01/14 15:16:58 wazuh-integratord[5387] json-queue.c:140 at jqueue_parse_json(): WARNING: Invalid JSON alert read from 'logs/alerts/alerts.json': 'timestamp:2025-01-07T05:30:36.498+0000 rule:level:13 rule:description:PAM: Login session opened. rule:id:5501 rule:mitre:id:[T1078] rule:mitre:tactic:[Defense Evasion rule:mitre:Persistence rule:mitre:Privilege Escalation rule:mitre:Initial Access] rule:mitre:technique:[Valid Accounts] rule:firedtimes:3 rule:mail:false rule:groups:[pam rule:syslog rule:authentication_success] rule:pci_dss:[10.2.5] rule:gpg13:[7.8 rule:7.9] rule:gdpr:[IV_32.2] rule:hipaa:[164.312.b] rule:nist_800_53:[AU.14 rule:AC.7] rule:tsc:[CC6.8 rule:CC7.2 rule:CC7.3] agent:id:000 agent:name:wazuh91 manager:{name:wazuh91} id:1736227836.558781 full_log:Jan 07 05:30:36 wazuh91 su[18147]: pam_unix(su:session): session opened for user root(uid=0) by wazuh91(uid=0) predecoder:program_name:su predecoder:timestamp:Jan 07 05:30:36 predecoder:hostname:wazuh91 decoder:parent:pam decoder:name:pam data:srcuser:wazuh91 data:dstuser:root(uid=0) data:uid:0 location:journald'
2025/01/14 15:16:59 wazuh-integratord[5387] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()

Although I am using:

echo  {"timestamp":"2025-01-07T05:30:36.498+0000","rule":{"level":13,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh91"},"manager":{"name":"wazuh91"},"id":"1736227836.558781","full_log":"Jan 07 05:30:36 wazuh91 su[18147]: pam_unix(su:session): session opened for user root(uid=0) by wazuh91(uid=0)","predecoder":{"program_name":"su","timestamp":"Jan 07 05:30:36","hostname":"wazuh91"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh91","dstuser":"root(uid=0)","uid":"0"},"location":"journald"} >> /var/ossec/logs/alerts/alerts.json 

<integration>
  <name>custom-servicenow</name>
  <level>10</level>
  <group>all</group>
  <rule_id>all</rule_id>
  <alert_format>json</alert_format>
</integration>

The reason for level 10 is to check if it can get an alert of level 10 and above.
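An added example, not code from this thread or from Wazuh itself, that models what the debug output above shows: it reads the filter options of an <integration> block, demonstrates that the quote-stripped line produced by an unquoted echo is rejected as JSON while a properly quoted alert line parses, and applies the level / rule_id / group checks in the order the log reports them to decide whether an alert would be handed to the script. Treating the value all as "no filter" is an assumption made here, and the sample alert line is a trimmed, constructed variant of the one in the thread.

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples (not copied verbatim from the thread): the <integration>
# block from the post above, one well-formed alert line with trimmed fields, and
# the same line after an unquoted shell `echo` has stripped its double quotes.
INTEGRATION_XML = """<integration><name>custom-servicenow</name><level>10</level>
<group>all</group><rule_id>all</rule_id><alert_format>json</alert_format></integration>"""
GOOD_LINE = ('{"rule":{"level":13,"description":"PAM: Login session opened.",'
             '"id":"5501","groups":["pam","syslog","authentication_success"]},'
             '"agent":{"id":"000","name":"wazuh91"}}')
BAD_LINE = ('{rule:level:13 rule:description:PAM: Login session opened. '
            'rule:id:5501 agent:id:000 agent:name:wazuh91}')

def parse_integration(xml_text):
    """Read the filter options of one <integration> block. Comma-separated values
    become lists; 'all' (as the post uses it) is treated as 'no filter' here, an
    assumption not checked against Wazuh source."""
    root = ET.fromstring(xml_text)
    def csv(tag):
        text = root.findtext(tag)
        if text is None or text.strip() == "all":
            return None
        return [v.strip() for v in text.split(",") if v.strip()]
    level = root.findtext("level")
    return {"name": root.findtext("name"), "level": int(level) if level else None,
            "rule_ids": csv("rule_id"), "groups": csv("group")}

def parse_alert(line):
    """Return the alert dict, or None when the line is not valid JSON (the case
    integratord reports as 'Invalid JSON alert read')."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None

def should_dispatch(alert, cfg):
    """Apply the checks seen in the debug log above, in that order: level
    threshold, rule_id list, group list. Returns (decision, reason)."""
    rule = alert.get("rule", {})
    if cfg["level"] is not None and int(rule.get("level", 0)) < cfg["level"]:
        return False, "Alert level is too low"
    if cfg["rule_ids"] and str(rule.get("id")) not in cfg["rule_ids"]:
        return False, "Rule doesn't match"
    if cfg["groups"] and not set(rule.get("groups", [])) & set(cfg["groups"]):
        return False, "Group doesn't match"
    return True, "Sending new alert"
```

Running parse_alert over a line appended to alerts.json is a quick way to confirm the shell did not strip its quotes before blaming the integration script.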

Zaks Ace

Jan 14, 2025, 10:45:21 AM
to Wazuh | Mailing List
Also, this is set to:

2025/01/14 15:44:11 wazuh-syscheckd: INFO: (6016): Directory set for real time monitoring: '/var/ossec/logs/alerts/2024'.

Md. Nazmur Sakib

Jan 17, 2025, 2:55:10 AM
to Wazuh | Mailing List

For testing, let's ingest the logs in this way.

First, increase the rule 5501 level to 13.

Add this rule in this file

/var/ossec/etc/rules/local_rules.xml


<group name="pam,syslog,">
  <rule id="5501" level="13" overwrite="yes">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <description>PAM: Login session opened.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>


Next, create a test log file.

touch /tmp/test.log

Now add this configuration in /var/ossec/etc/ossec.conf under <ossec_config> to monitor this log file:

<localfile>
  <location>/tmp/test.log</location>
  <log_format>syslog</log_format>
</localfile>

Next, add this log to the log file to trigger an alert.


Jan 07 05:30:36 wazuh91 su[18147]: pam_unix(su:session): session opened for user root(uid=0) by wazuh91(uid=0)


This alert will also be saved in the alerts.json file:

{"timestamp":"2025-01-07T05:30:36.498+0000","rule":{"level":13,"description":"PAM: Login session opened.","id":"5501","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["pam","syslog","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh91"},"manager":{"name":"wazuh91"},"id":"1736227836.558781","full_log":"Jan 07 05:30:36 wazuh91 su[18147]: pam_unix(su:session): session opened for user root(uid=0) by wazuh91(uid=0)","predecoder":{"program_name":"su","timestamp":"Jan 07 05:30:36","hostname":"wazuh91"},"decoder":{"parent":"pam","name":"pam"},"data":{"srcuser":"wazuh91","dstuser":"root(uid=0)","uid":"0"},"location":"/tmp/test.log"}


Let me know if you can ingest the logs following this.