Telegram Alert Log

Tuong Vi

unread,

Nov 12, 2020, 10:54:45 PM11/12/20

to Wazuh mailing list

I want to create an alert from wazuh to telegram to set up an alert when many identical logs appear, how can I do this?

Jose Miguel Hernandez Garcia

unread,

Nov 13, 2020, 3:38:15 AM11/13/20

to Wazuh mailing list

Hi!

Thanks to the integrator daemon, Wazuh can be connected with different APIs such as Slack, Virustotal, Telegram, or custom ones.

To configure it you just need to add an integration block in your ossec.conf file as follows:

<!--Custom external Integration -->
<integration>
<name>custom-telegram</name>
<level>10</level>
<api_key>APIKEY</api_key>
<alert_format>json</alert_format>
</integration>

APIKEY should be your Telegram API URL that will be passed to your custom script as an argument.

Then you need to create a script in /var/ossec/integrations that must start with custom- (I.E: custom-telegram).

This script can be written in your preferred programming language and will be used to parse the received alert and communicate with your API.

Here you can check some examples:

- https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/

- https://wazuh.com/blog/aws-sns-integration/

In order to test the script before testing it with the integration block, you can execute it manually and pass to it a dummy alert in .json format as an argument.

Also, integratord has a debug mode that can be enabled in order to help you debug any kind of error that you find during testing.

To enable it, go to /var/ossec/etc/internal_options.conf and change the integrator.debug value from 0 to 2.

Here you can see some documentation about integratord and internal options:

- https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/integration.html?highlight=integration

- https://documentation.wazuh.com/4.0/user-manual/manager/manual-integration.html#manual-integration

- https://documentation.wazuh.com/4.0/user-manual/reference/internal-options.html?highlight=internal%20options#integrator

Hope that this helps!

Best regards,

Josemi.

Jose Miguel Hernandez Garcia

unread,

Nov 13, 2020, 4:23:57 AM11/13/20

to Wazuh mailing list

Here you have a short guide about how to configure a custom Telegram integration:

1. Get your bot API token: https://www.siteguarding.com/en/how-to-get-telegram-bot-api-token

2. Get the chat ID: https://stackoverflow.com/questions/32423837/telegram-bot-how-to-get-a-group-chat-id

At this point you should have :

- bot token: https://api.telegram.org/bot**YourBOTToken**

- Chat id: CHAT_ID="555556497"

3. Create a script called custom-telegram in /var/ossec/integrations. Here you have an example:

#!/usr/bin/env python
  
import sys
import json
import requests
  
#CHAT_ID="xxxx"
CHAT_ID="YourChatID"
 
# Read configuration parameters
alert_file = open(sys.argv[1])
hook_url = sys.argv[3]
  


# Read the alert file
alert_json = json.loads(alert_file.read())
alert_file.close()
  
# Extract data fields
alert_level = alert_json['rule']['level'] if 'level' in alert_json['rule'] else "N/A"
description = alert_json['rule']['description'] if 'description' in alert_json['rule'] else "N/A"
path = alert_json['syscheck']['path'] if 'path' in alert_json['syscheck'] else "N/A"
 
# Generate request
msg_data = {}
msg_data['chat_id'] = CHAT_ID 
msg_data['text'] = {}
msg_data['text']['Path'] = path 
msg_data['text']['description'] =  description
msg_data['text']['alert_level'] = str(alert_level)
headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}
 


# Send the request
requests.post(hook_url, headers=headers, data=json.dumps(msg_data))
 
sys.exit(0)

4. Give the correct permissions to the script:

 chmod 750 /var/ossec/integrations/custom-telegram
 chown root:ossec /var/ossec/integrations/custom-telegram

5. Add the integration block to your ossec.conf:

<integration>
        <name>custom-telegram</name>
        <level>10</level>


        <hook_url>https://api.telegram.org/bot<HEREYOURTOKEN>/sendMessage</hook_url>
        <alert_format>json</alert_format>
</integration>

Note that this will only send you alerts with a level higher or equal to 10.

Hope that this helps!

Tuong Vi

unread,

Nov 15, 2020, 9:12:44 PM11/15/20

to Wazuh mailing list

I mean warning rather than sending log, I have configured like that but the log sent via telegram is not the same as my request. for example, each warning would be like: in 10 minutes there are 100 403 errors

Jose Miguel Hernandez Garcia

unread,

Nov 17, 2020, 4:08:30 AM11/17/20

to Wazuh mailing list

Hi!

Sorry for the late reply.

If you are using Opendistro in your environment, you can use Opendistro alerting,

which allows you to get notifications when data from one or more Elasticsearch indices meet certain conditions.

Here is the documentation about this feature:

- https://opendistro.github.io/for-elasticsearch-docs/docs/alerting/

- https://opendistro.github.io/for-elasticsearch-docs/docs/alerting/api/

On the other hand, you can create a simple script that fetches data from Elasticsearch and sends

notifications to your Telegram channel if the data meet certain requirements.

Hope that this helps,

Best regards,

Josemi.

Reply all

Reply to author

Forward