MISP Integration


Nathan D.

Oct 8, 2025, 9:26:46 AM (2 days ago)
to Wazuh | Mailing List
Hi everyone,

I installed a MISP instance so that I could integrate it with Wazuh. I installed Sysmon on the Windows endpoint and used the SwiftOnSecurity configuration.

I inserted the script and took the rules from this file too:
https://github.com/wazuh/integrations/tree/main/integrations/misp
in the /var/ossec/integration folder.

I modified the ossec.conf configuration file as follows:

```xml
<integration>
    <name>custom-email.py</name>
    <rule_id>60204,100002,100003,100004,100005,100006,100007,100008,100009,100010,100011,100012,100013,100015,100016</rule_id>
    <alert_format>json</alert_format>
    <options>JSON</options>
</integration>
<integration>
    <name>custom-misp</name>
    <group>sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
    <alert_format>json</alert_format>
</integration>
```

My integration is correctly recorded in the logs (ossec.log).
And I modified the script to put the IP address of my instance and add the Auth_key (read-only user).
However, I don't yet see any correlation of MISP alerts in Wazuh.
Has anyone already set up this integration and could guide me through the verification or debugging steps?
Thank you in advance.

I used these to help me:
https://medium.com/@AdonayT/1-misp-overview-a0b79d683234
https://github.com/socfortress/Wazuh-Rules/tree/main/MISP

jesusd...@wazuh.com

Oct 8, 2025, 2:00:44 PM (2 days ago)
to Wazuh | Mailing List
It seems your configuration is correct, but could you please share these details so I can troubleshoot your issue further:

- What version of Wazuh are you currently using?
- Are Sysmon alerts being generated?
- Check the permissions of the integration script using `ls -la /var/ossec/integrations`. Additionally, verify whether the script is saved with or without the `.py` extension. If you are using the Wazuh custom MISP script (https://github.com/wazuh/integrations/blob/main/integrations/misp/custom-misp.py), either remove the `.py` extension or include it in your integration name, like this: `<name>custom-misp.py</name>`
- Have you placed the `custom_misp_rules.xml` rules file in your Wazuh Manager `/var/ossec/etc/rules/` directory?
- Check for integratord logs with `cat /var/ossec/logs/ossec.log | grep wazuh-integratord` on your manager

Nathan D.

Oct 9, 2025, 7:05:51 AM (yesterday)
to Wazuh | Mailing List
I am using version 4.13.1 for the manager and the agents are on 4.13.
For Sysmon, I am sending you a screenshot, but I imagine it is fine, and I can see them on the Windows machine.

As for the permissions on the script, I have this:

```
-rwxr-x---  1 wazuh wazuh 17778 Oct  8 11:32 custom-misp
```

I have placed the rules in the directory:

```
ndriss@wazuhprog:/$ ls /var/ossec/etc/rules/
custom_misp_rules.xml  eset_local_rules.xml  local_rules.xml  local_rules.xml.save
```

```
cat /var/ossec/logs/ossec.log | grep wazuh-integratord
```
When I run the command to view the integratord logs, nothing appears.

Thank you

[Attachment: Capture d'écran 2025-10-09 091336.png]

jesusd...@wazuh.com

Oct 9, 2025, 1:27:05 PM (22 hours ago)
to Wazuh | Mailing List
The image shows a Windows Sysmon alert, showing that the integration with your Windows events is working correctly.

Ensure that you are executing the command on your server or manager instance. Even if no integration is configured, it should output something like this:

```
[root@wazuh-manager-master-0 bin]# cat /var/ossec/logs/ossec.log | grep wazuh-integratord  
2025/10/09 01:13:09 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.  
```

Also please share the following details:

- /var/ossec/logs/integrations.log
- /var/ossec/custom-misp-integration/logs/integrations.log
- How are you configuring the credentials and base URL?

Nathan D.

4:47 AM (7 hours ago)
to Wazuh | Mailing List
Thank you for your reply.

I run all my commands on the server that hosts the manager.

For the command `cat /var/ossec/logs/ossec.log | grep wazuh-integratord`, I enabled debugging and got this:

```
2025/10/10 05:03:59 wazuh-integratord[162763] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/10/10 05:04:00 wazuh-integratord[162763] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/10/10 05:04:01 wazuh-integratord[162763] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/10/10 07:34:11 wazuh-integratord[162763] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2025/10/10 07:34:11 wazuh-integratord[162763] integrator.c:272 at OS_IntegratorD(): DEBUG: Skipping: Rule doesn't match.
2025/10/10 07:34:11 wazuh-integratord[162763] integrator.c:240 at OS_IntegratorD(): DEBUG: Skipping: Group doesn't match.
2025/10/10 07:34:11 wazuh-integratord[162763] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/10/10 07:34:10 wazuh-integratord[162763] json-queue.c:162 at jqueue_parse_json(): DEBUG: Can't read from 'logs/alerts/alerts.json'. Trying again
```

```
ndriss@wazuhprog:/$ sudo cat /var/ossec/logs/integrations.log
```
Nothing appeared.

```
ndriss@wazuhprog:/var/ossec/integrations/custom-misp-integration/logs$ cat integrations.log
2025-10-08 13:21:09,138 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 13:49:41,511 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 14:41:05,818 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 14:43:21,240 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 14:44:24,983 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 14:44:42,333 [ERROR] wazuh-misp-integration: Failed to parse alert input: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)
2025-10-08 14:46:33,825 [ERROR] wazuh-misp-integration: Failed to parse alert input: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)
2025-10-08 16:56:31,827 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
```

For identifiers, I use the auth_key, and for the base URL, I use the IP address of my instance, like this:

```python
MISP_BASE_URL = "https:/<IP>"
MISP_API_KEY = "<My_auth_key>"
VERIFY_SSL = False
```
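The following is an added example, not code from this thread or from the wazuh/integrations project: an offline harness that mimics the two checks wazuh-integratord performs before a custom script runs, so that the "Skipping: Rule/Group doesn't match" debug lines and the two script errors in the post above ("list index out of range" and "Expecting property name enclosed in double quotes") can be reproduced and understood locally. It assumes the conventional argument layout `<script> <alert_file> <api_key> <hook_url> [options]` and that every filter declared in an `<integration>` block must match; both should be checked against the script's own docstring and the integratord documentation for your version.

```python
"""Offline harness mimicking what wazuh-integratord does before a custom script
runs. Assumptions: integratord invokes the script as
  <script> <alert_file> <api_key> <hook_url> [options]
and forwards an alert to an <integration> block only when every filter the
block declares (<rule_id>, <group>) matches."""
import json

# Filters copied from the two <integration> blocks in the thread's ossec.conf.
EMAIL_RULE_IDS = {"60204", "100002", "100003", "100004", "100005", "100006",
                  "100007", "100008", "100009", "100010", "100011", "100012",
                  "100013", "100015", "100016"}
MISP_GROUPS = {"sysmon_event1", "sysmon_event3", "sysmon_event6", "sysmon_event7",
               "sysmon_event_15", "sysmon_event_22", "syscheck"}


def integration_applies(alert, rule_ids=None, groups=None):
    """True when the alert passes every filter declared for one <integration>;
    each failing filter corresponds to a 'Skipping: ... doesn't match' line."""
    rule = alert.get("rule", {})
    if rule_ids and str(rule.get("id")) not in rule_ids:
        return False  # "Skipping: Rule doesn't match."
    if groups and not (set(rule.get("groups", [])) & groups):
        return False  # "Skipping: Group doesn't match."
    return True


def parse_integration_args(argv):
    """Positional arguments in the assumed integratord layout. Indexing
    sys.argv[1..3] without this guard raises 'list index out of range' when
    the script is started by hand with no arguments."""
    if len(argv) < 4:
        raise ValueError("usage: <script> <alert_file> <api_key> <hook_url> [options]")
    return {"alert_file": argv[1], "api_key": argv[2], "hook_url": argv[3],
            "options": argv[4:]}


def parse_alert(text):
    """The alert file is one JSON object; a hand-written file with Python-style
    single quotes fails with 'Expecting property name enclosed in double quotes'."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Failed to parse alert input: {exc}") from exc


# Constructed sample alert (not a real Wazuh alert), shaped like a Sysmon event 1 hit.
SAMPLE_ALERT = {"rule": {"id": "999999", "level": 5,
                         "groups": ["windows", "sysmon", "sysmon_event1"]},
                "data": {"win": {"eventdata": {"image": "C:\\tools\\demo.exe"}}}}

if __name__ == "__main__":
    print("misp block applies:", integration_applies(SAMPLE_ALERT, groups=MISP_GROUPS))
    print("email block applies:", integration_applies(SAMPLE_ALERT, rule_ids=EMAIL_RULE_IDS))
```

To test a real alert, copy one line from `/var/ossec/logs/alerts/alerts.json` to a file and pass it to `parse_alert` and `integration_applies` with the filters from your own ossec.conf; if the misp block does not apply, the alert's `rule.groups` do not contain any of the configured group names.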