Create Event via HTTP or MQTT Request?

[Steven Kan]

I have my spiffy new Wazuh server set up, with agents installed on a variety of PCs. One of the PCs is running my security camera NVR software (Blue Iris). I would like to log an event in Wazuh when one particular camera (inside my server closet) detects motion.

I have motion-trigger set up successfully within Blue Iris, and it dutifully tags the video at the correct time, but by default it does not log any event that gets pushed by the agent over to Wazuh. Wazuh is seeing other events from the Blue Iris PC, such as me logging into to view footage, but it does not see the motion trigger event. 

Blue Iris does have a feature whereby it can send an HTTP or MQTT request upon motion-trigger, via this setup dialog box:

Is there a way for me to populate that with something that Wazuh could receive as an "event"?

[Diego Ariel Balbuena]

Hi Steven! Thank you for sharing with the community

Can you help me to understand what the web request does? Since it does not log any event, the web request should create an event. You are not able to create a new event by using a web request to Wazuh, what should this new event contain?

There are some tools to create tickets based on API calls, they could be integrated with Wazuh.

Please let me share our documentation for Log data collection and Agentless monitoring. 

Is the Blue Iris able to trigger a motion event via Syslog? Once you create the relevant event you should be able to ingest it in Wazuh without issues.

I hope this help, the key here is to generate the event and it should contain the relevant data.

Thanks,

Diego 

[Steven Kan]

Diego,

The web request is to allow Blue Iris to trigger any arbitrary external system that has a web server. Just as a hypothetical example, I have a web-controlled power strip that can be commanded with commands such as:

http://192.168.1.224/outlet?1=CCL

to turn an outlet on or off. If I wanted to turn on power to some device when this camera triggered, then I could put that URL in the Web Request dialog for that camera's trigger options.

Since Blue Iris doesn't have any native integration with Wazuh, and since it doesn't write camera triggers to the system event log, I was hoping to use this Web Request as a way for Blue Iris to tell Wazuh, "Please log an event." Then, if we ever need to do forensics, we can correlate the timestamp of the BI event with the other interesting events around that timestamp.

[Diego Ariel Balbuena]

Steven,

Let me share the Wazuh RestAPI reference: https://documentation.wazuh.com/current/user-manual/api/reference.html

There is no endpoint available in order to trigger a new event.

On the other hand, I think you should be able to call the Notifications module endpoint from the OpenSearch RestAPI

Reference: https://opensearch.org/docs/latest/observing-your-data/notifications/api/

You should be able to create a channel configuration and then send a notification by using the Blue Iris web request.

You need to allow access to the Wazuh Indexer at port 9200 with valid credentials

https://documentation.wazuh.com/current/getting-started/architecture.html#required-ports

I hope this helps!

Diego

[Diego Ariel Balbuena]

Hi Steven!

I have contacted the devel team and we are currently working on this epic to add the POST /events endpoint to the Wazuh API. This will allow directly sending events to Analysisd via the API. The development is expected to be added as part of the 4.5.0 Wazuh version

Hope this helps.

[Steven Kan]

Diego,

Great news! I suppose that means it was a good idea! :lol:

I will await 4.5, as I don't have the skillset to program to the existing APIs.

Thanks!