Integration "shuffle" skipped with message "Skipping: Integration disabled" when configured in /var/ossec/etc/ossec.conf


Alfian :D

Oct 7, 2025, 7:09:24 AM
to Wazuh | Mailing List

Hello Wazuh community,

I’m running into a problem while trying to integrate Shuffle (webhook) with my Wazuh manager and would appreciate any guidance.

Summary / Expected behavior
I added an <integration> entry in /var/ossec/etc/ossec.conf so that Wazuh will forward alerts to a Shuffle webhook. After restarting the manager and generating web attacks on my victim VM (XSS examples), I expect wazuh-integratord to send alerts to Shuffle. Instead, it logs "Skipping: Integration disabled" and does not send anything.

Environment (what I know)

  • Wazuh manager (single VM)

  • Shuffle runs on a separate VM (local lab) reachable by HTTP

  • I’m using the default installations that come with the Wazuh packages on Ubuntu

  • Alerts are being generated and present in /var/ossec/logs/alerts/alerts.json (I can see XSS and web-accesslog alerts)

  • wazuh-integratord is running

Config snippet I added
I added the following block into /var/ossec/etc/ossec.conf:

<integration>
  <name>shuffle</name>
  <hook_url>http://192.168.xx.xxx:3001/api/v1/hooks/webhook_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</hook_url>
  <level>5</level>
  <alert_format>json</alert_format>
</integration>

I also have the integrator enabled:

<integrator>
  <disabled>no</disabled>
</integrator>

But it’s the same, there’s still no result.

What I did to test

  1. Restarted Wazuh manager / integrator (systemctl restart wazuh-manager, etc.).

  2. Fired web attacks from my victim VM (e.g. http://192.168.xx.xxx/usersaa%3Cscript%3EXSS13123%3C/script%3E).

  3. Monitored the Wazuh integrator logs using tail -f /var/ossec/logs/ossec.log.

Observed behavior / logs
In /var/ossec/logs/ossec.log I repeatedly see:

2025/10/07 14:25:12 wazuh-integratord[16365] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/10/07 14:25:12 wazuh-integratord[16365] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2025/10/07 14:25:12 wazuh-integratord[16365] integrator.c:179 at OS_IntegratorD(): DEBUG: Skipping: Integration disabled

At the same time, the alert itself is present in alerts.json (so the rule fired and the alert exists), but integrator refuses to send it.


pdnb

Oct 7, 2025, 7:25:28 AM
to Wazuh | Mailing List
Hi Alfian,

Check ls -ls /var/ossec/integrations/ for:

 4 -rwxr-x---. 1 root wazuh  1045 Sep 19 18:54 shuffle
 8 -rwxr-x---. 1 root wazuh  7249 Sep 19 18:54 shuffle.py

Be careful with permissions.

 

John E

Oct 7, 2025, 8:06:30 AM
to Wazuh | Mailing List
Hello Alfian,

pdnb is right, you need to first confirm the permissions of the Shuffle integration file.
You can set the right permission:

chmod +x /var/ossec/integrations/shuffle

Regards
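
Added example (not part of the thread and not Wazuh's own tooling): a shell check for what the replies above ask for, that both integration files exist with the owner, group and mode shown in pdnb's listing (root, wazuh, 750). The function name check_integration and its arguments are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the files of one Wazuh integration against the
# owner/group/mode shown in the listing above (root:wazuh, rwxr-x--- = 750).
# check_integration and its arguments are hypothetical; requires GNU stat.

# usage: check_integration DIR NAME [OWNER] [GROUP] [MODE]
# Prints one line per problem found; returns 0 if clean, 1 otherwise.
check_integration() {
    dir=$1; name=$2
    want_owner=${3:-root}; want_group=${4:-wazuh}; want_mode=${5:-750}
    rc=0
    # An integration is a wrapper script plus its Python module.
    for f in "$dir/$name" "$dir/$name.py"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            rc=1
            continue
        fi
        # %a = octal mode, %U = owner name, %G = group name
        set -- $(stat -c '%a %U %G' "$f")
        mode=$1; owner=$2; group=$3
        if [ "$mode" != "$want_mode" ]; then
            echo "MODE     $f is $mode, expected $want_mode"
            rc=1
        fi
        if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
            echo "OWNER    $f is $owner:$group, expected $want_owner:$want_group"
            rc=1
        fi
        # A world-writable integration script lets any local user change
        # code the manager executes, so flag it whatever mode was expected.
        case $mode in
            *[2367]) echo "WRITABLE $f is world-writable"; rc=1 ;;
        esac
    done
    return $rc
}

# On a manager, audit the path from the thread; a no-op elsewhere.
if [ -d /var/ossec/integrations ]; then
    check_integration /var/ossec/integrations shuffle || true
fi
```

Run it as root on the manager, since the integrations directory is not readable by ordinary users.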