Integracion Slack

[Federico Lozan]

Hello, is there a way for the Slack integration to send notifications for only one level? That is to say, I want to receive only those of level 10 in a slack channel, in another channel only those of level 11 and so on... Try the following "if_level" but it throws me an error and doesn't recognize it.

<integration>

    <name>slack1</name>
 <hook_url>URL</hook_url>
    <if_level>1</if_level>
    <alert_format>json</alert_format>
</integration>

I'm sorry my ingles, speak español.

[Sandra Ocando]

Hi Federico,

To achieve this, I've modified the Slack integration script.  Attached you'll find the modified version which sends all level 10 alerts to one channel, level 11 to another channel and the remaining level 12 or higher to a third channel.

For this I have created three Webhooks, one for each channel, and set them in the script as variables:

webhook10 = " <!-- Replace with your Slack Webhook -->"
webhook11 = " <!-- Replace with your Slack Webhook -->"
webhook12 = " <!-- Replace with your Slack Webhook -->"

To set this custom integration, follow these steps:

- Modify the attached custom-slack script and set your Webhooks. You may add or remove channels according to your needs. To do so, add or remove Webhook variables and modify the generate_and_send_msg function accordingly.

- Add your custom-slack script in /var/ossec/integrations/custom-slack

- Change the permissions and ownership:

chown root:wazuh /var/ossec/integrations/custom-slack
chmod 750 /var/ossec/integrations/custom-slack

Note that for Wazuh versions prior 4.3.x, the ownership should be: root:ossec

- In /var/ossec/etc/ossec.conf configure your custom Slack integration in the following way to receive messages for alerts level 10 and above:

<integration>
    <name>custom-slack</name>
    <level>10</level>
    <alert_format>json</alert_format>
</integration>

- Restart your manager so changes can take effect: systemctl restart wazuh-manager

Hope you find this script useful, let us know if you have any questions.
Best regards,
Sandra.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fbc60889-6e9d-477c-92ba-46897b58824cn%40googlegroups.com.

[Federico Lozan]

Sandra, hi!

We tried to use the modified Slack integration script.
In the integrations folder we have the files named "slack" and "slack.py". Should we modify the slack.py for it to work?
Thanks a lot for all your help!

 

[Sandra Ocando]

Hi Federico,

There's no need to edit the "slack" or "slack.py" files. The custom-slack integration does not depend on these.
To use the custom-slack script, follow the steps described in my previous email. Remember to remove the previous Slack integration configuration from your ossec.conf and add the new one.
If it does not work as expected, look for errors or warnings in /var/ossec/logs/ossec.log and /var/ossec/logs/integrations.log.
Let us know if you have any questions.

Best regards,
Sandra

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/cbc7aea7-49df-40af-9a1d-91069618c5fcn%40googlegroups.com.

[Federico Lozan]

Understood, the file has to have the extension ".py"?

  Thank you

[Sandra Ocando]

No, it's not necessary.  Please note that the file must have exactly the same name as the one set in the <name> field in the integration configuration.It's also worth mentioning that all the custom integrations must start with "custom-". For more information, check out the integration reference.

<integration>
    <name>custom-slack</name>
    <level>10</level>
    <alert_format>json</alert_format>
</integration>

Cheers,
Sandra.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/13fd803c-7001-44b7-a453-ef6e1d63e0d7n%40googlegroups.com.