Alert to telegram

[Serzh]

Hi. I tried to set up alerts in telegram. Doesn't work for me. I am using the ova wazuh image, it contains python 2.7.5, maybe this is the reason? Or install pip of a specific version?

I have used these scripts https://github.com/OpenSecureCo/Demos/blob/main/Telegram%20Integration

[Selu López]

Hello Elvis,

What is the Wazuh version of your OVA? I just tried the integration of the link you shared in a Wazuh installation by sources and it worked well for me. In any case, neither the installation mode nor the Python contained in the OVA should affect as the script uses Wazuh's embedded Python (which you can find at /var/ossec/framework/python/bin/python3). This Python is at version 3.x since Wazuh 4.0 and even earlier, so this shouldn't be a problem.

There are a few things you can check to see if they are configured correctly:

1. First, make sure you've created a bash script on this path /var/ossec/integrations/custom-telegram and that the content includes everything between lines 3 and 37 of the link you shared. That is, make sure it contains everything shown here: custom-telegram.
2. Make also sure that you have created a Python script in /var/ossec/integrations/custom-telegram.py and that it contains everything that is shown between lines 43 and 79 of your link: custom-telegram python script.
3. Inside the Python script that you created in step 2, make sure to fulfill the CHAT_ID variable (CHAT_ID="") that is found here. You should write the ID of the conversation to where the bot should send the alerts. For instance, in my case, it looks like this:  CHAT_ID="143544397". This step is very important, if you do not specify any chat_id, the bot won't be able to send you anything. I will explain how to get said CHAT_ID in the annex.
4. Check if the user and permissions of the custom-telegram and custom-telegram.py scripts were correctly applied as specified here.
5. Make sure to replace *YOUR API KEY* with your bot key in the configuration block that you have to add in the Wazuh ossec.conf file.  It should look similar to this: <hook_url>https://api.telegram.org/bot4935339560:ALPLyMN8qThtMA9d3nKqEK361AfY-1unrJ7/sendMessage</hook_url>
6. Do not forget to restart Wazuh manager after all these steps: service wazuh-manager restart

Annex

Getting a Telegram API Key
You need to search for @BotFather in Telegram. The process is then quite simple, just type /newbot and follow the instructions. It should give you an API key as shown in the image below:

Getting Chat ID
Once you have created your bot, you must access the following link from your browser, replacing *YOUR API KEY* with the API key that you have been provided:

https://api.telegram.org/bot*YOUR API KEY*/getUpdates

Then, within Telegram, access your new bot and press /start or write something to him. After doing so, go back to the browser and reload the previous link. You should see a JSON with information about what happened. Search it for the content of the id key within the chat field. This is what you are looking for:



Hope this solves your problem. Let me know otherwise.

Regards,
Selu.

On Thu, Dec 2, 2021 at 8:01 AM Serzh <elvi...@gmail.com> wrote:

Hi. I tried to set up alerts in telegram. Doesn't work for me. I am using the ova wazuh image, it contains python 2.7.5, maybe this is the reason? Or install pip of a specific version?

I have used these scripts https://github.com/OpenSecureCo/Demos/blob/main/Telegram%20Integration

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7f9bf5f8-b419-41f7-970a-854b9c375defn%40googlegroups.com.

[Selu López]

Hi Serzh,

Sorry for the delay. For some reason, Google has cataloged the messages in this thread as spam and they were blocked. You'd better reply via Gmail directly (using the "Reply to All" button) to avoid this problem.

Regarding your question about whether to add the minus symbol: sure! In my case, the chat ID did not contain it, but if yours does, you must write it as is. 

Also, if you want to check if your server has a problem communicating with Telegram, you can effectively use cURL command, which should return the same response as in the browser:

 curl https://api.telegram.org/bot*YOUR BOT ID*/getUpdates

Let me known if that works.

Regards,

Selu.

On Thu, Dec 2, 2021 at 1:28 PM Serzh <elvi...@gmail.com> wrote:

Thanks for the help. I checked the settings. Is it possible that the problem is that the wazuh server is behind a firewall and uses a proxy server? How to check network access to a bot? Sorry i'm newbie

четверг, 2 декабря 2021 г. в 11:29:27 UTC+3, joselui...@wazuh.com:

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/feb8cfa6-f65a-4766-b861-f6d78b3f964dn%40googlegroups.com.

[Selu López]

Hello Elvis,

Try adding verify=False to the following line, so it looks like this:

# Send the request requests.post(hook_url, headers=headers, data=json.dumps(msg_data), verify=False)

You can also read about using proxies to connect to the telegram API in this question from a user with a problem similar to yours:

https://stackoverflow.com/questions/57671068/how-to-get-request-from-telegram-api-use-tor

Regards,

Selu.

On Wed, Dec 8, 2021 at 10:36 PM elvi...@gmail.com <elvi...@gmail.com> wrote:

Curl command result :

  {"ok":true,"result":[]}[root@wazuh-manager wazuh]#

It seems to me that the python script does not use a proxy. I saw messages in the ossec log

Dec 6, 2021 @ 09:27:41.000 wazuh-integratord ERROR While running custom-telegram -> integrations. Output: requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api.telegram.org', port=443): Max retries exceeded with url: /bot********:*************/sendMessage (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f06e3619340>: Failed to establish a new connection: [Errno 101] Network is unreachable'))

пятница, 3 декабря 2021 г. в 10:59:23 UTC+3, joselui...@wazuh.com:

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/07a8906a-2607-4c2c-85be-f4e5ff220124n%40googlegroups.com.

[elvi...@gmail.com]

I add proxies = {'http': 'http://proxyip :3128', 'https': 'http://proxyip:3128'}

requests.post(hook_url, headers=headers, data=json.dumps(msg_data), proxies=proxies)

That work for me.

четверг, 9 декабря 2021 г. в 11:12:19 UTC+3, joselui...@wazuh.com: