Alert to telegram


Serzh

Dec 2, 2021, 2:01:48 AM
to Wazuh mailing list
Hi. I tried to set up alerts in telegram. Doesn't work for me. I am using the ova wazuh image, it contains python 2.7.5, maybe this is the reason? Or install pip of a specific version?

Selu López

Dec 2, 2021, 3:29:27 AM
to Serzh, Wazuh mailing list
Hello Elvis,

What is the Wazuh version of your OVA? I just tried the integration from the link you shared in a Wazuh installation from sources and it worked well for me. In any case, neither the installation mode nor the Python contained in the OVA should affect this, as the script uses Wazuh's embedded Python (which you can find at /var/ossec/framework/python/bin/python3). This Python is at version 3.x since Wazuh 4.0 and even earlier, so this shouldn't be a problem.

There are a few things you can check to see if they are configured correctly:
  1. First, make sure you've created a bash script on this path /var/ossec/integrations/custom-telegram and that the content includes everything between lines 3 and 37 of the link you shared. That is, make sure it contains everything shown here: custom-telegram.
  2. Also make sure that you have created a Python script in /var/ossec/integrations/custom-telegram.py and that it contains everything that is shown between lines 43 and 79 of your link: custom-telegram python script.
  3. Inside the Python script that you created in step 2, make sure to fill in the CHAT_ID variable (CHAT_ID="") that is found here. You should write the ID of the conversation to which the bot should send the alerts. For instance, in my case, it looks like this: CHAT_ID="143544397". This step is very important: if you do not specify any chat_id, the bot won't be able to send you anything. I will explain how to get said CHAT_ID in the annex.
  4. Check if the user and permissions of the custom-telegram and custom-telegram.py scripts were correctly applied as specified here.
  5. Make sure to replace *YOUR API KEY* with your bot key in the configuration block that you have to add in the Wazuh ossec.conf file.  It should look similar to this: <hook_url>https://api.telegram.org/bot4935339560:ALPLyMN8qThtMA9d3nKqEK361AfY-1unrJ7/sendMessage</hook_url>
  6. Do not forget to restart Wazuh manager after all these steps: service wazuh-manager restart

Annex

Getting a Telegram API Key
You need to search for @BotFather in Telegram. The process is then quite simple, just type /newbot and follow the instructions. It should give you an API key as shown in the image below:

get_telegram_api.png

Getting Chat ID
Once you have created your bot, you must access the following link from your browser, replacing *YOUR API KEY* with the API key that you have been provided:

https://api.telegram.org/bot*YOUR API KEY*/getUpdates

Then, within Telegram, access your new bot and press /start or write something to him. After doing so, go back to the browser and reload the previous link. You should see a JSON with information about what happened. Search it for the content of the id key within the chat field. This is what you are looking for:

telegram_chat_id.png

Hope this solves your problem. Let me know otherwise.

Regards,
Selu.
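
The checklist above can be run as a preflight check. This is an added example, not part of the original reply or of Wazuh's code; the function names, the assumed bot-key shape and the mode checks (owner-executable wrapper, no group or other write bit) are assumptions, since the exact permissions are in the linked guide and not reproduced here.

```python
import os
import re
import stat

# Assumed key shape: numeric bot id, a colon, then a URL-safe secret.
HOOK_RE = re.compile(
    r"^https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/sendMessage$")
CHAT_ID_RE = re.compile(r'^\s*CHAT_ID\s*=\s*["\']([^"\']*)["\']', re.M)


def check_hook_url(ossec_conf):
    """Step 5: problems with the custom-telegram <hook_url> in ossec.conf."""
    blocks = re.findall(r"<integration>(.*?)</integration>", ossec_conf, re.S)
    block = next((b for b in blocks if "custom-telegram" in b), None)
    if block is None:
        return ["no custom-telegram <integration> block"]
    m = re.search(r"<hook_url>(.*?)</hook_url>", block, re.S)
    url = m.group(1).strip() if m else ""
    if "*" in url:
        return ["hook_url still holds the *YOUR API KEY* placeholder"]
    if not HOOK_RE.match(url):
        return ["hook_url is not .../bot<key>/sendMessage"]
    return []


def check_chat_id(script_text):
    """Step 3: problems with CHAT_ID in custom-telegram.py."""
    m = CHAT_ID_RE.search(script_text)
    if not m:
        return ["CHAT_ID assignment not found"]
    if not m.group(1):
        return ["CHAT_ID is empty"]
    # A leading minus sign is part of the ID and must be kept.
    if not re.fullmatch(r"-?\d+", m.group(1)):
        return ["CHAT_ID is not numeric: %r" % m.group(1)]
    return []


def check_script(path, must_execute):
    """Steps 1, 2 and 4: the file exists and has a sane mode."""
    if not os.path.isfile(path):
        return ["%s is missing" % path]
    mode = os.stat(path).st_mode
    problems = []
    if must_execute and not mode & stat.S_IXUSR:
        problems.append("%s is not executable" % path)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s is writable by group or others" % path)
    return problems
```

Each function returns a list of problems, so an empty list from all three means the steps it covers passed.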


Selu López

Dec 3, 2021, 2:59:23 AM
to Serzh, Wazuh mailing list
Hi Serzh,

Sorry for the delay. For some reason, Google has cataloged the messages in this thread as spam and they were blocked. You'd better reply via Gmail directly (using the "Reply to All" button) to avoid this problem.

Regarding your question about whether to add the minus symbol: sure! In my case, the chat ID did not contain it, but if yours does, you must write it as is. 

Also, if you want to check if your server has a problem communicating with Telegram, you can indeed use the cURL command, which should return the same response as in the browser:

 curl https://api.telegram.org/bot*YOUR BOT ID*/getUpdates

Let me know if that works.

Regards,
Selu.

On Thu, Dec 2, 2021 at 1:28 PM Serzh <elvi...@gmail.com> wrote:
Thanks for the help. I checked the settings. Is it possible that the problem is that the Wazuh server is behind a firewall and uses a proxy server? How to check network access to a bot? Sorry, I'm a newbie.

Thursday, December 2, 2021 at 11:29:27 UTC+3, joselui...@wazuh.com:

Selu López

Dec 9, 2021, 3:12:19 AM
to elvi...@gmail.com, Wazuh mailing list
Hello Elvis,

Try adding verify=False to the following line, so it looks like this:

# Send the request
requests.post(hook_url, headers=headers, data=json.dumps(msg_data), verify=False)

You can also read about using proxies to connect to the telegram API in this question from a user with a problem similar to yours:

Regards,
Selu.

On Wed, Dec 8, 2021 at 10:36 PM elvi...@gmail.com <elvi...@gmail.com> wrote:
Curl command result :
  {"ok":true,"result":[]}[root@wazuh-manager wazuh]#

It seems to me that the python script does not use a proxy. I saw messages in the ossec log
Dec 6, 2021 @ 09:27:41.000 wazuh-integratord ERROR While running custom-telegram -> integrations. Output: requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api.telegram.org', port=443): Max retries exceeded with url: /bot********:*************/sendMessage (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f06e3619340>: Failed to establish a new connection: [Errno 101] Network is unreachable'))

Friday, December 3, 2021 at 10:59:23 UTC+3, joselui...@wazuh.com:

elvi...@gmail.com

Dec 15, 2021, 2:19:10 AM
to Wazuh mailing list
I added:

proxies = {'http': 'http://proxyip:3128', 'https': 'http://proxyip:3128'}
requests.post(hook_url, headers=headers, data=json.dumps(msg_data), proxies=proxies)

That works for me.


Thursday, December 9, 2021 at 11:12:19 UTC+3, joselui...@wazuh.com:
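
An added example (not from the thread or from the Wazuh project) that turns the proxy fix above into reusable helpers: it sends through the proxy with certificate verification left on, classifies the integratord error line quoted earlier, and masks the bot token before an error is logged. The function names, the CA-bundle parameter and the diagnosis labels are assumptions.

```python
import json
import re

# Bot tokens sit in the URL path, so they leak into exception text and logs.
TOKEN_RE = re.compile(r"(/bot)\d+:[A-Za-z0-9_-]+")


def redact_bot_token(text):
    """Mask the bot token in a URL or error string before logging it."""
    return TOKEN_RE.sub(r"\1<redacted>", text)


def post_options(proxy_url=None, ca_bundle=None, timeout=10):
    """Build keyword arguments for requests.post().

    TLS verification stays on: verify is True, or the path of the CA
    bundle to trust when the proxy re-signs HTTPS traffic.
    """
    opts = {"timeout": timeout, "verify": ca_bundle or True}
    if proxy_url:
        opts["proxies"] = {"http": proxy_url, "https": proxy_url}
    return opts


def diagnose(error_text):
    """Map a wazuh-integratord error line to the likely network cause."""
    if "CERTIFICATE_VERIFY_FAILED" in error_text:
        return "tls-interception: pass the proxy CA bundle as verify=<path>"
    if "ProxyError" in error_text:
        return "proxy-unreachable: check the proxy address and credentials"
    if "Errno 101" in error_text or "NewConnectionError" in error_text:
        return "no-direct-route: send the request through the proxy"
    return "unknown"


def send_alert(hook_url, msg_data, **opts):
    """POST the alert; returns (ok, detail) with the token masked."""
    import requests  # imported here so the helpers above work without it
    headers = {"content-type": "application/json"}
    try:
        r = requests.post(hook_url, headers=headers,
                          data=json.dumps(msg_data), **opts)
        return r.ok, "HTTP %d" % r.status_code
    except requests.exceptions.RequestException as exc:
        return False, redact_bot_token(str(exc))
```

Call it as send_alert(hook_url, msg_data, **post_options("http://proxyip:3128")), using the proxy address from the post above.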