Custom Integration not working


serano...@gmail.com

Mar 12, 2023, 7:24:12 AM
to Wazuh mailing list
Hi all.
I'm trying to run a custom integration I've created to interact with the FortiGate API.
Starting the script manually, everything works fine, so the problem is not in the script, in my view.

I've configured the integration in Wazuh like this:

<integration>
  <name>fgt_int.py</name>
  <hook_url>https://192.168.55.100/api/v2/</hook_url>
  <api_key>myapikey</api_key>
  <level>2</level>
  <rule_id>81622</rule_id>
  <alert_format>json</alert_format>
</integration>

This is the beginning of the script, which should at least write to the log file that it is starting:

#!/var/ossec/framework/python/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.

import requests
import json
import sys
import time
import datetime
from requests.packages.urllib3.exceptions import InsecureRequestWarning

LOG_FILE = "/var/ossec/logs/active-responses.log"


def write_debug_file(ar_name, msg):
    # Append a timestamped line tagged with the integration name to LOG_FILE.
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")


# First statement executed: record that the script was started.
write_debug_file("FGT-INT", "START")

But when I trigger the rule, nothing is written to the log file, as if Wazuh does not even try to start the script.

The file is in the integration folder.
Permissions are correct (owner = root:wazuh, permissions: 750).

What am I missing?
Thanks for your work, guys. Have a nice day.

Francisco Tuduri

Mar 12, 2023, 11:08:34 AM
to Wazuh mailing list
Hello Stefano!

The problem seems to be the name of the integration: <name>fgt_int.py</name>
In the case of a custom external integration, the name must begin with "custom-".
See here the reference documentation.

If you check the ossec.log file for error messages (for instance with: cat /var/ossec/logs/ossec.log | grep ERROR) you should see a line like this:

2023/03/12 11:56:48 wazuh-integratord: ERROR: Invalid integration: 'fgt_int.py'. Not currently supported.

Please, rename the script so that it begins with "custom-" and change the "name" option of the integration configuration block accordingly, restart the manager, and try again.

Let me know how it goes.
Have a nice day!

Regards!
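
A pre-restart check for the naming rule described in the reply above, added here as an example (not code from the thread or from Wazuh): it lists integration names in an ossec.conf text that are neither built-in nor prefixed with "custom-", and extracts the names wazuh-integratord rejected in ossec.log. The built-in name set, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re

# Assumption: integration names the manager ships with; adjust for your version.
BUILTIN = {"slack", "pagerduty", "virustotal"}

# Constructed sample: the name from the thread, a renamed copy, a built-in one,
# and a commented-out block that must be ignored.
SAMPLE_CONF = """
<ossec_config>
  <integration>
    <name>fgt_int.py</name>
    <level>2</level>
  </integration>
  <integration>
    <name>custom-fgt_int.py</name>
    <level>2</level>
  </integration>
  <integration><name>slack</name></integration>
  <!-- <integration><name>old_script.sh</name></integration> -->
</ossec_config>
"""

# Constructed sample log: the error line quoted in the reply plus an unrelated line.
SAMPLE_LOG = """\
2023/03/12 11:56:48 wazuh-integratord: ERROR: Invalid integration: 'fgt_int.py'. Not currently supported.
2023/03/12 11:56:49 wazuh-integratord: INFO: Started
"""

LOG_RE = re.compile(r"wazuh-integratord: ERROR: Invalid integration: '([^']*)'")

def integration_names(conf_text):
    """Return the <name> of every active (non-commented) <integration> block."""
    active = re.sub(r"<!--.*?-->", "", conf_text, flags=re.S)
    blocks = re.findall(r"<integration>(.*?)</integration>", active, flags=re.S)
    found = [re.search(r"<name>\s*(.*?)\s*</name>", b, flags=re.S) for b in blocks]
    return [m.group(1) if m else "" for m in found]

def invalid_names(names, builtin=frozenset(BUILTIN)):
    """Names that are neither built-in nor prefixed with "custom-"."""
    return [n for n in names if n not in builtin and not n.startswith("custom-")]

def rejected_in_log(log_text):
    """Integration names that wazuh-integratord reported as invalid."""
    return sorted(set(LOG_RE.findall(log_text)))

if __name__ == "__main__":
    print("bad names in config:", invalid_names(integration_names(SAMPLE_CONF)))
    print("rejected per log:  ", rejected_in_log(SAMPLE_LOG))
```

To use it on a live manager, pass the contents of the real ossec.conf and ossec.log to the same functions instead of the samples.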

Stefano Serano

Mar 12, 2023, 1:08:20 PM
to Francisco Tuduri, Wazuh mailing list
Damn, that was easy.
Thanks Francisco, you saved me.
Have a nice day.
