OSSEC Slack Integration

Tags:

slack-api

I want all OSSEC notifications to be routed to a Slack room instead of email. 2.9.Beta5 has an ossec-slack.sh active response script. The relevant parts of my ossec.conf are:

<command>
  <name>ossec-slack</name>
  <executable>ossec-slack.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>


<active-response>
  <command>ossec-slack</command>
  <location>local</location>
  <level>1</level>
</active-response>

This works for SSH logins (failed and successful), but as far as I can tell doesn't trigger anything else. What am I doing wrong/how are others doing this? Is this just beta software being beta software?

Mark Fletcher Avatar asked Dec 25 '22 06:12


1 Answer

First make sure your ossec-slack.sh file has the correct information in the top:

# FILE: /var/ossec/active-response/bin/ossec-slack.sh

SLACKUSER="ossec"
CHANNEL="#slack_chanel"  # include the hash "#"
SITE="https://hooks.slack.com/services/TOKEN"
SOURCE="ossec2slack"

Your "SLACKUSER" is the same as the "Customize Name" field that you set in your Slack WebHook Integrations page.

SLACKUSER Integration Example

Now that your ossec-slack.sh file is set up you can test your Slack integration manually:

/var/ossec/active-response/bin/ossec-slack.sh

Running the script manually will post recent entries from your alerts log file:

/var/ossec/logs/alerts/alerts.log

When this script is triggered as an active-response, it will only post the information for the current alert, rather than posting from your log file.

When you have verified that you can post Slack messages manually, add the following XML blocks to your ossec.conf file:

<!-- FILE: /var/ossec/etc/ossec.conf -->

<ossec_config>
    <command>
        <name>ossec-slack</name>
        <executable>ossec-slack.sh</executable>
        <expect></expect> <!-- no expect args required -->
        <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
        <command>ossec-slack</command>
        <location>local</location>
        <level>3</level>
    </active-response>
</ossec_config>

The settings above will post to your Slack channel whenever a level 3 or above alert is triggered.

Note: no arguments are required within the <expect> tag. But the <expect> tag itself is required. See OSSEC's active-response documentation for more information.

To test this integration, restart your ossec server:

/var/ossec/bin/ossec-control restart

You should see the "OSSEC Started" alert very quickly.

If you do not see the alert, check your logs for any misconfigurations:

tail /var/ossec/logs/ossec.log
tail /var/ossec/logs/active-responses.log
f1lt3r Avatar answered Jan 17 '23 23:01
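An added example, not the answer's script and not OSSEC's stock ossec-slack.sh, showing how an active-response script can pull just the one alert it was triggered for out of alerts.log and build the Slack webhook payload from it. It assumes OSSEC passes the alert id (timestamp.sequence) as the fourth positional argument, as its stock scripts expect, and the sample alerts.log content is constructed.

```shell
#!/bin/sh
# Added example, not OSSEC's stock ossec-slack.sh and not the answer's code.
# Assumption: OSSEC passes active-response scripts the alert id
# (timestamp.sequence) as $4, as its stock scripts expect.
SLACKUSER="${SLACKUSER:-ossec}"          # placeholder values
CHANNEL="${CHANNEL:-#slack_channel}"
SITE="${SITE:-https://hooks.slack.com/services/TOKEN}"
ALERTS_LOG="${ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}"

# Print only the alert headed "** Alert <id>:"; it ends at the next blank line.
alert_block() {
    awk -v id="$1" '
        /^\*\* Alert / { inblock = ($3 == (id ":")) }
        inblock && NF == 0 { exit }
        inblock { print }
    ' "$ALERTS_LOG"
}

# Slack incoming-webhook JSON for that alert: escape \ and ", encode newlines as \n.
slack_payload() {
    text=$(alert_block "$1" | sed 's/\\/\\\\/g; s/"/\\"/g' | awk '{ printf "%s\\n", $0 }')
    printf '{"channel":"%s","username":"%s","text":"%s"}' "$CHANNEL" "$SLACKUSER" "$text"
}

# Post just the current alert (the stock script tails alerts.log when run by hand).
post_alert() {
    curl -s -X POST -H 'Content-type: application/json' --data "$(slack_payload "$1")" "$SITE"
}

# Constructed sample alerts.log with two alerts, for trying the helpers offline:
#   ALERTS_LOG=/tmp/alerts.log; sample_log > "$ALERTS_LOG"; slack_payload 1481234567.101
sample_log() {
    cat <<'EOF'
** Alert 1481234567.100: - syslog,sshd,authentication_failed,
2016 Dec 08 12:34:50 ossec-server->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.9
Dec  8 12:34:50 host sshd[1200]: Failed password for invalid user bob from 203.0.113.9 port 4000 ssh2

** Alert 1481234567.101: - ossec,
2016 Dec 08 12:34:56 ossec-server->ossec
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
EOF
}

if [ "$#" -ge 4 ]; then post_alert "$4"; fi
```

Installed as an active-response executable, OSSEC calls it once per matching alert, so only that alert reaches the channel; the sample_log helper is there to exercise the parsing and escaping without a live server.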