@trangnth
Created December 6, 2019 08:41
Config wazuh alert via telegram

Wazuh config alert telegram

Reference:

https://sys-adm.in/security/850-ossec-otpravka-uvedomlenij-v-telegram.html

  • Add the following configuration block to the OSSEC config file /var/ossec/etc/ossec.conf:
<ossec_config>
...
  <command>
    <name>send-telegram</name>
    <executable>ossec-telegram.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
      <command>send-telegram</command>
      <location>local</location>
      <level>6</level>
  </active-response>
...
</ossec_config>

With <level>6</level> the command runs for every alert of level 6 or higher, which on a busy manager floods the chat; raise the level or add a <rules_group> filter to the active-response block if that happens. The positional-argument interface the script below relies on is the one used by OSSEC and Wazuh 3.x; Wazuh 4.2 and later pass the alert to active-response scripts as JSON on stdin instead.
  • Create a script /var/ossec/active-response/bin/ossec-telegram.sh with the following content (executable, same owner and mode as the other scripts in that directory):
#!/bin/sh
# Author: Yevgeniy Goncharov aka xck, http://sys-adm.in
# Send alert to Telegram from OSSEC
#
# Run by ossec-execd as an active response. Arguments (OSSEC / Wazuh 3.x):
#   $1 action (add|delete)  $2 user  $3 source IP  $4 alert id  $5 rule id

# Sys env / paths / etc
# -------------------------------------------------------------------------------------------
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Telegram settings
# The bot token is a credential: keep this file readable only by the ossec user
# (root:ossec, mode 750) and out of version control.
TOKEN="682436648:AAESTcCBsSQir25WWQxmTFQzG1FvooGPl_0"
#CHAT_ID="-1001482606391"
CHAT_ID=""

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

# The script lives in /var/ossec/active-response/bin, so BASE is /var/ossec/active-response
LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../ || exit 1
BASE=$(pwd)

# Logging the call
echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${BASE}/../logs/active-responses.log"

# Getting full alert. Every block in alerts.log starts with "** Alert <id>: ..." where
# <id> is exactly the value passed in $4, so match the whole id as a fixed string (-F)
# rather than only its epoch-seconds half, which would mix up alerts raised in the same
# second. Then drop the header, Src IP and User lines (already passed as arguments),
# keep the Rule line plus four lines of context, trim to 139 characters and strip quotes.
#ALERT=`grep -A 5 "Alert $ALERTTIME" ${BASE}/../logs/alerts/alerts.log | grep -v "Alert"`
ALERT=$(grep -F -A 10 "Alert $ALERTID:" "${BASE}/../logs/alerts/alerts.log" \
  | grep -F -v "Alert $ALERTID:" \
  | grep -v "Src IP: " \
  | grep -v "User: " \
  | grep -A 4 "Rule: " \
  | cut -c -139 \
  | sed 's/"//g')

#echo Alert: $ALERT >> ${BASE}/../logs/active-responses.log

# Nothing to send if the alert could not be found in alerts.log
[ -n "$ALERT" ] || exit 0

# --data-urlencode instead of -d: '&', '+' and '%' in the alert text would otherwise
# be read as form syntax and truncate or corrupt the message.
curl -s \
-X POST \
"https://api.telegram.org/bot$TOKEN/sendMessage" \
--data-urlencode "text=$ALERT" \
--data-urlencode "chat_id=$CHAT_ID"

#echo $ACTION $USER $IP $ALERTID $RULEID >> ${BASE}/../logs/active-responses.log
#echo ALERTID=$ALERTID ALERT=$ALERT >> ${BASE}/../logs/active-responses.log

Note: the script is reused from: https://github.com/m0zgen/ossec-to-telegram/blob/master/ossec-telegram.sh
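The alerts.log lookup is the fragile part of the script: a fixed `grep -A` window can run into the next alert block, and `curl -d` sends the message body unencoded. The block below is an added example, not code from the gist or from the upstream ossec-to-telegram project. It reads one alert block by its exact id (the id ossec-execd passes as `$4`) with awk, stopping at the blank line that ends the block, shapes it the same way the script does, and posts it with `--data-urlencode`. The two-alert alerts.log it parses is constructed inline so the example runs offline; `TELEGRAM_TOKEN` and `TELEGRAM_CHAT_ID` are assumed variable names, and curl is only called when both are set.

```sh
#!/bin/sh
# Added example (not part of the original gist): look up one OSSEC/Wazuh alert
# by its exact id and turn it into a Telegram message.

# Constructed sample of the classic alerts.log text format, two alerts.
SAMPLE_LOG="${TMPDIR:-/tmp}/alerts-sample.$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
** Alert 1575620000.12345: - syslog,sshd,authentication_failed,
2019 Dec 06 08:40:59 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.0.2.10
User: root
Dec  6 08:40:59 host sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2

** Alert 1575620001.67890: mail  - syslog,sudo,
2019 Dec 06 08:41:00 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: alice
Dec  6 08:41:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow

EOF

# extract_alert LOGFILE ALERTID
# Prints the body of the block whose header is "** Alert ALERTID: ...", ending at
# the blank line that closes it. Comparing the whole id means two alerts raised in
# the same second are never mixed, and the next block is never pulled in.
extract_alert() {
  awk -v id="$2" '
    $0 == "" { if (inblk) exit }        # blank line ends the selected block
    $1 == "**" && $2 == "Alert" {       # header: "** Alert <id>: ..."
      hdr = $3; sub(/:$/, "", hdr)
      inblk = (hdr == id)
      next
    }
    inblk { print }
  ' "$1"
}

# format_message LOGFILE ALERTID
# Drops Src IP/User lines (execd already passes them as $3 and $2), keeps the
# Rule line plus up to four lines of raw log, trims to 139 characters and strips
# double quotes, i.e. the same shaping the active-response script applies.
format_message() {
  extract_alert "$1" "$2" \
    | grep -v '^Src IP: ' \
    | grep -v '^User: ' \
    | grep -A 4 'Rule: ' \
    | cut -c -139 \
    | sed 's/"//g'
}

# send_telegram TOKEN CHAT_ID MESSAGE
# --data-urlencode, unlike -d, percent-encodes '&', '+' and '%' so the alert
# text cannot be truncated or reinterpreted as additional form fields.
send_telegram() {
  curl -s -X POST "https://api.telegram.org/bot$1/sendMessage" \
    --data-urlencode "chat_id=$2" \
    --data-urlencode "text=$3"
}

# Example run: with TELEGRAM_TOKEN and TELEGRAM_CHAT_ID (assumed names) set the
# message is posted; otherwise it is printed so the example works offline.
if [ -n "$TELEGRAM_TOKEN" ] && [ -n "$TELEGRAM_CHAT_ID" ]; then
  send_telegram "$TELEGRAM_TOKEN" "$TELEGRAM_CHAT_ID" "$(format_message "$SAMPLE_LOG" 1575620001.67890)"
else
  format_message "$SAMPLE_LOG" 1575620001.67890
fi
```

To use it from an active response, replace the sample log with `/var/ossec/logs/alerts/alerts.log` and pass `$4` as the alert id; the awk lookup is the only part that differs from the script above, and it is what keeps a burst of alerts in one second from producing a message that mixes rules.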
