https://sys-adm.in/security/850-ossec-otpravka-uvedomlenij-v-telegram.html
- Add the following configuration block to the OSSEC config file
/var/ossec/etc/ossec.conf
<ossec_config>
...
<command>
  <name>send-telegram</name>
  <!-- the executable is looked up in /var/ossec/active-response/bin/ -->
  <executable>ossec-telegram.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>send-telegram</command>
  <!-- "local" runs the script on the host that produced the event. The script reads
       the manager's alerts.log, so use "server" if alerts also come from agents. -->
  <location>local</location>
  <!-- fire for every alert of level 6 or higher -->
  <level>6</level>
</active-response>
...
</ossec_config>
- Create a script
/var/ossec/active-response/bin/ossec-telegram.sh
with the following content:
#!/bin/sh
# Author: Yevgeniy Goncharov aka xck, http://sys-adm.in
# Send alert to Telegram from OSSEC
#
# ossec-analysisd calls this as an active response with:
#   $1 action (add / delete)  $2 user  $3 source IP  $4 alert id  $5 rule id
# Sys env / paths / etc
# -------------------------------------------------------------------------------------------
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Telegram settings. The token is a credential: put your own bot's token here
# and keep this file readable by the ossec user only.
TOKEN="682436648:AAESTcCBsSQir25WWQxmTFQzG1FvooGPl_0"
#CHAT_ID="-1001482606391"
CHAT_ID=""

ACTION=$1
USER=$2
IP=$3
ALERTID=$4          # e.g. 1589203612.65432: epoch seconds and the alert's offset in alerts.log
RULEID=$5

# /var/ossec/active-response/bin -> /var/ossec
BASE=$(cd "$(dirname "$0")/../.." && pwd)
ALERTLOG="$BASE/logs/alerts/alerts.log"

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "$BASE/logs/active-responses.log"

# Getting full alert. The block in alerts.log starts with a header such as
#   ** Alert 1589203612.65432: - syslog,sshd,authentication_failed,
# and ends at the next blank line. Select that block by its exact id, drop the header
# and the "Src IP:" / "User:" lines, keep "Rule:" plus the four lines after it, trim
# to 139 columns and strip double quotes.
ALERT=$(sed -n "/^\*\* Alert $ALERTID:/,"'/^$/p' "$ALERTLOG" \
    | grep -v "^\*\* Alert " \
    | grep -v "Src IP: " \
    | grep -v "User: " \
    | grep -A 4 "Rule: " \
    | cut -c -139 \
    | sed 's/"//g')
#echo "ALERTID=$ALERTID ALERT=$ALERT" >> "$BASE/logs/active-responses.log"

# Nothing found: log it and stop, Telegram rejects an empty text anyway
[ -z "$ALERT" ] && { echo "`date` $0: no alert $ALERTID in $ALERTLOG" >> "$BASE/logs/active-responses.log"; exit 0; }

# --data-urlencode rather than -d: log lines may contain &, + or %, which would
# otherwise be read as form-field syntax and corrupt the message.
curl -s \
    -X POST \
    "https://api.telegram.org/bot$TOKEN/sendMessage" \
    --data-urlencode "text=$ALERT" \
    -d "chat_id=$CHAT_ID"
Note: the script is reused from: https://github.com/m0zgen/ossec-to-telegram/blob/master/ossec-telegram.sh
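To see exactly what the script will push to Telegram before enabling it, here is an added, offline-runnable example (my own code, not part of this note or of the m0zgen script) that runs the same extraction pipeline over a constructed alerts.log excerpt. The two alerts, hostnames, addresses and timestamps are made up; TELEGRAM_TOKEN and TELEGRAM_CHAT_ID are assumed environment-variable names, and nothing is sent unless both are set. It also checks each sample alert against the level 6 threshold that the config above gives to analysisd.

```shell
#!/bin/sh
# Added example (not part of the original note or the m0zgen script): exercise the
# alert-extraction step of ossec-telegram.sh offline on a constructed alerts.log excerpt.

# Constructed alerts.log excerpt in the format ossec-analysisd writes (hosts, IPs and
# timestamps are made up). Each alert ends with a blank line.
ALERTLOG=$(mktemp)
trap 'rm -f "$ALERTLOG"' EXIT
cat > "$ALERTLOG" <<'EOF'
** Alert 1589203612.65432: - syslog,sshd,authentication_failed,
2020 May 11 14:06:52 ossec-server->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.10
User: root
May 11 14:06:51 ossec-server sshd[2231]: Failed password for root from 203.0.113.10 port 50122 ssh2

** Alert 1589203700.66012: mail  - syslog,sshd,authentication_failures,
2020 May 11 14:08:20 ossec-server->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.10
User: root
May 11 14:08:18 ossec-server sshd[2240]: Failed password for root from 203.0.113.10 port 50130 ssh2
May 11 14:08:19 ossec-server sshd[2241]: Failed password for root from 203.0.113.10 port 50131 ssh2
May 11 14:08:20 ossec-server sshd[2242]: Failed password for invalid user "administrator" from 203.0.113.10 port 50132 ssh2: Connection closed by authenticating user administrator

EOF

# extract_alert ALERTID LOGFILE
# Same pipeline as the active-response script: take the block whose header is
# "** Alert ALERTID:" up to the next blank line, drop the header and the Src IP / User
# lines, keep "Rule:" plus the four lines after it, trim to 139 columns, strip quotes.
extract_alert() {
    sed -n "/^\*\* Alert $1:/,"'/^$/p' "$2" \
      | grep -v "^\*\* Alert " \
      | grep -v "Src IP: " \
      | grep -v "User: " \
      | grep -A 4 "Rule: " \
      | cut -c -139 \
      | sed 's/"//g'
}

# alert_level TEXT
# Level from the "Rule: NNNN (level N) -> ..." line of an extracted message. analysisd
# applies the <level>6</level> threshold before calling the script; this only shows
# which of the sample alerts would have made it through.
alert_level() {
    printf '%s\n' "$1" | sed -n 's/^Rule: [0-9]* (level \([0-9]*\)).*/\1/p' | head -n 1
}

# send_telegram TOKEN CHAT_ID TEXT
# The request the script makes. --data-urlencode, not -d, so that &, + and % inside log
# lines survive; --fail makes a rejected request visible as a non-zero exit status.
send_telegram() {
    curl -s --fail --max-time 10 \
      -X POST "https://api.telegram.org/bot$1/sendMessage" \
      -d "chat_id=$2" \
      --data-urlencode "text=$3"
}

# Dry run: print what would be sent for each sample alert and whether it clears level 6.
# TELEGRAM_TOKEN / TELEGRAM_CHAT_ID are assumed environment variable names; a message
# is only sent when both are set.
for id in 1589203612.65432 1589203700.66012; do
    msg=$(extract_alert "$id" "$ALERTLOG")
    lvl=$(alert_level "$msg")
    if [ "$lvl" -ge 6 ]; then verdict="would trigger"; else verdict="below threshold"; fi
    printf '=== alert %s (level %s, %s) ===\n%s\n' "$id" "$lvl" "$verdict" "$msg"
    if [ "$lvl" -ge 6 ] && [ -n "${TELEGRAM_TOKEN:-}" ] && [ -n "${TELEGRAM_CHAT_ID:-}" ]; then
        send_telegram "$TELEGRAM_TOKEN" "$TELEGRAM_CHAT_ID" "$msg"
    fi
done
```

Run it as-is for a dry run; the first sample alert (level 5) is shown as below the threshold and would never reach the script on a real manager, the second (level 10) is what the Telegram message would contain, with the over-long third log line cut at 139 columns and its double quotes removed.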