SMS for Wazuh

by Posted on

Wazuh provides basic email notifications and can be “hacked” to send emails to an SMS Gateway, but the alerts will tend to be longer than a life sentence. Fortunately, AWS has a service, and Wazuh has an integration module to do this.

As the line stolen from “The Matrix” said, “First of all, we’ll need an SNS-TOPIC for SMS.”

I recommend one examine the AWS SNS documentation.

From the management console:

Step 1: Log into the management console. Search for SNS

Step 2: From the SNS Dashboard, Select Topics:

Step 3: In the Topics Panel, select Create Topic:

Step 4: Create the topic:

We will select Standard, enter a topic name, and set a friendly name; thence, select create a topic. Note encryption in transit is now the default option.

Step 5: Note Results, Specifically the ARN (Amazon Resource Name)

Note the ARN, and then create a subscription.

In the protocol panel, we have several options; for THIS example, we will select SMS.

In the subscriptions panel, we note the subscription was created and confirmed.

From the CLI:

Step 1: Create the Topic

$ aws --region us-east-1 --profile default sns create-topic --name wazuh_sms_sns_topic
{
    "TopicArn": "arn:aws:sns:us-east-1:XXXXXXXXXXXXXXXXXXXXX:wazuh_sms_sns_topic"
}

This uses the CLI command SNS.create-topic. There are a few options, but a review of the command reference is suggested.

DO NOTE THE TOPIC ARN.

Step 2: Create the subscription to the topic ARN created prior:

aws --region us-east-1 --profile default sns subscribe --topic-arn arn:aws:sns:us-east-1:XXXXXXXXXXXX:wazuh_sms_sns_topic --protocol sns --notification-endpoint 1917XXXXXXX

Integration with Wazuh As per AWS SNS integration

Assuming one has logged into the Wazuh Server and has become the superuser, we will change the directory to the /var/ossec/etc directory and back up our ossec.conf file.

cd /var/ossec/conf
cp ossec.conf <DATE>-<TIME>-ossec.onf

I will retrieve the custom script and change file permissions and group.

curl "https://wazuh.com/resources/blog/sending-wazuh-alerts-via-sms/custom-sns-integration.py" -o /var/ossec/integrations/custom-sns-integration
chmod 750 /var/ossec/integrations/custom-sns-integration
chown root:ossec /var/ossec/integrations/custom-sns-integration

We will create an sns.conf file in the /var/ossec/etc directory.

nano /var/ossec/etc/sns.conf
# INSERT IN sns.conf
[SNSCONFIG]
topic_arn=arn:aws:sns:us-east-1:xxxxxxxxxxx:sms-alerts-service
region=us-east-1

We will then add the SNS integration stanza into the integrations chapter in the ossec.conf file

<integration>
   <name>custom-sns-integration</name>
   <alert_format>json</alert_format>
   <level>12</level>
</integration>

Note it’s possible to filter alerts through its rule_id or group.

Thence we will restart the wazah-manager service.

systemctl restart wazuh-manager

Whilst monitoring /var/ossec/logs/ossec.log for issues and errors.

Review /var/ossec/logs/sns.log for sent SNS messages.

Published by crawls