SMS for Wazuh

Wazuh provides basic email notifications and can be “hacked” to send emails to an SMS Gateway, but the alerts will tend to be longer than a life sentence. Fortunately, AWS has a service (SNS) for this, and Wazuh has an integration module for it.

As the line stolen from “The Matrix” said, “First of all, we’ll need an SNS-TOPIC for SMS.”

I recommend one examine the AWS SNS documentation.

From the management console:

Step 1: Log into the management console. Search for SNS

Step 2: From the SNS Dashboard, Select Topics:

Step 3: In the Topics Panel, select Create Topic:

Step 4: Create the topic:

We will select Standard, enter a topic name, and set a friendly display name; thence, select Create topic. Note that encryption in transit is now the default option.

Step 5: Note Results, Specifically the ARN (Amazon Resource Name)

Note the ARN, and then create a subscription.

In the protocol panel, we have several options; for THIS example, we will select SMS.

In the subscriptions panel, we note the subscription was created and confirmed.

From the CLI:

Step 1: Create the Topic

$ aws --region us-east-1 --profile default sns create-topic --name wazuh_sms_sns_topic
{
    "TopicArn": "arn:aws:sns:us-east-1:XXXXXXXXXXXXXXXXXXXXX:wazuh_sms_sns_topic"
}

This uses the CLI command sns create-topic. It takes a few options; a review of the command reference is suggested.

DO NOTE THE TOPIC ARN.

Step 2: Create the subscription to the topic ARN created prior:

$ aws --region us-east-1 --profile default sns subscribe --topic-arn arn:aws:sns:us-east-1:XXXXXXXXXXXX:wazuh_sms_sns_topic --protocol sms --notification-endpoint +1917XXXXXXX
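The two CLI steps above, gathered into one script as an added example (mine, not from the original post, Wazuh or AWS). It captures the TopicArn with --query instead of reading it off the JSON by eye, checks the ARN and the phone number's E.164 form before calling subscribe, and uses protocol sms for the SMS endpoint. The topic name is the one used above; the phone number and the 12-digit account id in the dry-run ARN are constructed placeholders, and WAZUH_SNS_RUN is a variable introduced here: by default the script only prints the aws commands, set WAZUH_SNS_RUN=1 to execute them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post, Wazuh or AWS): the two CLI
# steps as one script. Topic name follows the post; the phone number and
# the 12-digit account id in the dry-run ARN are constructed placeholders.
# Set WAZUH_SNS_RUN=1 to execute the aws commands; by default they are
# only printed.
set -u

REGION="${REGION:-us-east-1}"
PROFILE="${PROFILE:-default}"
TOPIC_NAME="${TOPIC_NAME:-wazuh_sms_sns_topic}"
PHONE="${PHONE:-+19175550100}"        # constructed placeholder in E.164 form
WAZUH_SNS_RUN="${WAZUH_SNS_RUN:-0}"

# SNS only delivers SMS to E.164 numbers: a leading '+' then 2 to 15 digits.
is_e164() {
  printf '%s' "$1" | grep -Eq '^\+[1-9][0-9]{1,14}$'
}

# A topic ARN is arn:aws:sns:<region>:<12-digit account id>:<topic name>;
# topic names allow letters, digits, hyphens and underscores.
is_topic_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws:sns:[a-z0-9-]+:[0-9]{12}:[A-Za-z0-9_-]+$'
}

# Execute an aws subcommand, or print it when not in run mode.
run_aws() {
  if [ "$WAZUH_SNS_RUN" = "1" ]; then
    aws --region "$REGION" --profile "$PROFILE" "$@"
  else
    printf 'DRY RUN: aws --region %s --profile %s %s\n' "$REGION" "$PROFILE" "$*" >&2
  fi
}

# Step 1: create the topic and return its ARN. --query/--output text pulls
# TopicArn out of the JSON; the dry run substitutes a constructed ARN.
create_topic() {
  if [ "$WAZUH_SNS_RUN" = "1" ]; then
    aws --region "$REGION" --profile "$PROFILE" sns create-topic \
      --name "$TOPIC_NAME" --query 'TopicArn' --output text
  else
    run_aws sns create-topic --name "$TOPIC_NAME" --query 'TopicArn' --output text
    printf 'arn:aws:sns:%s:123456789012:%s\n' "$REGION" "$TOPIC_NAME"
  fi
}

# Step 2: subscribe the phone to the topic. The protocol for an SMS endpoint
# is "sms"; both arguments are validated before anything reaches AWS.
subscribe_sms() {
  local topic_arn="$1" phone="$2"
  is_topic_arn "$topic_arn" || { echo "not a topic ARN: $topic_arn" >&2; return 1; }
  is_e164 "$phone" || { echo "phone must be E.164, e.g. +1917XXXXXXX: $phone" >&2; return 1; }
  run_aws sns subscribe --topic-arn "$topic_arn" --protocol sms \
    --notification-endpoint "$phone"
}

main() {
  local topic_arn
  topic_arn="$(create_topic)" || return 1
  subscribe_sms "$topic_arn" "$PHONE"
}

main
```

Run it once in dry-run mode to see exactly what will be sent, then with WAZUH_SNS_RUN=1; the validation matters because a number without the leading + or a mistyped ARN is rejected by AWS only after the call is made.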

Integration with Wazuh (as per the Wazuh blog's AWS SNS integration post)

Assuming one has logged into the Wazuh Server and has become the superuser, we will change to the /var/ossec/etc directory and back up our ossec.conf file.

cd /var/ossec/etc
# timestamped backup of the current configuration
cp ossec.conf "$(date +%Y%m%d-%H%M%S)-ossec.conf"

I will retrieve the custom script and change file permissions and group.

curl "https://wazuh.com/resources/blog/sending-wazuh-alerts-via-sms/custom-sns-integration.py" -o /var/ossec/integrations/custom-sns-integration
chmod 750 /var/ossec/integrations/custom-sns-integration
chown root:ossec /var/ossec/integrations/custom-sns-integration

We will create an sns.conf file in the /var/ossec/etc directory.

nano /var/ossec/etc/sns.conf
# INSERT IN sns.conf (use the topic ARN noted when the topic was created)
[SNSCONFIG]
topic_arn=arn:aws:sns:us-east-1:xxxxxxxxxxx:sms-alerts-service
region=us-east-1

We will then add the SNS integration stanza to the integrations section of the ossec.conf file (inside the <ossec_config> element):

<integration>
   <name>custom-sns-integration</name>
   <alert_format>json</alert_format>
   <level>12</level>
</integration>

Note that alerts can also be filtered by rule_id or group instead of, or in addition to, the level.

Thence we will restart the wazuh-manager service:

systemctl restart wazuh-manager

Whilst doing so, monitor /var/ossec/logs/ossec.log for issues and errors.

Review /var/ossec/logs/sns.log for sent SNS messages.
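A pre-flight check for the integration steps above, added here as an example (not part of the original post or of Wazuh): it verifies that the script is in place with mode 750, that sns.conf carries the [SNSCONFIG] section with a well-formed topic_arn and region, and that ossec.conf has an <integration> block naming the script with alert_format json; after the restart it counts wazuh-integratord errors in ossec.log that mention the script. OSSEC_ROOT (default /var/ossec) is an assumed variable so the checks can be run against a copy of the tree; the "wazuh-integratord: ERROR:" log pattern is my assumption about Wazuh's log format, and ownership (root:ossec) is left to the chown step above.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post or of Wazuh): pre-flight
# checks for the custom-sns-integration setup. OSSEC_ROOT is an assumed
# variable so the checks can run against a copy of the tree; it defaults
# to the real /var/ossec. The log pattern below assumes Wazuh's
# "wazuh-integratord: ERROR:" line format.
set -u
OSSEC_ROOT="${OSSEC_ROOT:-/var/ossec}"
INTEGRATION="custom-sns-integration"

# The script must sit in integrations/, be executable and have mode 750
# (ownership root:ossec is left to the chown step in the post).
check_script() {
  local f="$1/integrations/$INTEGRATION"
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  [ -x "$f" ] || { echo "$f is not executable" >&2; return 1; }
  [ -n "$(find "$f" -perm 750)" ] || { echo "$f does not have mode 750" >&2; return 1; }
}

# sns.conf must have the [SNSCONFIG] section with a well-formed topic_arn
# and a region.
check_sns_conf() {
  local f="$1/etc/sns.conf"
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  grep -q '^\[SNSCONFIG\]' "$f" || { echo "$f lacks [SNSCONFIG]" >&2; return 1; }
  grep -Eq '^topic_arn=arn:aws:sns:[a-z0-9-]+:[0-9]{12}:[A-Za-z0-9_-]+$' "$f" \
    || { echo "$f lacks a well-formed topic_arn" >&2; return 1; }
  grep -Eq '^region=[a-z]{2}(-[a-z]+)+-[0-9]+$' "$f" \
    || { echo "$f lacks a region" >&2; return 1; }
}

# ossec.conf must contain an <integration> block that names the script and
# uses alert_format json, both inside the same block.
check_ossec_conf() {
  local f="$1/etc/ossec.conf"
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  awk -v name="$INTEGRATION" '
    /<integration>/   { inblk = 1; blk = "" }
    inblk             { blk = blk $0 }
    /<\/integration>/ {
      if (inblk && index(blk, "<name>" name "</name>") &&
          index(blk, "<alert_format>json</alert_format>")) found = 1
      inblk = 0
    }
    END { exit found ? 0 : 1 }' "$f" \
    || { echo "$f has no <integration> block for $INTEGRATION with alert_format json" >&2; return 1; }
}

# Count wazuh-integratord ERROR/WARNING lines in ossec.log that mention the
# script; a non-zero count after the restart means the integration is failing.
integration_errors() {
  local f="$1/logs/ossec.log"
  [ -f "$f" ] || { echo 0; return 0; }
  grep -E 'wazuh-integratord: (ERROR|WARNING):' "$f" | grep -c "$INTEGRATION" || true
}

preflight() {
  local root="${1:-$OSSEC_ROOT}" rc=0
  check_script "$root"     || rc=1
  check_sns_conf "$root"   || rc=1
  check_ossec_conf "$root" || rc=1
  return "$rc"
}

# ./sns-preflight.sh run checks the real tree; sourcing only defines functions.
if [ "${1:-}" = "run" ]; then
  preflight && echo "pre-flight checks passed under $OSSEC_ROOT"
  echo "integratord errors mentioning $INTEGRATION: $(integration_errors "$OSSEC_ROOT")"
fi
```

Run it as root before and after the systemctl restart: the three configuration checks catch the common mistakes (script not executable, ARN pasted with a typo, stanza outside <ossec_config>) without waiting for a level 12 alert, and the error count tells you whether integratord managed to run the script once alerts did fire.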