WAZUH, !! SLACKERS!!
This is a quick and dirty post on integrating Slack notifications into Wazuh.
It is based on the Wazuh Slack integration documentation, which one should read before cutting and pasting anything below.
We shall assume one is signed into the Wazuh manager and has become root. We will also require a Slack incoming webhook URL: obtain one from your Slack administrator or create one. Treat that URL as a credential; anyone who has it can post into the channel, so do not paste it into tickets or chat, and keep it out of shell history where you can.
We shall change to the /var/ossec/etc directory and back up ossec.conf before touching it. Mistakes happen, and a dated copy is the easiest way to recover.

```sh
cd /var/ossec/etc
# -p keeps the original owner and mode, so the backup is no more readable than the live file
cp -p ./ossec.conf "./$(date +%Y%m%d-%H%M%S)-ossec.conf"
```
Edit ossec.conf and insert the following stanza inside the top-level <ossec_config> element, for example just before the Osquery integration stanza.

```xml
<!-- Slack Integration -->
<integration>
  <name>slack</name>
  <hook_url>YOUR_SLACK_WEBHOOK</hook_url> <!-- Replace with your Slack Webhook -->
  <level>9</level>
  <alert_format>json</alert_format>
</integration>
```
The <level> element (line 5 above) is the minimum rule level you want Slack notifications for; Wazuh levels run from 0 to 15, and the integration fires for every alert whose rule level is equal to or greater than the value you set. Level 9 is a sensible starting point: lower values will flood the channel. The Wazuh documentation also lets you narrow the integration with <rule_id> and <group> filters if you want only specific rules or groups in Slack. Keep <alert_format> as json, which is what the Slack integration script expects.
NOTE: Leave the <!-- Replace with your Slack Webhook --> comment in place; it is an XML comment, so it is harmless and marks where the secret lives for whoever edits the file next.
Restart the Wazuh manager and watch /var/ossec/logs/ossec.log for configuration errors. The integration itself runs as an external script under /var/ossec/integrations/, and failures from that script (for example a rejected webhook) are written to /var/ossec/logs/integrations.log, so check both. While you are there, confirm that ossec.conf is not world-readable, since it now holds the webhook URL.

```sh
systemctl restart wazuh-manager
tail -f /var/ossec/logs/ossec.log
tail -f /var/ossec/logs/integrations.log
ls -l /var/ossec/etc/ossec.conf
```
Test your integration by triggering a rule whose level is equal to or greater than the level you configured, and review your Slack channel. A few deliberately failed SSH logins against a monitored host will fire the SSH brute-force rule, which is level 10 in the default ruleset, and is an easy way to prove the pipeline end to end.
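The steps above (back up, insert the stanza, validate the level, and avoid exposing the webhook) can be wrapped in one function so the edit is repeatable and refuses to add a second Slack stanza. This is an added example, not code from the Wazuh project or from the post above. It assumes the webhook is supplied in the SLACK_WEBHOOK environment variable rather than on the command line (command lines show up in ps and shell history), that the file contains at least one closing </ossec_config> tag, and that the stanza is inserted just before the first one.

```sh
#!/bin/sh
# Added example: idempotently insert the Wazuh Slack <integration> stanza.
# Assumptions: $SLACK_WEBHOOK holds the incoming-webhook URL; the config has a
# closing </ossec_config> tag (the stock ossec.conf has two blocks, so we use
# the first); you run this as root on the manager.
#
# usage: SLACK_WEBHOOK='https://hooks.slack.com/services/...' \
#        add_slack_integration /var/ossec/etc/ossec.conf 9
add_slack_integration() {
    conf="$1"
    level="${2:-9}"
    hook="${SLACK_WEBHOOK:-}"

    # Sanity checks before touching the manager's configuration.
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    case "$hook" in
        https://hooks.slack.com/services/*) ;;
        *) echo "SLACK_WEBHOOK must be a Slack incoming-webhook URL" >&2; return 1 ;;
    esac
    case "$level" in
        *[!0-9]*|'') echo "level must be a number between 0 and 15" >&2; return 1 ;;
    esac
    [ "$level" -ge 0 ] && [ "$level" -le 15 ] || { echo "level must be 0-15" >&2; return 1; }

    # Refuse to add a second Slack stanza; the manager would run both.
    if grep -q '<name>slack</name>' "$conf"; then
        echo "slack integration already present in $conf" >&2
        return 2
    fi
    grep -q '</ossec_config>' "$conf" || { echo "no </ossec_config> in $conf" >&2; return 1; }

    # Timestamped backup with the original owner and mode (cp -p); the backup
    # will contain the webhook too, so it must not be more readable than the live file.
    cp -p "$conf" "$conf.$(date +%Y%m%d-%H%M%S).bak"

    # Insert the stanza immediately before the first </ossec_config>.
    # awk -v avoids sed's quoting pitfalls with the slashes in the URL.
    tmp="$conf.tmp.$$"
    awk -v hook="$hook" -v level="$level" '
        /<\/ossec_config>/ && !done {
            print "  <!-- Slack Integration -->"
            print "  <integration>"
            print "    <name>slack</name>"
            print "    <hook_url>" hook "</hook_url>"
            print "    <level>" level "</level>"
            print "    <alert_format>json</alert_format>"
            print "  </integration>"
            done = 1
        }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
    # Writing through cat > keeps the existing file's owner and permissions
    # (root:wazuh, mode 640 on a stock manager) instead of replacing the inode.
}
```

After the function succeeds, restart wazuh-manager and watch ossec.log and integrations.log exactly as above; the function does not restart anything itself, so a bad edit can still be reverted from the .bak copy before the manager ever reads it.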