This document is published with MrDoc
# Integrating Wazuh with Telegram alert notifications
This page follows the article below; the script is that author's work: https://medium.com/@jesusjimsa_12801/integrating-telegram-with-wazuh-4d8db91025f

The script is as follows. *Remember to replace `CHAT_ID`.*

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
import json

try:
    import requests
except Exception:
    print("No module 'requests' found. Install: pip3 install requests")
    sys.exit(1)

CHAT_ID = "51477xxxx"


def create_message(alert_json):
    # Get alert information
    title = alert_json['rule']['description'] if 'description' in alert_json['rule'] else ''
    description = alert_json['full_log'] if 'full_log' in alert_json else ''
    # str.replace returns a new string; assign it, otherwise the result is discarded
    description = description.replace("\\n", "\n")
    alert_level = alert_json['rule']['level'] if 'level' in alert_json['rule'] else ''
    groups = ', '.join(alert_json['rule']['groups']) if 'groups' in alert_json['rule'] else ''
    rule_id = alert_json['rule']['id'] if 'id' in alert_json['rule'] else ''
    agent_name = alert_json['agent']['name'] if 'name' in alert_json['agent'] else ''
    agent_id = alert_json['agent']['id'] if 'id' in alert_json['agent'] else ''

    # Format message with markdown
    msg_content = f'*{title}*\n\n'
    msg_content += f'_{description}_\n'
    msg_content += f'*Groups:* {groups}\n' if len(groups) > 0 else ''
    msg_content += f'*Rule:* {rule_id} (Level {alert_level})\n'
    msg_content += f'*Agent:* {agent_name} ({agent_id})\n' if len(agent_name) > 0 else ''

    msg_data = {}
    msg_data['chat_id'] = CHAT_ID
    msg_data['text'] = msg_content
    msg_data['parse_mode'] = 'markdown'

    # Debug information
    with open('/var/ossec/logs/integrations.log', 'a') as f:
        f.write(f'MSG: {msg_data}\n')

    return json.dumps(msg_data)


# Read configuration parameters
# Wazuh runs an integration as: <script> <alert_file> <api_key> <hook_url>
alert_file = open(sys.argv[1])
hook_url = sys.argv[3]

# Read the alert file
alert_json = json.loads(alert_file.read())
alert_file.close()

# Send the request
msg_data = create_message(alert_json)
headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}
response = requests.post(hook_url, headers=headers, data=msg_data)

# Debug information
with open('/var/ossec/logs/integrations.log', 'a') as f:
    f.write(f'RESPONSE: {response}\n')

sys.exit(0)
```

Next, edit `ossec.conf` so that `<name>` matches the script we just created (Wazuh looks for custom integrations under `/var/ossec/integrations/`, and a custom script's name must start with `custom-`). This block also configures our hook URL; remember to replace `<YOUR-BOT-TOKEN>` (including the angle brackets) with your bot token. Because this is for testing, we set `<level>` to 3, so alerts of level 3 and above are forwarded; in production, adjust it to your needs.

```xml
<ossec_config>
  <integration>
    <name>custom-telegram</name>
    <hook_url>https://api.telegram.org/bot<YOUR-BOT-TOKEN>/sendMessage</hook_url>
    <alert_format>json</alert_format>
    <level>3</level>
  </integration>
</ossec_config>
```
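As an added example (my own code, not the page's script nor the Medium author's), the following variant of the message builder separates payload construction from sending so it can be exercised offline, tolerates missing keys in the alert, escapes the log content for Telegram's MarkdownV2 so an alert whose `full_log` contains `*`, `_` or `[` cannot break the message formatting or be rejected by the API, and truncates the log excerpt so the message stays within Telegram's 4096-character limit. It uses only the standard library, so `requests` is not needed. `CHAT_ID` is a placeholder, `SAMPLE_ALERT` is a constructed alert in the shape Wazuh writes to `alerts.json`, and the 4096 limit and the escape set are taken from the Telegram Bot API documentation.

```python
#!/usr/bin/env python3
"""Hardened Telegram payload builder for a Wazuh integration (added example, not the page's script)."""
import json
import sys
import urllib.request

CHAT_ID = "REPLACE-WITH-CHAT-ID"          # placeholder: your Telegram chat id
TELEGRAM_MAX_TEXT = 4096                  # Telegram Bot API limit for the sendMessage text field
LOG_PATH = "/var/ossec/logs/integrations.log"
# Characters MarkdownV2 requires to be backslash-escaped, plus the backslash itself
MDV2_SPECIAL = set("_*[]()~`>#+-=|{}.!\\")
TRUNCATED = " \\[truncated\\]"            # marker appended to an over-long log excerpt

# Constructed sample alert in the shape Wazuh writes to alerts.json; the log line
# deliberately contains Markdown characters (*admin*_) that would break an unescaped message.
SAMPLE_ALERT = {
    "rule": {"description": "sshd: authentication failed.", "level": 5, "id": "5716",
             "groups": ["syslog", "sshd", "authentication_failed"]},
    "agent": {"id": "001", "name": "web-01"},
    "full_log": ("Jan  1 10:00:00 web-01 sshd[1234]: Failed password for invalid user "
                 "*admin*_ from 203.0.113.7 port 4242 ssh2"),
}


def escape_markdown_v2(text):
    """Escape every MarkdownV2-significant character so untrusted text renders literally."""
    return "".join("\\" + ch if ch in MDV2_SPECIAL else ch for ch in str(text))


def build_payload(alert, chat_id):
    """Turn one Wazuh JSON alert into a sendMessage payload; never raises on missing keys."""
    rule = alert.get("rule") or {}
    agent = alert.get("agent") or {}

    title = escape_markdown_v2(rule.get("description", ""))
    # Wazuh stores embedded newlines as the two characters "\n"; restore them before escaping
    description = escape_markdown_v2(str(alert.get("full_log", "")).replace("\\n", "\n"))
    groups = escape_markdown_v2(", ".join(map(str, rule.get("groups") or [])))
    agent_name = escape_markdown_v2(agent.get("name", ""))
    level = escape_markdown_v2(rule.get("level", ""))
    rule_id = escape_markdown_v2(rule.get("id", ""))
    agent_id = escape_markdown_v2(agent.get("id", ""))

    head = f"*{title}*\n\n"
    tail = ""
    if groups:
        tail += f"*Groups:* {groups}\n"
    tail += f"*Rule:* {rule_id} \\(Level {level}\\)\n"
    if agent_name:
        tail += f"*Agent:* {agent_name} \\({agent_id}\\)\n"

    # Budget the log excerpt so head + _excerpt_ + tail never exceeds the API limit;
    # the italic wrapper costs 3 characters ("_", "_", "\n").
    budget = max(TELEGRAM_MAX_TEXT - len(head) - len(tail) - 3 - len(TRUNCATED), 0)
    if len(description) > budget:
        # rstrip so the cut cannot leave a dangling backslash that would escape the marker
        description = description[:budget].rstrip("\\") + TRUNCATED
    body = f"_{description}_\n" if description else ""

    return {"chat_id": chat_id, "text": head + body + tail, "parse_mode": "MarkdownV2"}


def send(payload, hook_url, timeout=10):
    """POST the payload to the Telegram hook URL; returns the HTTP status code."""
    req = urllib.request.Request(
        hook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main(argv):
    # Wazuh invokes an integration as: <script> <alert_file> <api_key> <hook_url>.
    # Without arguments, build the payload for the constructed sample and print it (no network).
    if len(argv) < 4:
        print(json.dumps(build_payload(SAMPLE_ALERT, CHAT_ID), indent=2, ensure_ascii=False))
        return 0
    with open(argv[1], encoding="utf-8") as f:
        alert = json.load(f)
    status = send(build_payload(alert, CHAT_ID), argv[3])
    # Log only what is needed to debug delivery, not the whole message or the chat id
    with open(LOG_PATH, "a", encoding="utf-8") as f:
        f.write(f"telegram status={status} rule_id={(alert.get('rule') or {}).get('id')}\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the escaped payload for the sample alert; installed as `/var/ossec/integrations/custom-telegram` it accepts the same three arguments Wazuh passes to the page's script. MarkdownV2 is used instead of the legacy `markdown` mode because the legacy mode does not allow escaping inside an entity, so a log line wrapped in `_..._` can still terminate the italic early.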
admin
20 May 2024 16:46