
Wazuh notifier

Wazuh notifier enables the Wazuh manager to be notified when selected events occur.

Contents

The main script is a custom active response Python script: wazuh-active-response.py.
The actual sending of the messages is done by two notifier Python scripts:
the Discord notifier, wazuh-discord-notifier.py, and the NTFY.sh notifier, wazuh-ntfy-notifier.py.
Both are driven by a YAML configuration, wazuh-notifier-config.yaml, and a shared Python module, wazuh_notifier_lib.py.

Wazuh notifier is a stateless implementation and only notifies, using the Discord and/or NTFY.sh messaging services.

The Wazuh notifier is triggered by configuring the ossec.conf and adding an active response configuration.

Installation

Step 1

Download the files from https://github.com/RudiKlein/wazuh-notifier to your server.

Step 2

Copy the 4 Python files to the /var/ossec/active-response/bin/ folder

$ cp <folder containing downloaded Wazuh notifier files>/wazuh-*.py /var/ossec/active-response/bin/

Set the correct ownership

$ chown root:wazuh /var/ossec/active-response/bin/wazuh-*.py

Set the correct permissions

$ chmod uog+rx /var/ossec/active-response/bin/wazuh-*.py

Step 3

Copy the YAML file to /var/ossec/etc/

$ cp <folder containing downloaded Wazuh notifier files>/wazuh-notifier-config.yaml /var/ossec/etc/

Set the correct ownership

$ chown root:wazuh /var/ossec/etc/wazuh-notifier-config.yaml

Set the correct permissions

$ chmod uog+r /var/ossec/etc/wazuh-notifier-config.yaml

Step 4

Modify the ossec.conf configuration file and add the following

  <command>
    <name>wazuh-active-response</name>
    <executable>wazuh-active-response.py</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>wazuh-active-response</command>
    <location>server</location>
    <level></level>
    <rules_id></rules_id>
  </active-response>

Add the rules you want to be informed about between <rules_id></rules_id>, with the rule IDs separated by commas. Example: <rules_id>5402, 3461, 8777</rules_id>
(Please refer to the Wazuh online documentation for more information.)

The Active Response module

The wazuh-active-response.py script acts as the interface between Wazuh and the messaging notifiers for Discord and ntfy. It is based on the example active response Python script in the Wazuh online documentation.

The Discord notifier

The ntfy.sh notifier

The YAML configuration

Enable/disable the notifiers

discord_enabled: 1 (0 if not set in the yaml configuration)
ntfy_enabled: 1  (0 if not set in the yaml configuration)

Exclude rules that are enabled in the ossec.conf active response definition.
This prevents the need to alter the ossec.conf for temporary rule disabling and stopping/starting wazuh-manager. Additionally, agents can also be excluded from notifications.

excluded_rules: "5401, 5402, 5403"
excluded_agents: "999"
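As an added example (not the repository's own code), the following shows how the enable flags and the excluded_rules / excluded_agents settings above can be applied to an alert before any notifier is called. The configuration is given as the dict that yaml.safe_load() would produce from the YAML, and the stdin JSON shape is assumed to follow the Wazuh active-response convention (alert under parameters.alert).

```python
import json

# Constructed sample, shaped like wazuh-notifier-config.yaml after yaml.safe_load()
SAMPLE_CONFIG = {
    "discord_enabled": 1,
    "ntfy_enabled": 1,
    "excluded_rules": "5401, 5402, 5403",
    "excluded_agents": "999",
}

# Constructed alert in the shape the Wazuh manager pipes to an active-response script
# on stdin (assumed layout: command "add", alert under parameters.alert).
SAMPLE_STDIN = json.dumps({
    "version": 1,
    "origin": {"name": "worker01", "module": "wazuh-analysisd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "5402", "level": 3, "description": "Successful sudo to ROOT executed."},
            "agent": {"id": "001", "name": "web01"},
        },
    },
})


def split_ids(value):
    """Turn the comma-separated strings used in the YAML ('5401, 5402') into a set of IDs."""
    return {item.strip() for item in str(value or "").split(",") if item.strip()}


def parse_active_response_input(raw):
    """Extract the alert from the active-response JSON; None for anything but an 'add'."""
    message = json.loads(raw)
    if message.get("command") != "add":
        return None
    return message["parameters"]["alert"]


def select_notifiers(config, alert):
    """Return the notifiers that should fire for this alert, honouring the YAML exclusions."""
    if str(alert["rule"]["id"]) in split_ids(config.get("excluded_rules")):
        return []
    if str(alert["agent"]["id"]) in split_ids(config.get("excluded_agents")):
        return []
    enabled = []
    if config.get("discord_enabled", 0) == 1:   # treated as 0 when absent from the YAML
        enabled.append("discord")
    if config.get("ntfy_enabled", 0) == 1:
        enabled.append("ntfy")
    return enabled
```

With the sample above, rule 5402 is excluded, so select_notifiers() returns an empty list and nothing is sent; the same alert with a non-excluded rule ID returns both notifiers.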

Default settings for the ntfy notifier. These override the hardcoded defaults.

ntfy_server: "https://ntfy.sh/"
ntfy_sender: "Wazuh (IDS)"
ntfy_destination: "__KleinTest"
ntfy_priority: "5"
ntfy_message: "Test message"
ntfy_tags: "information, testing, yaml"
ntfy_click: "https://google.com"
Description
Repository for the Wazuh-notify program. A notification platform that enables Wazuh generated security events to be sent to Slack, ntfy.sh and Discord.