Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Miguelangel Freitas
Hi Fredrik, can you see in logs/active-responses.log any new row regarding (agent-ossec.com)? Could you share and from etc/ossec.conf regarding slack notification? Thanks. Regards, On Sun, May 21, 2017 at 4:18 PM, Fredrik Hilmersson <f.hilmers...@worldclearing.org> wrote: > I set up a OSS

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Fredrik Hilmersson
Hello Miguelangel! I do not see any new rows regarding the agent-ossec.com (within the host active-response.log, only in the alerts.log). Here's what you asked for from the ../etc/ossec.conf (server host) ossec-slack ossec-slack.sh no

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Jesus Linares
Hi Fredrik, check out the documentation about integrator: https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-integration.html I hope it helps. Regards. On Monday, May 22, 2017 at 4:53:56 PM UTC+2, Fredrik Hilmersson wrote: > > Hello Miguelangel! > > I do not se

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello and thanks Jesus, I've read the documentation, however I do not use the forked wazuh version of OSSEC so I'm not sure that the integrator applies? What I want to clarify regarding my issue, so I do not misunderstand the approach. The OSSEC server (host) is the one responsible for sending

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Clarification: The host-specific alerts are sent to slack but the agent alerts are being ignored. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
Hi Fredrik, this is the flow: - The integrator reads the alerts from alerts*.log filtering by rule_id, level, group or event_location. - It executes the script using the arguments hook_url and api_key. - The slack script sends the alert to slack. Clarification: The host

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello again Jesus, As I did state, so we're not misunderstanding each other, I do not run the wazuh forked version, but the 2.9.0 OSSEC version. This is the configuration settings I've got: ossec-slack.sh SLACKUSER="ossec" CHANNEL="#channel" SITE="https://hooks.slack.com/services/..."; SOURC

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
I see your point... I thought you were talking about the integratord. I never tried it using AR, but in your active-response configuration I see: > local It means that OSSEC is going to execute the script in the agent that generated the event. So, you must configure your slack script in ev

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Thanks everyone for the feedback and support. It all made sense and your comment did guide me to resolve it, wasn't any harder than updating the section and adding the agent ID, e.g.: ossec-slack local,AGENT.ID 7 Have a nice day and, Kind regards Fredrik Den tisdag

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-24 Thread Fredrik Hilmersson
Thanks everyone for the feedback and support. It all made sense and your comment did guide me to resolve it, wasn't any harder than updating the section and adding the agent ID, e.g.: ossec-slack server,AGENT.ID 7 Den tisdag 23 maj 2017 kl. 16:18:2
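The fix the thread converges on is the active-response `<location>`: with `local`, the manager hands the command to whichever host raised the alert, so agent alerts only reach Slack if every agent carries the script and webhook; with `server`, the manager runs the script itself for alerts from any agent. The excerpt below is an added example reconstructed from the thread's description, not configuration posted by any participant. The command block mirrors the stripped `ossec-slack ossec-slack.sh no` fragment from the thread, level 7 comes from the thread, and the webhook URL and channel that `ossec-slack.sh` itself reads are assumed placeholders.

```xml
<!-- Added example (not from the thread): OSSEC 2.9 ossec.conf excerpt on the
     manager. Webhook URL and channel are placeholders and live inside
     active-response/bin/ossec-slack.sh (SLACKUSER, CHANNEL, SITE), not here. -->
<ossec_config>

  <!-- The command wraps the ossec-slack.sh script shipped in
       active-response/bin. <expect> is left empty because the script needs
       no srcip/user argument; OSSEC passes the alert details on its own. -->
  <command>
    <name>ossec-slack</name>
    <executable>ossec-slack.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Before (kept as a comment for comparison): "local" executes the
       command on the host that generated the event. The manager notifies
       for its own alerts, but agent alerts are dispatched to the agent,
       which has no script or webhook, so they never reach Slack.

  <active-response>
    <command>ossec-slack</command>
    <location>local</location>
    <level>7</level>
  </active-response>
  -->

  <!-- After: "server" executes the command on the manager for every
       matching alert, whichever agent produced it, so a single script and
       a single webhook serve the whole fleet. -->
  <active-response>
    <command>ossec-slack</command>
    <location>server</location>
    <level>7</level>
  </active-response>

</ossec_config>
```

After the change, restart the manager and watch `logs/active-responses.log` on the manager (the file Miguelangel asked about): an agent alert at level 7 or above should now produce a row there alongside the Slack message, which is the quickest way to confirm the command is being executed on the server rather than handed off to the agent.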