Configuring the address of the remote service
Edit the /var/ossec/etc/ossec.conf file; the remote tag lets you set the local IP address the service listens on.
<ossec_config>
  <remote>
    <local_ip>172.17.116.129</local_ip>
  </remote>
</ossec_config>
systemctl restart wazuh-manager
Setting the alert level
In the /var/ossec/etc/ossec.conf file, the alerts tag:
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>
- These set the minimum event level threshold at which alert messages are triggered (log_alert_level for logging, email_alert_level for e-mail); there are 16 levels in total, from lowest to highest.
systemctl restart wazuh-manager
Integrating with external APIs
Wazuh can be integrated on demand with other external event management and monitoring/alerting platforms, automatically forwarding alert messages of a specified level or category to the third-party platform so that events are managed in one place.
In the /var/ossec/etc/ossec.conf file, the integration tag:
<!-- Custom external integration -->
<integration>
  <name>custom-integration</name>
  <hook_url>WEBHOOK</hook_url>
  <level>10</level>
  <group>multiple_drops|authentication_failures</group>
  <api_key>APIKEY</api_key> <!-- Replace with your external service API key -->
  <alert_format>json</alert_format>
</integration>
- Only the name parameter is required; its value is the file name of the custom script.
- The custom script's file name must start with the prefix "custom-"; it may be a shell or Python script.
- The custom script must read and parse its command-line arguments: argument 1 is the file containing the alert message content, argument 2 is the value of api_key, and argument 3 is the value of hook_url.
- Within the integration block of ossec.conf, every parameter other than name is optional.
Deployment path and permission settings for the custom script file:
chmod 750 /var/ossec/integrations/custom-script
chown root:ossec /var/ossec/integrations/custom-script
The following is an example custom script that integrates with the Jira API:
#!/usr/bin/env python
import sys
import json
import requests
from requests.auth import HTTPBasicAuth

# Read configuration parameters (argv[1] = alert file, argv[2] = "user:api_key", argv[3] = hook_url)
alert_file = open(sys.argv[1])
user = sys.argv[2].split(':')[0]
api_key = sys.argv[2].split(':')[1]
hook_url = sys.argv[3]

# Read the alert file
alert_json = json.loads(alert_file.read())
alert_file.close()

# Extract issue fields
alert_level = alert_json['rule']['level']
ruleid = alert_json['rule']['id']
description = alert_json['rule']['description']
agentid = alert_json['agent']['id']
agentname = alert_json['agent']['name']

# Set the project attributes ===> This section needs to be manually configured before running!
project_key = 'WT'  # You can get this from the beginning of an issue key. For example, WS for issue key WS-5018
issuetypeid = '10002'  # Check https://confluence.atlassian.com/jirakb/finding-the-id-for-issue-types-646186508.html. There's also an API endpoint to get it.

# Generate request
headers = {'content-type': 'application/json'}
issue_data = {
    "update": {},
    "fields": {
        "summary": 'Wazuh Alert: ' + description,
        "issuetype": {
            "id": issuetypeid
        },
        "project": {
            "key": project_key
        },
        "description": {
            'version': 1,
            'type': 'doc',
            'content': [
                {
                    "type": "paragraph",
                    "content": [
                        {
                            "text": '- Rule ID: ' + str(ruleid) + '\n- Alert level: ' + str(alert_level) + '\n- Agent: ' + str(agentid) + ' ' + agentname,
                            "type": "text"
                        }
                    ]
                }
            ],
        },
    }
}

# Send the request (HTTP basic auth with the Jira user and API token)
response = requests.post(hook_url, data=json.dumps(issue_data), headers=headers, auth=HTTPBasicAuth(user, api_key))
# print(json.dumps(json.loads(response.text), sort_keys=True, indent=4, separators=(",", ": ")))  # <--- Uncomment this line for debugging
sys.exit(0)
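The script above targets Jira specifically. The following is an added example (written for these notes, not the page's Jira script and not Wazuh's own code) that isolates the argument contract the integrator imposes on every custom script: argument 1 is the alert file, argument 2 is api_key, argument 3 is hook_url. It parses the arguments, refuses to send the key to a non-https hook URL, loads the alert JSON and flattens the fields a generic webhook would want. The function names (parse_args, build_payload, hook_url_is_safe), the sample alert and the placeholder hook URL are this example's own assumptions; it prints the payload instead of posting it so it runs offline.

```python
#!/usr/bin/env python3
# Added example: a minimal custom integration skeleton following the integrator's
# argument layout (argv[1] = alert file, argv[2] = api_key, argv[3] = hook_url).
# All names and the sample alert are this example's own; nothing here is Wazuh's code.
import json
import sys
import tempfile
from urllib.parse import urlparse

# Constructed sample alert, shaped like one entry of the manager's alerts.json
SAMPLE_ALERT = {
    "rule": {"level": 10, "id": "5712",
             "description": "sshd: brute force trying to get access to the system.",
             "groups": ["syslog", "sshd", "authentication_failures"]},
    "agent": {"id": "001", "name": "web01"},
    "location": "(web01) 10.0.0.5->/var/log/secure",
}


def hook_url_is_safe(url):
    """Only hand the API key to an https endpoint that has a host part."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def parse_args(argv):
    """Return (alert_file, api_key, hook_url) from the integrator's argv layout."""
    if len(argv) < 4:
        raise ValueError("usage: custom-script <alert_file> <api_key> <hook_url>")
    alert_file, api_key, hook_url = argv[1], argv[2], argv[3]
    if not hook_url_is_safe(hook_url):
        raise ValueError("refusing to send the API key to a non-https hook_url")
    return alert_file, api_key, hook_url


def load_alert(path):
    """Read the single JSON alert the integrator writes to the temporary file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def build_payload(alert):
    """Flatten the fields a ticketing or chat webhook usually wants; tolerate missing keys."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    return {
        "summary": "Wazuh Alert: " + rule.get("description", "(no description)"),
        "rule_id": str(rule.get("id", "")),
        "level": int(rule.get("level", 0)),
        "groups": list(rule.get("groups", [])),
        "agent": "{} {}".format(agent.get("id", ""), agent.get("name", "")),
        "location": alert.get("location", ""),
    }


def write_sample_alert_file():
    """Write SAMPLE_ALERT to a temp file so the script can be tried without a manager."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False, encoding="utf-8") as fh:
        json.dump(SAMPLE_ALERT, fh)
        return fh.name


def main(argv):
    alert_file, api_key, hook_url = parse_args(argv)
    payload = build_payload(load_alert(alert_file))
    # A real script would POST payload to hook_url here, authenticating with api_key
    # (for example via requests.post). This example only prints it so it runs offline.
    print(json.dumps(payload, indent=2))
    return 0


if __name__ == "__main__":
    # With no arguments, run against the constructed sample and a placeholder hook URL.
    args = sys.argv if len(sys.argv) >= 4 else [
        "custom-script", write_sample_alert_file(), "APIKEY", "https://hook.example.invalid/wazuh"]
    sys.exit(main(args))
```

Deployed under /var/ossec/integrations/ with the "custom-" prefix and the 750 root:ossec permissions shown above, a script of this shape receives the same three arguments the Jira script reads; the https check matters because the integrator passes api_key on the command line and the script is what decides where that secret is sent.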
Official reference: https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/
Configuring Wazuh to output alert messages to syslog
In the /var/ossec/etc/ossec.conf file, the syslog_output tag:
<ossec_config>
  <syslog_output>
    <level>9</level>
    <server>192.168.1.241</server>
  </syslog_output>
  <syslog_output>
    <server>192.168.1.240</server>
  </syslog_output>
</ossec_config>
systemctl restart wazuh-manager
Configuring Wazuh to output alert messages to a database
In the /var/ossec/etc/ossec.conf file, the database_output tag:
<database_output>
  <hostname>192.168.1.122</hostname>
  <username>MySQLadmin</username>
  <password>secret1234</password>
  <database>Alerts_DB</database>
  <type>mysql</type>
</database_output>
Prepare the database, the user and its privileges:
CREATE DATABASE Alerts_DB;
CREATE USER 'MySQLadmin'@'<MANAGER_IP>' IDENTIFIED BY 'secret1234';
GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE ON Alerts_DB.* TO 'MySQLadmin'@'<MANAGER_IP>';
Initialize the table schema:
mysql -u root -p Alerts_DB < src/os_dbd/mysql.schema
systemctl restart wazuh-manager
Configuring Wazuh to generate a daily report
In the /var/ossec/etc/ossec.conf file, the reports tag:
<ossec_config>
  <reports>
    <category>syscheck</category>
    <title>Daily report: File changes</title>
    <email_to>example@test.com</email_to>
  </reports>
</ossec_config>
- Sends alert messages in the syscheck category to the specified mailbox
Configuring the e-mail sending service
In the /var/ossec/etc/ossec.conf file, the global tag:
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>me@test.com</email_to>
    <smtp_server>mail.test.com</smtp_server>
    <email_from>wazuh@test.com</email_from>
  </global>
</ossec_config>
- The email_to parameter holds only one mail address, but the email_to parameter may be used more than once.
- Wazuh does not support SMTP authentication; if SMTP authentication is required, configure a relay as described in this reference: configure a server relay
More fine-grained e-mail alert configuration:
<ossec_config>
  <email_alerts>
    <email_to>alice@test.com</email_to>
    <event_location>server1|server2</event_location>
  </email_alerts>
  <email_alerts>
    <email_to>is@test.com</email_to>
    <event_location>/log/secure$</event_location>
  </email_alerts>
  <email_alerts>
    <email_to>bob@test.com</email_to>
    <event_location>192.168.</event_location>
  </email_alerts>
  <email_alerts>
    <email_to>david@test.com</email_to>
    <level>12</level>
  </email_alerts>
</ossec_config>
systemctl restart wazuh-manager
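To make the four email_alerts blocks above concrete, here is an added example (written for these notes, not Wazuh's own matching code) that parses those blocks and works out which recipients a given alert would reach. Its assumptions: event_location is treated as a regular expression searched against the alert's location string (modelled with Python's re.search; the manager uses its own regex engine), level is a minimum alert level, and a block only rejects an alert on a condition it actually states. The alert locations used are constructed in the "(agent) ip->logfile" form the manager writes, and the global email_alert_level from the alerts tag is deliberately not modelled.

```python
# Added example: which email_alerts blocks match an alert. Not Wazuh's code;
# matching semantics (re.search on location, level as a minimum) are assumptions.
import re
import xml.etree.ElementTree as ET

# The email_alerts blocks from the configuration above, embedded as a string
CONFIG_XML = """<ossec_config>
  <email_alerts>
    <email_to>alice@test.com</email_to>
    <event_location>server1|server2</event_location>
  </email_alerts>
  <email_alerts>
    <email_to>is@test.com</email_to>
    <event_location>/log/secure$</event_location>
  </email_alerts>
  <email_alerts>
    <email_to>bob@test.com</email_to>
    <event_location>192.168.</event_location>
  </email_alerts>
  <email_alerts>
    <email_to>david@test.com</email_to>
    <level>12</level>
  </email_alerts>
</ossec_config>"""


def parse_email_alerts(xml_text):
    """Return one dict per email_alerts block: email_to, event_location, level."""
    root = ET.fromstring(xml_text)
    blocks = []
    for blk in root.findall("email_alerts"):
        level = blk.findtext("level")
        blocks.append({
            "email_to": blk.findtext("email_to"),
            "event_location": blk.findtext("event_location"),  # None when absent
            "level": int(level) if level is not None else None,
        })
    return blocks


def block_matches(block, location, level):
    """A block matches when every condition it states holds for the alert."""
    if block["level"] is not None and level < block["level"]:
        return False
    if block["event_location"] is not None and not re.search(block["event_location"], location):
        return False
    return True


def recipients_for(location, level, blocks):
    """Addresses that would receive an alert with this location and level."""
    return [b["email_to"] for b in blocks if block_matches(b, location, level)]


if __name__ == "__main__":
    blocks = parse_email_alerts(CONFIG_XML)
    # Constructed alerts: (location, level)
    for loc, lvl in [("(server1) 10.0.0.5->/var/log/secure", 5),
                     ("(web01) 192.168.1.50->/var/log/messages", 13),
                     ("(db02) 10.0.0.9->/var/log/auth.log", 7)]:
        print(loc, lvl, "->", recipients_for(loc, lvl, blocks))
```

Running it shows the routing the configuration expresses: a level-5 alert from server1's /var/log/secure goes to alice (agent name) and is (log path), a level-13 alert from a 192.168.x host goes to bob (source address) and david (level 12 or above), and an alert matching none of the patterns below level 12 reaches nobody through these blocks.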