Wazuh comes with a couple of external integrations by default - among them Slack, VirusTotal, Shuffle, and PagerDuty.
The one I missed was Discord, so I built it. Now you can forward all or only specific alerts to a Discord channel of your choice.
Here is the link to the code required: https://github.com/maikroservice/wazuh-discord-integration/
In order to get this running you need to do the following steps:
Create Discord Server
First up create a discord server if you do not have one yet. In order to do that open Discord and click the big plus button:
Then choose the Create My Own option, and in the next screen select the option that meets your needs. I will choose the For me and my friends option, because this server is for internal use only.
The only thing left to do is to give the server a name.
Add a private text channel
You need to either create or choose an existing channel where the alerts should be posted. I created a channel called wazuh-alerts to be explicit about the channel's purpose. Here is how you do that:
First up, click the small + button next to TEXT CHANNELS, choose Text channel and make sure to select the Private Channel option at the bottom. You could also directly allow access for specific roles/groups should you wish to do so, or you can skip the selection for now.
If all goes well you will now see a new channel with the correct name on your server.
Create a Webhook integration
You need a webhook to send messages to your server - this is basically a bot member of your server that is allowed to post messages into one specific channel.
Right-click on your server and choose Server Settings ->
Then you will see the following screen; press the New Webhook button.
Give that integration a name and select the channel to receive the alerts. You could also add a picture if you want to but it is not necessary for the next steps to work.
The important part is the Webhook URL: this is the URL that Wazuh connects to when it sends alerts. They will then be converted into messages and posted in the Discord channel.
Copy the Webhook URL and save it for the next step. Treat it like a password - anyone who has the URL can post into that channel, so do not commit it to a public repository or leave it in screenshots.
Register the integration in wazuh
You need to register the integration in Wazuh. For that, start Wazuh, connect to the dashboard and visit the configuration area in the management tab.
Next, in the top right, click on
Now you are editing the ossec.conf located here
Directly under the </global> tag you can paste the following code:

```xml
<integration>
  <name>custom-discord</name>
  <hook_url>https://discord.com/api/webhooks/XXXXXXXXXXX</hook_url>
  <alert_format>json</alert_format>
</integration>
```
The name needs to start with custom- (Wazuh only treats scripts with that prefix as custom integrations), which took me the better part of an hour to debug... 😅
Now you do not have to make the same mistake.
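The block above forwards every alert. If you only want a subset in Discord, the same integration block accepts filters. The following is an added example, not configuration from the linked repository: `<level>` forwards only alerts at or above that level, and `<group>` / `<rule_id>` restrict forwarding to alerts whose rule belongs to one of the listed groups or has one of the listed IDs (the group names and the placeholder webhook URL are illustrative):

```xml
<!-- Added example: forward only alerts of level 10 or higher
     whose rule belongs to one of the listed groups. -->
<integration>
  <name>custom-discord</name>
  <hook_url>https://discord.com/api/webhooks/XXXXXXXXXXX</hook_url>
  <level>10</level>
  <group>authentication_failures,multiple_drops</group>
  <alert_format>json</alert_format>
</integration>
```

You can also keep several `<integration>` blocks with the same `<name>` and different filters; each block is evaluated on its own.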
When done correctly it should look like this:
Add your Discord webhook URL
The last step in the configuration section is to add the correct webhook URL between the <hook_url> and </hook_url> tags. Once that is done you need to click the Save button; it will take a little while and there will be a small popup once it is saved.
Head to the terminal for the final two steps.
Set up wazuh integration
Wazuh's integrations are located in /var/ossec/integrations - you will see 7 files there already.
Most integrations consist of two files - one Python file (e.g. slack.py) and one shell wrapper script with the same name and no extension (slack). The wrapper is what integratord actually executes; it hands the alert over to the Python file.
You need to add two files now:
custom-discord.py and its wrapper script - copy and paste the files from GitHub (https://github.com/maikroservice/wazuh-discord-integration/) into this folder. Both must be executable by the wazuh user, so use the following commands to change the permissions and adjust the ownership of the two files:

```bash
sudo chmod 750 /var/ossec/integrations/custom-*
sudo chown root:wazuh /var/ossec/integrations/custom-*
```
The folder should now look like this:
Once that is done make sure that pip is set up correctly and the requests library is installed for the Python interpreter the wrapper script actually invokes. Check the interpreter path at the top of the wrapper: if it uses Wazuh's bundled Python under /var/ossec/framework/python rather than the system python3, install requests with `<that interpreter> -m pip install requests` instead of the commands below.

```bash
# debian / ubuntu
sudo apt-get install python3-pip
pip3 install requests

# amazon linux / centos
sudo yum install python3-pip
pip3 install requests
```
Restart the Wazuh manager (sudo systemctl restart wazuh-manager) and you should see alerts showing up in the Discord channel.
You can trigger an alert by typing the wrong password for a user on a machine running the Wazuh agent. If all goes well you should see something like the screenshot below.
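To make the hand-off concrete, here is an added example of what such a custom integration script looks like; it is written for this page and is not the code from the linked repository. It follows Wazuh's calling convention for custom integrations (the script is started with the path to a file holding one JSON alert, an API key slot, and the hook URL as its first three arguments), turns the alert into a Discord embed and POSTs it to the webhook, which answers 204 No Content on success. The sample alert at the bottom is constructed for this example, the severity colours and level thresholds are my own choice, and it uses only the standard library (urllib) instead of requests so it runs without extra packages:

```python
#!/usr/bin/env python3
"""Added example: minimal Wazuh -> Discord webhook integration script.

integratord runs the wrapper, which passes these positional arguments on:
    argv[1]  path to a file containing one JSON alert
    argv[2]  API key (unused for Discord, may be empty)
    argv[3]  Discord webhook URL
"""
import json
import sys
import urllib.error
import urllib.request

# Embed colours by alert level; the thresholds are a choice made for this example.
COLOR_HIGH = 0xE74C3C    # red:    level >= 12
COLOR_MEDIUM = 0xF1C40F  # yellow: level 7..11
COLOR_LOW = 0x2ECC71     # green:  everything below 7

CODE_FENCE = "`" * 3     # Discord renders text between triple backticks as a code block


def color_for_level(level: int) -> int:
    """Map a Wazuh rule level to the colour shown on the embed's side bar."""
    if level >= 12:
        return COLOR_HIGH
    if level >= 7:
        return COLOR_MEDIUM
    return COLOR_LOW


def build_payload(alert: dict) -> dict:
    """Turn one Wazuh alert (as a dict) into the JSON body Discord's webhook API expects."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    level = int(rule.get("level", 0))
    fields = [
        {"name": "Agent", "value": f"{agent.get('name', 'unknown')} ({agent.get('id', '?')})", "inline": True},
        {"name": "Rule", "value": str(rule.get("id", "?")), "inline": True},
        {"name": "Level", "value": str(level), "inline": True},
    ]
    full_log = alert.get("full_log")
    if full_log:
        # Discord limits an embed field value to 1024 characters; leave room for the fences.
        fields.append({"name": "Log", "value": CODE_FENCE + full_log[:1000] + CODE_FENCE, "inline": False})
    return {
        "username": "Wazuh",
        "embeds": [{
            "title": rule.get("description", "Wazuh alert"),
            "color": color_for_level(level),
            "fields": fields,
            "footer": {"text": str(alert.get("timestamp", ""))},
        }],
    }


def send_alert(payload: dict, hook_url: str, timeout: int = 10) -> int:
    """POST the payload to the webhook and return the HTTP status (204 on success)."""
    req = urllib.request.Request(
        hook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "User-Agent": "wazuh-discord-example/1.0"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 429 means Discord is rate-limiting this webhook; the body says how long to wait.
        sys.stderr.write(f"discord webhook returned {err.code}: {err.read().decode(errors='replace')}\n")
        return err.code


def main(argv) -> int:
    if len(argv) < 4:
        sys.stderr.write(f"usage: {argv[0]} <alert_file> <api_key> <hook_url>\n")
        return 2
    alert_file, _api_key, hook_url = argv[1], argv[2], argv[3]
    with open(alert_file, encoding="utf-8") as fh:
        alert = json.load(fh)
    return 0 if send_alert(build_payload(alert), hook_url) == 204 else 1


# Constructed sample alert (not a real capture) shaped like a failed-SSH-login alert from Wazuh.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T12:00:00.000+0000",
    "rule": {"level": 5, "description": "sshd: authentication failed.", "id": "5760",
             "groups": ["syslog", "sshd", "authentication_failed"]},
    "agent": {"id": "001", "name": "web-01"},
    "full_log": "Jan  1 12:00:00 web-01 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Placed in /var/ossec/integrations with the permissions from the previous step, this script is invoked the same way the shipped ones are; only the wrapper script needs to point at it. Keeping the payload builder separate from the HTTP call lets you unit-test the message format without a webhook.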
If you do not see the alerts in Discord, first look at the integratord messages in /var/ossec/logs/ossec.log. If you see an error such as the one below you might want to increase the verbosity of the
How you ask?! Use the following command:
That should give you a detailed description of what's going wrong so you can fix it.