maikroservice

How to connect wazuh and discord: a Step-By-Step Guide.

Photo by ELLA DON on Unsplash

How to connect wazuh and discord: a Step-By-Step Guide.

Maik Ro's photo
Maik Ro
ยท

4 min read

Table of contents

Wazuh comes with a couple of external integrations by default - among them are Slack, Virustotal, shuffle, and Pagerduty.

The one that I missed was Discord - so I decided to build it. Now you can forward your all or specific alerts to a discord channel of your choice.

Here is the link to the code required: https://github.com/maikroservice/wazuh-discord-integration/

In order to get this running you need to do the following steps:

Create Discord Server

First up create a discord server if you do not have one yet. In order to do that open Discord and click the big plus button:

Then choose the Create My Own option and in the next screen select the option that meets your needs - I will choose the For me and my friends option, because this server is for internal use only.

The only thing left to do is to give the server a name.

Add a private text channel

You need to either create or choose an existing channel where the alerts should be posted. I created a channel called wazuh-alerts to be explicit about the channel's purpose. Here is how you do that:

First up, click the small + button next to the TEXT CHANNELS - choose a Text channel and make sure to select the Private Channel option at the bottom. You could also directly allow access for specific roles/groups should you wish to do so, or you can skip the selection for now.

If all goes well you will now see a NEW channel with the correct name on your server.

Create a Webhook integration

You need a webhook to send messages to your server - this is basically a bot member of your server that has the right to post messages in specific channels.

Right-click on your server - choose Server Settings -> Integrations .

Then you will see the following screen and need to press the New Webhook button.

Give that integration a name and select the channel to receive the alerts. You could also add a picture if you want to but it is not necessary for the next steps to work.

The important part is the Webhook URL, this is the url that wazuh connects to and sends the alerts. They will then be converted into messages and posted in the discord channel.

๐Ÿ’ก
Keep in mind that anyone with this url can send messages to your chosen channel - protect it as much as you can.

Copy the Webhook URL and save it for the next step.

Register the integration in wazuh

  1. You need to register the integration in wazuh - for that to happen start wazuh, connect to the dashboard and visit the configuration area in the management tab.

Next in the top right click on Edit configuration

Now you are editing the ossec.conf located here /var/ossec/etc/ossec.conf

Directly under the </global> tag you can paste the following code:

 <integration>
     <name>custom-discord</name>
     <hook_url>https://discord.com/api/webhooks/XXXXXXXXXXX</hook_url>
     <alert_format>json</alert_format>
 </integration>

The name needs to start with custom- - which took me the better part of an hour to debug... ๐Ÿ˜…

Now you do not have to make the same mistake.

When done correctly it should look like this:

Add your discord webhook url

The last step in the configuration section is to add the correct webhook url between <hook_url> and </hook_url>. Once that is done you need to click the Save button, it will take a little while and there will be a small popup once it is saved.

Head to the terminal for the final two steps.

Set up wazuh integration

Wazuh's integrations are located in /var/ossec/integrations - You will see 7 files there already.

Most integrations consist of two files - one Python file (e.g. slack.py) and one bash script (slack).

You need to add two files now: custom-discord and custom-discord.py - copy and paste the files from GitHub (https://github.com/maikroservice/wazuh-discord-integration/) into this folder. Next, use the following commands to change the permissions and adjust the ownership of the two files.

sudo chmod 750 /var/ossec/integrations/custom-*
sudo chown root:wazuh /var/ossec/integrations/custom-*

The folder should now look like this:

Once that is done make sure that pip is setup correctly and has the requests library installed.


# debian / ubuntu
sudo apt-get install python3-pip
pip3 install requests

# amazon linux / centos
sudo yum install python3-pip
pip3 install requests

Restart the wazuh manager and you should see alerts showing up in the discord channel.

/var/ossec/bin/wazuh-control restart

You can trigger it by typing the wrong password for a user on a machine running the wazuh agent. If all goes well you should see something like the screenshot below.

If you do not see the alerts in Discord you can first look at the logs of integratord. If you see an error such as the one below you might want to increase the verbosity of the integratord log.

How you ask?! - Use the following command:

/var/ossec/bin/wazuh-integratord  -dd

That should give you a detailed description of what's going wrong and can fix it.

Sources

https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#manual-integration

Did you find this article valuable?

Support Maik Ro by becoming a sponsor. Any amount is appreciated!

hackingSecuritycybersecurity