can't read logs/alerts/alerts.json

floppyG commented 3 months ago

Hello, i followed the logic on your scheme but turns out that my code is trying to open alerts.json in alerts folder without any luck 2024/06/13 16:43:57 wazuh-integratord[81506] json-queue.c:162 at jqueue_parse_json(): DEBUG: Can't read from 'logs/alerts/alerts.json'. Trying again 2024/06/13 16:43:57 wazuh-integratord[81506] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert. 2024/06/13 16:43:57 wazuh-integratord[81506] integrator.c:179 at OS_IntegratorD(): DEBUG: Skipping: Integration disabled 2024/06/13 16:43:57 wazuh-integratord[81506] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()

this is the part of my code that accept the input fields

def main(args):
    debug("# Starting")

    # Check arguments
    if len(args) < 3:
        print("Usage: python script_name.py path_to_alerts.json api_key")
        sys.exit(1)

    alert_file_location = args[1]
    api_key = args[2]

    debug("# File location")
    debug(alert_file_location)
    debug("# API Key")
    debug(api_key)

    # Load alert. Parse JSON object.
    with open(alert_file_location) as alert_file:
        json_alert = json.load(alert_file)
    debug("# Processing alert")
    debug(json_alert)

    # Request MISP info
    misp_info = request_misp_info(json_alert, api_key)

    # If positive match, handle or process the MISP info here
    if misp_info:
        process_misp_info(misp_info)

gustavoconforti commented 3 months ago

Hey there, @floppyG!

Based on what you've provided, I have two propositions:

PROPOSITION A

It might just be the case that your script does not have sufficient permissions to read from the alerts file. I point this out here .

I currently don't have access to a Wazuh installation and haven't worked with it recently, but the idea is that the alerts file is typically owned by the user root in the wazuh group. Such as any other file in Linux, in order to read from it you must either:

Run your script as the user that owns the file
Configure the file to accept being read by other user
Run your script as root:root

Assuming you are providing to the correct alerts.json file path as an argument, try to give these permissions to your script and see if it works.

sudo chown root:wazuh /path/to/your/script

PROPOSITION B

You may not be providing to the correct alerts.json file path as an argument to your script.

Again, haven't worked with it recently, but from what I remeber and according to Wazuh documentation the alerts file is located at /var/ossec/logs/alerts/alerts.json. The log you've provided mentions the file logs/alerts/alerts.json.

As Linux file paths can be both absolute and relative, if your script is not in the /var/ossec then it probably won't find any logs/alerts/alerts.json. Integrations files are generally located in /var/ossec/integrations/, so there is also a good chance this is the problem.

If that is indeed the case, it should be fixed by providing the absolute path /var/ossec/logs/alerts/alerts.json to your script.

Does that make sense? Not an expert at any of this, but that's what I can think of from the information you've provided. If those are things you already ruled out feel free to share more data, I'm happy to help.

Let me know if it works!

floppyG commented 3 months ago

Hello @gustavoconforti and thank you for your response, for proposal B that you mentioned, this I think is not the problem as I had already tried passing the alerts.json file as an argument to the script, it works, but the script gets killed after a few seconds as the code tries to encumber all of alerts.json (40Gb or so). For proposal A on the other hand, I followed socfortess's tutorial but apparently even if you put file permissions as he did it doesn't work :/

gustavoconforti commented 3 months ago

I see, that's interesting. Can you share additional information?

What is your Wazuh version?
Are you using integratord as the entry to your script? If so, how does your ossec.conf look like? Particularly the integration block.
How does your script folder look like (ls -la)?

If your script works when using the absolute path of the alerts file, then it might a configuration problem.

When the integrations are enabled through the ossec.conf file, Wazuh does not send the whole alerts file to the script, as it might encounter the same problem you did perhaps. It instead creates a temporary file with the information of a single alert and then sends it to the script. I try to document this flow here, if you are interested.

For additional debugging you can also try this:

Enable integratord debugging
1. Edit /var/ossec/etc/internal_options.conf
2. Change integrator.debug value to 2 (this will write a lot of things to the log file, remember to change back to the default value)

Check the log file for the new information you've just enabled

sudo tail -f /var/ossec/logs/ossec.log | 
grep integrator |
grep -v 'jqueue_next()' |
grep -v 'sending new alert.' |
grep -v "skipping: rule doesn't match."

For instance, this is an issue I ran into regarding file permission, as I mentioned in the previous comment:

2023/08/24 17:18:24 wazuh-integratord[12522] integrator.c:419 at OS_IntegratorD(): ERROR: Couldn't execute command (integrations /tmp/custom-iris-1692908304--1177572634.alert debug). Check file and permissions.

For reference, this was what my files looked like.

├─/var/ossec/
|   ├─ etc/
|   |   ├─ internal_options.conf
|   |   └─ ossec.conf
|   ├─ integrations/
|   |      └─ custom-iris <---- my script file      
|   └─ logs/
|      ├─ alerts/
|      |    └─ alerts.json
|      └─ ossec.log
└─ /tmp/
     └─ iris_integration.log

A second step of troubleshooting, if the previous doesn't help, might be to enable logging in your own script. Something like this (assuming this is Python you are using):

import logging
import sys

# Configure logging to a file
logging.basicConfig(filename='/tmp/iris_integration.log', level=logging.INFO,
                    format='%(asctime)s - %(levelname)s - %(message)s')

try:
   # Your code here
   sys.exit(0)

except Exception as e:
    # Handle exceptions and log errors
    logging.error(f"An error occurred: {str(e)}")
    sys.exit(1)

floppyG commented 3 months ago

Hello @gustavoconforti and thank you for your effort in this issue.

here is the integration block inside ossec.conf

here is my integration folder looks like

drwxr-x---  2 root  wazuh  4096 Jun 13 16:31 .
drwxr-x--- 19 root  wazuh  4096 May 21 12:06 ..
-rwxr-x---  1 wazuh wazuh  3308 Jun 13 16:31 MISP_search.py
-rwxr-x---  1 root  wazuh   893 May 22 11:45 custom-shuffle
-rwxr-x---  1 root  wazuh  5325 May 22 11:47 custom-shuffle.py
-rwxr-x---  1 root  wazuh  1045 Apr 25 12:00 maltiverse
-rwxr-x---  1 root  wazuh 17358 Apr 25 12:00 maltiverse.py
-rwxr-x---  1 root  wazuh  1045 Apr 25 12:00 pagerduty
-rwxr-x---  1 root  wazuh  7090 Apr 25 12:00 pagerduty.py
-rwxr-x---  1 root  wazuh  1045 Apr 25 12:00 slack
-rwxr-x---  1 root  wazuh  7289 Apr 25 12:00 slack.py
-rwxr-x---  1 wazuh wazuh   441 Jun 13 12:44 test.py
-rwxr-x---  1 root  wazuh  1045 Apr 25 12:00 virustotal
-rwxr-x---  1 root  wazuh  9785 Apr 25 12:00 virustotal.py

i also share with you my input part of the code so you can chack it out as well,

if __name__ == "__main__":
    try:
        # Main function
        main(sys.argv)

    except Exception as e:
        debug(str(e))

def main(args):
    debug("# Starting")

    # Check arguments
    if len(args) < 3:
        print("Usage: python script_name.py path_to_alerts.json api_key")
        sys.exit(1)

    alert_file_location = open(sys.argv[1])
    api_key = sys.argv[2]

    debug("# File location")
    debug(alert_file_location)
    debug("# API Key")
    debug(api_key)

    # Load alert. Parse JSON object.
    with open(alert_file_location) as alert_file:
        json_alert = json.load(alert_file)
    debug("# Processing alert")
    debug(json_alert)

i check on integration.log and found out this particular log error:

Thu Jun 13 11:00:52 CEST 2024 Wrong arguments
Thu Jun 13 11:00:52 CEST 2024: # Exiting: Bad arguments.
Thu Jun 13 11:00:57 CEST 2024 Wrong arguments
Thu Jun 13 11:00:57 CEST 2024: # Exiting: Bad arguments.
Thu Jun 13 11:05:06 CEST 2024 Wrong arguments
Thu Jun 13 11:05:06 CEST 2024: # Exiting: Bad arguments.

also i set the integrator.debug = 2 and this is what comes out

2024/06/18 11:48:01 wazuh-integratord[145178] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 11:48:01 wazuh-integratord[145178] integrator.c:179 at OS_IntegratorD(): DEBUG: Skipping: Integration disabled

finally, I want to share with you the output of my code in windows VScode environment as a demonstration that if I pass as parameter 1 the path to alerts.json (in the same direcotory) and the MISP API key (parameter 2) the code works perfectly.

& C:/Users/lab/AppData/Local/Microsoft/WindowsApps/python3.11.exe testv4.0.3.py alerts/alerts.json 7rO1TKt7dtZ0RYskHrw9y9S9Vnd8gsg9J1mmN5lg
Tue Jun 18 11:53:21 ora legale Europa occidentale 2024: # Starting

Tue Jun 18 11:53:21 ora legale Europa occidentale 2024: # File location

Tue Jun 18 11:53:21 ora legale Europa occidentale 2024: alerts/alerts.json

Tue Jun 18 11:53:21 ora legale Europa occidentale 2024: # API Key

Tue Jun 18 11:53:21 ora legale Europa occidentale 2024: API_key

Tue Jun 18 11:53:21 ora legale Europa occidentale 2024: # Processing alert

Tue Jun 18 11:53:21 ora legale Europa occidentale 2024: {'_index': 'wazuh-alerts-4.x-2024.06.06', '_id': '****', '_version': 1, '_score': None, '_source': {'input': {'type': 'log'}, 'agent': {'ip': '*.*.*.*', 'name': '*****', 'id': '***', 'labels': {'ServerType': 'Exchange', 'Customer': '****'}}, 'manager': {'name': 'wazuhserver'}, 'data': {'DeviceType': '******', 'srcip': '3.137.217.140', 'HTTP_status': '443', 'User': '**********', 'DeviceId': '********************', 'domain': '**************', 'Cmd': 'Sync', 'CorrelationID': '<empty>', 'cafeReqId': '*****************'}, 'rule': {'firedtimes': 1724, 'mail': False, 'level': 5, 'description': 'Device connected from 3.137.217.140', 'groups': ['****'], 'id': '105900'}, 'location': '*********************', 'decoder': {'name': 'OWA'}, 'id': '1717679443.1650022823', 'GeoLocation': {'country_name': 'United States', 'location': {'lon': ******, 'lat': ******}}, 'full_log': '2024-06-06 13:10:37 *.*.*.* POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=******%******&DeviceId=*****************&DeviceType=Outlook&CorrelationID=<empty>;&cafeReqId=**************************; 443 **************** 3.137.217.140 Outlook-iOS-Android/1.0 - 200 0 0 162', 'timestamp': '2024-06-06T15:10:43.896+0200'}, 'fields': {'timestamp': ['2024-06-06T13:10:43.896Z']}, 'highlight': {'rule.id': ['@opensearch-dashboards-highlighted-field@105900@/opensearch-dashboards-highlighted-field@']}, 'sort': [1717679443896]}

C:\Users\lab\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.11_qbz5n2kfra8p0\LocalCache\local-packages\Python311\site-packages\urllib3\connectionpool.py:1103: InsecureRequestWarning: Unverified HTTPS request is being made to host '*.*.*.*'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
  warnings.warn(
Tue Jun 18 11:53:21 ora legale Europa occidentale 2024: Received MISP Info:

Tue Jun 18 11:53:21 ora legale Europa occidentale 2024: {
  "response": {
    "Attribute": [
      {
        "id": "255708",
        "event_id": "1193",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "ip-src",
        "to_ids": true,
        "uuid": "90fed0f9-30c3-405a-b140-5ae7b3bc0d00",
        "timestamp": "1607604988",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "3.137.217.140",
        "Event": {
          "org_id": "1",
          "distribution": "3",
          "id": "1193",
          "info": "OSINT - CobaltStrike C2s Dec2020_10",
          "orgc_id": "3",
          "uuid": "1c4e9e86-eff3-485f-aa1d-1bff68101b14"
        }
      }
    ]
  }
}

gustavoconforti commented 3 months ago

Not a problem, happy to help :)

I have a couple suggestions for you to try out. Assuming from your logs you are using the latest version of Wazuh (4.8), please take a look at these documentation pages if you haven't already:

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/integration.html https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/

Suggestions:

As per the documentation, rename your script by adding the custom- prefix. Could you try custom-misp (without the .py extension) for the purpose of the test?
As you are not specifying the .py extension in the file name, the OS won't know wich interpreter to use. Due to that, add this line to the beggining of your script:

#!/usr/bin/env python3

Please add these permissions to your script:

# sudo chown root:wazuh /var/ossec/integrations/custom-misp
# ls -l /var/ossec/integrations/
-rwxr-x---  1 root wazuh  3308 Jun 13 16:31 custom-misp

In your integration block, update the name tag and remove the rule_id restraints. This way any alert should trigger the integration, so the message Skipping: Integration disabled won't show anymore. This is for testing only, just so that we know that we have a good amount of alerts being sent to wazuh-integratord.

<integration>
   <name>custom-misp</name>
   <api_key>xxx-xxx-xxx</api_key>
   <alert_format>json</alert_format>
</integration>

Finally, restart the Wazuh Manager service to apply the changes.

sudo systemctl restart wazuh-manager

PS.: If you are running a production environment for a company or something, be aware this may cause an increment in processing usage and log writing, depending on how many alerts you have triggering at any given time (and we just removed the rule_id restraints of the integration block, so ALL alerts WILL try to use the integration). If your Wazuh server does not have that much spare resources, apply these changes and monitor it closely. If you find any issue, just remove the whole integration block and restart the service. Better safe than sorry.

As you tested the script manually with a sample alert file, the code seems to be working fine. This makes me think that we are facing a Wazuh configuration issue even more.

With these changes everything should be set up according to the documentation standards. If that still does not work, at least we have a good foundation to work from.

After making these changes and restarting Wazuh, in case is still does not work, give it a couple minutes and extract a good chunk (50 lines or so) of the integrations log again with this command please.

sudo tail -f /var/ossec/logs/ossec.log | grep integrator

Keep me posted!

floppyG commented 3 months ago

Hello @gustavoconforti thank you far all your tips, i followed every single change that you mantioned and i finally starting having somethink new in ossec.log

2024/06/18 14:23:27 wazuh-integratord[149342] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 14:23:27 CEST 2024: list index out of range
2024/06/18 14:23:27 wazuh-integratord[149342] integrator.c:451 at OS_IntegratorD(): DEBUG:
2024/06/18 14:23:27 wazuh-integratord[149342] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 14:23:27 wazuh-integratord[149342] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 14:23:27 wazuh-integratord[149342] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 14:23:27 wazuh-integratord[149342] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718713407-1221898875.alert was written.
2024/06/18 14:23:27 wazuh-integratord[149342] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718713407-1221898875.alert 7rO1TKt7dtZ0RYskHrw9y9S9Vnd8gsg9J1mmN5lg debug

still i don't see any log incoming in my wazuh discover, DEBUG: Tue Jun 18 14:23:27 CEST 2024: list index out of range this log in particular concern me a bit...

i show you below the edit that i've done in my code to get these logs:

    alert_file_location = open(sys.argv[1])
    api_key = sys.argv[2].split(':')[1]

also i noticed that in my integration block: with the rule_id tags sets the ossec.log writes the following:

2024/06/18 14:49:02 wazuh-integratord[175743] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 14:49:02 wazuh-integratord[175743] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 14:49:02 wazuh-integratord[175743] integrator.c:272 at OS_IntegratorD(): DEBUG: Skipping: Rule doesn't match.
2024/06/18 14:49:02 wazuh-integratord[175743] json-queue.c:162 at jqueue_parse_json(): DEBUG: Can't read from 'logs/alerts/alerts.json'. Trying again

i tried to run the script manually and this is what i get

python3 custom-MISP_search /tmp/custom-MISP_search-1718716540-664368569.alert 7rO1TKt7dtZ0RYskHrw9y9S9Vnd8gsg9J1mmN5lg

Tue Jun 18 15:32:43 CEST 2024: # Starting

Tue Jun 18 15:32:43 CEST 2024: list index out of range

thank you for everything

gustavoconforti commented 3 months ago

That's nice to hear. I just wasn't able to understand from your last comment whether or not the integration working now. Can you clarify that?

This 'index out of range' error I had never seen before. I looked it up quickly but found nothing helpful. Looking it up in more depth might be useful.

If you still need support with the MISP integration I kindly ask that you share a uninterrupted sequence of 50 or so lines of the ossec.log file, with the integrator grep filter. This is so that I can have a better context for what is happening and in which order.

floppyG commented 3 months ago

the script is being running by wazuh, but somehow the script is returning an error:

2024/06/18 15:42:03 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:03 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:03 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:03 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718123-1121382999.alert was written.
2024/06/18 15:42:03 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718123-1121382999.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:04 CEST 2024: # Starting

2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:04 CEST 2024: list index out of range

2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718124-21932817.alert was written.
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718124-21932817.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:04 rootcheck: INFO: Ending rootcheck scan.
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:04 CEST 2024: # Starting

2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:04 CEST 2024: list index out of range

2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718124-626298400.alert was written.
2024/06/18 15:42:04 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718124-626298400.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:05 CEST 2024: # Starting

2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:05 CEST 2024: list index out of range

2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718125-681649207.alert was written.
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718125-681649207.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:05 CEST 2024: # Starting

2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:05 CEST 2024: list index out of range

2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718125-637355669.alert was written.
2024/06/18 15:42:05 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718125-637355669.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:06 CEST 2024: # Starting

2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:06 CEST 2024: list index out of range

2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718126--1501181426.alert was written.
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718126--1501181426.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:06 CEST 2024: # Starting

2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:06 CEST 2024: list index out of range

2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718126--695656356.alert was written.
2024/06/18 15:42:06 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718126--695656356.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:07 CEST 2024: # Starting

2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:07 CEST 2024: list index out of range

2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718127-1179312040.alert was written.
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718127-1179312040.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:07 CEST 2024: # Starting

2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:07 CEST 2024: list index out of range

2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718127-1064805169.alert was written.
2024/06/18 15:42:07 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718127-1064805169.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:08 CEST 2024: # Starting

2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:08 CEST 2024: list index out of range

2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718128-673086679.alert was written.
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718128-673086679.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:08 CEST 2024: # Starting

2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:08 CEST 2024: list index out of range

2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718128-80273307.alert was written.
2024/06/18 15:42:08 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718128-80273307.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:09 CEST 2024: # Starting

2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:09 CEST 2024: list index out of range

2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718129-1657172706.alert was written.
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718129-1657172706.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:09 CEST 2024: # Starting

2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:09 CEST 2024: list index out of range

2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718129--1410022127.alert was written.
2024/06/18 15:42:09 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718129--1410022127.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:10 CEST 2024: # Starting

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:10 CEST 2024: list index out of range

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718130--466924685.alert was written.
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718130--466924685.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:10 CEST 2024: # Starting

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:10 CEST 2024: list index out of range

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718130--772114394.alert was written.
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718130--772114394.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:10 CEST 2024: # Starting

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:10 CEST 2024: list index out of range

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718130-1350890763.alert was written.
2024/06/18 15:42:10 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718130-1350890763.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:11 CEST 2024: # Starting

2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:11 CEST 2024: list index out of range

2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718131--463045915.alert was written.
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718131--463045915.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:11 CEST 2024: # Starting

2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:11 CEST 2024: list index out of range

2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718131--1114002321.alert was written.
2024/06/18 15:42:11 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718131--1114002321.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:12 CEST 2024: # Starting

2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:12 CEST 2024: list index out of range

2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718132--1436190308.alert was written.
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718132--1436190308.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:12 CEST 2024: # Starting

2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:12 CEST 2024: list index out of range

2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718132-1101300425.alert was written.
2024/06/18 15:42:12 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718132-1101300425.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:13 CEST 2024: # Starting

2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:13 CEST 2024: list index out of range

2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718133-40339284.alert was written.
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718133-40339284.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:13 CEST 2024: # Starting

2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:13 CEST 2024: list index out of range

2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718133-671747065.alert was written.
2024/06/18 15:42:13 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718133-671747065.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:14 CEST 2024: # Starting

2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:14 CEST 2024: list index out of range

2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718134--221011551.alert was written.
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718134--221011551.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:14 CEST 2024: # Starting

2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:14 CEST 2024: list index out of range

2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718134--1149336519.alert was written.
2024/06/18 15:42:14 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718134--1149336519.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:15 CEST 2024: # Starting

2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:15 CEST 2024: list index out of range

2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718135-1318907240.alert was written.
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718135-1318907240.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:15 CEST 2024: # Starting

2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:15 CEST 2024: list index out of range

2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718135-607031849.alert was written.
2024/06/18 15:42:15 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718135-607031849.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:16 CEST 2024: # Starting

2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:16 CEST 2024: list index out of range

2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718136-585369786.alert was written.
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718136-585369786.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:16 CEST 2024: # Starting

2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:16 CEST 2024: list index out of range

2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718136-865698341.alert was written.
2024/06/18 15:42:16 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718136-865698341.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:17 CEST 2024: # Starting

2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:17 CEST 2024: list index out of range

2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718137-928499521.alert was written.
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718137-928499521.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:17 CEST 2024: # Starting

2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:17 CEST 2024: list index out of range

2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718137-1381254979.alert was written.
2024/06/18 15:42:17 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718137-1381254979.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:18 CEST 2024: # Starting

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:18 CEST 2024: list index out of range

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718138-214305363.alert was written.
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718138-214305363.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:18 CEST 2024: # Starting

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:18 CEST 2024: list index out of range

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718138--283926708.alert was written.
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718138--283926708.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:18 CEST 2024: # Starting

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:18 CEST 2024: list index out of range

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718138-1816954273.alert was written.
2024/06/18 15:42:18 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718138-1816954273.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:19 CEST 2024: # Starting

2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:19 CEST 2024: list index out of range

2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718139--1897754315.alert was written.
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718139--1897754315.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:19 CEST 2024: # Starting

2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG: Tue Jun 18 15:42:19 CEST 2024: list index out of range

2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:451 at OS_IntegratorD(): DEBUG:

2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:464 at OS_IntegratorD(): DEBUG: Command ran successfully.
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:293 at OS_IntegratorD(): DEBUG: File /tmp/custom-MISP_search-1718718139--1955558356.alert was written.
2024/06/18 15:42:19 wazuh-integratord[287775] integrator.c:442 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/custom-MISP_search-1718718139--1955558356.alert 7rO1TKgvdtZ0RYskHts9y9S9Vnd8gsg9J1nnN5lg  debug

gustavoconforti commented 3 months ago

These logs seem to be fine, I think we got the Wazuh part right. It seems that it is indeed sending the temporary alert files (/tmp/custom-MISP_search-1718718139--1897754315.alert for instance) as arguments to your script. We need to check if the script is receiving them properly and what it is doing with it.

Can you enable logging in your script? Make it print the contents alert file it received in a log file somewhere so that we can check if it is indeed receiving a valid JSON. It might also be nice to enable error logging. I provided a sample I used in my scripts, let me share again.

import logging
import sys

# Configure logging to a file
logging.basicConfig(filename='/tmp/iris_integration.log', level=logging.INFO,
                    format='%(asctime)s - %(levelname)s - %(message)s')

try:
   # Your code here
   sys.exit(0)

except Exception as e:
    # Handle exceptions and log errors
    logging.error(f"An error occurred: {str(e)}")
    sys.exit(1)

And what is your exact Wazuh version?

floppyG commented 3 months ago

Hi @gustavoconforti i finally fixed the issue!

the problem was related to input sequence that wasn't updated by Wazuh docs :/

#!/var/ossec/framework/python/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.

import json
import sys
import time
import os
from socket import socket, AF_UNIX, SOCK_DGRAM  # Import necessary modules

try:
    import requests
    from requests.auth import HTTPBasicAuth
except Exception as e:
    print("No module 'requests' found. Install: pip install requests")
    sys.exit(1)

# Global vars

debug_enabled = True
pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
socket_addr = "{0}/queue/sockets/queue".format(pwd)

# Socket address for Wazuh
socket_addr = "{0}/queue/sockets/queue".format(pwd)

def main(args):
    debug("# Starting")

    # Check arguments
    if len(args) < 3:
        print("Usage: python script_name.py path_to_alerts.json api_key")
        sys.exit(1)

    alert_file_location = args[1]
    api_key = args[2]

    debug("# File location")
    debug(alert_file_location)
    debug("# API Key")
    debug(api_key)

    # Load alert. Parse JSON object.
    with open(alert_file_location) as alert_file:
        json_alert = json.load(alert_file)

    debug("# Processing alert")
    debug(json_alert)

    # Request MISP info
    misp_info = request_misp_info(json_alert, api_key)

    # If positive match, handle or process the MISP info here
    if misp_info:
        process_misp_info(misp_info)

def debug(msg):
    if debug_enabled:
        now = time.strftime("%a %b %d %H:%M:%S %Z %Y")
        msg = "{0}: {1}\n".format(now, msg)
        print(msg)

def query_misp(srcip, api_key):
    url = 'https://my-MISP_ip/attributes/restSearch'
    headers = {
        'Accept': 'application/json',
        'Authorization': api_key,
        'Content-Type': 'application/json'
    }
    payload = {
        'returnFormat': 'json',
        'type': 'ip-src',
        'value': srcip
    }
    response = requests.post(url, headers=headers, json=payload, verify=False)
    if response.status_code == 200:
        return response.json()
    else:
        debug(f"# Error: The MISP encountered an error. Status Code: {response.status_code}")
        sys.exit(1)

def request_misp_info(alert, api_key):
    if "data" not in alert["_source"]:
        debug("# No data found in the alert.")
        return None

    # Now check for "srcip" within "data"
    if "srcip" not in alert["_source"]["data"]:
        debug("# No source IP address found in the alert.")
        return None

    # Request info using MISP API
    data = query_misp(alert["_source"]["data"]["srcip"], api_key)

    return data

def process_misp_info(misp_info):
    # Example: Print or process MISP info as needed
    debug("Received MISP Info:")
    debug(json.dumps(misp_info, indent=2))

    # Send the MISP info to Wazuh using send_event function
    send_event(misp_info)

def send_event(msg, agent=None):
    """
    Sends event data to Wazuh.
    """
    if not agent or agent["id"] == "000":
        string = "1:misp:{0}".format(json.dumps(msg))
    else:
        string = "1:[{0}] ({1}) {2}->misp:{3}".format(
            agent["id"],
            agent["name"],
            agent["ip"] if "ip" in agent else "any",
            json.dumps(msg),
        )
    sock = socket(AF_UNIX, SOCK_DGRAM)
    sock.connect(socket_addr)
    sock.send(string.encode())
    sock.close()

if __name__ == "__main__":
    try:
        # Main function
        main(sys.argv)
    except Exception as e:
        debug(str(e))

gustavoconforti commented 3 months ago

That's good to hear, it was my pleasure to help ;)

gustavoconforti / wazuh-integrations

can't read logs/alerts/alerts.json #1