ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

ossec-slack issue on server-agents configuration #2052

Closed NathanFRuiz closed 2 years ago

NathanFRuiz commented 2 years ago

I'm testing OSSEC as our IDPS solution. I chose the one-server-multiple-agents configuration, as the agents will be installed on instances within an autoscaling group. I've managed to make everything work; however, the Slack integration doesn't seem to work on the agents:

These are the configurations I've tried, with little success:

  <command>
    <name>ossec-slack</name>
    <executable>ossec-slack.sh</executable>
    <expect></expect> <!-- no expect args required -->
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>ossec-slack</command>
    <location>local</location>
    <level>3</level>
  </active-response>

With this on the server I get alerts for server-related logs only, and adding it directly to the agent triggers empty alerts on Slack.

  <command>
    <name>ossec-slack</name>
    <executable>ossec-slack.sh</executable>
    <expect></expect> <!-- no expect args required -->
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>ossec-slack</command>
    <location>all</location>
    <level>3</level>
  </active-response>

This does not work at all, and the same with

The closest I got were empty alerts on Slack sent from the agent's ossec-slack.sh script, but to my understanding it doesn't make sense, as the alert should be sent from the server and not from the agent itself.

NathanFRuiz commented 2 years ago

I got it: <location>server</location> is the right way to do it.
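The misconfiguration discussed in this issue is easy to reintroduce when ossec.conf is templated for autoscaled agents. The following is an added example (not OSSEC project code) that lints an ossec.conf fragment for alert-notification commands such as ossec-slack bound to a location other than server, and rewrites them; the BROKEN_CONF sample is constructed from the two blocks above, and the NOTIFY_COMMANDS set is an assumption of this example.

```python
"""Lint ossec.conf active-response blocks for the ossec-slack location mistake.

ossec-slack.sh needs the alert data that only the manager (server) holds, so an
<active-response> that runs it with <location>local</location> or
<location>all</location> executes on the agents and posts empty Slack messages.
Only <location>server</location> works for this kind of command.
"""
import xml.etree.ElementTree as ET

# Assumption: commands that notify about an alert rather than act on a host.
NOTIFY_COMMANDS = {"ossec-slack"}

# Constructed sample: the command block plus the two failing blocks from the issue.
BROKEN_CONF = """
  <command>
    <name>ossec-slack</name>
    <executable>ossec-slack.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>ossec-slack</command>
    <location>local</location>
    <level>3</level>
  </active-response>
  <active-response>
    <command>ossec-slack</command>
    <location>all</location>
    <level>3</level>
  </active-response>
"""

def _parse(conf_xml: str) -> ET.Element:
    # ossec.conf fragments carry several top-level elements, so wrap them in one root.
    return ET.fromstring(f"<root>{conf_xml}</root>")

def lint_active_responses(conf_xml: str) -> list:
    """Return (command, location) for each notify command not bound to the server."""
    findings = []
    for ar in _parse(conf_xml).iter("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        loc = (ar.findtext("location") or "").strip()
        if cmd in NOTIFY_COMMANDS and loc != "server":
            findings.append((cmd, loc))
    return findings

def fix_notify_locations(conf_xml: str) -> str:
    """Rewrite offending <location> values to server and return the fragment."""
    root = _parse(conf_xml)
    for ar in root.iter("active-response"):
        loc = ar.find("location")
        if (ar.findtext("command") or "").strip() in NOTIFY_COMMANDS and loc is not None:
            loc.text = "server"
    return "".join(ET.tostring(child, encoding="unicode") for child in root)
```

Running lint_active_responses on BROKEN_CONF reports both blocks; after fix_notify_locations the lint is clean.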