wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Validate Integration options tag behavior #4005

Closed Deblintrake09 closed 1 year ago

Deblintrake09 commented 1 year ago
| Target version | Related issue | Related PR | Planning |
|---|---|---|---|
| 4.6.0 | https://github.com/wazuh/wazuh/issues/14479 | https://github.com/wazuh/wazuh/pull/16090 | https://github.com/wazuh/wazuh-qa/issues/3998 |

Description

This issue aims to perform manual testing and validate the integrations' behavior with the new `options` tag.

Slack proposed checks

TIER 0 - No options passed

```Gherkin
Given that integration is configured without options tag
When an alert is generated in manager
Then Alert is sent and appears in Slack with default values
```

TIER 1 - Valid Options modify data in Slack - Custom pretext

```Gherkin
Given that integration is configured with custom pretext
When an alert is generated in manager
Then Alert is sent and appears in Slack with custom title
```

TIER 2 - Valid Options with invalid value - Invalid URL

```Gherkin
Given that integration is configured with custom `author_icon` with invalid URL
When an alert is generated in manager
Then Alert is sent and appears in Slack without author's icon
```

TIER 2 - Invalid JSON format - Integration is stopped

```Gherkin
Given that integration is configured with options tag and the passed options value is not in JSON format
When the integration starts
Then an error message is shown and integration is stopped
```

TIER 2 - Not recognized options - Value is ignored

```Gherkin
Given that integration is configured with a key that does not exist
When the integration starts and an alert is generated
Then the integration works and the passed key is ignored
```

TIER 2 - Options configured with empty value

```Gherkin
Given that integration is configured and no value is passed
When the manager is started
Then the integration is stopped as no value is found
```

PagerDuty proposed checks

TIER 0 - No options passed

```Gherkin
Given that integration is configured without options tag
When an alert is generated in manager
Then Alert is sent and PagerDuty Incident is created with default values
```

TIER 1 - Valid Options modify data in PagerDuty - Custom Payload Summary

```Gherkin
Given that integration is configured with custom `Payload summary`
When an alert is generated in manager
Then Alert is sent and incident is generated in PagerDuty with custom summary
```

TIER 2 - Valid Options with invalid value - Invalid action

```Gherkin
Given that integration is configured with custom `event_action` with invalid value
When an alert is generated in manager
Then Alert is sent and PagerDuty responds to invalid value
```

TIER 2 - Invalid JSON format - Integration is stopped

```Gherkin
Given that integration is configured with options tag and the passed options value is not in JSON format
When the integration starts
Then an error message is shown and integration is stopped
```

TIER 2 - Not recognized options - Value is ignored

```Gherkin
Given that integration is configured with a key that does not exist
When the integration starts and an alert is generated
Then the integration works and the passed key is ignored
```

TIER 2 - Options configured with empty value

```Gherkin
Given that integration is configured and no value is passed
When the manager is started
Then the integration is stopped as no value is found
```

Virustotal proposed checks

TIER 0 - No options passed

```Gherkin
Given that integration is configured without options tag
When an alert is generated in manager
Then Alert is sent and Virustotal Incident is created with default values
```

TIER 1 - Valid Options modify data in Virustotal - Custom Resource

```Gherkin
Given that integration is configured with custom `Payload resource`
When an alert is generated in manager for a given file
Then Alert is sent with custom resource
And Virustotal responds to the custom resource and not the actual alert generator
```

TIER 2 - Valid Options with invalid value - Invalid action

```Gherkin
Given that integration is configured with custom `allinfo` with invalid value
When an alert is generated in manager
Then Alert is sent and Virustotal responds to invalid value
```

TIER 2 - Invalid JSON format - Integration is stopped

```Gherkin
Given that integration is configured with options tag and the passed options value is not in JSON format
When the integration starts
Then an error message is shown and integration is stopped
```

TIER 2 - Not recognized options - Value is ignored

```Gherkin
Given that integration is configured with a key that does not exist
When the integration starts and an alert is generated
Then the integration works and the passed key is ignored
```

TIER 2 - Options configured with empty value

```Gherkin
Given that integration is configured and no value is passed
When the manager is started
Then the integration is stopped as no value is found
```

Shuffle Integration cases

TIER 0 - No options passed

```Gherkin
Given that integration is configured without options tag
When an alert is generated in manager
Then when the alert is being sent the integration fails
```

TIER 1 - Valid Options modify data in message sent - Custom Resource

```Gherkin
Given that integration is configured with custom Value
When an alert is generated in manager for a given file
Then message is sent with custom resource
And integration message is sent and Shuffle's response is 200
```

TIER 2 - Valid Options with invalid value - Invalid action

```Gherkin
Given that integration is configured with custom invalid value
When an alert is generated in manager
Then message is sent with custom resource
And integration message is sent and Shuffle's response is 200
```

TIER 2 - Invalid JSON format - Integration is stopped

```Gherkin
Given that integration is configured with options tag and the passed options value is not in JSON format
When the integration starts
Then an error message is shown and integration is stopped
```

TIER 2 - Not recognized options - Value is ignored

```Gherkin
Given that integration is configured with a key that does not exist
When the integration starts and an alert is generated
Then the integration works and the passed key is ignored
```

TIER 2 - Options configured with empty value

```Gherkin
Given that integration is configured and no value is passed
When the manager is started
Then the integration is stopped as no value is found
```

Configuration and considerations

Slack

When testing the Slack integration, the options to be tested are the options present in the following endpoint's options

Configuration consideration

```xml
<integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/XXXXXXXXXXXXXX</hook_url>
    <alert_format>json</alert_format>
    <options>{"pretext": "Custom Title"}</options>
</integration>
```

PagerDuty

For testing the PagerDuty integration, we will need to configure the integration and test the values of the target endpoint.

Configuration

```xml
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key> <!-- Replace with your PagerDuty API key -->
  <options>{<KEY>: <VALUE>}</options>
</integration>
```

Virustotal

The target endpoint for the Virustotal integration is https://developers.virustotal.com/v2.0/reference/file-report.

Configuration details

```xml
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
  <options>OPTIONS_JSON_DATA</options>
</integration>
```

Shuffle

The Shuffle integration does not use a specific direct API, since it receives data and forwards it to other integrated applications. For this, we will need to integrate Wazuh with Shuffle following the documentation here.

```xml
<integration>
  <name>custom-integration</name>
  <hook_url>WEBHOOK</hook_url>
  <alert_format>json</alert_format>
  <options>OPTIONS_JSON</options>
</integration>
```

Deblintrake09 commented 1 year ago

Review Data

| Tester | Commit |
|---|---|
| @Deblintrake09 | https://github.com/wazuh/wazuh/pull/16090/commits/d036dda058916d03d8b197f2d7a43f3bcad2a7a0 |

Testing Environment

| OS | Deployment | Image | Notes |
|---|---|---|---|
| Centos 8 | Local | qactl/centos8 | |

Tested Packages

| System | Manager | Agent |
|---|---|---|
| Centos | Installed from sources | Not tested |

Deblintrake09 commented 1 year ago

Slack Integration results

Empty JSON in options tag - Uses default data

- Configure integration

```xml
<integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/XXXXXXXXXXXXXX</hook_url>
    <alert_format>json</alert_format>
    <options>{}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
# cat /var/ossec/logs/ossec.log | grep integratord
2023/03/17 17:16:18 wazuh-integratord[19767] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/17 17:16:18 wazuh-integratord[19767] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679073378-107288595.alert was written.
2023/03/17 17:16:18 wazuh-integratord[19767] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679073378-1328125738.options was written.
2023/03/17 17:16:18 wazuh-integratord[19767] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/slack-1679073378-107288595.alert https://hooks.slack.com/services/XXXXXXXXXXXXXX debug /tmp/slack-1679073378-1328125738.options
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: # Starting
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: # Options file location
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: /tmp/slack-1679073378-1328125738.options
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: # Processing options
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: {}
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: # Alert file location
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: /tmp/slack-1679073378-107288595.alert
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: # Processing alert
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: {'timestamp': '2023-03-17T17:16:17.093+0000', 'rule': {'level': 3, 'description': 'Ossec server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'c3'}, 'manager': {'name': 'c3'}, 'id': '1679073377.590565', 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: # Generating message
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: {"attachments": [{"color": "good", "pretext": "WAZUH Alert", "title": "Ossec server started.", "text": "ossec: Manager started.", "fields": [{"title": "Agent", "value": "(000) - c3"}, {"title": "Location", "value": "wazuh-monitord"}, {"title": "Rule ID", "value": "502 _(Level 3)_"}], "ts": "1679073377.590565"}]}
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: # Sending message
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:16:18 UTC 2023: # Response received:
2023/03/17 17:16:19 wazuh-integratord[19767] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully.
```

- Check alerts in Slack

![Image](https://user-images.githubusercontent.com/14501079/225977487-a23a23b2-ac33-4f5d-a18e-162d13f0d60b.png)
Custom pretext in options tag

- Configure integration

```xml
<integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/XXXXXXXXXXXXXX</hook_url>
    <alert_format>json</alert_format>
    <options>{"pretext": "Custom Test Title"}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
# cat /var/ossec/logs/ossec.log | grep integratord
2023/03/17 17:17:57 wazuh-integratord[20235] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/17 17:17:57 wazuh-integratord[20235] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679073477-570095764.alert was written.
2023/03/17 17:17:57 wazuh-integratord[20235] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679073477-1324468057.options was written.
2023/03/17 17:17:57 wazuh-integratord[20235] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/slack-1679073477-570095764.alert https://hooks.slack.com/services/XXXXXXXXXXXXXX debug /tmp/slack-1679073477-1324468057.options
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: # Starting
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: # Options file location
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: /tmp/slack-1679073477-1324468057.options
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: # Processing options
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: {'pretext': 'Custom Test Title'}
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: # Alert file location
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: /tmp/slack-1679073477-570095764.alert
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: # Processing alert
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: {'timestamp': '2023-03-17T17:17:56.499+0000', 'rule': {'level': 3, 'description': 'Ossec server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'c3'}, 'manager': {'name': 'c3'}, 'id': '1679073476.590808', 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: # Generating message
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: {"attachments": [{"color": "good", "pretext": "Custom Test Title", "title": "Ossec server started.", "text": "ossec: Manager started.", "fields": [{"title": "Agent", "value": "(000) - c3"}, {"title": "Location", "value": "wazuh-monitord"}, {"title": "Rule ID", "value": "502 _(Level 3)_"}], "ts": "1679073476.590808"}]}
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: # Sending message
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: # Response received:
2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully.
```

- Check alerts in Slack

![Image](https://user-images.githubusercontent.com/14501079/225977913-abd57bd6-51c0-49f8-a803-7c73fdc7d0ee.png)
Not recognized options - Value is ignored

- Configure integration

```xml
<integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/XXXXXXXXXXXXXX</hook_url>
    <alert_format>json</alert_format>
    <options>{"pretext": "Custom Title", "Custom_option":"test_value"}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
# cat /var/ossec/logs/ossec.log | grep integratord
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679073732-1426112664.alert was written.
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679073732-654294549.options was written.
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/slack-1679073732-1426112664.alert https://hooks.slack.com/services/XXXXXXXXXXXXXX debug /tmp/slack-1679073732-654294549.options
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: # Starting
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: # Options file location
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: /tmp/slack-1679073732-654294549.options
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: # Processing options
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: {'Custom_option': 'test_value'}
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: # Alert file location
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: /tmp/slack-1679073732-1426112664.alert
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: # Processing alert
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: {'timestamp': '2023-03-17T17:22:10.877+0000', 'rule': {'level': 3, 'description': 'Ossec server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'c3'}, 'manager': {'name': 'c3'}, 'id': '1679073730.591294', 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: # Generating message
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: {"attachments": [{"color": "good", "pretext": "WAZUH Alert", "title": "Ossec server started.", "text": "ossec: Manager started.", "fields": [{"title": "Agent", "value": "(000) - c3"}, {"title": "Location", "value": "wazuh-monitord"}, {"title": "Rule ID", "value": "502 _(Level 3)_"}], "ts": "1679073730.591294", "Custom_option": "test_value"}]}
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: # Sending message
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:22:12 UTC 2023: # Response received:
2023/03/17 17:22:12 wazuh-integratord[21163] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully.
```

- Check alerts in Slack

![Image](https://user-images.githubusercontent.com/14501079/225978247-b70f0886-2f08-4b88-b0d7-c9d1c065c12d.png)
No Options tag used - Integration does not start

- Configure integration

```xml
<integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/XXXXXXXXXXXXXX</hook_url>
    <alert_format>json</alert_format>
</integration>
```

- Restart Manager
- Check integration has started

```
# cat /var/ossec/logs/ossec.log | grep integratord
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679068608-1969501137.alert was written.
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/slack-1679068608-1969501137.alert https://hooks.slack.com/services/XXXXXXXXXXXXXX debug
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 15:56:48 UTC 2023: # Starting
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 15:56:48 UTC 2023: # Options file location
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 15:56:48 UTC 2023:
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 15:56:48 UTC 2023: # JSON file doesn't exist
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for slack -> integrations
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:446 at OS_IntegratorD(): ERROR: While running slack -> integrations. Output:
2023/03/17 15:56:48 wazuh-integratord[18701] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 6
```
Options configured with empty value - Integration does not start

- Configure integration

```xml
<integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/XXXXXXXXXXXXXX</hook_url>
    <alert_format>json</alert_format>
    <options></options>
</integration>
```

- Restart Manager
- Check integration has started

```
# cat /var/ossec/logs/ossec.log | grep integratord
2023/03/17 15:58:28 wazuh-integratord[19174] integrator.c:127 at OS_IntegratorD(): INFO: Enabling integration for: 'slack'.
2023/03/17 15:58:28 wazuh-integratord[19174] integrator.c:137 at OS_IntegratorD(): DEBUG: jqueue_next()
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679068727--1719401819.alert was written.
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679068727-192833069.options was written.
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/slack-1679068727--1719401819.alert https://hooks.slack.com/services/XXXXXXXXXXXXXX debug /tmp/slack-1679068727-192833069.options
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 15:58:47 UTC 2023: # Starting
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 15:58:47 UTC 2023: # Options file location
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 15:58:47 UTC 2023: /tmp/slack-1679068727-192833069.options
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 15:58:47 UTC 2023: Failed getting json_alert Expecting value: line 2 column 1 (char 1)
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for slack -> integrations
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:446 at OS_IntegratorD(): ERROR: While running slack -> integrations. Output:
2023/03/17 15:58:47 wazuh-integratord[19174] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7
```
Invalid JSON format - Integration is stopped

- Configure integration

```xml
<integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/XXXXXXXXXXXXXX</hook_url>
    <alert_format>json</alert_format>
    <options>{"pretext": "Custom Title"</options>
</integration>
```

- Restart Manager
- Check integration has started

```
# cat /var/ossec/logs/ossec.log | grep integratord
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679073626--1792151340.alert was written.
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/slack-1679073626--993098947.options was written.
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/slack-1679073626--1792151340.alert https://hooks.slack.com/services/XXXXXXXXXXXXXX debug /tmp/slack-1679073626--993098947.options
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:20:26 UTC 2023: # Starting
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:20:26 UTC 2023: # Options file location
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:20:26 UTC 2023: /tmp/slack-1679073626--993098947.options
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Fri Mar 17 17:20:26 UTC 2023: Failed getting json_alert Invalid control character at: line 1 column 31 (char 30)
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for slack -> integrations
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:446 at OS_IntegratorD(): ERROR: While running slack -> integrations. Output:
2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7
```

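Every run above leaves the same evidence trail in `ossec.log`: a `Running: integrations ...` line whose fourth argument is the `.options` file (absent when no `<options>` tag is configured), the script's own `# Processing options` / `# Generating message` steps relayed through `integrator.c:436`, and either `Command ran successfully.` or an `Exit status was: N` line (6 when the options file is missing, 7 when it is empty or not valid JSON, as in the excerpts). The following Python is an added example, not code from wazuh or wazuh-qa: it parses that debug output into a per-run record and checks it against the expectation of one of the Gherkin cases, so the manual checks above can be replayed from the log alone. The log line format and exit codes are taken from the excerpts; the two sample logs are constructed (shortened, hook URL replaced by a placeholder, the unknown-key pass-through modelled on the `Custom_option` value that the "Not recognized options" run shows inside the generated attachment), and the `check_case` expectation keys are my own.

```python
import ast
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Prefix that wazuh-integratord (integrator.c:436 above) puts on each line it
# relays from the integration script, up to the script's own UTC timestamp.
_RELAY = re.compile(r"^\S+ \S+ wazuh-integratord\[\d+\] integrator\.c:\d+ at "
                    r"OS_IntegratorD\(\): DEBUG: integratord: .*? UTC \d{4}: (?P<body>.*)$")
_RUNNING = re.compile(r"DEBUG: Running: integrations (?P<args>.+)$")
_EXIT = re.compile(r"ERROR: Exit status was: (?P<code>\d+)$")


@dataclass
class IntegrationRun:
    options_file: Optional[str] = None  # 4th script argument, absent without <options>
    options: Optional[dict] = None      # payload logged after "# Processing options"
    message: Optional[dict] = None      # payload logged after "# Generating message"
    script_errors: list = field(default_factory=list)  # "Failed getting json_alert ..."
    exit_status: Optional[int] = None   # set only when integratord reports an error
    succeeded: bool = False             # "Command ran successfully." seen


def parse_integratord_log(text: str) -> IntegrationRun:
    """Collect what one integration run reported, from its ossec.log lines."""
    run, expect = IntegrationRun(), None
    for line in text.splitlines():
        line = line.strip()
        if m := _RUNNING.search(line):
            # integrations <alert_file> <hook_url_or_api_key> debug [<options_file>]
            argv = m.group("args").split()
            run.options_file = argv[3] if len(argv) > 3 else None
        elif m := _EXIT.search(line):
            run.exit_status = int(m.group("code"))
        elif line.endswith("DEBUG: Command ran successfully."):
            run.succeeded = True
        elif m := _RELAY.match(line):
            body = m.group("body").strip()
            if body == "# Processing options":
                expect = "options"
            elif body == "# Generating message":
                expect = "message"
            elif body.startswith("#"):
                expect = None
            elif expect == "options":
                run.options, expect = ast.literal_eval(body), None  # script logs a Python repr
            elif expect == "message":
                run.message, expect = json.loads(body), None        # script logs json.dumps output
            elif body.startswith("Failed getting json_alert"):
                run.script_errors.append(body)
    return run


def check_case(run: IntegrationRun, expected: dict) -> list:
    """Mismatches between a run and a Gherkin case. Keys of `expected` (assumed
    names): exit_status (None = must succeed), pretext, passthrough (dict of
    attachment keys/values that must survive)."""
    problems = []
    want = expected.get("exit_status")
    if want is None and not run.succeeded:
        problems.append(f"expected success, got exit status {run.exit_status}")
    elif want is not None and run.exit_status != want:
        problems.append(f"expected exit status {want}, got {run.exit_status}")
    if run.succeeded and run.message is not None:
        att = run.message["attachments"][0]
        if "pretext" in expected and att.get("pretext") != expected["pretext"]:
            problems.append(f"pretext is {att.get('pretext')!r}")
        for key, value in expected.get("passthrough", {}).items():
            if att.get(key) != value:
                problems.append(f"key {key!r} not passed through")
    return problems


# Constructed sample logs, shortened from the excerpts above; the hook URL is a placeholder.
_P = ("2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:436 at OS_IntegratorD(): "
      "DEBUG: integratord: Fri Mar 17 17:17:58 UTC 2023: ")
SAMPLE_CUSTOM_PRETEXT = "\n".join([
    "2023/03/17 17:17:57 wazuh-integratord[20235] integrator.c:427 at OS_IntegratorD(): DEBUG: "
    "Running: integrations /tmp/slack-1.alert https://hooks.slack.com/services/XXXXXXXXXXXXXX debug /tmp/slack-1.options",
    _P + "# Starting",
    _P + "# Processing options",
    _P + "{'pretext': 'Custom Test Title', 'Custom_option': 'test_value'}",
    _P + "# Generating message",
    _P + '{"attachments": [{"color": "good", "pretext": "Custom Test Title", '
         '"title": "Ossec server started.", "ts": "1679073476.590808", "Custom_option": "test_value"}]}',
    "2023/03/17 17:17:58 wazuh-integratord[20235] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully.",
])
SAMPLE_INVALID_JSON = "\n".join([
    "2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:427 at OS_IntegratorD(): DEBUG: "
    "Running: integrations /tmp/slack-2.alert https://hooks.slack.com/services/XXXXXXXXXXXXXX debug /tmp/slack-2.options",
    _P + "# Starting",
    _P + "Failed getting json_alert Invalid control character at: line 1 column 31 (char 30)",
    "2023/03/17 17:20:26 wazuh-integratord[20698] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7",
])


def validate_samples() -> dict:
    """Problems per constructed sample; an empty list means the case passed."""
    return {
        "custom_pretext": check_case(parse_integratord_log(SAMPLE_CUSTOM_PRETEXT),
                                     {"exit_status": None, "pretext": "Custom Test Title",
                                      "passthrough": {"Custom_option": "test_value"}}),
        "invalid_json": check_case(parse_integratord_log(SAMPLE_INVALID_JSON), {"exit_status": 7}),
    }
```

To use it against a real run, feed `parse_integratord_log` the output of `grep integratord /var/ossec/logs/ossec.log` for one restart and pass the Gherkin expectation to `check_case`; a case such as "No Options tag used" is expressed as `{"exit_status": 6}`, and a missing `run.options_file` confirms that no `<options>` tag reached the script.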
Deblintrake09 commented 1 year ago

PagerDuty Integration results

No Options tag used - Integration fails

- Configure integration

```xml
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/03/21 14:22:32 wazuh-integratord[4440] integrator.c:127 at OS_IntegratorD(): INFO: Enabling integration for: 'pagerduty'.
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:390 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679408560--1132653819.alert was written.
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/pagerduty-1679408560--1132653819.alert API_KEY debug
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:22:40 UTC 2023: # Starting
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:22:40 UTC 2023: # Options file location
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:22:40 UTC 2023:
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:22:40 UTC 2023: # JSON file doesn't exist
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:446 at OS_IntegratorD(): ERROR: While running pagerduty -> integrations. Output:
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 6
2023/03/21 14:22:40 wazuh-integratord[4440] integrator.c:137 at OS_IntegratorD(): DEBUG: jqueue_next()
```
Empty Options tag used - Integration fails

- Configure integration

```xml
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key>
  <options></options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/03/21 14:23:38 wazuh-integratord[4933] integrator.c:127 at OS_IntegratorD(): INFO: Enabling integration for: 'pagerduty'.
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:390 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679408627-1507579399.alert was written.
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679408627--386640180.options was written.
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/pagerduty-1679408627-1507579399.alert API_KEY debug /tmp/pagerduty-1679408627--386640180.options
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:23:47 UTC 2023: # Starting
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:23:47 UTC 2023: # Options file location
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:23:47 UTC 2023: /tmp/pagerduty-1679408627--386640180.options
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:23:47 UTC 2023: Failed getting json_alert Expecting value: line 2 column 1 (char 1)
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:446 at OS_IntegratorD(): ERROR: While running pagerduty -> integrations. Output:
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7
```
Empty JSON used - Integration uses default values

- Configure integration

```xml
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key>
  <options>{}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/03/21 14:24:31 wazuh-integratord[5436] integrator.c:127 at OS_IntegratorD(): INFO: Enabling integration for: 'pagerduty'.
2023/03/21 14:24:38 wazuh-integratord[5436] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/21 14:24:38 wazuh-integratord[5436] integrator.c:390 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679408678--356544873.alert was written.
2023/03/21 14:24:38 wazuh-integratord[5436] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679408678--1489661486.options was written.
2023/03/21 14:24:38 wazuh-integratord[5436] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/pagerduty-1679408678--356544873.alert API_KEY debug /tmp/pagerduty-1679408678--1489661486.options
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:24:39 UTC 2023: # Starting
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:24:39 UTC 2023: # Options file location
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:24:39 UTC 2023: /tmp/pagerduty-1679408678--1489661486.options
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:24:39 UTC 2023: # Processing options
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:24:39 UTC 2023: {}
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:24:39 UTC 2023: # Alert file location
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:24:39 UTC 2023: /tmp/pagerduty-1679408678--356544873.alert
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:24:39 UTC 2023: Failed getting json_alert Expecting value: line 1 column 1 (char 0)
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:446 at OS_IntegratorD(): ERROR: While running pagerduty -> integrations. Output:
2023/03/21 14:24:39 wazuh-integratord[5436] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7
```
Custom Valid value in option - Configure integration ```xml pagerduty API_KEY {"summary":"Custom Summary"} ``` - Restart Manager - Check integration has started ``` 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert. 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:390 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679408861--1755193798.alert was written. 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679408861--1920831850.options was written. 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/pagerduty-1679408861--1755193798.alert 1b7753d129374006c01b9a229d61594d debug /tmp/pagerduty-1679408861--1920831850.options 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:27:41 UTC 2023: # Starting 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:27:41 UTC 2023: # Options file location 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:27:41 UTC 2023: /tmp/pagerduty-1679408861--1920831850.options 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:27:41 UTC 2023: # Processing options 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:27:41 UTC 2023: {'summary': 'Custom Summary'} 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:27:41 UTC 2023: # Alert file location 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:27:41 UTC 2023: /tmp/pagerduty-1679408861--1755193798.alert 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:436 
at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:27:41 UTC 2023: Failed getting json_alert Expecting value: line 1 column 1 (char 0) 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations 2023/03/21 14:27:41 wazuh-integratord[5928] integrator.c:446 at OS_IntegratorD(): ERROR: While running pagerduty -> integrations. Output: 2023/03/21 14:27:41 wazuh-integratord[6415] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7 ```
Invalid value used in option - Configure integration ```xml pagerduty API_KEY {"severity":"Custom Severity"} ``` - Restart Manager - Check integration has started ``` 2023/03/21 14:30:12 wazuh-integratord[6415] integrator.c:127 at OS_IntegratorD(): INFO: Enabling integration for: 'pagerduty'. 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert. 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:390 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679409021--254316837.alert was written. 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679409021-60925139.options was written. 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/pagerduty-1679409021--254316837.alert 1b7753d129374006c01b9a229d61594d debug /tmp/pagerduty-1679409021-60925139.options 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: # Starting 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: # Options file location 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: /tmp/pagerduty-1679409021-60925139.options 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: # Processing options 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: {'severity': 'Custom Severity'} 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: # Alert file location 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 
14:30:21 UTC 2023: /tmp/pagerduty-1679409021--254316837.alert 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: Failed getting json_alert Expecting value: line 1 column 1 (char 0) 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:446 at OS_IntegratorD(): ERROR: While running pagerduty -> integrations. Output: 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7 ```
Non existent field used in option - Configure integration ```xml pagerduty API_KEY {"custom_option":"Custom Value"} ``` - Restart Manager - Check integration has started ``` 2023/03/21 14:30:12 wazuh-integratord[6415] integrator.c:127 at OS_IntegratorD(): INFO: Enabling integration for: 'pagerduty'. 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert. 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:390 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679409021--254316837.alert was written. 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/pagerduty-1679409021-60925139.options was written. 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/pagerduty-1679409021--254316837.alert 1b7753d129374006c01b9a229d61594d debug /tmp/pagerduty-1679409021-60925139.options 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: # Starting 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: # Options file location 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: /tmp/pagerduty-1679409021-60925139.options 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: # Processing options 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: 2023/03/21 14:30:21 
wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: {"custom_option":"Custom Value"} 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: # Alert file location 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: /tmp/pagerduty-1679409021--254316837.alert 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:30:21 UTC 2023: Failed getting json_alert Expecting value: line 1 column 1 (char 0) 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:446 at OS_IntegratorD(): ERROR: While running pagerduty -> integrations. Output: 2023/03/21 14:30:21 wazuh-integratord[6415] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7 ```

Results :red_circle:

Testing failed for all cases where it was expected that the integration worked.
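The PagerDuty, VirusTotal and Shuffle runs in this issue are judged by reading the same `wazuh-integratord` debug lines by hand: a `Running: integrations ...` line, the relayed script output, and then either `Command ran successfully.` or `Exit status was: N`. The following script is an added example (not code from wazuh or wazuh-qa) that parses that log shape and reports, per run, the integration name, whether an options file was passed, the exit status and the last line the integration script printed, which on failure is the reason (`Failed getting json_alert ...` or `# JSON file doesn't exist`). The sample log is constructed to match the format quoted in the comments; PIDs, file names and the `REDACTED_KEY` placeholder are made up.

```python
"""Summarise wazuh-integratord debug output per integration run.

Added example for this issue, not part of wazuh or wazuh-qa. Parses the log
format quoted in the comments above: one "Running: integrations ..." line
starts a run, relayed script output follows, and the run ends with either
"Command ran successfully." or "Exit status was: N".
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, shaped like the quoted output (PIDs/paths are made up).
SAMPLE_LOG = """\
2023/03/21 14:23:38 wazuh-integratord[4933] integrator.c:127 at OS_IntegratorD(): INFO: Enabling integration for: 'pagerduty'.
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/pagerduty-1679408627-1.alert REDACTED_KEY debug /tmp/pagerduty-1679408627-2.options
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:23:47 UTC 2023: # Starting
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:23:47 UTC 2023: Failed getting json_alert Expecting value: line 2 column 1 (char 1)
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations
2023/03/21 14:23:47 wazuh-integratord[4933] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7
2023/03/21 14:44:36 wazuh-integratord[8398] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/virustotal-1679409876-3.alert REDACTED_KEY debug /tmp/virustotal-1679409876-4.options
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: # Sending message
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully.
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/shuffle-1679415564-5.alert https://hooks.example.invalid/webhook debug
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:19:24 UTC 2023: # JSON file doesn't exist
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 6
"""

# One integratord line: timestamp, pid, source location, level, message.
LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} wazuh-integratord\[\d+\] "
    r"integrator\.c:\d+ at OS_IntegratorD\(\): (?P<level>INFO|DEBUG|ERROR): (?P<msg>.*)$"
)
# Launcher line: alert file, hook URL or API key, "debug", optional options file.
RUN_RE = re.compile(r"^Running: integrations (?P<alert>\S+) \S+ debug(?: (?P<options>\S+))?$")
EXIT_RE = re.compile(r"^Exit status was: (?P<code>\d+)$")
# Script stdout is relayed as "integratord: <date>: <text>" or "integratord: <text>".
SCRIPT_RE = re.compile(
    r"^integratord: (?:\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2} UTC \d{4}: )?(?P<out>.*)$"
)


@dataclass
class Run:
    integration: str
    options_file: Optional[str]
    exit_status: Optional[int] = None
    output: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.exit_status == 0

    @property
    def reason(self) -> Optional[str]:
        """Last non-empty line the script printed; on failure, the error text."""
        return self.output[-1] if self.output else None


def parse_runs(log: str) -> list[Run]:
    runs: list[Run] = []
    current: Optional[Run] = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").rstrip()
        run_m = RUN_RE.match(msg)
        if run_m:
            # Alert files are named /tmp/<integration>-<timestamp>-<hash>.alert
            name = os.path.basename(run_m.group("alert")).split("-", 1)[0]
            current = Run(integration=name, options_file=run_m.group("options"))
            runs.append(current)
            continue
        if current is None:
            continue
        exit_m = EXIT_RE.match(msg)
        if exit_m:
            current.exit_status = int(exit_m.group("code"))
            current = None
        elif msg == "Command ran successfully.":
            current.exit_status = 0
            current = None
        else:
            script_m = SCRIPT_RE.match(msg)
            if script_m and script_m.group("out").strip():
                current.output.append(script_m.group("out").strip())
    return runs


def report(runs: list[Run]) -> list[str]:
    """One human-readable line per run, for a quick pass/fail table."""
    lines = []
    for r in runs:
        status = "OK" if r.ok else f"FAIL (exit {r.exit_status})"
        opts = r.options_file or "<no options file>"
        lines.append(f"{r.integration}: {status} options={opts} reason={r.reason}")
    return lines


if __name__ == "__main__":
    for line in report(parse_runs(SAMPLE_LOG)):
        print(line)
```

Feeding `/var/ossec/logs/ossec.log` (with `integrator.debug` enabled, as in the runs above) to `parse_runs` gives the same table the comments build by hand, and `reason` distinguishes the two failure modes seen here: a missing options file (`# JSON file doesn't exist`, exit 6) and an unparseable one (`Failed getting json_alert ...`, exit 7).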

Deblintrake09 commented 1 year ago

Virustotal Integration results

No Options tag used - Integration fails

- Configure integration

```xml
virustotal
API_KEY
syscheck
json
```

- Restart Manager
- Check integration has started

```
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/virustotal-1679409667-852374688.alert was written.
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/virustotal-1679409667-852374688.alert d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a debug
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:41:07 UTC 2023: # Starting
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:41:07 UTC 2023: # Options file location
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:41:07 UTC 2023:
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:41:07 UTC 2023: # JSON file doesn't exist
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for virustotal -> integrations
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:446 at OS_IntegratorD(): ERROR: While running virustotal -> integrations. Output:
2023/03/21 14:41:07 wazuh-integratord[6925] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 6
```

Empty Options tag used - Integration fails

- Configure integration

```xml
virustotal
API_KEY
syscheck
json
```

- Restart Manager
- Check integration has started

```
2023/03/21 14:43:30 wazuh-integratord[7914] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/virustotal-1679409810--26200080.options was written.
2023/03/21 14:43:30 wazuh-integratord[7914] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/virustotal-1679409810-1836619100.alert d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a debug /tmp/virustotal-1679409810--26200080.options
2023/03/21 14:43:30 wazuh-integratord[7914] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:43:30 UTC 2023: # Starting
2023/03/21 14:43:30 wazuh-integratord[7914] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:43:30 UTC 2023: # Options file location
2023/03/21 14:43:30 wazuh-integratord[7914] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:43:30 UTC 2023: /tmp/virustotal-1679409810--26200080.options
2023/03/21 14:43:30 wazuh-integratord[7914] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:43:30 UTC 2023: Failed getting json_alert Expecting value: line 2 column 1 (char 1)
2023/03/21 14:43:30 wazuh-integratord[7914] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for virustotal -> integrations
2023/03/21 14:43:30 wazuh-integratord[7914] integrator.c:446 at OS_IntegratorD(): ERROR: While running virustotal -> integrations. Output:
2023/03/21 14:43:30 wazuh-integratord[7914] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7
```

Empty JSON used - Integration uses default values

- Configure integration

```xml
virustotal
API_KEY
syscheck
json
{}
```

- Restart Manager
- Check integration has started

```
2023/03/21 14:44:36 wazuh-integratord[8398] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/21 14:44:36 wazuh-integratord[8398] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/virustotal-1679409876-1812409774.alert was written.
2023/03/21 14:44:36 wazuh-integratord[8398] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/virustotal-1679409876--676539399.options was written.
2023/03/21 14:44:36 wazuh-integratord[8398] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/virustotal-1679409876-1812409774.alert d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a debug /tmp/virustotal-1679409876--676539399.options
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: # Starting
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: # Options file location
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: /tmp/virustotal-1679409876--676539399.options
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: # Processing options
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: {}
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: # Alert file location
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: /tmp/virustotal-1679409876-1812409774.alert
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: # Processing alert
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: {'timestamp': '2023-03-21T14:44:35.991+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'c3'}, 'manager': {'name': 'c3'}, 'id': '1679409875.28514', 'full_log': "File '/testdir/test_empty_json_in_options_tag' added\nMode: realtime\n", 'syscheck': {'path': '/testdir/test_empty_json_in_options_tag', 'mode': 'realtime', 'size_after': '0', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'd41d8cd98f00b204e9800998ecf8427e', 'sha1_after': 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 'sha256_after': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2023-03-21T14:44:35', 'inode_after': 19533772, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: # Generating message
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: # Sending message
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:44:36 UTC 2023: # Final msg to send: 1:virustotal:{"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1679409875.28514", "file": "/testdir/test_empty_json_in_options_tag", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2023-03-21 14:43:08", "positives": 0, "total": 58, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1679409788"}, "integration": "virustotal"}
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:44:37 wazuh-integratord[8398] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully.
```
Valid Options modify data in Virustotal - Custom Resource

- Configure integration

```xml
virustotal
API_KEY
syscheck
json
{"virustotal":{"virustotal": {"source": {"file": "custom_file_name"}}}}
```

- Restart Manager
- Check integration has started

```
2023/03/21 14:50:38 wazuh-integratord[8913] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/21 14:50:38 wazuh-integratord[8913] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/virustotal-1679410238--590956189.alert was written.
2023/03/21 14:50:38 wazuh-integratord[8913] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/virustotal-1679410238-1132163175.options was written.
2023/03/21 14:50:38 wazuh-integratord[8913] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/virustotal-1679410238--590956189.alert d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a debug /tmp/virustotal-1679410238-1132163175.options
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Starting
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Options file location
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: /tmp/virustotal-1679410238-1132163175.options
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Processing options
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: {'virustotal': {'virustotal': {'source': {'file': 'custom_file_name'}}}}
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Alert file location
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: /tmp/virustotal-1679410238--590956189.alert
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Processing alert
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: {'timestamp': '2023-03-21T14:50:37.930+0000', 'rule': {'level': 5, 'description': 'File added to the system.', 'id': '554', 'firedtimes': 1, 'mail': False, 'groups': ['ossec', 'syscheck', 'syscheck_entry_added', 'syscheck_file'], 'pci_dss': ['11.5'], 'gpg13': ['4.11'], 'gdpr': ['II_5.1.f'], 'hipaa': ['164.312.c.1', '164.312.c.2'], 'nist_800_53': ['SI.7'], 'tsc': ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'c3'}, 'manager': {'name': 'c3'}, 'id': '1679410237.31924', 'full_log': "File '/testdir/test_custom_file_name' added\nMode: realtime\n", 'syscheck': {'path': '/testdir/test_custom_file_name', 'mode': 'realtime', 'size_after': '0', 'perm_after': 'rw-r--r--', 'uid_after': '0', 'gid_after': '0', 'md5_after': 'd41d8cd98f00b204e9800998ecf8427e', 'sha1_after': 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 'sha256_after': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'uname_after': 'root', 'gname_after': 'root', 'mtime_after': '2023-03-21T14:50:37', 'inode_after': 19533773, 'event': 'added'}, 'decoder': {'name': 'syscheck_new_entry'}, 'location': 'syscheck'}
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Generating message
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Sending message
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Final msg to send: 1:virustotal:{"virustotal": {"virustotal": {"source": {"file": "custom_file_name"}}}, "integration": "virustotal"}
2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully.
```

Results :red_circle:

When adding a custom value for one single option, all the information in the message is replaced, breaking the integration.
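The VirusTotal run above shows the options object replacing the whole `virustotal` block of the final message (found, positives, permalink and the hashes are all gone), which is the behaviour of a shallow `dict.update()` with a key that exists at the top level. The script below is an added example written for this issue, not code from wazuh or wazuh-qa: it reproduces the three options-file outcomes seen in these logs (an empty file fails with the same `Expecting value` error, `{}` means no overrides, a JSON object is applied) and puts the shallow update beside a recursive merge that keeps the default fields, so the difference the result comment describes can be checked mechanically. The alert is a constructed subset of the quoted syscheck alert, the lookup fields (`found`, `positives`, `total`) are constructed constants, and the override uses a single `virustotal` nesting rather than the doubled one in the configuration above.

```python
"""Options handling for a Wazuh-style integration script.

Added example for this issue, not code from wazuh or wazuh-qa. It contrasts a
shallow dict.update(), which explains the replaced VirusTotal message in the
logs above, with a recursive merge that keeps the default fields.
"""
import json
from copy import deepcopy
from typing import Any

# Constructed syscheck alert, trimmed to the fields the message builder uses
# (the hashes are those of an empty file, as in the quoted alert).
SAMPLE_ALERT = {
    "id": "1679410237.31924",
    "syscheck": {
        "path": "/testdir/test_custom_file_name",
        "md5_after": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1_after": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    },
}


def load_options(text: str) -> dict:
    """Parse the contents of an options file.

    An empty file (or one containing only a newline) makes json.loads raise
    JSONDecodeError with the same 'Expecting value' text as the logs; '{}'
    yields no overrides; anything that is not a JSON object is rejected.
    """
    options = json.loads(text)
    if not isinstance(options, dict):
        raise ValueError("options must be a JSON object")
    return options


def base_message(alert: dict) -> dict:
    """Default payload, shaped like the '# Final msg to send' line of the
    empty-JSON run. Lookup result fields are constructed constants."""
    sc = alert["syscheck"]
    return {
        "virustotal": {
            "found": 1,
            "malicious": 0,
            "source": {
                "alert_id": alert["id"],
                "file": sc["path"],
                "md5": sc["md5_after"],
                "sha1": sc["sha1_after"],
            },
            "sha1": sc["sha1_after"],
            "positives": 0,
            "total": 58,
        },
        "integration": "virustotal",
    }


def apply_options_shallow(msg: dict, options: dict) -> dict:
    """dict.update(): a top-level key in options replaces the whole subtree."""
    out = deepcopy(msg)
    out.update(options)
    return out


def deep_merge(base: Any, override: Any) -> Any:
    """Recursive merge: dicts are merged key by key, anything else is replaced."""
    if not (isinstance(base, dict) and isinstance(override, dict)):
        return deepcopy(override)
    out = deepcopy(base)
    for key, value in override.items():
        out[key] = deep_merge(out[key], value) if key in out else deepcopy(value)
    return out


def apply_options_deep(msg: dict, options: dict) -> dict:
    return deep_merge(msg, options)


def dropped_keys(before: dict, after: dict, prefix: str = "") -> list:
    """Dotted paths present in `before` that are missing from `after`."""
    missing = []
    for key, value in before.items():
        path = f"{prefix}{key}"
        if key not in after:
            missing.append(path)
        elif isinstance(value, dict) and isinstance(after[key], dict):
            missing.extend(dropped_keys(value, after[key], path + "."))
    return missing


if __name__ == "__main__":
    opts = load_options('{"virustotal": {"source": {"file": "custom_file_name"}}}')
    base = base_message(SAMPLE_ALERT)
    print("shallow drops:", dropped_keys(base, apply_options_shallow(base, opts)))
    print("deep drops:   ", dropped_keys(base, apply_options_deep(base, opts)))
```

`dropped_keys` is the check a test for this case wants: after applying a single override the list should be empty, and with the shallow update it names every default the integration just lost. Unknown keys (the `custom_option` case in the PagerDuty runs) pass through both merges unchanged; whether a script should reject them instead is a separate decision.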

Deblintrake09 commented 1 year ago

Shuffle Integration results

No Options tag used - Integration fails

- Configure integration

```xml
shuffle
WEBHOOK
json
```

- Restart Manager
- Check integration has started

```
2023/03/21 16:19:15 wazuh-integratord[9577] integrator.c:127 at OS_IntegratorD(): INFO: Enabling integration for: 'shuffle'.
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/shuffle-1679415564--1326628658.alert was written.
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/shuffle-1679415564--1326628658.alert http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7 debug
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:19:24 UTC 2023: # Starting
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:19:24 UTC 2023: # Webhook
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:19:24 UTC 2023: http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:19:24 UTC 2023: # Options file location
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:19:24 UTC 2023:
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:19:24 UTC 2023: # JSON file doesn't exist
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for shuffle -> integrations
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:446 at OS_IntegratorD(): ERROR: While running shuffle -> integrations. Output:
2023/03/21 16:19:24 wazuh-integratord[9577] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 6
```

Empty Options tag used - Integration fails

- Configure integration

```xml
shuffle
WEBHOOK
json
```

- Restart Manager
- Check integration has started

```
2023/03/21 16:20:46 wazuh-integratord[10070] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/shuffle-1679415646-854711470.alert http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7 debug /tmp/shuffle-1679415646--1514413793.options
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:20:47 UTC 2023: # Starting
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:20:47 UTC 2023: # Webhook
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:20:47 UTC 2023: http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:20:47 UTC 2023: # Options file location
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:20:47 UTC 2023: /tmp/shuffle-1679415646--1514413793.options
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:20:47 UTC 2023: Failed getting json_alert Expecting value: line 2 column 1 (char 1)
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for shuffle -> integrations
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:446 at OS_IntegratorD(): ERROR: While running shuffle -> integrations. Output:
2023/03/21 16:20:47 wazuh-integratord[10070] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7
```

Empty JSON used - message is sent without changes

- Configure integration

```xml
shuffle
WEBHOOK
json
{}
```

- Restart Manager
- Check integration has started

```
2023/03/21 16:21:32 wazuh-integratord[10562] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
2023/03/21 16:21:32 wazuh-integratord[10562] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/shuffle-1679415692-1145670246.alert was written.
2023/03/21 16:21:32 wazuh-integratord[10562] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/shuffle-1679415692--1321212431.options was written.
2023/03/21 16:21:32 wazuh-integratord[10562] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/shuffle-1679415692-1145670246.alert http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7 debug /tmp/shuffle-1679415692--1321212431.options
2023/03/21 16:21:34 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: /var/ossec/framework/python/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'shuffler.io'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
2023/03/21 16:21:34 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: warnings.warn(
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: # Starting
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: # Webhook
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: # Options file location
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: /tmp/shuffle-1679415692--1321212431.options
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: # Processing options
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: {}
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: # Alert file location
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: /tmp/shuffle-1679415692-1145670246.alert
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: # Processing alert
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: {'timestamp': '2023-03-21T16:21:32.075+0000', 'rule': {'level': 7, 'description': 'Listened ports status (netstat) changed (new port opened or closed).', 'id': '533', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.2.7', '10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.14', 'AU.6'], 'tsc': ['CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'c3'}, 'manager': {'name': 'c3'}, 'id': '1679415692.35194', 'previous_output': "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 725/sshd\ntcp6 :::22 :::* 725/sshd\ntcp 0.0.0.0:111 0.0.0.0:* 1/systemd\ntcp6 :::111 :::* 1/systemd\nudp 0.0.0.0:111 0.0.0.0:* 1/systemd\nudp6 :::111 :::* 1/systemd\ntcp 0.0.0.0:1514 0.0.0.0:* 10230/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 10091/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 10042/python3", 'full_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 725/sshd\ntcp6 :::22 :::* 725/sshd\ntcp 0.0.0.0:111 0.0.0.0:* 1/systemd\ntcp6 :::111 :::* 1/systemd\nudp 0.0.0.0:111 0.0.0.0:* 1/systemd\nudp6 :::111 :::* 1/systemd\ntcp 0.0.0.0:1514 0.0.0.0:* 10723/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 10583/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 10534/python3", 'decoder': {'name': 'ossec'}, 'previous_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 725/sshd\ntcp6 :::22 :::* 725/sshd\ntcp 0.0.0.0:111 0.0.0.0:* 1/systemd\ntcp6 :::111 :::* 1/systemd\nudp 0.0.0.0:111 0.0.0.0:* 1/systemd\nudp6 :::111 :::* 1/systemd\ntcp 0.0.0.0:1514 0.0.0.0:* 10230/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 10091/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 10042/python3", 'location': 'netstat listening ports'}
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: # Generating message
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: {"severity": 2, "pretext": "WAZUH Alert", "title": "Listened ports status (netstat) changed (new port opened or closed).", "text": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 725/sshd\ntcp6 :::22 :::* 725/sshd\ntcp 0.0.0.0:111 0.0.0.0:* 1/systemd\ntcp6 :::111 :::* 1/systemd\nudp 0.0.0.0:111 0.0.0.0:* 1/systemd\nudp6 :::111 :::* 1/systemd\ntcp 0.0.0.0:1514 0.0.0.0:* 10723/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 10583/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 10534/python3", "rule_id": "533", "timestamp": "2023-03-21T16:21:32.075+0000", "id": "1679415692.35194", "all_fields": {"timestamp": "2023-03-21T16:21:32.075+0000", "rule": {"level": 7, "description": "Listened ports status (netstat) changed (new port opened or closed).", "id": "533", "firedtimes": 1, "mail": false,
"groups": ["ossec"], "pci_dss": ["10.2.7", "10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "c3"}, "manager": {"name": "c3"}, "id": "1679415692.35194", "previous_output": "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 725/sshd\ntcp6 :::22 :::* 725/sshd\ntcp 0.0.0.0:111 0.0.0.0:* 1/systemd\ntcp6 :::111 :::* 1/systemd\nudp 0.0.0.0:111 0.0.0.0:* 1/systemd\nudp6 :::111 :::* 1/systemd\ntcp 0.0.0.0:1514 0.0.0.0:* 10230/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 10091/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 10042/python3", "full_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 725/sshd\ntcp6 :::22 :::* 725/sshd\ntcp 0.0.0.0:111 0.0.0.0:* 1/systemd\ntcp6 :::111 :::* 1/systemd\nudp 0.0.0.0:111 0.0.0.0:* 1/systemd\nudp6 :::111 :::* 1/systemd\ntcp 0.0.0.0:1514 0.0.0.0:* 10723/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 10583/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 10534/python3", "decoder": {"name": "ossec"}, "previous_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 725/sshd\ntcp6 :::22 :::* 725/sshd\ntcp 0.0.0.0:111 0.0.0.0:* 1/systemd\ntcp6 :::111 :::* 1/systemd\nudp 0.0.0.0:111 0.0.0.0:* 1/systemd\nudp6 :::111 :::* 1/systemd\ntcp 0.0.0.0:1514 0.0.0.0:* 10230/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 10091/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 10042/python3", "location": "netstat listening ports"}} 2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: 2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:21:33 UTC 2023: # Sending message 2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: 2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue 
Mar 21 16:21:33 UTC 2023: # Response received: 2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: 2023/03/21 16:21:35 wazuh-integratord[10562] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully. ```
Custom Value in option used - message is sent with value changed

- Configure integration

  ```xml
  <integration>
    <name>shuffle</name>
    <hook_url>WEBHOOK</hook_url>
    <alert_format>json</alert_format>
    <options>{"pretext":"Custom Pretext Value"}</options>
  </integration>
  ```

- Restart Manager
- Check integration has started

  ```
  2023/03/21 16:22:57 wazuh-integratord[11047] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
  2023/03/21 16:22:57 wazuh-integratord[11047] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/shuffle-1679415777--842556292.alert was written.
  2023/03/21 16:22:57 wazuh-integratord[11047] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/shuffle-1679415777--217674640.options was written.
  2023/03/21 16:22:57 wazuh-integratord[11047] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/shuffle-1679415777--842556292.alert http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7 debug /tmp/shuffle-1679415777--217674640.options
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: /var/ossec/framework/python/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'shuffler.io'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: warnings.warn(
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: # Starting
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: # Webhook
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: # Options file location
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: /tmp/shuffle-1679415777--217674640.options
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: # Processing options
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: {'pretext': 'Custom Pretext Value'}
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: # Alert file location
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: /tmp/shuffle-1679415777--842556292.alert
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: # Processing alert
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: {'timestamp': '2023-03-21T16:22:56.594+0000', 'rule': {'level': 3, 'description': 'Ossec server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'c3'}, 'manager': {'name': 'c3'}, 'id': '1679415776.37548', 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: # Generating message
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: {"severity": 1, "pretext": "Custom Pretext Value", "title": "Ossec server started.", "text": "ossec: Manager started.", "rule_id": "502", "timestamp": "2023-03-21T16:22:56.594+0000", "id": "1679415776.37548", "all_fields": {"timestamp": "2023-03-21T16:22:56.594+0000", "rule": {"level": 3, "description": "Ossec server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "c3"}, "manager": {"name": "c3"}, "id": "1679415776.37548", "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}}
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: # Sending message
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:22:58 UTC 2023: # Response received:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:22:59 wazuh-integratord[11047] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully.
  ```
Add non existent option - option added - integration works

- Configure integration

  ```xml
  <integration>
    <name>shuffle</name>
    <hook_url>WEBHOOK</hook_url>
    <alert_format>json</alert_format>
    <options>{"custom_option":"Custom Option Value"}</options>
  </integration>
  ```

- Restart Manager
- Check integration has started

  ```
  2023/03/21 16:24:53 wazuh-integratord[11533] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
  2023/03/21 16:24:53 wazuh-integratord[11533] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/shuffle-1679415893-29794508.alert was written.
  2023/03/21 16:24:53 wazuh-integratord[11533] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/shuffle-1679415893-27716578.options was written.
  2023/03/21 16:24:53 wazuh-integratord[11533] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/shuffle-1679415893-29794508.alert http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7 debug /tmp/shuffle-1679415893-27716578.options
  2023/03/21 16:24:55 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: /var/ossec/framework/python/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'shuffler.io'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  2023/03/21 16:24:55 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: warnings.warn(
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: # Starting
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: # Webhook
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: # Options file location
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: /tmp/shuffle-1679415893-27716578.options
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: # Processing options
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: {'custom_option': 'Custom Option Value'}
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: # Alert file location
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: /tmp/shuffle-1679415893-29794508.alert
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: # Processing alert
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: {'timestamp': '2023-03-21T16:24:53.360+0000', 'rule': {'level': 3, 'description': 'Ossec server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'c3'}, 'manager': {'name': 'c3'}, 'id': '1679415893.38846', 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: # Generating message
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: {"severity": 1, "pretext": "WAZUH Alert", "title": "Ossec server started.", "text": "ossec: Manager started.", "rule_id": "502", "timestamp": "2023-03-21T16:24:53.360+0000", "id": "1679415893.38846", "all_fields": {"timestamp": "2023-03-21T16:24:53.360+0000", "rule": {"level": 3, "description": "Ossec server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "c3"}, "manager": {"name": "c3"}, "id": "1679415893.38846", "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}, "custom_option": "Custom Option Value"}
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: # Sending message
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 16:24:54 UTC 2023: # Response received:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 16:24:56 wazuh-integratord[11533] integrator.c:449 at OS_IntegratorD(): DEBUG: Command ran successfully.
  ```
Invalid JSON format - integration fails

- Configure integration

  ```xml
  <integration>
    <name>shuffle</name>
    <hook_url>WEBHOOK</hook_url>
    <alert_format>json</alert_format>
    <options>{"pretext":"Custom Pretext Value"</options>
  </integration>
  ```

- Restart Manager
- Check integration has started

  ```
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:144 at OS_IntegratorD(): DEBUG: sending new alert.
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:276 at OS_IntegratorD(): DEBUG: file /tmp/shuffle-1679432228--976096054.alert was written.
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:411 at OS_IntegratorD(): DEBUG: file /tmp/shuffle-1679432228-513159640.options was written.
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:427 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/shuffle-1679432228--976096054.alert http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7 debug /tmp/shuffle-1679432228-513159640.options
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 20:57:08 UTC 2023: # Starting
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 20:57:08 UTC 2023: # Webhook
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 20:57:08 UTC 2023: http://shuffler.io/api/v1/hooks/webhook_f0c7c590-89ca-47f3-a151-d7b15a1b5bf7
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 20:57:08 UTC 2023: # Options file location
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 20:57:08 UTC 2023: /tmp/shuffle-1679432228-513159640.options
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 20:57:08 UTC 2023: Failed getting json_alert Expecting ',' delimiter: line 2 column 1 (char 34)
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:445 at OS_IntegratorD(): ERROR: Unable to run integration for shuffle -> integrations
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:446 at OS_IntegratorD(): ERROR: While running shuffle -> integrations. Output:
  2023/03/21 20:57:08 wazuh-integratord[17842] integrator.c:447 at OS_IntegratorD(): ERROR: Exit status was: 7
  ```
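The four Shuffle cases above all go through the same mechanism: the `<options>` value is parsed as JSON and merged over the generated message, so a known key such as `pretext` overrides its default, an unknown key such as `custom_option` is appended to the message as an extra field, and malformed JSON aborts the script (exit status 7). The following Python is an added example, not Wazuh's integration script: it models that merge on a trimmed copy of the rule 502 alert from the logs above and adds a pre-flight check that can be run on an `<options>` value before restarting the manager. The key set `KNOWN_SHUFFLE_KEYS`, the severity bucket edges and every function name are assumptions drawn from the debug output, not from the project's code.

```python
"""Added example, not Wazuh's integration script: model how an <options> JSON
value is applied to a Shuffle-style message and pre-check the value before a
manager restart. Key set, severity bucket edges and all names are assumptions
drawn from the debug output in this issue."""
from __future__ import annotations

import json
from typing import Any

# Top-level keys the default Shuffle message carried in the debug output above.
# Anything else configured in <options> is appended to the message unchanged.
KNOWN_SHUFFLE_KEYS: frozenset[str] = frozenset(
    {"severity", "pretext", "title", "text", "rule_id", "timestamp", "id", "all_fields"}
)

# Constructed sample: a trimmed copy of the rule 502 alert from the logs above.
SAMPLE_ALERT: dict[str, Any] = {
    "timestamp": "2023-03-21T16:22:56.594+0000",
    "rule": {"level": 3, "description": "Ossec server started.", "id": "502"},
    "agent": {"id": "000", "name": "c3"},
    "manager": {"name": "c3"},
    "id": "1679415776.37548",
    "full_log": "ossec: Manager started.",
}


def severity_from_level(level: int) -> int:
    """Observed mapping: rule level 7 -> severity 2, level 3 -> severity 1.
    The 0-4 / 5-7 / 8+ bucket edges are an assumption that fills the rest."""
    if level <= 4:
        return 1
    if level <= 7:
        return 2
    return 3


def load_options(raw: str) -> dict[str, Any]:
    """Parse the text of an <options> tag as the script sees it in the .options
    file. Empty, malformed or non-object input is rejected, matching the
    'Expecting value' / 'Expecting delimiter' failures in the logs."""
    if raw.strip() == "":
        raise ValueError("options value is empty")
    try:
        options = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"options is not valid JSON: {exc.msg} (char {exc.pos})") from exc
    if not isinstance(options, dict):
        raise ValueError("options must be a JSON object")
    return options


def build_message(alert: dict[str, Any], options: dict[str, Any]) -> dict[str, Any]:
    """Default message shape seen in the debug output, with the options merged
    over it: a known key overrides its default, an unknown key is appended."""
    msg: dict[str, Any] = {
        "severity": severity_from_level(alert["rule"]["level"]),
        "pretext": "WAZUH Alert",
        "title": alert["rule"].get("description", "N/A"),
        "text": alert.get("full_log", "N/A"),
        "rule_id": alert["rule"]["id"],
        "timestamp": alert["timestamp"],
        "id": alert["id"],
        "all_fields": alert,
    }
    msg.update(options)
    return msg


def unknown_keys(options: dict[str, Any], known: frozenset[str] = KNOWN_SHUFFLE_KEYS) -> list[str]:
    """Keys with no default field behind them; they reach the webhook as extra fields."""
    return sorted(set(options) - known)


def preflight(raw: str, known: frozenset[str] = KNOWN_SHUFFLE_KEYS) -> list[str]:
    """Report what an <options> value would do before the manager is restarted.
    'error:' entries would stop the integration (exit status 7 in the logs);
    'warning:' entries are accepted but change the outgoing message silently."""
    try:
        options = load_options(raw)
    except ValueError as exc:
        return [f"error: {exc}"]
    return [f"warning: unknown key {key!r} is appended to the message as-is"
            for key in unknown_keys(options, known)]


if __name__ == "__main__":
    # The four Shuffle cases from this issue plus the empty-tag case.
    for raw in ("{}", '{"pretext":"Custom Pretext Value"}',
                '{"custom_option":"Custom Option Value"}',
                '{"pretext":"Custom Pretext Value"\n', ""):
        print(repr(raw), "->", preflight(raw) or ["ok"])
```

Passing a different `known` set runs the same check for an integration whose default message has other top-level keys; the trailing newline in the malformed case reproduces the `line 2 column 1 (char 34)` position reported in the log, since the `.options` file ends with one.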
Deblintrake09 commented 1 year ago

Conclusion :red_circle:

During testing a series of errors were found and changes have been suggested.

Errors Found:

  1. In the PagerDuty integration, in all cases that were expected to work the integration breaks. It is not reading the JSON options properly.
  2. In the VirusTotal integration, when we add custom values, the message information is completely replaced and only what was configured in options is sent.

Message improvement suggestions:

  1. Between messages, there are messages that add no actual information. They should be removed:

     ```
     2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Starting
     2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord:
     2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Options file location
     ```

  2. Some messages add the timestamp again, before the information they are displaying. The timestamp should be removed to make logs more readable.

     ```
     2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Processing options
     ```

     After removing the timestamp it would look like:

     ```
     2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: # Processing options
     ```

  3. Some messages could be combined into one single message instead of two, to show fewer events and make the overall logs cleaner.

     ```
     2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: # Processing options
     2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: integratord: Tue Mar 21 14:50:38 UTC 2023: {'virustotal': {'virustotal': {'source': {'file': 'custom_file_name'}}}}
     ```

     Could be combined into:

     ```
     2023/03/21 14:50:39 wazuh-integratord[8913] integrator.c:436 at OS_IntegratorD(): DEBUG: Processing options: {'virustotal': {'virustotal': {'source': {'file': 'custom_file_name'}}}}
     ```

Deblintrake09 commented 1 year ago

Update 28/03/2023

Deblintrake09 commented 1 year ago

Review Data - Testing round 2

| Tester | Commit |
| --- | --- |
| @Deblintrake09 | https://github.com/wazuh/wazuh/pull/16090/commits/75d309971e7ad2c50ea40ca840bdffae2251acb2 |

Testing Environment

| OS | Deployment | Image | Notes |
| --- | --- | --- | --- |
| Centos 8 | Local | qactl/centos8 | |

Tested Packages

| System | Manager | Agent |
| --- | --- | --- |
| Centos | Installed from sources | Not tested |

Considerations

Slack will not be tested as it was working correctly in round 1; only PagerDuty and Shuffle were failing and will be retested. Since each integration is isolated in its own module, changes to the fixed integrations will not affect the Slack integration.

Deblintrake09 commented 1 year ago

PagerDuty Integration results

No Options tag used - Integration fails

- Configure integration

  ```xml
  <integration>
    <name>pagerduty</name>
    <api_key>API_KEY</api_key>
    <alert_format>json</alert_format>
  </integration>
  ```

- Restart Manager
- Check integration has started

  ```
  2023/04/11 15:35:44 wazuh-integratord[10646] integrator.c:390 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681227344--1731232089.alert was written.
  2023/04/11 15:35:44 wazuh-integratord[10646] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/pagerduty-1681227344--1731232089.alert 1b7753d129374006c01b9a229d61594d debug
  2023/04/11 15:35:44 wazuh-integratord[10646] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
  2023/04/11 15:35:44 wazuh-integratord[10646] integrator.c:434 at OS_IntegratorD(): DEBUG: # JSON file for options doesn't exist
  2023/04/11 15:35:44 wazuh-integratord[10646] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '' with 'None'
  2023/04/11 15:35:44 wazuh-integratord[10646] integrator.c:434 at OS_IntegratorD(): DEBUG: Failed getting JSON alert. Error: Expecting value: line 1 column 1 (char 0)
  2023/04/11 15:35:44 wazuh-integratord[10646] integrator.c:443 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations
  2023/04/11 15:35:44 wazuh-integratord[10646] integrator.c:444 at OS_IntegratorD(): ERROR: While running pagerduty -> integrations. Output: Failed getting JSON alert. Error: Expecting value: line 1 column 1 (char 0)
  2023/04/11 15:35:44 wazuh-integratord[10646] integrator.c:445 at OS_IntegratorD(): ERROR: Exit status was: 7
  ```
Empty Options tag used - Integration fails

- Configure integration

  ```xml
  <integration>
    <name>pagerduty</name>
    <api_key>API_KEY</api_key>
    <alert_format>json</alert_format>
    <options></options>
  </integration>
  ```

- Restart Manager
- Check integration has started

  ```
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:137 at OS_IntegratorD(): DEBUG: jqueue_next()
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681228165-1979178805.alert was written.
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681228165--1942112580.options was written.
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/pagerduty-1681228165-1979178805.alert 1b7753d129374006c01b9a229d61594d debug /tmp/pagerduty-1681228165--1942112580.options
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:434 at OS_IntegratorD(): DEBUG: Failed getting JSON options. Error: Expecting value: line 2 column 1 (char 1)
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:443 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:444 at OS_IntegratorD(): ERROR: While running pagerduty -> integrations. Output: Failed getting JSON options. Error: Expecting value: line 2 column 1 (char 1)
  2023/04/11 15:49:25 wazuh-integratord[14508] integrator.c:445 at OS_IntegratorD(): ERROR: Exit status was: 7
  ```
Empty JSON used - Integration uses default values

- Configure integration

  ```xml
  <integration>
    <name>pagerduty</name>
    <api_key>API_KEY</api_key>
    <alert_format>json</alert_format>
    <options>{}</options>
  </integration>
  ```

- Restart Manager
- Check integration has started

  ```
  2023/04/11 15:48:04 wazuh-integratord[14033] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
  2023/04/11 15:48:04 wazuh-integratord[14033] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681228084--989391117.alert was written.
  2023/04/11 15:48:04 wazuh-integratord[14033] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681228084--2043319587.options was written.
  2023/04/11 15:48:04 wazuh-integratord[14033] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/pagerduty-1681228084--989391117.alert 1b7753d129374006c01b9a229d61594d debug /tmp/pagerduty-1681228084--2043319587.options
  2023/04/11 15:48:06 wazuh-integratord[14033] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
  2023/04/11 15:48:06 wazuh-integratord[14033] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '/tmp/pagerduty-1681228084--2043319587.options' with '{}'
  2023/04/11 15:48:06 wazuh-integratord[14033] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/pagerduty-1681228084--989391117.alert' with '{'timestamp': '2023-04-11T15:48:03.923+0000', 'rule': {'level': 7, 'description': 'Listened ports status (netstat) changed (new port opened or closed).', 'id': '533', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.2.7', '10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.14', 'AU.6'], 'tsc': ['CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'centos8.localdomain'}, 'manager': {'name': 'centos8.localdomain'}, 'id': '1681228083.508878', 'previous_output': "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 13701/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 13581/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 13530/python3", 'full_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 14174/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 14055/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 14004/python3", 'decoder': {'name': 'ossec'}, 'previous_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 13701/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 13581/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 13530/python3", 'location': 'netstat listening ports'}'
  2023/04/11 15:48:06 wazuh-integratord[14033] integrator.c:434 at OS_IntegratorD(): DEBUG: # Generating message
  2023/04/11 15:48:06 wazuh-integratord[14033] integrator.c:434 at OS_IntegratorD(): DEBUG: # Sending message {"routing_key": "1b7753d129374006c01b9a229d61594d", "event_action": "trigger", "payload": {"summary": "Listened ports status (netstat) changed (new port opened or closed).", "timestamp": "2023-04-11T15:48:03.923+0000", "source": "centos8.localdomain", "severity": "warning", "group": "ossec", "custom_details": {"timestamp": "2023-04-11T15:48:03.923+0000", "rule": {"level": 7, "description": "Listened ports status (netstat) changed (new port opened or closed).", "id": "533", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.2.7", "10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "centos8.localdomain"}, "manager": {"name": "centos8.localdomain"}, "id": "1681228083.508878", "previous_output": "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 13701/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 13581/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 13530/python3", "full_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 14174/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 14055/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 14004/python3", "decoder": {"name": "ossec"}, "previous_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 13701/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 13581/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 13530/python3", "location": "netstat listening ports"}}, "client": "Wazuh Monitoring Service", "client_url": "https://wazuh.com"} to PagerDuty server
  2023/04/11 15:48:06 wazuh-integratord[14033] integrator.c:434 at OS_IntegratorD(): DEBUG: # Response received: >
  2023/04/11 15:48:06 wazuh-integratord[14033] integrator.c:447 at OS_IntegratorD(): DEBUG: Command ran successfully.
  ```

  ![imagen](https://user-images.githubusercontent.com/14501079/231225397-7b6ecc90-42c0-4eb9-a02b-8abfdc7252bd.png)
Custom Valid value in option

- Configure integration

```xml
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key>
  <options>{"summary":"Custom Summary"}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 15:46:18 wazuh-integratord[13561] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
2023/04/11 15:46:18 wazuh-integratord[13561] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681227978-1708830361.alert was written.
2023/04/11 15:46:18 wazuh-integratord[13561] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681227978--461232518.options was written.
2023/04/11 15:46:18 wazuh-integratord[13561] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/pagerduty-1681227978-1708830361.alert 1b7753d129374006c01b9a229d61594d debug /tmp/pagerduty-1681227978--461232518.options
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '/tmp/pagerduty-1681227978--461232518.options' with '{'summary': 'custom summary'}'
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/pagerduty-1681227978-1708830361.alert' with '{'timestamp': '2023-04-11T15:46:17.213+0000', 'rule': {'level': 3, 'description': 'Ossec server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'centos8.localdomain'}, 'manager': {'name': 'centos8.localdomain'}, 'id': '1681227977.508630', 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}'
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:434 at OS_IntegratorD(): DEBUG: # Generating message
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:434 at OS_IntegratorD(): DEBUG: # Sending message {"routing_key": "1b7753d129374006c01b9a229d61594d", "event_action": "trigger", "payload": {"summary": "Ossec server started.", "timestamp": "2023-04-11T15:46:17.213+0000", "source": "centos8.localdomain", "severity": "info", "group": "ossec", "custom_details": {"timestamp": "2023-04-11T15:46:17.213+0000", "rule": {"level": 3, "description": "Ossec server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "centos8.localdomain"}, "manager": {"name": "centos8.localdomain"}, "id": "1681227977.508630", "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}}, "client": "Wazuh Monitoring Service", "client_url": "https://wazuh.com", "summary": "custom summary"} to PagerDuty server
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:434 at OS_IntegratorD(): DEBUG: # Response received: >
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:447 at OS_IntegratorD(): DEBUG: Command ran successfully.
```

![imagen](https://user-images.githubusercontent.com/14501079/231225481-ad050db9-89dd-47ba-ab5e-971c947abb66.png)
Invalid value used in option

- Configure integration

```xml
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key>
  <alert_format>json</alert_format>
  <options>{"severity":"Custom Severity"}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 16:10:46 wazuh-integratord[15540] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
2023/04/11 16:10:46 wazuh-integratord[15540] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681229446--2123689215.alert was written.
2023/04/11 16:10:46 wazuh-integratord[15540] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681229446--1842679311.options was written.
2023/04/11 16:10:46 wazuh-integratord[15540] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/pagerduty-1681229446--2123689215.alert 1b7753d129374006c01b9a229d61594d debug /tmp/pagerduty-1681229446--1842679311.options
2023/04/11 16:10:47 wazuh-integratord[15540] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
2023/04/11 16:10:47 wazuh-integratord[15540] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '/tmp/pagerduty-1681229446--1842679311.options' with '{'severity': 'Custom Severity'}'
2023/04/11 16:10:47 wazuh-integratord[15540] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/pagerduty-1681229446--2123689215.alert' with '{'timestamp': '2023-04-11T16:10:45.799+0000', 'rule': {'level': 7, 'description': 'Listened ports status (netstat) changed (new port opened or closed).', 'id': '533', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.2.7', '10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.14', 'AU.6'], 'tsc': ['CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'centos8.localdomain'}, 'manager': {'name': 'centos8.localdomain'}, 'id': '1681229445.512472', 'previous_output': "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 15135/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 15018/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 14968/python3", 'full_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 15681/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 15562/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 15511/python3", 'decoder': {'name': 'ossec'}, 'previous_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 15135/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 15018/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 14968/python3", 'location': 'netstat listening ports'}'
2023/04/11 16:10:47 wazuh-integratord[15540] integrator.c:434 at OS_IntegratorD(): DEBUG: # Generating message
2023/04/11 16:10:47 wazuh-integratord[15540] integrator.c:434 at OS_IntegratorD(): DEBUG: # Sending message {"routing_key": "1b7753d129374006c01b9a229d61594d", "event_action": "trigger", "payload": {"summary": "Listened ports status (netstat) changed (new port opened or closed).", "timestamp": "2023-04-11T16:10:45.799+0000", "source": "centos8.localdomain", "severity": "warning", "group": "ossec", "custom_details": {"timestamp": "2023-04-11T16:10:45.799+0000", "rule": {"level": 7, "description": "Listened ports status (netstat) changed (new port opened or closed).", "id": "533", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.2.7", "10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "centos8.localdomain"}, "manager": {"name": "centos8.localdomain"}, "id": "1681229445.512472", "previous_output": "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 15135/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 15018/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 14968/python3", "full_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 15681/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 15562/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 15511/python3", "decoder": {"name": "ossec"}, "previous_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 15135/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 15018/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 14968/python3", "location": "netstat listening ports"}}, "client": "Wazuh Monitoring Service", "client_url": "https://wazuh.com", "severity": "Custom Severity"} to PagerDuty server
2023/04/11 16:10:47 wazuh-integratord[15540] integrator.c:434 at OS_IntegratorD(): DEBUG: # Response received: >
2023/04/11 16:10:47 wazuh-integratord[15540] integrator.c:447 at OS_IntegratorD(): DEBUG: Command ran successfully.
```

![imagen](https://user-images.githubusercontent.com/14501079/231224539-7f75c644-ebe4-4f87-ab95-f53ec8376b8f.png)
Non-existent field used in option

- Configure integration

```xml
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key>
  <options>{"custom_option":"Custom Value"}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 16:12:21 wazuh-integratord[16017] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
2023/04/11 16:12:21 wazuh-integratord[16017] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681229541--2106230983.alert was written.
2023/04/11 16:12:21 wazuh-integratord[16017] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681229541-1294932957.options was written.
2023/04/11 16:12:21 wazuh-integratord[16017] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/pagerduty-1681229541--2106230983.alert 1b7753d129374006c01b9a229d61594d debug /tmp/pagerduty-1681229541-1294932957.options
2023/04/11 16:12:22 wazuh-integratord[16017] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
2023/04/11 16:12:22 wazuh-integratord[16017] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '/tmp/pagerduty-1681229541-1294932957.options' with '{'custom_option': 'Custom Option Value'}'
2023/04/11 16:12:22 wazuh-integratord[16017] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/pagerduty-1681229541--2106230983.alert' with '{'timestamp': '2023-04-11T16:12:20.030+0000', 'rule': {'level': 3, 'description': 'Ossec server started.', 'id': '502', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.6'], 'tsc': ['CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'centos8.localdomain'}, 'manager': {'name': 'centos8.localdomain'}, 'id': '1681229540.514620', 'full_log': 'ossec: Manager started.', 'decoder': {'name': 'ossec'}, 'location': 'wazuh-monitord'}'
2023/04/11 16:12:22 wazuh-integratord[16017] integrator.c:434 at OS_IntegratorD(): DEBUG: # Generating message
2023/04/11 16:12:22 wazuh-integratord[16017] integrator.c:434 at OS_IntegratorD(): DEBUG: # Sending message {"routing_key": "1b7753d129374006c01b9a229d61594d", "event_action": "trigger", "payload": {"summary": "Ossec server started.", "timestamp": "2023-04-11T16:12:20.030+0000", "source": "centos8.localdomain", "severity": "info", "group": "ossec", "custom_details": {"timestamp": "2023-04-11T16:12:20.030+0000", "rule": {"level": 3, "description": "Ossec server started.", "id": "502", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "centos8.localdomain"}, "manager": {"name": "centos8.localdomain"}, "id": "1681229540.514620", "full_log": "ossec: Manager started.", "decoder": {"name": "ossec"}, "location": "wazuh-monitord"}}, "client": "Wazuh Monitoring Service", "client_url": "https://wazuh.com", "custom_option": "Custom Option Value"} to PagerDuty server
2023/04/11 16:12:22 wazuh-integratord[16017] integrator.c:434 at OS_IntegratorD(): DEBUG: # Response received: >
2023/04/11 16:12:22 wazuh-integratord[16017] integrator.c:447 at OS_IntegratorD(): DEBUG: Command ran successfully.
```

![imagen](https://user-images.githubusercontent.com/14501079/231224722-0e0d0823-51fb-4c72-9d18-0a88516d780e.png)
Invalid JSON - integration fails

- Configure integration

```xml
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key>
  <options>{"custom_option":"Custom Value}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681232634--1889198657.alert was written.
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/pagerduty-1681232634--1811820426.options was written.
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/pagerduty-1681232634--1889198657.alert 1b7753d129374006c01b9a229d61594d debug /tmp/pagerduty-1681232634--1811820426.options
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:434 at OS_IntegratorD(): DEBUG: Failed getting JSON options. Error: Invalid control character at: line 1 column 32 (char 31)
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:443 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:444 at OS_IntegratorD(): ERROR: While running pagerduty -> integrations. Output: Failed getting JSON options. Error: Invalid control character at: line 1 column 32 (char 31)
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:445 at OS_IntegratorD(): ERROR: Exit status was: 7
```
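A small checker, added here as an example (it is not code from wazuh or wazuh-qa), that parses the `integrator.c` DEBUG/ERROR lines quoted in these results and reports where each configured option key landed in the message that was sent, and which exit status a failed run ended with. The two log excerpts inside it are constructed and shortened copies of the format above, with placeholder PIDs, temp paths and routing key; in the PagerDuty run above the custom `summary` shows up as a top-level field while `payload.summary` keeps the rule description, which is exactly what the checker reports.

```python
"""Parse wazuh-integratord debug output and check how <options> were applied.

Added example for this QA issue, not part of wazuh or wazuh-qa. It reads the
lines integrator.c prints (Opening options file ..., Sending message ... to
<service> server, Exit status was: N) and reports, per option key, whether the
key ended up as a top-level field of the sent message, inside "payload", or
nowhere.
"""
import ast
import json
import re
from typing import Optional

OPTIONS_RE = re.compile(
    r"# Opening options file at '(?P<path>[^']*)' with '(?P<repr>.*)'\s*$")
MESSAGE_RE = re.compile(
    r"# Sending message (?P<json>\{.*\}) to (?P<service>\S+) server\s*$")
JSON_ERR_RE = re.compile(r"Failed getting JSON options\. Error: (?P<err>.*)$")
EXIT_RE = re.compile(r"ERROR: Exit status was: (?P<code>\d+)")

# Constructed log excerpts in the exact integrator.c format, shortened to the
# lines the checker needs. PID, temp paths and routing key are placeholders.
PAGERDUTY_OK_LOG = """\
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '/tmp/pagerduty-0000000000-0.options' with '{'summary': 'custom summary'}'
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:434 at OS_IntegratorD(): DEBUG: # Sending message {"routing_key": "ROUTING_KEY_PLACEHOLDER", "event_action": "trigger", "payload": {"summary": "Ossec server started.", "severity": "info", "source": "centos8.localdomain"}, "client": "Wazuh Monitoring Service", "summary": "custom summary"} to PagerDuty server
2023/04/11 15:46:19 wazuh-integratord[13561] integrator.c:447 at OS_IntegratorD(): DEBUG: Command ran successfully.
"""

PAGERDUTY_BAD_JSON_LOG = """\
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running PagerDuty script
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:434 at OS_IntegratorD(): DEBUG: Failed getting JSON options. Error: Invalid control character at: line 1 column 32 (char 31)
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:443 at OS_IntegratorD(): ERROR: Unable to run integration for pagerduty -> integrations
2023/04/11 17:03:54 wazuh-integratord[19502] integrator.c:445 at OS_IntegratorD(): ERROR: Exit status was: 7
"""


def parse_integratord_log(text: str) -> dict:
    """Extract options, sent message, service name and failure info from one run."""
    result = {"options": None, "message": None, "service": None,
              "json_error": None, "exit_status": None}
    for line in text.splitlines():
        m = OPTIONS_RE.search(line)
        if m:
            # The script logs the options dict with Python repr (single quotes),
            # so json.loads would reject it; literal_eval handles the dict and
            # the 'None' printed when no options file exists.
            result["options"] = ast.literal_eval(m.group("repr"))
            continue
        m = MESSAGE_RE.search(line)
        if m:
            result["message"] = json.loads(m.group("json"))
            result["service"] = m.group("service")
            continue
        m = JSON_ERR_RE.search(line)
        if m and result["json_error"] is None:
            # Keep the first occurrence; integrator.c repeats it in the
            # "While running ... Output:" ERROR line.
            result["json_error"] = m.group("err")
            continue
        m = EXIT_RE.search(line)
        if m:
            result["exit_status"] = int(m.group("code"))
    return result


def locate_options(options: Optional[dict], message: Optional[dict]) -> dict:
    """Map each option key to 'top-level', 'payload' or 'missing' in the message."""
    if not options or message is None:
        return {}
    payload = message.get("payload")
    payload = payload if isinstance(payload, dict) else {}
    where = {}
    for key, value in options.items():
        if message.get(key) == value:
            where[key] = "top-level"
        elif payload.get(key) == value:
            where[key] = "payload"
        else:
            where[key] = "missing"
    return where


if __name__ == "__main__":
    for name, log in (("ok", PAGERDUTY_OK_LOG), ("bad json", PAGERDUTY_BAD_JSON_LOG)):
        run = parse_integratord_log(log)
        print(name, run["service"], run["exit_status"], run["json_error"])
        print("  options placed:", locate_options(run["options"], run["message"]))
```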
Deblintrake09 commented 1 year ago

Shuffle Integration results

No Options tag used - Integration uses default values

- Configure integration

```xml
<integration>
  <name>shuffle</name>
  <hook_url>WEBHOOK</hook_url>
  <alert_format>json</alert_format>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 16:53:03 wazuh-integratord[16597] integrator.c:137 at OS_IntegratorD(): DEBUG: jqueue_next()
2023/04/11 16:53:03 wazuh-integratord[16597] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
2023/04/11 16:53:03 wazuh-integratord[16597] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681231983-961053023.alert was written.
2023/04/11 16:53:03 wazuh-integratord[16597] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/shuffle-1681231983-961053023.alert https://shuffler.nw.r.appspot.com/api/v1/hooks/webhook_926c58ba-a169-41e2-bc1b-0b82791eea30 debug
2023/04/11 16:53:03 wazuh-integratord[16597] integrator.c:434 at OS_IntegratorD(): DEBUG: /var/ossec/framework/python/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'shuffler.nw.r.appspot.com'. Adding certificate verification is strongly advised.
See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
2023/04/11 16:53:03 wazuh-integratord[16597] integrator.c:434 at OS_IntegratorD(): DEBUG: warnings.warn(
2023/04/11 16:53:04 wazuh-integratord[16597] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running Shuffle script
2023/04/11 16:53:04 wazuh-integratord[16597] integrator.c:434 at OS_IntegratorD(): DEBUG: # JSON file for options doesn't exist
2023/04/11 16:53:04 wazuh-integratord[16597] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '' with 'None'
2023/04/11 16:53:04 wazuh-integratord[16597] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/shuffle-1681231983-961053023.alert' with '{'timestamp': '2023-04-11T16:53:02.205+0000', 'rule': {'level': 7, 'description': 'Listened ports status (netstat) changed (new port opened or closed).', 'id': '533', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.2.7', '10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.14', 'AU.6'], 'tsc': ['CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'centos8.localdomain'}, 'manager': {'name': 'centos8.localdomain'}, 'id': '1681231982.514868', 'previous_output': "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 16158/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16037/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 15986/python3", 'full_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 16737/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16617/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 16567/python3", 'decoder': {'name': 'ossec'}, 'previous_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 16158/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16037/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 15986/python3", 'location': 'netstat listening ports'}'
2023/04/11 16:53:04 wazuh-integratord[16597] integrator.c:434 at OS_IntegratorD(): DEBUG: # Generating message
2023/04/11 16:53:04 wazuh-integratord[16597] integrator.c:434 at OS_IntegratorD(): DEBUG: # Sending message {"severity": 2, "pretext": "WAZUH Alert", "title": "Listened ports status (netstat) changed (new port opened or closed).", "text": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 16737/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16617/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 16567/python3", "rule_id": "533", "timestamp": "2023-04-11T16:53:02.205+0000", "id": "1681231982.514868", "all_fields": {"timestamp": "2023-04-11T16:53:02.205+0000", "rule": {"level": 7, "description": "Listened ports status (netstat) changed (new port opened or closed).", "id": "533", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.2.7", "10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "centos8.localdomain"}, "manager": {"name": "centos8.localdomain"}, "id": "1681231982.514868", "previous_output": "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 16158/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16037/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 15986/python3", "full_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 16737/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16617/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 16567/python3", "decoder": {"name": "ossec"}, "previous_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 16158/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 16037/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 15986/python3", "location": "netstat listening ports"}} to Shuffle server
2023/04/11 16:53:04 wazuh-integratord[16597] integrator.c:434 at OS_IntegratorD(): DEBUG: # Response received: >
2023/04/11 16:53:04 wazuh-integratord[16597] integrator.c:447 at OS_IntegratorD(): DEBUG: Command ran successfully.
```
Empty Options tag used - Integration fails

- Configure integration

```xml
<integration>
  <name>shuffle</name>
  <hook_url>WEBHOOK</hook_url>
  <alert_format>json</alert_format>
  <options></options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 16:54:59 wazuh-integratord[17079] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
2023/04/11 16:54:59 wazuh-integratord[17079] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232099-61113769.alert was written.
2023/04/11 16:54:59 wazuh-integratord[17079] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232099--506908891.options was written.
2023/04/11 16:54:59 wazuh-integratord[17079] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/shuffle-1681232099-61113769.alert https://shuffler.nw.r.appspot.com/api/v1/hooks/webhook_926c58ba-a169-41e2-bc1b-0b82791eea30 debug /tmp/shuffle-1681232099--506908891.options
2023/04/11 16:54:59 wazuh-integratord[17079] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running Shuffle script
2023/04/11 16:54:59 wazuh-integratord[17079] integrator.c:434 at OS_IntegratorD(): DEBUG: Failed getting JSON options. Error: Expecting value: line 2 column 1 (char 1)
2023/04/11 16:54:59 wazuh-integratord[17079] integrator.c:443 at OS_IntegratorD(): ERROR: Unable to run integration for shuffle -> integrations
2023/04/11 16:54:59 wazuh-integratord[17079] integrator.c:444 at OS_IntegratorD(): ERROR: While running shuffle -> integrations. Output: Failed getting JSON options. Error: Expecting value: line 2 column 1 (char 1)
2023/04/11 16:54:59 wazuh-integratord[17079] integrator.c:445 at OS_IntegratorD(): ERROR: Exit status was: 7
```
Empty JSON used - message is sent without changes

- Configure integration

```xml
<integration>
  <name>shuffle</name>
  <hook_url>WEBHOOK</hook_url>
  <alert_format>json</alert_format>
  <options>{}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 16:56:11 wazuh-integratord[17574] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
2023/04/11 16:56:11 wazuh-integratord[17574] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232171-939734856.alert was written.
2023/04/11 16:56:11 wazuh-integratord[17574] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232171--866053343.options was written.
2023/04/11 16:56:11 wazuh-integratord[17574] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/shuffle-1681232171-939734856.alert https://shuffler.nw.r.appspot.com/api/v1/hooks/webhook_926c58ba-a169-41e2-bc1b-0b82791eea30 debug /tmp/shuffle-1681232171--866053343.options
2023/04/11 16:56:11 wazuh-integratord[17574] integrator.c:434 at OS_IntegratorD(): DEBUG: /var/ossec/framework/python/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'shuffler.nw.r.appspot.com'. Adding certificate verification is strongly advised.
See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
2023/04/11 16:56:11 wazuh-integratord[17574] integrator.c:434 at OS_IntegratorD(): DEBUG: warnings.warn(
2023/04/11 16:56:12 wazuh-integratord[17574] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running Shuffle script
2023/04/11 16:56:12 wazuh-integratord[17574] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '/tmp/shuffle-1681232171--866053343.options' with '{}'
2023/04/11 16:56:12 wazuh-integratord[17574] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/shuffle-1681232171-939734856.alert' with '{'timestamp': '2023-04-11T16:56:10.721+0000', 'rule': {'level': 7, 'description': 'Listened ports status (netstat) changed (new port opened or closed).', 'id': '533', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.2.7', '10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.14', 'AU.6'], 'tsc': ['CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'centos8.localdomain'}, 'manager': {'name': 'centos8.localdomain'}, 'id': '1681232170.517264', 'previous_output': "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17219/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17100/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17049/python3", 'full_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17708/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17587/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17537/python3", 'decoder': {'name': 'ossec'}, 'previous_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17219/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17100/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17049/python3", 'location': 'netstat listening ports'}'
2023/04/11 16:56:12 wazuh-integratord[17574] integrator.c:434 at OS_IntegratorD(): DEBUG: # Generating message
2023/04/11 16:56:12 wazuh-integratord[17574] integrator.c:434 at OS_IntegratorD(): DEBUG: # Sending message {"severity": 2, "pretext": "WAZUH Alert", "title": "Listened ports status (netstat) changed (new port opened or closed).", "text": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17708/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17587/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17537/python3", "rule_id": "533", "timestamp": "2023-04-11T16:56:10.721+0000", "id": "1681232170.517264", "all_fields": {"timestamp": "2023-04-11T16:56:10.721+0000", "rule": {"level": 7, "description": "Listened ports status (netstat) changed (new port opened or closed).", "id": "533", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.2.7", "10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "centos8.localdomain"}, "manager": {"name": "centos8.localdomain"}, "id": "1681232170.517264", "previous_output": "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17219/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17100/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17049/python3", "full_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17708/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17587/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17537/python3", "decoder": {"name": "ossec"}, "previous_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17219/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17100/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17049/python3", "location": "netstat listening ports"}} to Shuffle server
2023/04/11 16:56:12 wazuh-integratord[17574] integrator.c:434 at OS_IntegratorD(): DEBUG: # Response received: >
2023/04/11 16:56:12 wazuh-integratord[17574] integrator.c:447 at OS_IntegratorD(): DEBUG: Command ran successfully.
```
Custom Value in option used - message is sent with value changed

- Configure integration

```xml
<integration>
  <name>shuffle</name>
  <hook_url>WEBHOOK</hook_url>
  <alert_format>json</alert_format>
  <options>{"pretext":"Custom Pretext Value"}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 16:57:20 wazuh-integratord[18055] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
2023/04/11 16:57:20 wazuh-integratord[18055] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232240-626621520.alert was written.
2023/04/11 16:57:20 wazuh-integratord[18055] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232240--1086591453.options was written.
2023/04/11 16:57:20 wazuh-integratord[18055] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/shuffle-1681232240-626621520.alert https://shuffler.nw.r.appspot.com/api/v1/hooks/webhook_926c58ba-a169-41e2-bc1b-0b82791eea30 debug /tmp/shuffle-1681232240--1086591453.options
2023/04/11 16:57:21 wazuh-integratord[18055] integrator.c:434 at OS_IntegratorD(): DEBUG: /var/ossec/framework/python/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'shuffler.nw.r.appspot.com'. Adding certificate verification is strongly advised.
See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
2023/04/11 16:57:21 wazuh-integratord[18055] integrator.c:434 at OS_IntegratorD(): DEBUG: warnings.warn(
2023/04/11 16:57:21 wazuh-integratord[18055] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running Shuffle script
2023/04/11 16:57:21 wazuh-integratord[18055] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '/tmp/shuffle-1681232240--1086591453.options' with '{'pretext': 'Custom Pretext Value'}'
2023/04/11 16:57:21 wazuh-integratord[18055] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/shuffle-1681232240-626621520.alert' with '{'timestamp': '2023-04-11T16:57:20.078+0000', 'rule': {'level': 7, 'description': 'Listened ports status (netstat) changed (new port opened or closed).', 'id': '533', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.2.7', '10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.14', 'AU.6'], 'tsc': ['CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'centos8.localdomain'}, 'manager': {'name': 'centos8.localdomain'}, 'id': '1681232240.518462', 'previous_output': "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17708/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17587/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17537/python3", 'full_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18189/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18068/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18018/python3", 'decoder': {'name': 'ossec'}, 'previous_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17708/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17587/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17537/python3", 'location': 'netstat listening ports'}'
2023/04/11 16:57:21 wazuh-integratord[18055] integrator.c:434 at OS_IntegratorD(): DEBUG: # Generating message
2023/04/11 16:57:21 wazuh-integratord[18055] integrator.c:434 at OS_IntegratorD(): DEBUG: # Sending message {"severity": 2, "pretext": "Custom Pretext Value", "title": "Listened ports status (netstat) changed (new port opened or closed).", "text": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18189/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18068/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18018/python3", "rule_id": "533", "timestamp": "2023-04-11T16:57:20.078+0000", "id": "1681232240.518462", "all_fields": {"timestamp": "2023-04-11T16:57:20.078+0000", "rule": {"level": 7, "description": "Listened ports status (netstat) changed (new port opened or closed).", "id": "533", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.2.7", "10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "centos8.localdomain"}, "manager": {"name": "centos8.localdomain"}, "id": "1681232240.518462", "previous_output": "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17708/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17587/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17537/python3", "full_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18189/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18068/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18018/python3", "decoder": {"name": "ossec"}, "previous_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 17708/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 17587/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 17537/python3", "location": "netstat listening ports"}} to Shuffle server
2023/04/11 16:57:21 wazuh-integratord[18055] integrator.c:434 at OS_IntegratorD(): DEBUG: # Response received: >
2023/04/11 16:57:21 wazuh-integratord[18055] integrator.c:447 at OS_IntegratorD(): DEBUG: Command ran successfully.
```
Add non existent option - option added - integration works

- Configure integration

```xml
<integration>
  <name>shuffle</name>
  <hook_url>WEBHOOK</hook_url>
  <alert_format>json</alert_format>
  <options>{"custom_option":"Custom Option Value"}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 16:58:21 wazuh-integratord[18529] integrator.c:144 at OS_IntegratorD(): DEBUG: Sending new alert.
2023/04/11 16:58:21 wazuh-integratord[18529] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232301--1464016696.alert was written.
2023/04/11 16:58:21 wazuh-integratord[18529] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232301-1637709752.options was written.
2023/04/11 16:58:21 wazuh-integratord[18529] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/shuffle-1681232301--1464016696.alert https://shuffler.nw.r.appspot.com/api/v1/hooks/webhook_926c58ba-a169-41e2-bc1b-0b82791eea30 debug /tmp/shuffle-1681232301-1637709752.options
2023/04/11 16:58:22 wazuh-integratord[18529] integrator.c:434 at OS_IntegratorD(): DEBUG: /var/ossec/framework/python/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'shuffler.nw.r.appspot.com'. Adding certificate verification is strongly advised.
See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
2023/04/11 16:58:22 wazuh-integratord[18529] integrator.c:434 at OS_IntegratorD(): DEBUG: warnings.warn(
2023/04/11 16:58:22 wazuh-integratord[18529] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running Shuffle script
2023/04/11 16:58:22 wazuh-integratord[18529] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening options file at '/tmp/shuffle-1681232301-1637709752.options' with '{'custom_option': 'Custom Option Value'}'
2023/04/11 16:58:22 wazuh-integratord[18529] integrator.c:434 at OS_IntegratorD(): DEBUG: # Opening alert file at '/tmp/shuffle-1681232301--1464016696.alert' with '{'timestamp': '2023-04-11T16:58:21.094+0000', 'rule': {'level': 7, 'description': 'Listened ports status (netstat) changed (new port opened or closed).', 'id': '533', 'firedtimes': 1, 'mail': False, 'groups': ['ossec'], 'pci_dss': ['10.2.7', '10.6.1'], 'gpg13': ['10.1'], 'gdpr': ['IV_35.7.d'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.14', 'AU.6'], 'tsc': ['CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'centos8.localdomain'}, 'manager': {'name': 'centos8.localdomain'}, 'id': '1681232301.519660', 'previous_output': "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18189/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18068/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18018/python3", 'full_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18670/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18550/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18499/python3", 'decoder': {'name': 'ossec'}, 'previous_log': "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18189/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18068/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18018/python3", 'location': 'netstat listening ports'}'
2023/04/11 16:58:22 wazuh-integratord[18529] integrator.c:434 at OS_IntegratorD(): DEBUG: # Generating message
2023/04/11 16:58:22 wazuh-integratord[18529] integrator.c:434 at OS_IntegratorD(): DEBUG: # Sending message {"severity": 2, "pretext": "WAZUH Alert", "title": "Listened ports status (netstat) changed (new port opened or closed).", "text": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18670/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18550/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18499/python3", "rule_id": "533", "timestamp": "2023-04-11T16:58:21.094+0000", "id": "1681232301.519660", "all_fields": {"timestamp": "2023-04-11T16:58:21.094+0000", "rule": {"level": 7, "description": "Listened ports status (netstat) changed (new port opened or closed).", "id": "533", "firedtimes": 1, "mail": false, "groups": ["ossec"], "pci_dss": ["10.2.7", "10.6.1"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"]}, "agent": {"id": "000", "name": "centos8.localdomain"}, "manager": {"name": "centos8.localdomain"}, "id": "1681232301.519660", "previous_output": "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18189/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18068/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18018/python3", "full_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18670/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18550/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18499/python3", "decoder": {"name": "ossec"}, "previous_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd\ntcp6 :::22 :::* 911/sshd\nudp 127.0.0.1:323 0.0.0.0:* 840/chronyd\nudp6 ::1:323 :::* 840/chronyd\ntcp 0.0.0.0:1514 0.0.0.0:* 18189/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 18068/wazuh-authd\ntcp 0.0.0.0:55000 0.0.0.0:* 18018/python3", "location": "netstat listening ports"}, "custom_option": "Custom Option Value"} to Shuffle server
2023/04/11 16:58:22 wazuh-integratord[18529] integrator.c:434 at OS_IntegratorD(): DEBUG: # Response received: >
2023/04/11 16:58:22 wazuh-integratord[18529] integrator.c:447 at OS_IntegratorD(): DEBUG: Command ran successfully.
```
Invalid JSON format - integration fails

- Configure integration

```xml
<integration>
  <name>shuffle</name>
  <hook_url>WEBHOOK</hook_url>
  <alert_format>json</alert_format>
  <options>{"custom_option":"Custom Option Value}</options>
</integration>
```

- Restart Manager
- Check integration has started

```
2023/04/11 16:59:30 wazuh-integratord[19010] integrator.c:276 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232370--1466395964.alert was written.
2023/04/11 16:59:30 wazuh-integratord[19010] integrator.c:409 at OS_IntegratorD(): DEBUG: File /tmp/shuffle-1681232370--883062163.options was written.
2023/04/11 16:59:30 wazuh-integratord[19010] integrator.c:425 at OS_IntegratorD(): DEBUG: Running script with args: integrations /tmp/shuffle-1681232370--1466395964.alert https://shuffler.nw.r.appspot.com/api/v1/hooks/webhook_926c58ba-a169-41e2-bc1b-0b82791eea30 debug /tmp/shuffle-1681232370--883062163.options
2023/04/11 16:59:31 wazuh-integratord[19010] integrator.c:434 at OS_IntegratorD(): DEBUG: # Running Shuffle script
2023/04/11 16:59:31 wazuh-integratord[19010] integrator.c:434 at OS_IntegratorD(): DEBUG: Failed getting JSON options. Error: Invalid control character at: line 1 column 39 (char 38)
2023/04/11 16:59:31 wazuh-integratord[19010] integrator.c:443 at OS_IntegratorD(): ERROR: Unable to run integration for shuffle -> integrations
2023/04/11 16:59:31 wazuh-integratord[19010] integrator.c:444 at OS_IntegratorD(): ERROR: While running shuffle -> integrations. Output: Failed getting JSON options. Error: Invalid control character at: line 1 column 39 (char 38)
2023/04/11 16:59:31 wazuh-integratord[19010] integrator.c:445 at OS_IntegratorD(): ERROR: Exit status was: 7
```
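The three Shuffle runs above show the `options` value end to end: a recognised key such as `pretext` replaces the script's default, an unrecognised key (`custom_option`) is appended to the outgoing payload unchanged, and a value that is not valid JSON aborts the script with exit status 7 before anything is sent. The following Python reproduces that merge and failure path as an added example; it is not Wazuh's own `shuffle.py` and makes no network request. The severity banding, the `OptionsError` class and the `run()` helper are assumptions made here, the exit code is the one observed in the log, and the sample alert is a constructed, trimmed copy of the alert in the logs.

```python
"""Added example: reproduce the options merge observed in the Shuffle test runs.

Not Wazuh's shuffle.py. Sends nothing; it only builds the payload the logs show.
"""
import json
import sys

# Exit status reported for an unparsable options value, taken from the
# "Exit status was: 7" line in the invalid-JSON run.
ERR_INVALID_JSON = 7

# Constructed sample alert, trimmed from the one in the logs above.
SAMPLE_ALERT_TEXT = json.dumps({
    "timestamp": "2023-04-11T16:57:20.078+0000",
    "rule": {
        "level": 7,
        "description": "Listened ports status (netstat) changed (new port opened or closed).",
        "id": "533",
    },
    "agent": {"id": "000", "name": "centos8.localdomain"},
    "id": "1681232240.518462",
    "full_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 911/sshd",
})


class OptionsError(ValueError):
    """Options value cannot be used; `status` is the exit code to report (assumed class)."""

    def __init__(self, message, status=ERR_INVALID_JSON):
        super().__init__(message)
        self.status = status


def load_options(text):
    """Parse the <options> value. Any JSON error is fatal, as in the third run above."""
    try:
        options = json.loads(text)
    except json.JSONDecodeError as exc:
        raise OptionsError(f"Failed getting JSON options. Error: {exc}")
    if not isinstance(options, dict):
        # Assumption: only a JSON object can be merged into the payload.
        raise OptionsError("Failed getting JSON options. Error: options must be a JSON object")
    return options


def severity_from_level(level):
    """Assumed banding; the only fixed point is that level 7 gives severity 2 in the logs."""
    if level <= 4:
        return 1
    if level <= 7:
        return 2
    return 3


def generate_msg(alert, options):
    """Build the default payload, then overlay whatever the options object carries."""
    msg = {
        "severity": severity_from_level(alert["rule"]["level"]),
        "pretext": "WAZUH Alert",
        "title": alert["rule"]["description"],
        "text": alert.get("full_log", ""),
        "rule_id": alert["rule"]["id"],
        "timestamp": alert["timestamp"],
        "id": alert["id"],
        "all_fields": alert,
    }
    # Existing keys such as "pretext" are replaced in place; unknown keys such as
    # "custom_option" are appended after "all_fields", matching the second run.
    msg.update(options)
    return msg


def run(alert_text, options_text):
    """Return (exit_status, payload, error): payload on success, error text on failure."""
    try:
        options = load_options(options_text)
    except OptionsError as exc:
        return exc.status, None, str(exc)
    return 0, generate_msg(json.loads(alert_text), options), None


if __name__ == "__main__":
    # The three options values from the test cases; the last one has no closing quote.
    for opts in ('{"pretext":"Custom Pretext Value"}\n',
                 '{"custom_option":"Custom Option Value"}\n',
                 '{"custom_option":"Custom Option Value}\n'):
        status, payload, error = run(SAMPLE_ALERT_TEXT, opts)
        if payload is None:
            print(f"exit {status}: {error}", file=sys.stderr)
        else:
            print(f"exit {status}: pretext={payload['pretext']!r} last_key={list(payload)[-1]!r}")
```

Because the overlay is a plain dictionary update, any key in the options object, `title`, `text` or `all_fields` included, replaces what the script generated, so write access to the `<options>` element is effectively control over the payload. The trailing newline in the invalid case is what makes Python report the error at char 38 rather than at the unterminated string, which is why the log says "Invalid control character". Separately, the `InsecureRequestWarning` in the first two runs shows the webhook request was made without certificate verification.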
Deblintrake09 commented 1 year ago

Conclusion :green_circle:

After the latest changes, the second round of testing shows the integration is working as expected.

damarisg commented 1 year ago

QA review

damarisg commented 1 year ago

It will be closed because each case will be covered in https://github.com/wazuh/wazuh-qa/issues/3928, https://github.com/wazuh/wazuh-qa/issues/4012 and https://github.com/wazuh/wazuh-qa/issues/4014.