ilert-wazuh

ilert Wazuh Alerting Plugin

In Wazuh: Install the integration script

Prerequisites

  • Wazuh Manager installed and running
  • Python 3 installed on the Wazuh server
  • Python requests module installed:
    pip3 install requests
  • The ilert integration key from the previous step

1. Download the script

Clone the ilert-wazuh repository on your Wazuh Manager:

git clone https://github.com/iLert/ilert-wazuh.git
cd ilert-wazuh

2. Copy the script to the Wazuh integrations directory

cp custom-ilert /var/ossec/integrations/custom-ilert

3. Set permissions and ownership

chmod 750 /var/ossec/integrations/custom-ilert
chown root:wazuh /var/ossec/integrations/custom-ilert

4. Configure Wazuh

Edit /var/ossec/etc/ossec.conf and add the following inside the <ossec_config> block. Replace INTEGRATION_KEY with your ilert integration key:

<integration>
  <name>custom-ilert</name>
  <api_key>INTEGRATION_KEY</api_key>
  <hook_url>https://api.ilert.com/api/v1/events/wazuh/INTEGRATION_KEY</hook_url>
  <level>3</level>
  <alert_format>json</alert_format>
</integration>

The <api_key> field is required by Wazuh but is not used in the payload, since the integration key is already part of the <hook_url>.

The <level> option defines the minimum alert level that triggers the integration. Only alerts at or above this level are forwarded to ilert. The value must be equal to or greater than the <log_alert_level> in your <alerts> configuration — alerts below <log_alert_level> are not written to the alerts log and will never reach the integration.

Level   Severity   Examples
0-6     Info       System notifications, successful logins
7-9     Warning    Bad word matches, first time events
10-12   Error      Multiple failed logins, file integrity changes
13+     Critical   Active attacks, high importance security events

5. Restart the Wazuh Manager

systemctl restart wazuh-manager

Verify the integration

Trigger a test alert:

systemd-cat -t sshd <<< "Failed password for invalid user admin from 192.168.1.100 port 22 ssh2"

Check the logs:

tail -f /var/ossec/logs/alerts/alerts.json
tail -f /var/ossec/logs/integrations.log

Debug mode

To enable debug logging, add an <options> element with the value debug to the integration block:

<integration>
  <name>custom-ilert</name>
  <api_key>INTEGRATION_KEY</api_key>
  <hook_url>https://api.ilert.com/api/v1/events/wazuh/INTEGRATION_KEY</hook_url>
  <level>3</level>
  <alert_format>json</alert_format>
  <options>debug</options>
</integration>

Debug output is written to /var/ossec/logs/integrations.log.

Severity mapping

The script maps the Wazuh rule level to an ilert event severity:

Wazuh Level   ilert Severity
0-6           info
7-9           warning
10-12         error
13+           critical
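The following is an added illustration of the mapping and threshold logic described above; it is not the project's custom-ilert script. The ilert payload field names, the sample alert, and the argument order Wazuh uses to call a custom integration (alert file, api_key, hook_url) are assumptions for this example.

```python
import json
import sys
from typing import Any

# Wazuh rule level -> ilert severity, as documented in the table above.
SEVERITY_BANDS = (
    (0, 6, "info"),
    (7, 9, "warning"),
    (10, 12, "error"),
    (13, None, "critical"),  # open-ended top band
)


def severity_for_level(level: int) -> str:
    """Map a Wazuh rule level to an ilert event severity."""
    for low, high, severity in SEVERITY_BANDS:
        if level >= low and (high is None or level <= high):
            return severity
    raise ValueError(f"invalid rule level: {level}")


def reaches_integration(level: int, integration_level: int, log_alert_level: int) -> bool:
    """An alert is forwarded only if it is written to alerts.json at all
    (level >= log_alert_level) and meets the <level> of the integration."""
    return level >= log_alert_level and level >= integration_level


def build_event(alert: dict[str, Any]) -> dict[str, Any]:
    """Build an event body from one Wazuh alert (payload field names are assumed)."""
    rule = alert["rule"]
    level = int(rule["level"])
    return {
        "severity": severity_for_level(level),
        "summary": f"[{rule['id']}] {rule['description']}",
        "details": alert.get("full_log", ""),
        "alertKey": f"{alert['agent']['name']}-{rule['id']}",  # dedup key per host and rule
    }


# Constructed sample alert, shaped like one line of alerts.json (not a real capture).
SAMPLE_ALERT = {
    "rule": {"level": 5, "description": "sshd: Attempt to login using a non-existent user", "id": "5710"},
    "agent": {"name": "manager"},
    "full_log": "Failed password for invalid user admin from 192.168.1.100 port 22 ssh2",
}

if __name__ == "__main__":
    # Assumed invocation by Wazuh: script <alert_file> <api_key> <hook_url>
    alert = SAMPLE_ALERT
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            alert = json.load(fh)
    print(json.dumps(build_event(alert), indent=2))
```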
