How to push WAZUH alerts to JIRA
Ossec provides an option to run custom scripts on alerts. This article explains the configuration needed to push WAZUH alerts to JIRA with such a script.
Step1: Log in to the WAZUH manager server as root via SSH.
Step2: Open Ossec configuration file.
#vi /var/ossec/etc/ossec.conf
Step3: Add or modify the custom integration section as below. The <group> element limits the integration to syscheck (file integrity monitoring) alerts, and <alert_format> makes the manager hand the alert to the script as JSON.
<integration>
<name>custom-script</name>
<group>syscheck</group>
<alert_format>json</alert_format>
</integration>
Step4: Open a new file "/var/ossec/integrations/custom-script".
#vi /var/ossec/integrations/custom-script
Step5: Save the below script to the file.
#!/usr/bin/env python
# Integration script: reads the JSON alert written by the manager and
# opens a JIRA issue for it.
import json
import sys
from jira.client import JIRA

# Replace URL, USERNAME and PASSWORD with the JIRA details.
jira_options = {'server': 'URL'}
jira = JIRA(options=jira_options, basic_auth=('USERNAME', 'PASSWORD'))

# The manager passes the path of the alert file as the first argument.
with open(sys.argv[1]) as alert_file:
    alert_json = json.load(alert_file)

# Extract issue fields
alert_level = alert_json['rule']['level']
description = alert_json['rule']['description']
path = alert_json['syscheck']['path']

# Create the issue from a dict of fields
issue_dict = {
    'project': {'key': 'WAZ'},
    'summary': 'FIM alert on [' + path + ']',
    'description': '- State: ' + description + '\n- Alert level: ' + str(alert_level),
    'issuetype': {'name': 'Bug'},
}
new_issue = jira.create_issue(fields=issue_dict)
sys.exit(0)
Here we need to replace URL, USERNAME and PASSWORD with the JIRA server address and the credentials of the account that will create the issues.
Also note that all the modules used in this script (the jira Python package) must be installed beforehand.
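The script above assumes every alert carries a syscheck path and dies with a KeyError otherwise. The following is an added example, not code from the article or from the Wazuh project: it separates the alert-to-issue mapping into a function that can be tested offline without a JIRA connection, tolerates alerts with no syscheck block, and keeps the summary within JIRA's 255-character limit. The project key WAZ and issue type Bug come from the article; the helper name, the extra description lines and the sample alert are assumptions constructed for the example.

```python
# Added example (not from the original article): build the JIRA issue
# fields from a Wazuh JSON alert without contacting JIRA, so the mapping
# can be checked offline. Project key "WAZ" and issue type "Bug" follow
# the article; the function name and extra fields are assumptions.
import json

JIRA_SUMMARY_LIMIT = 255  # JIRA rejects summaries longer than this


def build_issue_fields(alert, project_key='WAZ', issuetype='Bug'):
    """Map a Wazuh alert dict to the 'fields' dict jira.create_issue expects.

    Alerts without a syscheck block are still turned into an issue
    (the <group> filter should keep them out, but a rule that sits in
    several groups or a hand-edited config can still deliver one).
    """
    rule = alert.get('rule', {})
    level = rule.get('level', 0)
    rule_id = rule.get('id', 'unknown')
    rule_desc = rule.get('description', 'no description')
    agent = alert.get('agent', {}).get('name', 'unknown-agent')
    path = alert.get('syscheck', {}).get('path')

    if path:
        summary = 'FIM alert on [' + path + '] (' + agent + ')'
    else:
        summary = 'Wazuh alert rule ' + str(rule_id) + ' on ' + agent
    summary = summary[:JIRA_SUMMARY_LIMIT]

    description = (
        '- State: ' + rule_desc + '\n'
        '- Alert level: ' + str(level) + '\n'
        '- Rule id: ' + str(rule_id) + '\n'
        '- Agent: ' + agent + '\n'
        '- Path: ' + (path or 'n/a') + '\n'
        '- Time: ' + str(alert.get('timestamp', 'n/a'))
    )
    return {
        'project': {'key': project_key},
        'summary': summary,
        'description': description,
        'issuetype': {'name': issuetype},
    }


# Constructed sample alert in the shape of Wazuh's JSON alert format
# (field names as in alerts.json; the host, path and time are made up,
# rule 550 "Integrity checksum changed." is a stock syscheck rule).
SAMPLE_ALERT = json.loads('''{
  "timestamp": "2019-01-01T10:00:00+0000",
  "rule": {"level": 7, "description": "Integrity checksum changed.", "id": "550"},
  "agent": {"id": "001", "name": "web01"},
  "syscheck": {"path": "/etc/passwd", "event": "modified"}
}''')

if __name__ == '__main__':
    print(json.dumps(build_issue_fields(SAMPLE_ALERT), indent=2))
```

In the integration script the result of build_issue_fields would be passed straight to jira.create_issue(fields=...); keeping the mapping free of network calls is what lets it be exercised against saved alert files before the integration goes live.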
Step6: Correct the permissions of the file.
#chmod 750 /var/ossec/integrations/custom-script
Step7: Correct the ownership of the file.
#chown root:ossec /var/ossec/integrations/custom-script
Step8: Restart Ossec manager service.
#/var/ossec/bin/ossec-control restart
The WAZUH alerts will start populating in JIRA now.
That's all…