TECHIES WORLD

For Techs.... Techniques.... Technologies....


How to push WAZUH alerts to JIRA

OSSEC (on which the Wazuh manager is built) provides an option to integrate custom scripts with it. This article explains the configuration needed to integrate a script that pushes Wazuh alerts to JIRA.

Step 1: Log in to the Wazuh manager server as root via SSH.

Step 2: Open the OSSEC configuration file.

#vi /var/ossec/etc/ossec.conf

Step 3: Add or modify the custom integration section as below.

<integration>
    <name>custom-script</name>
    <group>syscheck</group>
    <alert_format>json</alert_format>
</integration>

Step 4: Open a new file "/var/ossec/integrations/custom-script".

#vi /var/ossec/integrations/custom-script

Step 5: Save the below script to the file.

#!/usr/bin/env python

import json
import sys

from jira import JIRA

# Connection details: replace URL, USERNAME and PASSWORD with the JIRA
# server address and credentials.
jira_options = {'server': 'URL'}
jira = JIRA(options=jira_options, basic_auth=('USERNAME', 'PASSWORD'))

# Wazuh passes the path of a temporary file holding the alert as the first
# argument; the file contains one JSON-formatted alert.
with open(sys.argv[1]) as alert_file:
    alert_json = json.load(alert_file)

# Extract issue fields
alert_level = alert_json['rule']['level']
description = alert_json['rule']['description']
# Only syscheck (FIM) alerts carry a 'syscheck' block; fall back to 'unknown'
# so the script does not crash if another alert group reaches it.
path = alert_json.get('syscheck', {}).get('path', 'unknown')

# Create the issue from a dict of fields:
issue_dict = {
    'project': {'key': 'WAZ'},
    'summary': 'FIM alert on [' + path + ']',
    'description': '- State: ' + description + '\n- Alert level: ' + str(alert_level),
    'issuetype': {'name': 'Bug'},
}
new_issue = jira.create_issue(fields=issue_dict)

sys.exit(0)

Here we need to replace URL, USERNAME and PASSWORD with the corresponding details of the JIRA instance.

Also note that all the modules used in this script (the jira package in particular) must be installed beforehand.
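Before wiring the script into the manager it helps to test the alert-to-issue mapping offline. The following added example (not part of the original post, and not Wazuh or jira-python code) separates the field mapping from the JIRA call: it parses a constructed sample syscheck alert, drops alerts below a hypothetical minimum level, builds a summary that still makes sense for alerts without a syscheck block, and prints the payload that would be handed to jira.create_issue instead of creating the issue. The project key WAZ and the issue type Bug are the values from the script above; MIN_LEVEL, PROJECT_KEY and the sample alert contents are assumptions.

```python
#!/usr/bin/env python
"""Dry-run helper: build the JIRA issue fields for a Wazuh alert without contacting JIRA."""
import json
import sys

# Hypothetical settings; adjust for your JIRA project and alerting policy.
PROJECT_KEY = 'WAZ'
MIN_LEVEL = 7

# Constructed sample alert in the JSON layout Wazuh writes for a syscheck
# (FIM) event; it carries the fields the integration script reads.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "rule": {"level": 7, "description": "Integrity checksum changed.",
             "id": "550", "groups": ["ossec", "syscheck"]},
    "agent": {"id": "001", "name": "web01"},
    "syscheck": {"path": "/etc/passwd", "event": "modified"},
})


def parse_alert(raw):
    """Decode the JSON alert text Wazuh hands to the integration script."""
    return json.loads(raw)


def build_issue_fields(alert, project_key=PROJECT_KEY):
    """Map a Wazuh alert dict to the fields dict passed to JIRA.create_issue.

    Returns None when the alert is below MIN_LEVEL so low-severity noise
    never reaches the ticket queue.
    """
    rule = alert.get('rule', {})
    level = int(rule.get('level', 0))
    if level < MIN_LEVEL:
        return None
    description = rule.get('description', 'no description')
    agent = alert.get('agent', {}).get('name', 'unknown-agent')
    # Only FIM alerts carry a syscheck block; other groups get a generic summary.
    path = alert.get('syscheck', {}).get('path')
    if path:
        summary = 'FIM alert on [%s] from %s' % (path, agent)
    else:
        summary = 'Wazuh alert (rule %s) from %s' % (rule.get('id', '?'), agent)
    body = '- State: %s\n- Alert level: %d\n- Agent: %s\n- Rule id: %s' % (
        description, level, agent, rule.get('id', '?'))
    return {
        'project': {'key': project_key},
        'summary': summary,
        'description': body,
        'issuetype': {'name': 'Bug'},
    }


def main(argv):
    # Wazuh passes the alert file as argv[1]; with no argument use the sample.
    if len(argv) > 1:
        with open(argv[1]) as f:
            alert = parse_alert(f.read())
    else:
        alert = parse_alert(SAMPLE_ALERT)
    fields = build_issue_fields(alert)
    if fields is None:
        print('alert below threshold, no issue created')
    else:
        # Dry run: show the payload instead of calling jira.create_issue(fields=fields)
        print(json.dumps(fields, indent=2))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it with no argument to see the payload for the sample alert, or pass the path of a real alert file saved from the manager. Once the mapping looks right, replace the print with the jira.create_issue call from the script above; keeping the threshold check in place means a noisy rule cannot flood the JIRA project.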

Step 6: Correct the permissions of the file.

#chmod 750 /var/ossec/integrations/custom-script

Step 7: Correct the ownership of the file.

#chown root:ossec /var/ossec/integrations/custom-script

Step 8: Restart the OSSEC manager service.

#/var/ossec/bin/ossec-control restart

The Wazuh syscheck alerts will now start appearing as issues in JIRA.

That's all…
