
Currently I see just email notification which can be sent for alerts in OSSec. Is there any way to make an http call in case of an alert?

GG.

2 Answers


I couldn't find any direct way to send an OSSEC notification to a webhook URL. But I got this working with the help of Logstash, which we use for log parsing and indexing. I added a Logstash output with the following configuration:

```
output {
  if [type] == "ossec_alert" {
    http {
      http_method => "post"
      url => "https://mythhpwebhook.com?key=1234"
      content_type => "application/json"
      mapping => ["Subject", "OSSEC Alert: %{signature}", "Message", "%{message}"]
    }
  }
}
```

Note: `message` and `signature` are variables from the filter applied to the OSSEC input.

GG.

I found that you can send OSSEC notifications with active responses: look at this example and this ossec-tweeter.sh

BaZZiliO
  • Note that [link-only answers](http://meta.stackoverflow.com/tags/link-only-answers/info) are discouraged, SO answers should be the end-point of a search for a solution (vs. yet another stopover of references, which tend to get stale over time). Please consider adding a stand-alone synopsis here, keeping the link as a reference – kleopatra Sep 12 '15 at 07:32
  • Thank you for your attention! I've added sources for an example of an HTTP call in case of an alert? – BaZZiliO Sep 13 '15 at 15:19
  • well ... the solution is still in the links only, isn't it? Could you add the relevant parts of those? – kleopatra Sep 13 '15 at 15:58
  • Nope, I can't do this. Due to my contract I can't post any details. But links to other resources, as I think, I still can post. – BaZZiliO Sep 14 '15 at 22:54
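
The active-response approach from the second answer, sketched as an added example (it is not taken from the linked scripts or from the OSSEC project). It assumes OSSEC passes the script the positional arguments action, user, source IP, alert ID and rule ID; `WEBHOOK_URL`, the payload field names and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: OSSEC active-response script that POSTs alert metadata
# to a webhook. Assumed invocation (positional arguments):
#   <action> <user> <srcip> <alert-id> <rule-id>
# WEBHOOK_URL is a hypothetical placeholder; override it in the environment.
WEBHOOK_URL="${WEBHOOK_URL:-https://webhook.example.invalid/ossec}"

# Escape a value for use inside a JSON string. user and srcip are decoded
# from log lines, so they are untrusted: drop control characters, then
# escape backslashes and double quotes.
json_escape() {
    printf '%s' "$1" | tr -d '\000-\037' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the JSON body from the five active-response arguments.
build_payload() {
    printf '{"Subject":"OSSEC Alert: rule %s","action":"%s","user":"%s","srcip":"%s","alert_id":"%s"}' \
        "$(json_escape "$5")" "$(json_escape "$1")" "$(json_escape "$2")" \
        "$(json_escape "$3")" "$(json_escape "$4")"
}

# POST the payload read from stdin. --fail turns HTTP errors into a
# non-zero exit code; --max-time keeps a slow webhook from stalling the
# active-response queue.
send_alert() {
    curl -sS --fail --max-time 10 \
        -H 'Content-Type: application/json' \
        --data-binary @- "$WEBHOOK_URL"
}

main() {
    # "delete" is the timeout/undo call; a notification has nothing to undo.
    [ "$1" = "add" ] || return 0
    build_payload "$@" | send_alert
}

# Run only when invoked with the full argument list.
if [ "$#" -ge 5 ]; then
    main "$@"
fi
```

To use it, place the script in OSSEC's `active-response/bin` directory and reference it from a `<command>` and a matching `<active-response>` block in `ossec.conf`.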