Prerequisites:
- Wazuh stack (manager + indexer + dashboard), or a Wazuh manager with Elasticsearch.
- Discord integration https://opensourcesecurityblogs.com/discord-wazuh-integration/
Use case:
Monitor Wazuh indexer/Elasticsearch/OpenSearch indexing and get a Discord notification if no events have been indexed in the last 5 minutes.
Monitoring Script:
#!/var/ossec/framework/python/bin/python3
import json
import requests
from requests.auth import HTTPBasicAuth
from socket import socket, AF_UNIX, SOCK_DGRAM

# analysisd queue socket on the Wazuh manager
SOCKET_ADDR = '/var/ossec/queue/sockets/queue'
AUTH = HTTPBasicAuth('Username', 'YourWazuhIndexer/ElasticsearchPassword')
WazuhIndexer_URL = 'https://WazuhIndexer.ElasticsearchIP:9200'

# Query data for the last 5 mins
QUERY = {
    "query": {
        "bool": {
            "must": [],
            "filter": [
                {"match_all": {}},
                {"range": {"timestamp": {"gte": "now-5m/m"}}}
            ]
        }
    }
}


def send_event(sock, msg):
    """Push a log event to analysisd as <queue>:<location>:<message>.
    Queue 1 is the log queue; the location 'WazuhIndexer_query' must match
    the <location> used in the rules below."""
    try:
        string = f'1:WazuhIndexer_query:{msg}'
        sock.send(string.encode())
    except Exception as e:
        print(f"Error sending event: {e}")


def fetch_hits(url, query):
    """Return hits.total.value for the query, or None on any request or parsing error."""
    try:
        # verify=False skips TLS certificate validation (typical with the
        # indexer's self-signed certificate); point verify at the indexer CA
        # bundle instead if you have one.
        response = requests.get(url, auth=AUTH, verify=False, json=query)
        response.raise_for_status()  # Raise an error for bad status codes
        return json.loads(response.text)['hits']['total']['value']
    except (requests.exceptions.RequestException, KeyError, ValueError) as e:
        print(f"Error fetching data from Elasticsearch: {e}")
        return None


def main():
    sock = None
    try:
        sock = socket(AF_UNIX, SOCK_DGRAM)
        sock.connect(SOCKET_ADDR)
        # Fetch Wazuh alerts events hits
        wazuh_hits = fetch_hits(f'{WazuhIndexer_URL}/wazuh-alerts*/_search', QUERY)
        if wazuh_hits is not None:
            # Message text must contain rule 100302's <match> string verbatim
            send_event(sock, f'All Wazuh Alerts Events indexed retruns: {wazuh_hits} hits')
        # Fetch all events hits
        all_hits = fetch_hits(f'{WazuhIndexer_URL}/*/_search', QUERY)
        if all_hits is not None:
            # Message text must contain rule 100303's <match> string verbatim
            send_event(sock, f'All Indexed Events returns: {all_hits} hits')
    except Exception as e:
        print(f"Error with socket operations: {e}")
    finally:
        if sock is not None:
            sock.close()


if __name__ == "__main__":
    main()
Wazuh Manager Configuration:
Place the script on the Wazuh manager under /var/ossec/integrations and assign the following ownership and permissions:
chown :wazuh /var/ossec/integrations/monitorIndexing.py
chmod 750 /var/ossec/integrations/monitorIndexing.py
Add the configuration to run the script and the rules to trigger the alerts in your Wazuh manager:

<wodle name="command">
  <disabled>no</disabled>
  <command>/var/ossec/integrations/monitorIndexing.py</command>
  <interval>1m</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

<integration>
  <name>custom-discord</name>
  <group>monitoring</group>
  <hook_url>https://discord.com/api/webhooks/125309xxxx</hook_url>
  <api_key>https://192.168.121.97</api_key>
  <alert_format>json</alert_format>
</integration>

<group name="monitoring,">
  <rule id="100302" level="8">
    <location>WazuhIndexer_query</location>
    <match>All Wazuh Alerts Events indexed retruns: 0 hits</match>
    <description>No Wazuh alerts indexed for the last 5 minutes</description>
  </rule>
  <rule id="100303" level="10">
    <location>WazuhIndexer_query</location>
    <match>All Indexed Events returns: 0 hits</match>
    <description>No events indexed for the last 5 minutes</description>
  </rule>
</group>
Make sure to restart the Wazuh manager to apply the changes: systemctl restart wazuh-manager
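An added offline example (not the page's script) that exercises what the script and rules above depend on: the `<queue>:<location>:<message>` datagram format analysisd reads from its socket, extracting hits.total.value from a constructed _search response, and the substring matching the two `<match>` rules perform. The temp-directory socket path is a hypothetical stand-in for the manager's /var/ossec/queue/sockets/queue.

```python
"""Offline check of the queue format, hit extraction and rule matching used above."""
import json
import os
import tempfile
from socket import socket, AF_UNIX, SOCK_DGRAM

LOCATION = 'WazuhIndexer_query'

# <match> strings copied from rules 100302 and 100303 on the page; Wazuh's
# <match> is a substring test, so the event text must contain them verbatim.
RULES = {
    100302: 'All Wazuh Alerts Events indexed retruns: 0 hits',
    100303: 'All Indexed Events returns: 0 hits',
}

# Constructed _search response for an index with nothing in the last 5 minutes.
SAMPLE_EMPTY = json.dumps({'took': 2, 'timed_out': False,
                           'hits': {'total': {'value': 0, 'relation': 'eq'}, 'hits': []}})

def hits_from_response(body):
    """hits.total.value from a _search response body (same path the script uses)."""
    return json.loads(body)['hits']['total']['value']

def queue_message(location, msg):
    """Build the analysisd datagram; queue id 1 is the plain log queue."""
    return f'1:{location}:{msg}'.encode()

def parse_queue_message(raw):
    """Split a datagram back into (queue, location, message); the message may contain ':'."""
    queue, location, msg = raw.decode().split(':', 2)
    return int(queue), location, msg

def matching_rules(msg):
    """Ids of the page's rules whose <match> text is contained in the event message."""
    return sorted(rid for rid, needle in RULES.items() if needle in msg)

def roundtrip(msg):
    """Send one datagram through a throwaway unix socket (hypothetical path in a
    temp dir standing in for the manager's queue socket) and parse it back."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, 'queue')
    server, client = socket(AF_UNIX, SOCK_DGRAM), socket(AF_UNIX, SOCK_DGRAM)
    try:
        server.bind(path)
        client.connect(path)
        client.send(queue_message(LOCATION, msg))
        return parse_queue_message(server.recv(65536))
    finally:
        client.close(); server.close(); os.remove(path); os.rmdir(tmpdir)
```

Note that Elasticsearch and OpenSearch cap hits.total.value at 10,000 (relation "gte") unless track_total_hits is set in the query; the "0 hits" test is unaffected, but the reported counts are not exact above that threshold.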
Result:

Hope this helps 😀
40 responses to “Get notified when Elasticsearch/Wazuh Indexer/ OpenSearch stops indexing data”