Integration with external APIs

Integrator is a new daemon that allows the connection of Wazuh to external APIs and alerting tools such as Slack and PagerDuty.

Configuration

Integrator is not enabled by default. Enable it and restart Wazuh with the following commands:

$ /var/ossec/bin/ossec-control enable integrator
$ /var/ossec/bin/ossec-control restart

Integrations are configured in the file etc/ossec.conf, located inside your Wazuh installation directory. Add the following block inside <ossec_config> </ossec_config> to configure an integration; the name is mandatory, the hook_url or api_key depends on the service, and the filter elements are optional:

<integration>
  <name> </name>
  <hook_url> </hook_url>
  <api_key> </api_key>

  <!-- Optional filters -->

  <rule_id> </rule_id>
  <level> </level>
  <group> </group>
  <event_location> </event_location>
</integration>

Integration with Slack

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url>
</integration>

Integration with PagerDuty

<integration>
  <name>pagerduty</name>
  <api_key>MYKEY</api_key>
</integration>
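To show how the <integration> block above fits together with the Slack and PagerDuty examples, here is an added example (not part of the Wazuh project or this page) that parses the <integration> elements out of an <ossec_config> section, checks that each one carries the credential its service needs, and evaluates the optional filters against a constructed alert. The sample configuration and alert are constructed for the example, and the filter semantics (rule_id and group as comma-separated lists, level as a minimum, event_location as a substring of the alert's location) are assumptions, not something this page states.

```python
"""Parse and sanity-check <integration> blocks from a Wazuh ossec.conf section."""
import xml.etree.ElementTree as ET

# Constructed sample: one <ossec_config> section with three integrations.
# The first two mirror the page's Slack and PagerDuty examples; the third is
# deliberately incomplete (no hook_url, non-numeric level) to exercise validation.
SAMPLE_CONF = """
<ossec_config>
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/PLACEHOLDER</hook_url>
    <level>10</level>
    <group>authentication_failed,sshd</group>
  </integration>
  <integration>
    <name>pagerduty</name>
    <api_key>MYKEY</api_key>
    <rule_id>5710,5712</rule_id>
  </integration>
  <integration>
    <name>slack</name>
    <level>high</level>
  </integration>
</ossec_config>
"""

# Which credential each service requires, taken from the page's two examples.
REQUIRED_CREDENTIAL = {"slack": "hook_url", "pagerduty": "api_key"}
SECRET_TAGS = ("hook_url", "api_key")


def parse_integrations(xml_text):
    """Return one dict per <integration> element: tag -> stripped text.
    Assumes a single well-formed <ossec_config> root element."""
    root = ET.fromstring(xml_text)
    return [{child.tag: (child.text or "").strip() for child in node}
            for node in root.findall("integration")]


def validate(entry):
    """Return a list of problems with one integration entry (empty list means ok)."""
    problems = []
    name = entry.get("name", "")
    if not name:
        problems.append("missing <name>")
    needed = REQUIRED_CREDENTIAL.get(name)
    if needed and not entry.get(needed):
        problems.append(f"{name} integration requires <{needed}>")
    if "level" in entry and not entry["level"].isdigit():
        problems.append("<level> must be a non-negative integer")
    return problems


def redacted(entry):
    """Copy of an entry that is safe to log: hook_url and api_key are credentials."""
    return {k: ("<redacted>" if k in SECRET_TAGS and v else v) for k, v in entry.items()}


def _csv(value):
    """Split a comma-separated filter value into a set of non-empty items."""
    return {item.strip() for item in value.split(",") if item.strip()}


def alert_matches(entry, alert):
    """Decide whether an alert passes the entry's optional filters.
    Assumed semantics (not stated on the page): rule_id and group are
    comma-separated lists (any match), level is a minimum alert level, and
    event_location must appear in the alert's location string. An entry with
    no filters matches every alert. Call validate() first: a non-numeric
    <level> would raise here."""
    if "rule_id" in entry and alert["rule_id"] not in _csv(entry["rule_id"]):
        return False
    if "level" in entry and alert["level"] < int(entry["level"]):
        return False
    if "group" in entry and not _csv(entry["group"]) & set(alert["groups"]):
        return False
    if "event_location" in entry and entry["event_location"] not in alert["location"]:
        return False
    return True


if __name__ == "__main__":
    # Constructed alert: a level-10 sshd authentication-failure rule.
    alert = {"rule_id": "5712", "level": 10,
             "groups": ["syslog", "sshd", "authentication_failed"],
             "location": "/var/log/auth.log"}
    for entry in parse_integrations(SAMPLE_CONF):
        problems = validate(entry)
        verdict = problems or ("matches" if alert_matches(entry, alert) else "filtered")
        print(redacted(entry), verdict)
```

The script prints entries through redacted() because a Slack hook URL and a PagerDuty API key are bearer credentials: anyone who can read them can post into the channel or open incidents, so they should not end up in logs or shell history, and ossec.conf itself deserves the same file permissions as any other secret store.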