Slack integration

You can connect Wazuh to external APIs and alerting tools such as Slack. This integration allows reporting alerts through messages sent to the platform by using the wazuh-integratord deamon.

For more information about integrations, check the Integration with external APIs section of the documentation.

Configuration

Configure your environment as follows to test the PoC.

  1. Create a Slack webhook. This is a unique URL to which Wazuh will send messages with the alerts.

  2. Replace YOUR_SLACK_WEBHOOK in the below configuration with the URL obtained in the previous step. Set this Slack integration configuration in /var/ossec/etc/ossec.conf at the Wazuh manager.

    <integration>
    <name>slack</name>
    <hook_url>YOUR_SLACK_WEBHOOK</hook_url> <!-- Replace with your Slack Webhook -->
    <level>10</level>
    <alert_format>json</alert_format>
</integration>

  3. Restart the Wazuh manager to apply the configuration changes.

    # systemctl restart wazuh-manager

Steps to generate the alerts

No action is required. Wazuh automatically forwards alerts level 10 or higher to the provided Slack webhook.

Query the alerts

The Slack channel you associated your Slack webhook with will show the alerts in real time.