Integrating Telegram with Wazuh

Jesús Jiménez Sánchez
3 min read · Oct 28, 2020


Post cover image with both Wazuh and Telegram logos.

Telegram is a very popular cloud-based messaging service, with private chats and group chats. One of its most used features is bots, which, thanks to the Telegram Bot API, anyone can create.

Wazuh, on the other hand, is a fork of OSSEC used to collect, aggregate, index and analyze security data.

In this post, we’ll create a Telegram bot to receive Wazuh alerts directly in a Telegram chat using the integrations module in Wazuh.

Creating the bot

To send Wazuh alerts to a Telegram chat, we need to create a bot first. To do this we have to send a couple of messages to @BotFather. After starting it with the /start command, we send the /newbot command and choose a display name and a username ending in "bot" for the new bot, WazuhBlogBot in this case. BotFather then replies with the bot token, which we will need later.

Conversation with BotFather to create a new Telegram bot.

We can also set a profile picture and a description for the bot, among other things.

Writing the script

Once the bot is ready, we can write the script that will send the Wazuh alerts. First, we need the chat id, the identifier of the conversation we are having with the bot. Send any message to the bot first (otherwise the update list is empty), then open this URL, replacing the placeholder with the token given by BotFather:

https://api.telegram.org/bot<YOUR-BOT-TOKEN>/getUpdates

We will see something like this when accessing this page in the browser:

{"ok":true,"result":[{"update_id":530302469,"message":{"message_id":27,"from":{"id":38488931,"is_bot":false,"first_name":"xxxxxx","last_name":"xxxxxx","username":"xxxxxx","language_code":"es"},"chat":{"id":xxxxxxxxx,"first_name":"xxxxxxx","last_name":"xxxxxxx","username":"xxxxxxx","type":"private"},"date":1595488212,"text":"a"}}]}

The value of "id" inside "chat" is the chat id (for group chats it is a negative number). With the token given by BotFather and this chat id, we have all the information the script needs. Keep in mind that the token is a secret: anyone who has it can send messages as the bot and read its updates, so avoid leaving it in a shared browser history or in world-readable files.

The first thing to do will be installing the requests package using pip3 to send requests to the Telegram servers:

pip3 install requests

Once requests is installed, the script starts with a shebang line selecting the interpreter it will run under:

#!/usr/bin/env python3

The Wazuh integrator calls the script with three positional arguments:

  • alert_file: path to a file containing the alert in JSON format.
  • api_key: the value of the api_key option in ossec.conf; not used by this integration.
  • hook_url: defined in the ossec.conf, contains the token.

We’ll write now the function to generate the message:

In this case, messages will have the following information:

  • title: description of the alert, if it exists.
  • description: complete log of the alert.
  • groups: groups of the rule.
  • rule: rule identifier and its level.
  • agent: agent’s name and identifier.

You can also change the information the script sends by using any other field of the alert JSON; the alerts have the same structure as the entries in /var/ossec/logs/alerts/alerts.json.

The message is sent with parse_mode set to Markdown, so we can play with the format of the message. Note that alert contents such as usernames or log lines may themselves contain Markdown characters (like * or _), which Telegram will reject as malformed unless they are escaped. After creating the message, we can send it to Telegram by posting it to the sendMessage endpoint:

We can also add some debug message in case there is any problem with the script:

The final script will look like this:
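The author's script is not reproduced on this page, so here is an added example that follows the structure described above (message built from title, full log, groups, rule and agent; sent to the hook_url; errors logged to the integrations log). It is not the original script: it uses urllib from the standard library instead of requests (with requests the send step would be a single requests.post call), the chat id and the log path are placeholders, and the sample alert and getUpdates response at the bottom are constructed for illustration. It also covers the getUpdates step from earlier: chat_ids_from_updates extracts the chat ids from that JSON, including negative group ids.

```python
#!/usr/bin/env python3
"""custom-telegram: forward Wazuh alerts to a Telegram chat.

The Wazuh integrator runs it as:  custom-telegram <alert_file> <api_key> <hook_url>
where hook_url is https://api.telegram.org/bot<TOKEN>/sendMessage (from ossec.conf).
Added example script, not the original post's code; standard library only.
"""
import json
import sys
import time
import urllib.parse
import urllib.request

CHAT_ID = "123456789"                          # placeholder: chat id from getUpdates (negative for groups)
LOG_FILE = "/var/ossec/logs/integrations.log"  # assumed log path, the usual Wazuh convention
MAX_LOG_CHARS = 3000                           # keeps the whole message under Telegram's 4096-char limit


def chat_ids_from_updates(updates):
    """Return the set of chat ids seen in a parsed getUpdates response."""
    ids = set()
    for update in updates.get("result", []):
        chat = update.get("message", {}).get("chat")
        if chat and "id" in chat:
            ids.add(chat["id"])
    return ids


def escape_md(text):
    """Escape the characters Telegram's legacy Markdown parser treats specially.

    Alert fields are attacker-influenced (e.g. the username in a failed login),
    so an unescaped '*' or '_' would make Telegram reject the message."""
    for ch in ("_", "*", "`", "["):
        text = text.replace(ch, "\\" + ch)
    return text


def generate_msg(alert):
    """Build the Markdown message from a parsed alert (same structure as alerts.json)."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    title = rule.get("description", "No description")
    full_log = alert.get("full_log") or json.dumps(alert.get("data", {}))
    # The log goes inside a fenced block; a backtick would terminate it, so replace them.
    full_log = full_log.replace("`", "'")
    if len(full_log) > MAX_LOG_CHARS:
        full_log = full_log[:MAX_LOG_CHARS] + "..."
    lines = [
        "*" + escape_md(str(title)) + "*",
        "```\n" + full_log + "\n```",
        "*Groups:* " + escape_md(", ".join(rule.get("groups", []))),
        "*Rule:* " + escape_md("{} (level {})".format(rule.get("id", "?"), rule.get("level", "?"))),
        "*Agent:* " + escape_md("{} ({})".format(agent.get("name", "?"), agent.get("id", "?"))),
    ]
    return "\n".join(lines)


def send_msg(hook_url, msg):
    """POST the message to the sendMessage endpoint and return Telegram's JSON reply."""
    data = urllib.parse.urlencode(
        {"chat_id": CHAT_ID, "text": msg, "parse_mode": "Markdown"}
    ).encode()
    req = urllib.request.Request(hook_url, data=data)  # data= turns it into a POST
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def debug(msg):
    """Append a timestamped line to the integrations log."""
    with open(LOG_FILE, "a") as log:
        log.write("{} custom-telegram: {}\n".format(time.strftime("%Y-%m-%d %H:%M:%S"), msg))


def main(argv):
    if len(argv) < 4:
        debug("usage: custom-telegram <alert_file> <api_key> <hook_url>")
        sys.exit(1)
    alert_file, hook_url = argv[1], argv[3]  # argv[2] (api_key) is unused here
    try:
        with open(alert_file) as f:
            alert = json.load(f)
        reply = send_msg(hook_url, generate_msg(alert))
        if not reply.get("ok"):
            debug("telegram returned error: {}".format(reply))
    except Exception as exc:  # a bad token, a 400 from malformed Markdown, network errors...
        debug("error: {}".format(exc))
        sys.exit(1)


# Constructed sample alert, shaped like a Wazuh sshd brute-force alert (not real data).
SAMPLE_ALERT = {
    "rule": {"id": "5712", "level": 10,
             "description": "sshd: brute force trying to get access to the system.",
             "groups": ["syslog", "sshd", "authentication_failures"]},
    "agent": {"id": "001", "name": "web_server"},
    "full_log": "Jul 23 10:30:12 web_server sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2",
}

if __name__ == "__main__":
    main(sys.argv)
```

Running the script by hand with a one-line JSON alert file and your real hook URL is the quickest way to check the token, the chat id and the Markdown escaping before wiring it into the manager; any Telegram error ends up in the integrations log rather than crashing the integrator.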

Configuring Wazuh to send alerts to Telegram

After writing the script, we have to copy it to the machine where the Wazuh manager is installed, into the folder /var/ossec/integrations/. Integration scripts must have a name starting with custom-, and the manager only runs them if they are executable and owned correctly, so let's give the script the corresponding permissions and user:

chmod 750 /var/ossec/integrations/custom-telegram
chown root:ossec /var/ossec/integrations/custom-telegram

After doing this, the last step will be to add the integration configuration in the ossec.conf file and the Telegram integration will be ready:
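The configuration block is not reproduced on this page; the following is an added example of an ossec.conf integration entry matching the setup described (it is not the original post's snippet). The name must match the script file, alert_format must be json for the script to parse the alert, and the level threshold of 10 is an assumption you can change; YOUR-BOT-TOKEN is the placeholder for the token from BotFather.

```xml
<ossec_config>
  <integration>
    <!-- must match the script name in /var/ossec/integrations/ -->
    <name>custom-telegram</name>
    <!-- the script reads the token from this URL, so keep ossec.conf readable only by root and the wazuh/ossec group -->
    <hook_url>https://api.telegram.org/botYOUR-BOT-TOKEN/sendMessage</hook_url>
    <!-- only forward alerts of this level or higher (assumed threshold) -->
    <level>10</level>
    <!-- the script expects JSON, not the plain-text alert format -->
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```

You can narrow what gets forwarded further with a rule_id or group element inside the same block, which avoids flooding the chat (and hitting Telegram's rate limits) on a noisy manager.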

With <YOUR-BOT-TOKEN> being your token given by BotFather.

After this, restart the manager (for example with systemctl restart wazuh-manager) and the integration will be working. If nothing arrives, check /var/ossec/logs/ossec.log for integrator errors and the log file the script writes to. You'll receive messages like this one:

Message from the Wazuh Telegram bot.
