How to Integrate Wazuh and Telegram to Receive Alerts

Bisola Adediji

Integrating Wazuh with Telegram allows you to receive real-time security alerts via Telegram messages. This integration involves using Wazuh's API to send alerts to a Telegram bot. The bot can then forward these messages to your Telegram chat or group.

Here's a step-by-step guide to integrating Wazuh and Telegram for real-time alerts:

Create a Telegram Bot

First, you need to create a Telegram bot that will send the alerts to your chat or group.

  1. Open Telegram and search for the user @BotFather. This is the official bot that helps you create new bots on Telegram.

  2. Start a conversation with @BotFather by sending the /start command.

  3. Create a new bot by sending /newbot and following the instructions. You will be asked to provide:

    • A name for your bot.

    • A unique username that ends with bot (e.g., WazuhAlertBot).

  4. After successfully creating the bot, you will receive a bot token. This token will be used to authenticate requests and send messages via the Telegram API.

  5. Copy the token provided by @BotFather. You will use this token later.

Get Your Chat ID or Group ID

Next, you need to identify the chat ID or group ID where the alerts will be sent.

  1. Find your Chat ID:

    • If you want to receive alerts in a private chat with your bot, send any message to the bot.

    • Use this URL (in a browser) to get your chat ID:

        https://api.telegram.org/bot<YourBotToken>/getUpdates
      

Replace <YourBotToken> with the actual token you got from @BotFather.

This returns the recent updates in JSON format. Look for the chat object inside each message and read its id field; that number is your chat ID.

  2. Find your Group ID:

    • If you want to send alerts to a group, first add the bot to the desired group.

    • Send a message in the group.

    • Then, use the same URL as above to retrieve the group ID from the chat object of that message.
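Reading the chat ID out of the raw getUpdates response by hand is error-prone, especially for groups, whose IDs are negative numbers (the minus sign is part of the ID and must be kept). The following helper is an added example, not code from the original post: it calls getUpdates with the bot token (or, with no argument, runs offline on a constructed sample response with made-up IDs and names) and lists every chat the bot has seen. The function names and the sample data are assumptions for this example.

```python
import json
import sys
import urllib.request

# Constructed sample of a getUpdates response after one message in a private chat
# and two in a supergroup; the IDs and names are made up for this example.
SAMPLE_UPDATES = {
    "ok": True,
    "result": [
        {"update_id": 100000001,
         "message": {"message_id": 1, "date": 1700000000, "text": "hello",
                     "chat": {"id": 123456789, "type": "private", "first_name": "Alice"}}},
        {"update_id": 100000002,
         "message": {"message_id": 2, "date": 1700000010, "text": "test",
                     "chat": {"id": -1001234567890, "type": "supergroup", "title": "SOC alerts"}}},
        {"update_id": 100000003,
         "message": {"message_id": 3, "date": 1700000020, "text": "again",
                     "chat": {"id": 123456789, "type": "private", "first_name": "Alice"}}},
    ],
}


def fetch_updates(token):
    """Call getUpdates with the bot token and return the decoded JSON body."""
    url = "https://api.telegram.org/bot%s/getUpdates" % token
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def extract_chats(updates):
    """Return {chat_id: (chat_type, label)} for every chat seen in the updates.

    Private chats have positive IDs; groups and supergroups have negative IDs.
    Raises ValueError when Telegram reports ok=false (e.g. a bad token).
    """
    if not updates.get("ok"):
        raise ValueError("Telegram returned ok=false: %s" % updates.get("description"))
    chats = {}
    for update in updates.get("result", []):
        # Ordinary messages arrive as "message"; channel posts and edits use other keys.
        msg = update.get("message") or update.get("channel_post") or update.get("edited_message")
        if not msg:
            continue
        chat = msg.get("chat", {})
        if "id" not in chat:
            continue
        label = chat.get("title") or chat.get("username") or chat.get("first_name", "")
        chats[chat["id"]] = (chat.get("type", "unknown"), label)
    return chats


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = fetch_updates(sys.argv[1])  # live call with the real bot token
    else:
        data = SAMPLE_UPDATES              # offline run on the constructed sample
    for chat_id, (chat_type, label) in extract_chats(data).items():
        print("%-16s %-11s %s" % (chat_id, chat_type, label))
```

Run it as `python3 list_chats.py <YourBotToken>` after sending a message to the bot (or in the group). An empty result usually means no message has been sent recently or a webhook is registered for the bot, in which case getUpdates returns nothing until the webhook is removed. The token grants full control of the bot, so treat it like a password rather than leaving it in shell history or shared notes.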

Create Python Wrapper

  • To create the wrapper, run nano /var/ossec/integrations/custom-telegram as root.

  • Copy and paste this code into the wrapper

    ```sh
    #!/bin/sh

    WPYTHON_BIN="framework/python/bin/python3"

    SCRIPT_PATH_NAME="$0"

    DIR_NAME="$(cd $(dirname ${SCRIPT_PATH_NAME}); pwd -P)"
    SCRIPT_NAME="$(basename ${SCRIPT_PATH_NAME})"

    # Locate the Wazuh installation and the Python script that shares this wrapper's name
    case ${DIR_NAME} in
        */active-response/bin | */wodles*)
            if [ -z "${WAZUH_PATH}" ]; then
                WAZUH_PATH="$(cd ${DIR_NAME}/../..; pwd)"
            fi

            PYTHON_SCRIPT="${DIR_NAME}/${SCRIPT_NAME}.py"
        ;;
        */bin)
            if [ -z "${WAZUH_PATH}" ]; then
                WAZUH_PATH="$(cd ${DIR_NAME}/..; pwd)"
            fi

            PYTHON_SCRIPT="${WAZUH_PATH}/framework/scripts/${SCRIPT_NAME}.py"
        ;;
        */integrations)
            if [ -z "${WAZUH_PATH}" ]; then
                WAZUH_PATH="$(cd ${DIR_NAME}/..; pwd)"
            fi

            PYTHON_SCRIPT="${DIR_NAME}/${SCRIPT_NAME}.py"
        ;;
    esac

    # Run the script with Wazuh's bundled Python, passing through the arguments from integratord
    ${WAZUH_PATH}/${WPYTHON_BIN} ${PYTHON_SCRIPT} "$@"
    ```

Create the Python Script

  • Create a .py file by running nano /var/ossec/integrations/custom-telegram.py

  • Copy and paste the code below into that file and replace the CHAT_ID variable with your chat ID.

    ```python
    #!/usr/bin/env python

    import sys
    import json
    import requests

    # Chat ID (or negative group ID) obtained from getUpdates, as a string
    #CHAT_ID="xxxx"
    CHAT_ID=""

    # Wazuh invokes this script as: <alert_file> <api_key> <hook_url>
    alert_file_path = sys.argv[1]
    hook_url = sys.argv[3]

    # Read the alert file
    with open(alert_file_path) as alert_file:
        alert_json = json.load(alert_file)

    # Extract data fields, falling back to N/A when a field is absent
    rule = alert_json.get('rule', {})
    alert_level = rule.get('level', "N/A")
    description = rule.get('description', "N/A")
    agent = alert_json.get('agent', {}).get('name', "N/A")

    # Generate request: Telegram's sendMessage expects `text` to be a string
    text = "\n".join([
        "Description: " + str(description),
        "Alert level: " + str(alert_level),
        "Agent: " + str(agent),
    ])
    msg_data = {'chat_id': CHAT_ID, 'text': text}
    headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}

    # Send the request and report a rejected message instead of failing silently
    response = requests.post(hook_url, headers=headers, data=json.dumps(msg_data))
    if not response.ok:
        sys.stderr.write("Telegram request failed: %s %s\n" % (response.status_code, response.text))
        sys.exit(1)

    sys.exit(0)
    ```

  • Update permissions

      chown root:ossec /var/ossec/integrations/custom-telegram*
    
      chmod 750 /var/ossec/integrations/custom-telegram*
    

Integration with Wazuh

  • On your Wazuh manager, open the ossec.conf file: nano /var/ossec/etc/ossec.conf

  • Scroll to the integrations section and add your Telegram bot:

      <integration>
        <name>custom-telegram</name>
        <level>3</level>
        <hook_url>https://api.telegram.org/bot<YourBotToken>/sendMessage</hook_url>
        <alert_format>json</alert_format>
      </integration>
    
  • You can further customise this block so that only alerts for specific rules are sent.

  • Restart the Wazuh manager.

Verify Alerts

Test the integration by creating conditions that match the rules you set up and checking that the corresponding message arrives in your Telegram chat.
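Waiting for a real event is a slow way to find out that the chat ID is wrong or the token was mistyped, and a bare KeyError in the script would only surface in the manager's integration log. The code below is an added example, not part of the original post: it formats a constructed Wazuh alert (made-up field values in the shape the manager writes to the alert file) the way the integration script does, writes that alert to a temporary file so the wrapper can be invoked by hand exactly as Wazuh does (`/var/ossec/integrations/custom-telegram <file> "" <hook_url>`), and posts to sendMessage through an injectable opener so the error path (Telegram answering ok=false, for example "chat not found") can be exercised without network access. The function names, the fake opener and the sample alert are assumptions for this example; the 4096-character text limit is Telegram's documented sendMessage limit.

```python
import io
import json
import os
import tempfile
import urllib.request

TELEGRAM_TEXT_LIMIT = 4096  # sendMessage rejects longer text

# Constructed alert in the shape Wazuh writes to the file it passes as argv[1];
# the values are made up for this example, not taken from a real manager.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T12:00:00.000+0000",
    "rule": {"level": 5, "description": "sshd: authentication failed.", "id": "5716",
             "groups": ["syslog", "sshd", "authentication_failed"]},
    "agent": {"id": "001", "name": "web-01"},
    "data": {"srcip": "203.0.113.10"},
}


def format_alert(alert):
    """Build the Telegram message text from a Wazuh alert dict.

    Missing fields become N/A instead of raising a KeyError that would kill the
    integration silently, and the text is cut to Telegram's limit.
    """
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    lines = [
        "Wazuh alert",
        "Level: %s" % rule.get("level", "N/A"),
        "Rule: %s" % rule.get("id", "N/A"),
        "Description: %s" % rule.get("description", "N/A"),
        "Agent: %s" % agent.get("name", "N/A"),
        "Time: %s" % alert.get("timestamp", "N/A"),
    ]
    srcip = alert.get("data", {}).get("srcip")
    if srcip:
        lines.append("Source IP: %s" % srcip)
    return "\n".join(lines)[:TELEGRAM_TEXT_LIMIT]


def send_message(hook_url, chat_id, text, opener=urllib.request.urlopen):
    """POST to hook_url (the .../sendMessage URL) and return Telegram's parsed reply.

    `opener` is injectable so the function can be exercised without network access.
    Raises RuntimeError when Telegram answers ok=false.
    """
    body = json.dumps({"chat_id": chat_id, "text": text}).encode("utf-8")
    req = urllib.request.Request(hook_url, data=body,
                                 headers={"Content-Type": "application/json"})
    with opener(req, timeout=10) as resp:
        reply = json.load(resp)
    if not reply.get("ok"):
        raise RuntimeError("Telegram rejected the message: %s" % reply.get("description"))
    return reply


def fake_opener(reply_dict):
    """Return an opener that answers every request with reply_dict (dry runs only)."""
    def _open(req, timeout=None):
        return io.BytesIO(json.dumps(reply_dict).encode("utf-8"))
    return _open


def write_alert_file(alert):
    """Write the alert the way Wazuh does, for a manual run of the wrapper:
    /var/ossec/integrations/custom-telegram <file> "" https://api.telegram.org/bot<YourBotToken>/sendMessage
    """
    fd, path = tempfile.mkstemp(prefix="custom-telegram-", suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(alert, fh)
    return path


if __name__ == "__main__":
    path = write_alert_file(SAMPLE_ALERT)
    print("alert file for a manual wrapper run:", path)
    print(format_alert(SAMPLE_ALERT))
    # Dry run of the failure path, no network involved
    try:
        send_message("https://api.telegram.org/botTOKEN/sendMessage", "1", "test",
                     opener=fake_opener({"ok": False, "description": "Bad Request: chat not found"}))
    except RuntimeError as err:
        print("expected failure:", err)
```

Wazuh only hands an alert to the script when it passes the filters in the integration block (the page's `<level>3</level>` means level 3 and above), so a manual run with the temporary file is the quickest way to check the script and the chat ID independently of rule matching. Once a manual run delivers a message, a failing live alert points at the ossec.conf filters or the manager restart rather than at the script.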
