10. Integrating Wazuh with Telegram for Real-Time Security Alerts


In the realm of cybersecurity, timely alerts are crucial for responding to potential threats. Wazuh, an open-source security monitoring platform, can be integrated with Telegram to send real-time alerts to a group chat, enabling security teams to stay informed on the go. This blog post walks you through the steps to set up Wazuh to send alerts to a Telegram group using a custom integration script.
Prerequisites
A running Wazuh instance (Wazuh Manager installed).
A Telegram account and access to the Telegram app.
Basic knowledge of Linux command-line operations.
Access to the /var/ossec/integrations/ directory on the Wazuh server.
Step 1: Create a Telegram Bot
To send alerts to a Telegram group, you first need to create a Telegram bot. Here's how:
Open the Telegram app and search for @BotFather.
Start a chat with BotFather and type /newbot to create a new bot.
Follow the prompts to choose a name for your bot (e.g., @WazuhSecurityBot).
Once created, BotFather will provide an API key. Save this key, as it will be used for the integration. The API endpoint for sending messages will look like this:
https://api.telegram.org/bot<API_KEY>/sendMessage
Step 2: Add the Bot to a Telegram Group
Open your bot using the link provided by BotFather (e.g., t.me/<yourbotname>).
Create a new Telegram group or use an existing one.
Add your bot to the group and ensure it has permissions to send messages.
Step 3: Retrieve the Chat ID
To send messages to the correct group, you need the group's Chat ID. Follow these steps to retrieve it:
Send a test message to the Telegram group where your bot is added (e.g., type "Hello" in the group).
Use the bot’s API key to query Telegram for recent updates. Open a web browser or use a tool like curl to make the following API call, replacing <API_KEY> with your bot’s API key:
curl https://api.telegram.org/bot<API_KEY>/getUpdates
The response will be a JSON object. Look for the chat object in the message section. The id field within the chat object is the Chat ID. It will look something like -4518350979 (group IDs typically start with a minus sign).
Example response snippet:
{
  "ok": true,
  "result": [
    {
      "update_id": 123456789,
      "message": {
        "message_id": 1,
        "chat": {
          "id": -4518350979,
          "title": "Wazuh Alerts Group",
          "type": "group"
        },
        "text": "Hello"
      }
    }
  ]
}
Note down the Chat ID (e.g., -4518350979) for use in the integration script.
Step 4: Configure Wazuh Integration
Add the Telegram integration to the Wazuh configuration file (/var/ossec/etc/ossec.conf). Include the following code inside the <ossec_config> section:
<integration>
  <name>custom-telegram</name>
  <level>10</level>
  <api_key>TELEGRAM_CHAT_ID</api_key>
  <hook_url>https://api.telegram.org/bot<TELEGRAM_API_TOKEN>/sendMessage</hook_url>
  <alert_format>json</alert_format>
</integration>
Replace <TELEGRAM_API_TOKEN> in the hook_url with the API key provided by BotFather. The hook_url must be the full sendMessage endpoint shown in Step 1, because Wazuh passes it to the integration script as the URL the alert is posted to. The <level> value means only alerts of level 10 or higher are forwarded; lower it if you want noisier notifications.
For more details, please refer to the official Wazuh documentation on custom integrations.
Step 5: Deploy the Custom Telegram Integration Script
Download the custom integration scripts (custom-telegram and custom-telegram.py) from the following GitHub repository:
https://github.com/hawkteam404/wazuh-opencti/blob/main/custom-telegram
Place both files in the /var/ossec/integrations/ directory on your Wazuh server.
Set the appropriate permissions for the scripts by running:
chown root:wazuh /var/ossec/integrations/custom-telegram*
chmod 750 /var/ossec/integrations/custom-telegram*
Open the custom-telegram.py script and update the CHAT_ID variable with the Chat ID obtained in Step 3. For example:
CHAT_ID = "-4518350979"
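As an added illustration (not the script from the repository above), the following Python shows the two pieces of logic such an integration depends on: picking the group Chat ID out of the getUpdates response from Step 3, and turning the alert JSON that Wazuh hands the script into a sendMessage body. Function names and sample data are constructed for this example.

```python
import json

# Telegram's sendMessage rejects text longer than 4096 characters.
TELEGRAM_TEXT_LIMIT = 4096


def extract_group_chat_ids(get_updates_response: str) -> list:
    """Return distinct group/supergroup chat IDs from a getUpdates response (Step 3)."""
    data = json.loads(get_updates_response)
    if not data.get("ok"):
        raise ValueError("Telegram API returned ok=false")
    ids = []
    for update in data.get("result", []):
        chat = update.get("message", {}).get("chat", {})
        # Private chats also show up in getUpdates; only group IDs are wanted here.
        if chat.get("type") in ("group", "supergroup") and chat.get("id") not in ids:
            ids.append(chat["id"])
    return ids


def build_telegram_payload(alert: dict, chat_id: str) -> dict:
    """Build a sendMessage body from one Wazuh alert.

    Wazuh invokes a custom integration as: <script> <alert_file> <api_key> <hook_url>;
    the alert_file holds the alert JSON this function expects.
    """
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    lines = [
        "Wazuh alert (level %s)" % rule.get("level", "?"),
        "Rule %s: %s" % (rule.get("id", "?"), rule.get("description", "")),
        "Agent: %s (%s)" % (agent.get("name", "?"), agent.get("ip", "?")),
        "Time: %s" % alert.get("timestamp", "?"),
    ]
    text = "\n".join(lines)
    if len(text) > TELEGRAM_TEXT_LIMIT:  # keep the request within Telegram's limit
        text = text[: TELEGRAM_TEXT_LIMIT - 3] + "..."
    return {"chat_id": chat_id, "text": text}


# Constructed sample data, not captured from a live system.
SAMPLE_GET_UPDATES = json.dumps({"ok": True, "result": [
    {"update_id": 1, "message": {"message_id": 1, "text": "Hello",
        "chat": {"id": -4518350979, "title": "Wazuh Alerts Group", "type": "group"}}},
    {"update_id": 2, "message": {"message_id": 2, "text": "/start",
        "chat": {"id": 1111, "type": "private"}}},
]})
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "rule": {"level": 10, "id": "100001", "description": "Constructed test rule"},
    "agent": {"name": "web-01", "ip": "10.0.0.5"},
}
```

The payload returned by build_telegram_payload is what the script would POST as JSON to the hook_url configured in Step 4.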
Step 6: Restart Wazuh Manager
To apply the changes, restart the Wazuh Manager service:
systemctl restart wazuh-manager
Step 7: Test the Integration
Trigger a test alert in Wazuh (e.g., by simulating a security event or using a test rule). Check your Telegram group to ensure the bot is sending alerts as expected. The alerts will be formatted in JSON, containing details about the security event.
Troubleshooting Tips
No Alerts in Telegram: Verify the API key and Chat ID in the script and configuration. Ensure the bot has permission to send messages in the group.
Script Permission Issues: Double-check the ownership and permissions of the custom-telegram and custom-telegram.py files.
Wazuh Manager Errors: Check the Wazuh logs (/var/ossec/logs/ossec.log) for any integration-related errors.
Conclusion
Integrating Wazuh with Telegram provides a simple yet effective way to receive real-time security alerts on a platform that your team already uses. By following the steps above, you can set up this integration in minutes and enhance your incident response capabilities.
Written by

FPT Metrodata Indonesia
PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.