A few months back I wrote about encrypting OSSEC email alerts here, using procmail. In this article I’ll use procmail as well to call a script that will send the alert via Jabber.
As a recap:
- OSSEC receives an alert and needs to send an email;
- The MTA (postfix) hands local delivery to procmail as its delivery agent, because of the mailbox_command = /usr/bin/procmail setting in /etc/postfix/main.cf;
- procmail then executes the recipe found in the home directory of the user the mail was addressed to (/var/ossec/.procmailrc);
- This recipe will execute a script (send_encrypted_alarm.sh) that will send an encrypted mail.
Give the alert file (/var/ossec/tmp/alert.txt) the right owner and permissions:
chown ossec:root /var/ossec/tmp/alert.txt
chmod 664 /var/ossec/tmp/alert.txt
send_encrypted_alarm.sh will now also call a script that sends the Jabber message. It will look like this:
#!/bin/bash
# Strip the mail headers and keep only the alert body in the temp file
/usr/bin/formail -I "" > /var/ossec/tmp/alert.txt
# Encrypt the alert and send it by mail, as in the earlier article
cat /var/ossec/tmp/alert.txt | /usr/bin/gpg --homedir /var/ossec/.gnupg --trust-model always -ear "email@example.com" | /usr/bin/mail -s "$SUBJECT" firstname.lastname@example.org
# New: also send the alert as a Jabber message (recipient JID, then the alert file)
/usr/bin/python /var/ossec/send_jabber_alarm.py email@example.com /var/ossec/tmp/alert.txt
Now, let's create the /var/ossec/send_jabber_alarm.py script. First we will need to download the xmpppy module from http://sourceforge.net/projects/xmpppy/files/xmpppy/. Do the regular tar zxvf to extract it, go to the directory with the unpacked files and do the typical stuff to install it (python setup.py install). Then create send_jabber_alarm.py and add the following:
#!/usr/bin/python
import sys,os,xmpp,time

# Usage: send_jabber_alarm.py JID file   (JID = recipient, file = the alert text)
if len(sys.argv) < 3:
    print "Syntax: send_jabber_alarm.py JID file"
    sys.exit(0)
tojid=sys.argv[1]
m = open(sys.argv[2],'r')
array = m.readlines()
m.close()
msg=""
for record in array:
    msg = msg + record

username = 'firstname.lastname@example.org' # from whom will the message be sent
password = 'test'
jid=xmpp.protocol.JID(username)
cl=xmpp.Client(jid.getDomain(),debug=[]) # debug=[] silences xmpppy's console output
con=cl.connect()
if not con:
    print "Could not connect"
    sys.exit()
auth=cl.auth(jid.getNode(),password,resource=jid.getResource())
if not auth:
    print "Authentication failed"
    sys.exit()
#cl.SendInitPresence(requestRoster=0) # you may need to uncomment this for old server
id=cl.send(xmpp.protocol.Message(tojid, msg))
time.sleep(1) # some older servers will not send the message if you disconnect immediately after sending
#cl.disconnect()
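A reworked version of that script, added here as an example and not the code from the post: it keeps the same xmpppy calls but reads the password from an assumed /var/ossec/.jabber_password file that must be mode 0600 instead of hardcoding it, refuses a malformed recipient JID, caps the body length, and takes the send function as a parameter so everything except the network step can be exercised without a server. MAX_BODY, PASSWORD_FILE and the helper names are my own choices.

```python
#!/usr/bin/env python
import io, os, re, stat, sys

MAX_BODY = 4000                                # assumed cap on the body, in characters
PASSWORD_FILE = "/var/ossec/.jabber_password"  # assumed location, must be chmod 0600
JID_RE = re.compile(r"^[^@/\s]+@[^@/\s]+$")   # bare JID: node@domain, no resource part

def is_valid_jid(jid):  # only a bare node@domain is accepted; nothing is guessed at
    return JID_RE.match(jid) is not None

def truncate_body(text, limit=MAX_BODY):
    # cap the message so one huge alert cannot turn into an oversized stanza
    if len(text) <= limit:
        return text
    return text[:limit] + "\n[... truncated by send_jabber_alarm.py]"

def password_is_private(mode):  # True when no group or world permission bits are set
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def load_password(path=PASSWORD_FILE):
    if not password_is_private(os.stat(path).st_mode):
        raise RuntimeError("%s must be chmod 0600" % path)
    with io.open(path) as f:
        return f.read().strip()

def xmpppy_send(to, body, password, username="firstname.lastname@example.org"):
    # same xmpppy calls as the post's script; imported lazily so the rest works without it
    import time, xmpp
    jid = xmpp.protocol.JID(username)
    cl = xmpp.Client(jid.getDomain(), debug=[])
    if not cl.connect() or not cl.auth(jid.getNode(), password, resource=jid.getResource()):
        raise RuntimeError("XMPP connect or authentication failed")
    cl.send(xmpp.protocol.Message(to, body))
    time.sleep(1)  # older servers drop the message if we disconnect straight away
    cl.disconnect()

def main(argv, send=xmpppy_send):
    # Usage: send_jabber_alarm.py JID alertfile; returns (jid, body) after sending
    if len(argv) < 3:
        raise SystemExit("Syntax: send_jabber_alarm.py JID alertfile")
    if not is_valid_jid(argv[1]):
        raise SystemExit("invalid recipient JID: %r" % argv[1])
    with io.open(argv[2], errors="replace") as f:
        body = truncate_body(f.read())
    send(argv[1], body, load_password())
    return argv[1], body

if __name__ == "__main__":
    main(sys.argv)
```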
That’s it. Every time an alert is generated with a level that is high enough to send a mail, a jabber message will be sent as well.