I want all OSSEC notifications to be routed to a Slack room instead of email. 2.9.Beta5 has a ossec-slack.sh active response script. The relevant parts of my ossec.conf are:
<command>
<name>ossec-slack</name>
<executable>ossec-slack.sh</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<command>ossec-slack</command>
<location>local</location>
<level>1</level>
</active-response>
This works for SSH logins (failed and successful), but as far as I can tell doesn't trigger anything else. What am I doing wrong/how are others doing this? Is this just beta software being beta software?
First make sure your ossec-slack.sh file has the correct information in the top:
# FILE: /var/ossec/active-response/bin/ossec-slack.sh
SLACKUSER="ossec"
CHANNEL="#slack_chanel" # include the hash "#"
SITE="https://hooks.slack.com/services/TOKEN"
SOURCE="ossec2slack"
Your "SLACKUSER" is the same as the "Customize Name" field that you set in your Slack WebHook Integrations page.
Now that your ossec-slack.sh file is set up you can test your Slack integration manually:
/var/ossec/active-response/bin/ossec-slack.sh
Running the script manually will post recent entries from your alerts log file:
/var/ossec/logs/alerts/alerts.log
When this script is triggered as an active-response, it will only post the information for the current alert, rather than posting from your log file.
When you have verified that you can post Slack messages manually, add the following XML blocks to your ossec.conf file:
<!-- FILE: /var/ossec/etc/ossec.conf -->
<ossec_config>
<command>
<name>ossec-slack</name>
<executable>ossec-slack.sh</executable>
<expect></expect> <!-- no expect args required -->
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<command>ossec-slack</command>
<location>local</location>
<level>3</level>
</active-response>
</ossec_config>
The settings above will post to your Slack channel whenever a level 3 or above alert is triggered.
Note: no arguments are required within the <expect> tag. But the <expect> tag itself, is required. See OSSEC's active-response documentation for more information.
To test this integration, restart your ossec server:
/var/ossec/bin/ossec-control restart
You should see the "OSSEC Started" alert very quickly:
If you do not see the alert, check your logs for any misconfigurations:
tail /var/ossec/etc/logs/ossec.log
tail /var/ossec/logs/active-responses.log
Not a full answer, but adding on here. To ensure this works, make sure you don't have this set in /var/ossec/etc/ossec.conf. If it's there, just remove.
<active-response>
<disabled>yes</disabled>
</active-response>
Related
I have a requirement to send out a slack message via jenkins post build step based on certain condition. I have put the below code snippet under "Custom Message" of Slack Notification of my jenkins build. Below prints the entire content of get_schedule_response.txt.
Here's the result for the schedule execution --------> ${FILE,path="$WORKSPACE/get_schedule_response.txt"}
I want to send out this slack notification only if the get_schedule_response.txt file content contains text SUCCESS in it. Is it possible to do?
by using grep command u can find out the word SUCESSS in the file get_schedule_response.txt file
if [(grep -o "SUCCESS" "$WORKSPACE/get_schedule_response.txt"}) = "SUCCESS"];
then
#include your slack notification for success
else
#include your slack notification for success
# -o : Print only the matched parts of a matching line,
to refer all options for grep command follow this link
https://www.geeksforgeeks.org/grep-command-in-unixlinux/
Keep forgetting that Logging chapter of the the Kernel User's Guide already has an answer.
Paraphrasing the 2.9 Example: Add a handler to log info events to file section in the Logging chapter of the Kernel User's Guide:
1. Set log level (default: notice)
Globally: logger:set_primary_config/2
For certain modules only: logger:set_module_level/2
Accepted log levels (from least severe to most):
debug, info, notice, warning, error, critical, alert, emergency
Note:
The default log level in the Erlang shell is notice, so if you leave it as is, but set a lower level (such as debug or info) when adding a log handler in the next step, those level of logs will never get through.
Example:
logger:set_primary_config(level, debug).
2. Configure and add log handler
Specify the handler configuration map, for example:
Config = #{config => #{file => "./sample.log"}, level => debug}.
And add the handler:
logger:add_handler(to_file_handler, logger_std_h, Config).
logger_std_h is the standard handler for Logger.
3. Filter out logs below a certain level on Erlang shell
Following the examples above, all levels of logs will be printed. To restore the notice default, but still save every level of logs in the file), use logger:set_handler_config/3.
logger:set_handler_config(default, level, notice).
Work in progress: Log each process' events into their own logfile
This module documents my (partially successful) attempts; will revisit and expand on this section when time permits. My use case was that the FreeSWITCH phone server would spawn an Erlang process to handle the call, and so logging each of them into their own files made sense at the time.
I have a Pylint running in a Jenkins pipeline. To implement it, I used Gerrit trigger plugin and Next Generation Warnings plugin. Everything is working as expected - Jenkins is joining the review, checks change with pylint and generates report.
Now, I'd like to post pylint score in a custom "Build successful" message. I wanted to pass the pylint score to a environment variable and use it in dedicated window for Gerrit plugin message.
Unfortunately no matter what I try, I cannot pass any "new" variable to the message. Passing parameters embedded in pipeline works (e.g. patchset number).
I created new environment variable in Configure Jenkins menu, tried exporting to shell, writing to it (via $VAR and env. syntax) but nothing works - that is, build message displays raw string like $VAR instead of what variable contains.
What should I do to pass local pylint score (distinct for every pipeline occurence) to the custom build message for Gerrit?
I don't think the custom message can be used for this. This is just supposed to be a static message.
They way I do this is to use the SSH command to perform the review. You can also achieve the same using the REST API.
First I run my linting and white space checking script that will generate a json file with the information I would like to pass to Gerrit. Next I send it to Gerrit using SSH. See below my pipeline script and an example json file.
As a bonus I have added the robot comments. This will now show up in your review as a remark from Jenkins that line 8 of my Jenkins file has a trailing white space. You can easily replace this with your lint result of you like or just ignore it and only put the message. It is easier to use a json file as it will make it easier to create multi line messages
node('master') {
sh """
cat lint_change.json | ssh -p ${env.GERRIT_PORT} ${env.GERRIT_HOST} gerrit review ${env.GERRIT_PATCHSET_REVISION} --json
"""
}
Example json file:
{
"labels": {
"Code-Style": "-1"
},
"message": "Lint Bot Review\nLint Results:\n Errors: 0\n Warnings: 0\n\nWhitespace results:\n Errors: 1",
"robot_comments": {
"Jenkinsfile": [
{
"robot_id": "lint-bot",
"line": "8",
"message": "trailing whitespace."
}
]
}
}
Alternatively, you may want to look at a new gerrit-code-review-plugin that should make this things even easier. However, I have not tried this yet.
--- Problem resolved. see comment ---
pytest-html is great. When viewing the report locally I can click the check box [pass][fail][skip]. I also can click the sort button for each column
I use Jenkins "publish html report" to see the report on Jenkins. The column sort button is gone, the check boxes are gone. Thanks in advance.
pytest -vs ${test_suite} --url $url --junitxml ${test_suite_xml} --html=${test_suite_html}
pytest-html 1.19.0
Jenkins 2.121.2
html publisher plugin 1.16
Found the reason. Java Script is disabled.
follow this link to set Content Security Policy
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")
What confused me was, nothing seems happen after running that command. Here is why:
How to interpret the output:
No output below "Result" header: default protection
Output Result: below "Result" header: protection disabled
Output Result: some text here below "Result" header: custom protection
Inside the Execute Shell, a LIST=$(ls -1 dir_name/*rpm) is done. How can I pass the contents of LIST so that they're displayed in the Default Content or whatever is the body of the Editable Email Notification?
You can use the InjectEnv plugin with some settings like below:
In the Jenkins build step (or post step), you can use the $MY_LIST variable:
+ echo build-failure-analyzer.xml buildtriggerbadge.xml cloudbees-plugin-gateway.xml com.cloudbees.dockerpublish.DockerBuilder.xml com.orctom.jenkins.plugin.globalpostscript.GlobalPostScript.xml com.tikal.jenkins.plugins.multijob.PhaseJobsConfig.xml config_project_creation.xml config.xml config.xml.old Connection Activity monitoring to slaves.log credentials.xml Download metadata.log envinject-plugin-configuration.xml envInject.xml Fingerprint cleanup.log hudson.maven.MavenModuleSet.xml hudson.model.UpdateCenter.xml hudson.plugins.copyartifact.TriggeredBuildSelector.xml hudson.plugins.git.GitSCM.xml hudson.plugins.git.GitTool.xml hudson.plugins.groovy.Groovy.xml hudson.plugins.logfilesizechecker.LogfilesizecheckerWrapper.xml