active response script for OSSEC(, written in perl, to send jabber(xmpp) messages of certain alerts.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

124 lines
2.7 KiB

#!/usr/bin/env perl
#ABSTRACT: script to send ossec alerts through jabber as an active response
use strict;
use warnings;
use File::Basename;
use OSSEC;
use Try::Tiny;
use XML::LibXML;
use Pod::Usage;
if($ARGV[0] eq "--help" || $ARGV[0] eq "-h")
pod2usage(-verbose => 2);
my $ALERTID = $ARGV[3];
my $ossec = OSSEC->new();
my $log = $ossec->arLog();
my $mysql = $ossec->mysql();
# load configuration file if exist
if (! -e $ossec->ossecPath() . "/etc/jabber.conf")
$log->fatal("ossec-jabber","no \"" . $ossec->ossecPath() . "/etc/jabber.conf\" found");
# at the moment we rely on the alerts being in a mysql database
if (!$ossec->mysqlAvail())
$log->fatal("ossec-jabber","no mysql database configuration found");
open(my $fh, '<', $ossec->ossecPath() ."/etc/jabber.conf");
binmode $fh;
my $config = XML::LibXML->load_xml(IO => $fh);
close $fh;
#fetch options
my $options="";
my @options_nodes = $config->getElementsByTagName("options");
if (@options_nodes)
$options = $options_nodes[0]->textContent;
#fetch $recipients
my @recipient_nodes = $config->getElementsByTagName("recipient");
my @recipients;
if (@recipient_nodes)
my $r = $recipient_nodes[0]->textContent;
$r =~s/\n//g;
#wait for mysql update from ossec
#sometimes updating the mysql database requires some time because of OSSEC internals
sleep 3;
my $alert;
try {
$alert = $mysql->searchAlert($ALERTID);
}catch {
$log->fatal("ossec-jabber"," alert $ALERTID not found");
my $message .= $alert->{timestamp_string} . " on agent " . $alert->{"agent"} . ": " . $alert->{"description"};
for my $r (@recipients)
$log->info("ossec-jabber", "send to $r alert " . $ALERTID . " Description: " . $alert->{description});
readpipe("echo \" $message \" | sendxmpp $options $r");
=head1 NAME
ossec-jabber - send OSSEC alerts through jabber (XMPP) using sendxmpp commandline tool
ossec-jabber [action] [username] [srcip] [alertid] [ruleid] [agent name] [filename]
-help | -h brief help message
please read OSSEC documentation for all the parameters
B<This program> will search for the given alertid in the OSSEC mysql database and
send it via B<sendxmpp> through a jabber server.
=head2 sendxmpp
Please install B<sendxmpp> and provide a working sendxmpp configuration file.
The configuration file has to be placed under B<OSSEC_BASE>/etc/jabber.conf
=head2 Example