Difference between revisions of "OSSec+SMS"
From Atomicorp Wiki
Latest revision as of 16:09, 28 June 2024
OSSEC SMS notification on CentOS with ASL
This tutorial will help you use the ossec notification system provided by ASL to send alerts to your phone.
1) Create an account with Clickatell (they will be providing the sms gateway service)
2) Add some credit to your account
3) Create a "Connection" and note your API_ID
4) download and install smssend
wget http://www.barsnick.net/sw/smssend-3.2-1.i586.rpm
yum install smssend-3.2-1.i586.rpm
5) create the .sms file you will be using
cat > /usr/share/smssend/clickatell.sms << "EOF"
NbParams 7
%Sessionid : Session ID
%Login : Your username
%Password : Your Pass
%ApiID : Your API ID
%Sender : API Sender Name
%Tel : Phone number To Send Message To
%Message Size=160 Convert : Your message
PostURL https://api.clickatell.com/http/sendmsg?
#GetURL https://api.clickatell.com/http/sendmsg?
#Params session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message%
PostData session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message%
Search ID:
PrintMsg message sent
Else
ErrorMsg 1 error sending message
GO
EOF
6) add the following to your /var/ossec/etc/ossec.conf
<command>
  <name>smsnotify</name>
  <executable>smsnotify.sh</executable>
  <expect>srcip</expect>
</command>

<active-response>
  <!-- This response will notify the admin via
     - sms for every event that fires a rule with
     - level (severity) >= 10.
  -->
  <command>smsnotify</command>
  <location>local</location>
  <level>10</level>
</active-response>
7) create your own smsnotify.sh
cat > /var/ossec/active-response/bin/smsnotify.sh << "EOF"
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# OSSEC calls active-response scripts as: action user srcip alertid rulenumber ...
ACTION=$1
USER=$2
IP=$3

# The alert id looks like "<epoch>.<counter>"; keep the epoch part for the log lookup
ALERTID=`echo "$4" | cut -d "." -f 1`

# Getting alert header (rule line and source IP) from alerts.log
LOG=`grep -A 3 "$ALERTID" /var/ossec/logs/alerts/alerts.log | tail -n 2`

# Create session and save it to a private temp file
# (replace yourapi_id, yourusername and yourpassword with your Clickatell details;
#  https keeps the credentials from crossing the network in cleartext)
SESSFILE=`mktemp /tmp/sessionid.XXXXXX`
wget "https://api.clickatell.com/http/auth?api_id=yourapi_id&user=yourusername&password=yourpassword" -O "$SESSFILE" -q

# Use only the session id for the variable (the auth call answers "OK: <session id>")
sessionid=`awk '{print $2}' "$SESSFILE"`
rm -f "$SESSFILE"

# Send sms (replace yourphoneNo with the destination number)
smssend clickatell.sms "$sessionid" yourusername yourpassword yourapi_id "ServerAlert" yourphoneNo "$LOG"
EOF
chmod 755 /var/ossec/active-response/bin/smsnotify.sh
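As an added example, not code from the Atomicorp wiki page or from the smssend project, the alert lookup that smsnotify.sh performs is written below as small shell functions so it can be exercised against a constructed alerts.log instead of a live OSSEC install. It assumes, as the script above does, that OSSEC passes the alert id as the fourth argument in "<epoch>.<counter>" form and that alerts.log carries "** Alert <epoch>.<counter>:" header lines; the sample log, the alert ids and the 203.0.113.7 address are constructed. It differs from the script above in two ways: it matches the full header line, so two alerts raised in the same second cannot bleed into each other's lookup, and it caps the message at the 160 characters declared by Size=160 in clickatell.sms.

```shell
#!/bin/sh
# Added example (not from the Atomicorp wiki): the alert lookup of smsnotify.sh
# as testable functions.  Assumption: OSSEC alert ids are "<epoch>.<counter>"
# and alerts.log headers read "** Alert <epoch>.<counter>: ...".

# Strip the counter from an OSSEC alert id: "1719590940.12345" -> "1719590940"
alert_epoch() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Print the two lines that follow the alert's date line (rule line and the
# "Src IP:" line) for the given alert id from the given log file.  Same
# "grep -A 3 ... | tail -n 2" shape as smsnotify.sh, but the exact header is
# matched, so an id that is only a prefix of another id cannot match.
alert_header() {
    id="$1"
    logfile="$2"
    grep -F -A 3 "** Alert ${id}:" "$logfile" | tail -n 2
}

# Cap a message at the 160-character SMS limit declared in clickatell.sms
# (Size=160), folding newlines into spaces so the gateway gets one line.
sms_body() {
    printf '%s' "$1" | tr '\n' ' ' | cut -c1-160
}

# Constructed sample alerts.log: two alerts raised in the same second, in the
# usual OSSEC layout (header, date line, rule line, source IP, raw log line).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" << 'EOF'
** Alert 1719590940.12345: - syslog,sshd,authentication_failed,
2024 Jun 28 16:09:00 host01->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.7
Jun 28 16:09:00 host01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2

** Alert 1719590940.12346: - syslog,sshd,
2024 Jun 28 16:09:01 host01->/var/log/secure
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 203.0.113.7
Jun 28 16:09:01 host01 sshd[2213]: Invalid user test from 203.0.113.7
EOF

# Build the SMS text for the level-10 alert, as the active response would.
demo() {
    hdr=$(alert_header "1719590940.12345" "$SAMPLE_LOG")
    sms_body "$hdr"
}

demo
```

Running the file prints the rule line and source IP of the first alert on one line; looking up the epoch alone, as the script above does, would return lines from whichever same-second alert is last in the file.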
8) run asl -f -s to restart OSSEC and you are good to go :)
Enjoy