Currently I see only email notifications that can be sent for alerts in OSSEC. Is there any way to make an HTTP call in case of an alert?
I couldn't find any direct way to send OSSEC notifications to a webhook URL. But I got this working with the help of Logstash, which we use for log parsing and indexing. I added a Logstash output with the following configuration:
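    output {
      # Only forward events tagged as OSSEC alerts by the input/filter stage
      if [type] == "ossec_alert" {
        http {
          http_method => "post"
          url => "https://mythhpwebhook.com?key=1234"
          content_type => "application/json"
          # Fields of the JSON body sent to the webhook (hash syntax)
          mapping => {
            "Subject" => "OSSEC Alert: %{signature}"
            "Message" => "%{message}"
          }
        }
      }
    }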
Note: message and signature are variables from the filter applied to the OSSEC input.
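
The receiving side of the output above, as an added example that is not part of the original answer: a small Python webhook that checks the `key` query parameter, the content type and the `Subject`/`Message` body before accepting an alert. The names `check_alert`, `Hook` and `MAX_BODY`, the listening address and the chosen status codes are assumptions; the key is the same placeholder used in the `url` setting.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

EXPECTED_KEY = "1234"     # placeholder key from the url in the Logstash output
MAX_BODY = 64 * 1024      # assumed size cap for one alert body

def check_alert(path, content_type, body):
    """Validate one POST; return (status, alert) where alert is a dict or None."""
    keys = parse_qs(urlsplit(path).query).get("key", [])
    # Constant-time comparison so the key cannot be guessed from timing.
    if len(keys) != 1 or not hmac.compare_digest(keys[0].encode(), EXPECTED_KEY.encode()):
        return 403, None
    if (content_type or "").split(";")[0].strip().lower() != "application/json":
        return 415, None
    if len(body) > MAX_BODY:
        return 413, None
    try:
        doc = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(doc, dict):
        return 400, None
    subject, message = doc.get("Subject"), doc.get("Message")
    if not isinstance(subject, str) or not isinstance(message, str):
        return 400, None
    # A literal %{field} means the Logstash filter never set that field.
    if "%{" in subject or "%{" in message:
        return 422, None
    return 200, {"Subject": subject, "Message": message}

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", 0))
        except ValueError:
            length = 0
        body = self.rfile.read(min(max(length, 0), MAX_BODY + 1))
        status, alert = check_alert(self.path, self.headers.get("Content-Type"), body)
        if alert:
            print(alert["Subject"])   # hand off to paging or ticketing here
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

A key carried in the query string ends up in proxy and web server access logs, so treat it as a weak shared secret and rotate it if those logs are exposed.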