ruisage
Scout Sweeper II

Lansweeper on-prem (ticketing) integration with SIEM Wazuh.

Comments
Knytmar3
Scout Sweeper

Hi Ruisage,

A workaround you could consider until a full integration is implemented is setting up email alerts on your Wazuh server.

Prerequisites:
  Wazuh Dashboard: Administrator rights
  Lansweeper: Edit Configuration rights or higher
  Wazuh Server (low-level troubleshooting): sudo administrator access

Open the Lansweeper configuration, Ticket Content.
Add a Security Team or any relevant teams required to be notified, then under Ticket Type, click Add Ticket Type, name the ticket type (Wazuh SIEM/Security Alert) and complete the rest of the categories as seen fit for your environment.
Once the ticket type has been created, set the Agent team to the designated team which was initially created.
Further customization can be done as needed for your environment.

While within the Lansweeper configuration, navigate to Email Settings, section Ticket Dispatching, and add a rule.
Name the rule accordingly, change the Conditions field to From Email, leave the Equal field, then insert the email address intended to be used for the Wazuh email alert configuration.
Under Actions select Set Ticket Type, then select the ticket type category created for Wazuh/Security alerts.

Now move to the Wazuh Dashboard, open the menu list, go to Server Management, click on the drop-down list and select Settings. From the Settings configuration, select Alerts under Alerts and output management.
Go to the Email Alerts tab and configure the email alert settings.
Under the General tab, define the minimum level of severity at which you would like the alerts to fire.

References:
Perform actions on new tickets using dispatching rules: https://community.lansweeper.com/t5/configuring-using-the-helpdesk/perform-actions-on-new-tickets-us...
Configure ticket types, states and priorities: https://community.lansweeper.com/t5/configuring-using-the-helpdesk/configure-ticket-types-states-and...
Create and add custom fields to ticket types: https://community.lansweeper.com/t5/configuring-using-the-helpdesk/create-and-add-custom-fields-to-t...
Alert management server configuration: https://documentation.wazuh.com/current/user-manual/manager/alert-management.html#generic-email-opti...

Notes:
From my experience, upgrading your Wazuh environment created a new ossec configuration file, no longer allowing email alerts to be configured within the Dashboard, but they can still be configured from the file ossec.conf.new in /var/ossec/etc/ on the Wazuh server.
At the time of your post you would have had version 4.8/4.9 installed. Current version available: 4.10.
PS: version 4.10 now allows for agent upgrades within the Dashboard rather than having to update via the RESTful API and the PUT /agents/upgrade command.

Regards,
Knytmar3
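The server-side email configuration the notes above point to, as an added illustration that is not part of Knytmar3's reply: a constructed ossec.conf fragment (placeholder SMTP host and addresses) whose email_from value is the address a Lansweeper dispatching rule would match on.

```xml
<ossec_config>
  <global>
    <!-- Constructed example: replace host and addresses with your own values -->
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.internal</smtp_server>
    <!-- The Lansweeper dispatching rule (Conditions: From Email) matches on this address -->
    <email_from>wazuh-alerts@example.internal</email_from>
    <email_to>helpdesk@example.internal</email_to>
    <!-- Cap mails per hour so one noisy rule cannot flood the helpdesk with tickets -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <!-- Minimum rule level that produces an email: the "minimum severity" set in the dashboard -->
    <email_alert_level>10</email_alert_level>
  </alerts>

  <!-- Optional finer routing: send level 12 and above immediately, one alert per mail,
       so each high-severity event becomes its own ticket instead of a grouped digest -->
  <email_alerts>
    <email_to>helpdesk@example.internal</email_to>
    <level>12</level>
    <do_not_delay />
    <do_not_group />
    <format>full</format>
  </email_alerts>
</ossec_config>
```

Restart the manager afterwards (`systemctl restart wazuh-manager`) for the change to take effect.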
