# Wazuh Integration

[Wazuh](https://wazuh.com/) is an open-source security platform that unifies XDR and SIEM capabilities to protect workloads across on-premises, virtualized, containerized, and cloud environments. Integrating Wazuh with ilert lets you route security alerts from the Wazuh Manager to the right on-call teams and manage incident response in one place.

## In ilert: Create a Wazuh alert source

1. Go to **Alert sources** -> **Alert sources** and click **Create new alert source**.

<figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FjX0cS4q7woTXKajZmc1W%2FScreenshot%202023-08-28%20at%2010.21.10.png?alt=media&#x26;token=8ef3666b-84eb-4b51-abee-f07303313941" alt=""><figcaption></figcaption></figure>

2. Search for **Wazuh** in the search field, click the Wazuh tile, and then **Next**.

<figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FlXzQlJpaTFSR49AZk0xA%2FScreenshot%202023-08-28%20at%2010.24.23.png?alt=media&#x26;token=cffeacb4-57b9-47d4-827d-b0f6b1afd914" alt=""><figcaption></figcaption></figure>

3. Give your alert source a name, optionally assign teams, and click **Next**.
4. Select an **escalation policy** by creating a new one or assigning an existing one.

<figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FNnuZqONaIhbOf6fn4OkZ%2FScreenshot%202023-08-28%20at%2011.37.47.png?alt=media&#x26;token=8a74f7b5-5bd2-4eea-97fa-1c1dbb041333" alt=""><figcaption></figcaption></figure>

5. Select your [Alert grouping](https://docs.ilert.com/alerting/configure-alerting/alert-sources#alert-grouping) preference and click **Continue setup**. You may click **Do not group alerts** for now and change it later.

<figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FueugN4JgHn1c90ggFA6u%2FScreenshot%202023-08-28%20at%2011.38.24.png?alt=media&#x26;token=b8009daf-3ca8-4264-a6fa-e42ef7333205" alt=""><figcaption></figcaption></figure>

6. The next page shows additional settings, such as custom alert templates or notification priority. Click **Finish setup** for now.
7. On the final page, copy the generated **integration key**. You will use it on the Wazuh Manager.

<figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2Fgit-blob-e7a1d64e3cb157b09e7f2c78685d86acdcdf6176%2Fwazuh-01-ilert-alert-source-url.png?alt=media" alt=""><figcaption></figcaption></figure>

## In Wazuh: Install the integration script

### Prerequisites

* Wazuh Manager installed and running
* Python 3 installed on the Wazuh server
* Python `requests` module installed:

  ```bash
  pip3 install requests
  ```
* The ilert integration key from the previous step

### 1. Download the script

Clone the [ilert-wazuh](https://github.com/iLert/ilert-wazuh) repository on your Wazuh Manager:

```bash
git clone https://github.com/iLert/ilert-wazuh.git
cd ilert-wazuh
```

### 2. Copy the script to the Wazuh integrations directory

```bash
cp custom-ilert /var/ossec/integrations/custom-ilert
```

### 3. Set permissions and ownership

```bash
chmod 750 /var/ossec/integrations/custom-ilert
chown root:wazuh /var/ossec/integrations/custom-ilert
```

### 4. Configure Wazuh

Edit `/var/ossec/etc/ossec.conf` and add the following inside the `<ossec_config>` block. Replace `INTEGRATION_KEY` with your ilert integration key:

```xml
<integration>
  <name>custom-ilert</name>
  <api_key>INTEGRATION_KEY</api_key>
  <hook_url>https://api.ilert.com/api/v1/events/wazuh/INTEGRATION_KEY</hook_url>
  <level>3</level>
  <alert_format>json</alert_format>
</integration>
```

The `<api_key>` field is required by Wazuh but is not used in the payload, since the integration key is already part of the `<hook_url>`.

The `<level>` option defines the minimum alert level that triggers the integration. Only alerts at or above this level are forwarded to ilert. The value must be equal to or greater than the `<log_alert_level>` in your `<alerts>` configuration — alerts below `<log_alert_level>` are not written to the alerts log and will never reach the integration.

| Level | Severity | Examples                                        |
| ----- | -------- | ----------------------------------------------- |
| 0-6   | Info     | System notifications, successful logins         |
| 7-9   | Warning  | Bad word matches, first time events             |
| 10-12 | Error    | Multiple failed logins, file integrity changes  |
| 13+   | Critical | Active attacks, high importance security events |

### 5. Restart the Wazuh Manager

```bash
systemctl restart wazuh-manager
```

## Verify the integration

Trigger a test alert:

```bash
systemd-cat -t sshd <<< "Failed password for invalid user admin from 192.168.1.100 port 22 ssh2"
```

Check the logs:

```bash
tail -f /var/ossec/logs/alerts/alerts.json
tail -f /var/ossec/logs/integrations.log
```

## Debug mode

To enable debug logging, add `debug` to the integration options:

```xml
<integration>
  <name>custom-ilert</name>
  <api_key>INTEGRATION_KEY</api_key>
  <hook_url>https://api.ilert.com/api/v1/events/wazuh/INTEGRATION_KEY</hook_url>
  <level>3</level>
  <alert_format>json</alert_format>
  <options>debug</options>
</integration>
```

Debug output is written to `/var/ossec/logs/integrations.log`.

## Severity mapping

The script maps the Wazuh rule level to an ilert event severity:

| Wazuh Level | ilert Severity |
| ----------- | -------------- |
| 0-6         | info           |
| 7-9         | warning        |
| 10-12       | error          |
| 13+         | critical       |
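The following block is an added Python example, not the `custom-ilert` script from the ilert-wazuh repository. It shows the contract a Wazuh custom integration script fulfils and implements the level-to-severity mapping from the table above. Assumptions not taken from this page: Wazuh's integrator daemon invokes the script as `custom-ilert <alert_file> <api_key> <hook_url> [options]` with the alert file holding one alert as JSON, and the ilert endpoint accepts a JSON body; the payload field names (`summary`, `severity`, `alertKey`, `details`) are illustrative. The HTTP call uses the standard library instead of `requests` so the block runs without extra dependencies, and the sample alert is constructed.

```python
"""Illustrative Wazuh -> ilert integration script (added example, not the project's code)."""
import json
import sys
import urllib.request
from typing import Callable

# Bands from the "Severity mapping" table on this page: (low, high, ilert severity).
SEVERITY_BANDS = (
    (0, 6, "info"),
    (7, 9, "warning"),
    (10, 12, "error"),
    (13, 10**6, "critical"),
)


def map_severity(level: int) -> str:
    """Map a Wazuh rule level to an ilert severity per the page's table."""
    if level < 0:
        raise ValueError(f"rule level must be non-negative, got {level}")
    for low, high, name in SEVERITY_BANDS:
        if low <= level <= high:
            return name
    return "critical"  # only reached for absurdly large levels


def load_alert(text: str) -> dict:
    """Parse the alert handed over by the integrator.

    alerts.json is newline-delimited JSON, so a file with several lines is
    tolerated by taking the last non-empty one (assumption: one alert per run).
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty alert file")
    return json.loads(lines[-1])


def passes_threshold(alert: dict, min_level: int) -> bool:
    """Mirror the <level> option: only alerts at or above it are forwarded."""
    return int(alert.get("rule", {}).get("level", 0)) >= min_level


def build_event(alert: dict) -> dict:
    """Assemble the event body for ilert (field names are an assumption)."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    level = int(rule.get("level", 0))
    return {
        "severity": map_severity(level),
        "summary": f"[{agent.get('name', 'unknown')}] {rule.get('description', 'Wazuh alert')}",
        "alertKey": f"wazuh-{alert.get('id', '')}",  # constructed de-duplication key
        "ruleId": rule.get("id"),
        "level": level,
        "details": alert,  # full alert kept for the responder
    }


def post_json(url: str, body: dict, timeout: float = 10.0) -> int:
    """POST the event; returns the HTTP status code."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def process(alert_text: str, hook_url: str,
            sender: Callable[[str, dict], int] = post_json, debug: bool = False) -> int:
    """Parse, map and send one alert; returns a process exit code (0 = delivered)."""
    event = build_event(load_alert(alert_text))
    if debug:
        print(json.dumps(event, indent=2), file=sys.stderr)  # mirrors <options>debug</options>
    status = sender(hook_url, event)
    return 0 if 200 <= status < 300 else 1


def main(argv) -> int:
    if len(argv) < 4:
        print("usage: custom-ilert <alert_file> <api_key> <hook_url> [options]", file=sys.stderr)
        return 2
    alert_file, _api_key, hook_url = argv[1], argv[2], argv[3]  # api_key unused: key is in hook_url
    debug = len(argv) > 4 and "debug" in argv[4]
    with open(alert_file, encoding="utf-8") as fh:
        return process(fh.read(), hook_url, debug=debug)


# Constructed sample alert in the shape of one alerts.json line (values are made up).
SAMPLE_ALERT = json.dumps({
    "id": "1693216870.123",
    "rule": {"id": "5710", "level": 5, "description": "sshd: login attempt for non-existent user"},
    "agent": {"id": "000", "name": "wazuh-manager"},
    "full_log": "Failed password for invalid user admin from 192.168.1.100 port 22 ssh2",
})

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wazuh applies the `<level>` threshold before the script is ever invoked, so `passes_threshold` only matters when you replay lines from `alerts.json` by hand to check which alerts would have been forwarded. The `sender` parameter lets you exercise the mapping and payload without a network call, which is also how the script can be tested on a manager that has no route to `api.ilert.com`.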

## FAQ

#### **Will alerts in ilert be resolved automatically?**

No. Wazuh alerts are events and are not automatically resolved by a follow-up state change. Resolve the corresponding ilert alert manually, or configure [alert auto-resolution](https://docs.ilert.com/alerting/configure-alerting/alert-sources) on the alert source.
