Wazuh Integration

Forward Wazuh alerts to ilert using a custom integration script to notify on-call teams and centralize security incident response.

Wazuh is an open-source security platform that unifies XDR and SIEM capabilities to protect workloads across on-premises, virtualized, containerized, and cloud environments. Integrating Wazuh with ilert lets you route security alerts from the Wazuh Manager to the right on-call teams and manage incident response in one place.

In ilert: Create a Wazuh alert source

  1. Go to Alert sources -> Alert sources and click Create new alert source.

  2. Search for Wazuh in the search field, click the Wazuh tile, and then Next.

  3. Give your alert source a name, optionally assign teams, and click Next.

  4. Select an escalation policy by creating a new one or assigning an existing one.

  5. Select your Alert grouping preference and click Continue setup. You may click Do not group alerts for now and change it later.

  6. The next page shows additional settings, such as custom alert templates or notification priority. Click Finish setup for now.

  7. On the final page, copy the generated integration key. You will use it on the Wazuh Manager.

In Wazuh: Install the integration script

Prerequisites

  • Wazuh Manager installed and running

  • Python 3 installed on the Wazuh server

  • Python requests module installed:

  • The ilert integration key from the previous step

1. Download the script

Clone the ilert-wazuh repository on your Wazuh Manager:

2. Copy the script to the Wazuh integrations directory

3. Set permissions and ownership

4. Configure Wazuh

Edit /var/ossec/etc/ossec.conf and add the following inside the <ossec_config> block. Replace INTEGRATION_KEY with your ilert integration key:

The <api_key> field is required by Wazuh but is not used in the payload, since the integration key is already part of the <hook_url>.

The <level> option defines the minimum alert level that triggers the integration. Only alerts at or above this level are forwarded to ilert. The value must be equal to or greater than the <log_alert_level> in your <alerts> configuration — alerts below <log_alert_level> are not written to the alerts log and will never reach the integration.

Level   Severity   Examples
0-6     Info       System notifications, successful logins
7-9     Warning    Bad word matches, first time events
10-12   Error      Multiple failed logins, file integrity changes
13+     Critical   Active attacks, high importance security events

5. Restart the Wazuh Manager

Verify the integration

Trigger a test alert:

Check the logs:

Debug mode

To enable debug logging, add debug to the integration options:

Debug output is written to /var/ossec/logs/integrations.log.

Severity mapping

The script maps the Wazuh rule level to an ilert event severity:

Wazuh Level   ilert Severity
0-6           info
7-9           warning
10-12         error
13+           critical
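The following is an added example, not code from the ilert-wazuh repository: it applies the <level> threshold and the severity bands from the table above to one record in the alerts.json format that Wazuh hands to an integration script, and it flags the <level> / <log_alert_level> mismatch described in the configuration section. The event field names and the use of the Wazuh alert id as a deduplication key are assumptions for illustration; the sample alert is constructed.

```python
import json

# Wazuh rule level -> ilert severity, as in the table above (highest threshold first).
SEVERITY_BANDS = [(13, "critical"), (10, "error"), (7, "warning"), (0, "info")]


def ilert_severity(level: int) -> str:
    """Map a Wazuh rule level to the ilert severity band used by the integration."""
    for threshold, severity in SEVERITY_BANDS:
        if level >= threshold:
            return severity
    raise ValueError(f"invalid Wazuh rule level: {level}")


def check_levels(integration_level: int, log_alert_level: int) -> list:
    """Return the misconfiguration the page warns about; an empty list means the pair is consistent."""
    problems = []
    if integration_level < log_alert_level:
        problems.append(
            f"<level>{integration_level} is below <log_alert_level>{log_alert_level}: "
            "alerts between them are never written to alerts.json and never reach ilert"
        )
    return problems


def process_alert(alert_json: str, integration_level: int):
    """Apply the <level> threshold to one alerts.json record and build an illustrative
    ilert-style event dict (field names are an assumption, not the script's own payload)."""
    alert = json.loads(alert_json)
    rule = alert["rule"]
    level = int(rule["level"])
    if level < integration_level:
        return None  # Wazuh would not invoke the integration for this alert
    agent = alert.get("agent", {}).get("name", "manager")
    return {
        "eventType": "ALERT",
        "severity": ilert_severity(level),
        "summary": f"[{agent}] {rule['description']} (rule {rule['id']}, level {level})",
        "alertKey": alert["id"],  # assumed dedup key: the Wazuh alert id
        "customDetails": {"groups": rule.get("groups", []), "full_log": alert.get("full_log", "")},
    }


# Constructed sample record in alerts.json shape; ids and values are invented for this example.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2024-01-01T12:00:00.000+0000",
    "id": "1704110400.1001",
    "rule": {"level": 10, "id": "100010", "description": "Multiple authentication failures", "groups": ["authentication_failures"]},
    "agent": {"id": "001", "name": "web-01"},
    "full_log": "sshd[123]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
})

if __name__ == "__main__":
    print(check_levels(integration_level=3, log_alert_level=7))
    print(json.dumps(process_alert(SAMPLE_ALERT, integration_level=7), indent=2))
```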

FAQ

Will alerts in ilert be resolved automatically?

No. Wazuh alerts are events and are not automatically resolved by a follow-up state change. Resolve the corresponding ilert alert manually, or configure alert auto-resolution on the alert source.
