Pagerduty Slack

PagerDuty integrations with Slack

OSSEC Integrates Slack and PagerDuty. Posted on January 20, 2016 (last modified July 3, 2020) by Daniel Cid.

PagerDuty describes itself as the central nervous system for a company's digital operations: it identifies issues in real time and brings together the right people to respond to problems faster and prevent them in the future.

Use Zoho Flow to integrate PagerDuty with Slack in at least 30 different ways, without writing code. Automate the tasks that keep you away from what you do best.

AUTOMATE


Automate redundant manual tasks and save your precious time and effort

ORCHESTRATE

Orchestrate your business process by integrating the apps you use efficiently

Explore prebuilt integration flows to get started


Didn't find the integration you are looking for? Create one yourself.

All Triggers - A trigger kickstarts the flow

New Notification

Triggers when there is a new notification

New or Updated Incident

Triggers when new incidents are created, or when existing incidents change state

Message starred

Triggers when a message is starred

Channel created

Triggers when a new channel is created

Message posted to public channel

Triggers when a new message is posted to the selected public channel

Message posted to private channel

Triggers when a new message is posted to the selected private channel


All Actions - Actions are the automated tasks

Find User on Call

Finds the user on call for a specific schedule

Fetch user - By name

Fetches the details of an existing user by name

Set channel topic


Sets the topic for the selected channel

Fetch user - By username


Fetches the details of an existing user by username

Send public channel message

Sends a message to the selected public channel

Update profile


Updates the profile information for the selected user

Send private channel message

Sends a message to the selected private channel

Send direct message

Sends a direct message to the selected user

Fetch user - By ID

Fetches the details of an existing user by ID


What is Zoho Flow?

Zoho Flow is an integration platform that helps you connect your apps without any code. Automate complex business workflows within minutes. Set a trigger, add actions, use Delays and Decisions to create your entire workflow on an easy to use builder.


Testimonial

Owain ap Rees, Sales Director, Artico

“It is amazing what processes can be automated [with Zoho Flow]. It can be difficult to visualize what can be done. Ask the experts at Zoho Flow, they can tell you straight away and if it needs customization they will help you build it!”


Advanced tools to help you build complex workflows in minutes


Webhooks

Use the webhook trigger to receive data from a wide range of services in multiple formats, including JSON, form data, and plain text.

Schedules

Execute actions automatically at specific times every day, or on a particular day of every week, month, or year.

Decisions

Include if/then branches to have your workflows carry out different sets of tasks based on the conditions you specify.

Delays

Set time delays between any two actions in your workflow. Stall actions for hours, days, weeks, or even until a specific date.

Custom functions

Write simple scripting functions to format data, call web APIs, send emails, and more.

One of the new features that we open sourced and pushed to OSSEC is an “integrator” daemon that we have been using internally to connect OSSEC to external APIs and alerting tools. The first two APIs we officially added were for Slack and PagerDuty.

To get started, download OSSEC from our fork, either from the development branch or from our stable branch:

After you install (or update) OSSEC, you need to enable the integrator daemon with the following command:

If the right version of OSSEC is installed, no errors will be generated and you are ready to configure it.

Integrating with Slack

Slack is taking the world by storm and many companies are using it for internal communication. Most people are always connected to it, making it more practical to use for real-time alerts than to depend solely on email.

Additionally, Slack integration is very easy to configure. First, you have to go to Slack and enable a new integration under Settings > Custom Integrations > Incoming Webhooks.

You then choose a channel and a new hook will be created in the format of:
https://hooks.slack.com/services/RANDOMSTRING/RANDOMSTRING.

Save that URL and add it, with the following, to your ossec.conf file. Treat the hook URL as a credential: the random path is the only thing authenticating posts to that channel, so anyone who reads it out of ossec.conf can post there, and Slack lets you regenerate it if it leaks.

Once you restart OSSEC, every alert of level 10 or higher (the level entry is a minimum, not an exact match) will be posted to the Slack channel you chose, just like this:

You can also specify per alert category or rule id, by using the <group> or <rule_id> entries. So if you only want to receive all authentication related alerts via slack, you can add the following to your config:

Restart OSSEC and you are done.

Integrating with PagerDuty

PagerDuty is one of the best products out there to manage and notify network and security administrators (DevOps/SecOps) about issues that deserve immediate attention.

It is a powerful tool and one that can now be integrated with OSSEC. Be careful not to overdo it with this one. Only push to PagerDuty events that really matter.


For example, we have some rules that are categorized as “immediate_response_required” as they tend to be related to service availability; either a service went down or the system is running out of memory. An example would be the Nginx rule 31321 and the Syslog rule 1007:

As you can see, these rules fire when Nginx cannot bind to its listen address (the service is most likely down) or when a log reports that there is no space left on the disk. Both directly affect the availability of the server, so they are good candidates to push straight to PagerDuty for immediate attention.

To do that, you first need the integration key of the PagerDuty service your escalation policy is attached to. Go to Configuration > Services and open that service; the key is shown there. Note that this is the service's events integration key, not a user-level REST API key, and anyone holding it can open incidents on that service, so protect ossec.conf accordingly. It looks like this:


Save the integration key and copy to the ossec.conf:

In this example OSSEC is tied to the immediate_response_required group, so any alert carrying that group, which in practice means a serious availability issue, is pushed straight to the PagerDuty escalation. As with the Slack integration, you can instead key it on alert level (using <level>) or on specific rule ids (using <rule_id>).
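To show the two configurations side by side, here is an added example that is not the post's own snippet and not OSSEC's own code. It embeds an assumed ossec.conf fragment in the integrator's <integration> block form (the element names <integration>, <name>, <hook_url> and <api_key> are assumed from the OSSEC integrator; <level>, <group> and <rule_id> are the entries the post names), runs a handful of constructed alerts through a model of the level/group/rule_id filtering the post describes, and builds the message bodies a sender would post: a Slack Incoming Webhook body and a PagerDuty Events API v1 trigger event (the API version is an assumption, as are the placeholder hook URL, the placeholder integration key, and the group tags on the sample alerts).

```python
import json
import xml.etree.ElementTree as ET

# Assumed ossec.conf fragment in the OSSEC integrator's <integration> format: a Slack hook
# fed by alert level, a Slack hook fed by alert group, and a PagerDuty integration fed by
# the immediate_response_required group. Hook URL and key are placeholders (secrets in real use).
OSSEC_CONF = """
<ossec_config>
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/RANDOMSTRING/RANDOMSTRING</hook_url>
    <level>10</level>
  </integration>
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/RANDOMSTRING/RANDOMSTRING</hook_url>
    <group>authentication_success,authentication_failed</group>
  </integration>
  <integration>
    <name>pagerduty</name>
    <api_key>PLACEHOLDER_INTEGRATION_KEY</api_key>
    <group>immediate_response_required</group>
  </integration>
</ossec_config>
"""

# Constructed alerts; rule ids 31321 and 1007 are the ones the post names, group tags are assumed.
SAMPLE_ALERTS = [
    {"rule_id": "31321", "level": 10, "groups": ["nginx", "immediate_response_required"],
     "description": "Nginx unable to bind to ip/port", "location": "web01->/var/log/nginx/error.log"},
    {"rule_id": "1007", "level": 10, "groups": ["syslog", "immediate_response_required"],
     "description": "No space left on device", "location": "web01->/var/log/messages"},
    {"rule_id": "5716", "level": 5, "groups": ["syslog", "sshd", "authentication_failed"],
     "description": "SSHD authentication failed", "location": "web01->/var/log/auth.log"},
    {"rule_id": "5402", "level": 3, "groups": ["syslog", "sudo"],
     "description": "Successful sudo to ROOT executed", "location": "web01->/var/log/auth.log"},
]


def _csv(text):
    # Split a comma-separated <group> or <rule_id> value into a set of names.
    return {item.strip() for item in text.split(",") if item.strip()} if text else set()


def parse_integrations(conf_xml):
    """Read every <integration> block together with its level/group/rule_id filters."""
    entries = []
    for node in ET.fromstring(conf_xml.strip()).findall("integration"):
        level = node.findtext("level")
        entries.append({
            "name": node.findtext("name"),
            "hook_url": node.findtext("hook_url"),
            "api_key": node.findtext("api_key"),
            "level": int(level.strip()) if level else None,
            "groups": _csv(node.findtext("group")),
            "rule_ids": _csv(node.findtext("rule_id")),
        })
    return entries


def matches(integration, alert):
    """Model of the filters: level is a minimum, group/rule_id are allow-lists, all set filters must agree."""
    if integration["level"] is not None and alert["level"] < integration["level"]:
        return False
    if integration["rule_ids"] and alert["rule_id"] not in integration["rule_ids"]:
        return False
    if integration["groups"] and not integration["groups"].intersection(alert["groups"]):
        return False
    return True


def slack_payload(alert):
    """Body for a Slack Incoming Webhook: a JSON object with a 'text' field."""
    return {"text": "OSSEC level %d, rule %s: %s (%s)" % (
        alert["level"], alert["rule_id"], alert["description"], alert["location"])}


def pagerduty_payload(api_key, alert):
    """Events API v1 trigger; incident_key folds repeats of one rule at one location into one incident."""
    return {
        "service_key": api_key,
        "event_type": "trigger",
        "incident_key": "ossec-%s-%s" % (alert["rule_id"], alert["location"]),
        "description": "OSSEC rule %s: %s" % (alert["rule_id"], alert["description"]),
        "details": {"level": alert["level"], "groups": alert["groups"], "location": alert["location"]},
    }


def dispatch(conf_xml, alerts):
    """Return (integration name, rule id, payload) for each alert that would be forwarded; nothing is sent."""
    sent = []
    for integ in parse_integrations(conf_xml):
        for alert in alerts:
            if not matches(integ, alert):
                continue
            if integ["name"] == "slack":
                sent.append(("slack", alert["rule_id"], slack_payload(alert)))
            elif integ["name"] == "pagerduty":
                sent.append(("pagerduty", alert["rule_id"], pagerduty_payload(integ["api_key"], alert)))
    return sent


if __name__ == "__main__":
    for name, rule_id, payload in dispatch(OSSEC_CONF, SAMPLE_ALERTS):
        print(name, rule_id, json.dumps(payload))
```

Running it shows the two level-10 availability alerts going to both the level-keyed Slack hook and PagerDuty, the sshd failure going only to the group-keyed Slack hook, and the sudo alert going nowhere. The incident_key in the PagerDuty body is the practical answer to "do not overdo it": a rule that keeps firing for the same host updates one incident instead of paging the on-call engineer every few seconds.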

Adding More Integrations

That’s it for now, however, adding new integrations to OSSEC is very easy and we plan to add more very soon. Hipchat is the next one on our list.

Are there any other integrations you want to see? Let us know and we will make it happen.

Need Help with OSSEC?

We use OSSEC extensively across all our products to help monitor and protect our servers. If you are not familiar with OSSEC, it is an open source host-based intrusion detection system (HIDS) with a powerful correlation and analysis engine that combines log analysis, file integrity monitoring, rootkit detection, real-time alerting, and active response.

It provides complete coverage if you are looking for an endpoint (server) security solution.

  • If you have not used OSSEC before, I recommend reading my guide to get started: http://dcid.me/texts/my-ossec-setup-manual.html
  • If you need help with your OSSEC implementation, we provide professional consultation at ColdPath

Note that OSSEC requires root access to your servers and is meant for network / server administrators with Linux skills.