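#!/bin/bash
#
# OSSEC active-response script: raise a PagerDuty incident for an alert.
#
# Invoked by OSSEC as
#   ossec-pagerduty.sh <action> <user> <ip> <alert-id> <rule-id> ...
# where <alert-id> has the form "<epoch>.<counter>".  "delete" is a no-op;
# anything else triggers an event.
#
# Tracing (the old "#!/bin/bash -x") is deliberately off: with -x every
# expanded command line -- APIKEY included, plus the JSON payload built from
# alert text -- is echoed to stderr and can end up in logs.

# Change these values!
# APIKEY Your pagerduty api key
APIKEY="xxxxxxx"

# Unset variables are errors; the only formerly-unset uses ($6..$8 in the
# log line) are replaced by "$*" below.
set -u

#######################################
# Escape a string for use inside a JSON string literal.
# Arguments: $1 - raw text (may contain quotes, backslashes, newlines)
# Outputs:   escaped text on stdout, no trailing newline
#######################################
json_escape() {
  local s
  # Drop the control characters JSON does not allow raw, keeping only the
  # three (\t \n \r) that are escaped explicitly below.
  s=$(printf '%s' "$1" | tr -d '\000-\010\013\014\016-\037')
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  printf '%s' "$s"
}

# Checking user arguments
if [ "x${1:-}" = "xdelete" ]; then
    exit 0
fi
ALERTID=${4:-}
RULEID=${5:-}
LOCAL=$(dirname -- "$0")
# "<epoch>.<counter>" -> ALERTTIME=<epoch>, ALERTLAST=<counter>
# (no dot: both keep the whole id, as "cut -f" did)
ALERTTIME=${ALERTID%%.*}
ALERTLAST=${ALERTID#*.}
ALERTLAST=${ALERTLAST%%.*}

# Resolve the active-response directory once, rather than cd'ing around and
# overwriting the shell's special PWD variable.
BASE=$(cd -- "$LOCAL/.." && pwd) || exit 1
# Was "ALERTLOG= <path>": that assigned an empty value and then tried to
# execute the path as a command.
ALERTLOG="${BASE}/../logs/alerts/alerts.log"

# Logging
printf '%s %s %s\n' "$(date)" "$0" "$*" >> "${BASE}/../logs/active-responses.log"

# The alert text comes from alerts.log, i.e. from whatever produced the
# original event, so it is untrusted for the purposes of the payload below.
# The alert id is matched literally (-F); it is not a regex and "." would
# otherwise match any character.
ALERTFULL=$(grep -F -A 10 -- "$ALERTTIME" "$ALERTLOG" \
  | grep -v -F -A 10 -- ".$ALERTLAST: " \
  | grep -v "Src IP: " \
  | grep -v "User: " \
  | grep -A 4 "Rule: " \
  | cut -c -139)

postfile=$(mktemp) || exit 1
# The payload carries the API key: remove the file on every exit path.
trap 'rm -f -- "$postfile"' EXIT

# Every value is escaped, so quotes/backslashes/newlines in alert text can
# no longer break the JSON (the old version only stripped double quotes).
printf '{ "service_key": "%s", "incident_key": "Alert: %s / Rule: %s", "event_type": "trigger", "description": "OSSEC Alert: %s", "client": "OSSEC IDS", "client_url": "http://dcid.me/ossec", "details": { "location": "%s", "Rule":"%s", "Description":"%s", "Log":"%s"} } ' \
  "$(json_escape "$APIKEY")" \
  "$(json_escape "$ALERTTIME")" \
  "$(json_escape "$RULEID")" \
  "$(json_escape "$ALERTLAST")" \
  "$(json_escape "${HOSTNAME:-}")" \
  "$(json_escape "$RULEID")" \
  "$(json_escape "$ALERTFULL")" \
  "$(json_escape "$ALERTLOG")" > "$postfile"

# -sS: no progress meter, errors still reported; --fail: a non-2xx reply
# gives a non-zero exit status so a failed delivery is visible to OSSEC.
curl -sS --fail -H "Content-type: application/json" -X POST --data @"$postfile" "https://events.pagerduty.com/generic/2010-04-15/create_event.json"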