Overview

The Wazuh provider enables seamless integration between Keep and Wazuh. It allows you to get alerts from Wazuh to Keep via custom integration making it easier to track security-related activities in one place.

Please refer to the Wazuh Docs if you want to learn more about Wazuh Custom Integrations.

Connecting Wazuh to Keep

To connect Wazuh to Keep, you need to configure it as a custom integration in Wazuh. Follow the steps below to set up the integration:

  1. The Keep webhook scripts need to be installed on the Wazuh server.

  2. Download the Keep webhook scripts with the following commands:

wget -O custom-keep.py https://github.com/keephq/keep/blob/main/keep/providers/wazuh_provider/custom-keep.py?raw=true
wget -O custom-keep https://github.com/keephq/keep/blob/main/keep/providers/wazuh_provider/custom-keep?raw=true

  3. Copy the downloaded scripts to /var/ossec/integrations/ on the Wazuh server and set the correct ownership and permissions, so that only root can modify the scripts the manager executes:

cp custom-keep.py /var/ossec/integrations/custom-keep.py
cp custom-keep /var/ossec/integrations/custom-keep
chown root:wazuh /var/ossec/integrations/custom-keep*
chmod 750 /var/ossec/integrations/custom-keep*

  4. Get the webhook URL of Keep, which is https://api.keephq.dev/alerts/event/wazuh.

  5. Get the API key of Keep, which you can generate in the Keep settings.

  6. In the config file /var/ossec/etc/ossec.conf, add a new integration block:

<integration>
    <name>custom-keep</name>
    <level>10</level>
    <hook_url>PLACE_YOUR_KEEP_WEBHOOK_URL_HERE</hook_url>
    <api_key>PLACE_HERE_YOUR_API_KEY</api_key>
    <alert_format>json</alert_format>
</integration>

Please refer to the Wazuh Documentation for more information and set the level you are interested in.

  7. Restart the wazuh-manager:

$ systemctl restart wazuh-manager
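To show what the integration block above turns into at runtime, here is a minimal custom integration script in the shape Wazuh invokes from /var/ossec/integrations/. It is an added example, not Keep's own custom-keep.py that the wget commands download; the X-API-KEY header name and the sample alert are assumptions.

```python
"""Minimal Wazuh custom integration in the shape Wazuh expects for
/var/ossec/integrations/custom-<name>.py. Added example, not Keep's
own custom-keep.py; the X-API-KEY header name is an assumption."""
import json
import sys
import urllib.request

# Constructed sample of the alert JSON Wazuh writes to the alert file.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "rule": {"level": 10, "id": "5720", "description": "Multiple SSHD authentication failures."},
    "agent": {"id": "001", "name": "web-01"},
    "full_log": "sshd[123]: Failed password for invalid user admin from 203.0.113.5",
}

def parse_args(argv):
    """Wazuh runs the script as: <script> <alert_file> <api_key> <hook_url>,
    taking api_key and hook_url from the <integration> block in ossec.conf."""
    if len(argv) < 4:
        raise SystemExit("usage: custom-keep.py ALERT_FILE API_KEY HOOK_URL")
    return argv[1], argv[2], argv[3]

def load_alert(path):
    """The alert file holds one JSON document for the alert that fired."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def build_request(alert, api_key, hook_url, min_level=10):
    """Build the POST to Keep, or return None if the alert is below min_level.
    <level> in ossec.conf already filters on the Wazuh side; repeating the check
    here keeps the script from flooding Keep if that tag is later lowered."""
    if int(alert.get("rule", {}).get("level", 0)) < min_level:
        return None
    body = json.dumps(alert).encode("utf-8")
    headers = {"Content-Type": "application/json", "X-API-KEY": api_key}  # header name assumed
    return urllib.request.Request(hook_url, data=body, headers=headers, method="POST")

def main(argv):
    alert_file, api_key, hook_url = parse_args(argv)
    req = build_request(load_alert(alert_file), api_key, hook_url)
    if req is None:
        return 0  # nothing to forward
    with urllib.request.urlopen(req, timeout=10) as resp:
        return 0 if 200 <= resp.status < 300 else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```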