
Unable to Integrate Wazuh with GitHub

Open Sahil-Nference opened this issue 2 years ago • 3 comments

| Wazuh version | Component | Install Type | Install Method | Platform |
|---|---|---|---|---|
| 4.3.7 | Github | Manager | Packages/Sources | Ubuntu 18.04.5 |

Description

When you try to integrate Wazuh with GitHub, an error appears in the Wazuh logs and alert 91448 is triggered. Refer to a similar issue: https://github.com/wazuh/wazuh/issues/13951

Evidences

[Image: Wazuh triggering rule 91448, error description in JSON]

Steps to reproduce

  1. Generate an Enterprise Cloud account organization
  2. Generate a personal token from the account linked to the organization
  3. Add the configuration in /var/ossec/etc/ossec.conf:

```xml
<github>
    <enabled>yes</enabled>
    <interval>10s</interval>
    <time_delay>30s</time_delay>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <org_name>YOUR-ORGANIZATION</org_name>
        <api_token>API_TOKEN_FROM_PERSONAL_GITHUB_ACCOUNT</api_token>
    </api_auth>
    <api_parameters>
        <event_type>all</event_type>
    </api_parameters>
</github>
```

  4. Restart the Wazuh Manager in order to apply the changes
  5. Wait a couple of seconds and check the logs in ossec.log and alerts.log to see the logs described in the Evidences section

Current Result: GitHub integration not working

Expected Result: The GitHub integration should work correctly

Sahil-Nference avatar Sep 19 '22 08:09 Sahil-Nference

Hi @Sahil-Nference,

Thank you for your detailed report.

Regarding the error thrown, it seems it is related to the audit log REST API, which is not available. Did you follow all the steps and requirements from this documentation? Please pay special attention to the Github requirements section.

Could you also provide the content of the /var/ossec/logs/ossec.log file in the agent or manager where the integration is being attempted? Did you find any error message in this file related to the Github integration?

I have also found the Troubleshooting documentation for the Github API, it is interesting to review the suggestions it contains since the error might be related to the Github configuration instead of the Wazuh integration. Could you please try to run a request outside Wazuh to the Github API to verify everything works from its side? Here you can see how to do it.

Looking forward to your answer. Thanks in advance!

chemamartinez avatar Sep 19 '22 10:09 chemamartinez

Greetings @chemamartinez

Yes, I have followed the documentation and all the steps for the setup. I have created a dummy organisation for the POC and created an admin token for the same, and added them properly to the ossec.conf file.
Point 1: To test the connectivity

I tried adding wrong credentials in the configuration and I got a ‘Bad Credentials’ error, proving that I have a successful connection.

Point 2: Working of Wazuh

As Wazuh works with the audit logs and does the analysis on the same, I tried fetching the audit logs separately via the GitHub APIs.

For this command to fetch audit logs:

```
gh api \
  -H "Accept: application/vnd.github+json" \
  /orgs/WitcherSahil/audit-log
```

We received this result:

```
{
  "message": "Not Found",
  gh: Not Found (HTTP 404)
  "documentation_url": "https://docs.github.com/rest/reference/orgs#get-audit-log"
}
```

For another command, we received a response!

```
gh api \
  -H "Accept: application/vnd.github+json" \
  /orgs/ORG/installations
```

```
{
  "total_count": 0,
  "installations": []
}
```

The main issue here is that I can see the audit logs if I navigate the GitHub website following these steps.

Do you know what is happening here?

Sahil-Nference avatar Sep 19 '22 12:09 Sahil-Nference

Let's try to narrow down the problem to discover the cause.

First of all, regarding your tests, it seems the API is working and the connectivity is ok. However, the problem seems to be related to the Github API and how the audit logs are read, rather than the Wazuh side, since you obtain the same response from the API request directly.

I've found this issue, already closed in our repository, https://github.com/wazuh/wazuh/issues/7660, that mentions the following:

If this endpoint is accessed for an organization not part of the Enterprise plan or by an account that is not an owner GitHub will reply with a 404.

Is it possible that being a dummy organization for your PoC it is not included in the Enterprise plan?

Take into account the following comment as well:

GitHub Apps must have the organization_administration read permission to use this endpoint.

chemamartinez avatar Sep 19 '22 15:09 chemamartinez
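A pre-flight check that ties the diagnosis above together, as an added example that is not code from Wazuh or from anyone in this thread: it parses the `<github>` block from ossec.conf, flags placeholder values, and maps the HTTP status of the `/orgs/{org}/audit-log` request (the same endpoint the `gh api` command queries) to the causes discussed here. The sample configuration is constructed from the one posted in the issue; `fetch_status` is an injectable hook so the logic can be exercised without network access.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the <github> block from the issue, placeholders still in place.
SAMPLE_CONF = """<ossec_config><github><enabled>yes</enabled>
  <api_auth><org_name>YOUR-ORGANIZATION</org_name>
    <api_token>API_TOKEN_FROM_PERSONAL_GITHUB_ACCOUNT</api_token></api_auth>
  <api_parameters><event_type>all</event_type></api_parameters></github></ossec_config>"""

PLACEHOLDERS = {"YOUR-ORGANIZATION", "API_TOKEN_FROM_PERSONAL_GITHUB_ACCOUNT"}
VALID_EVENT_TYPES = {"all", "web", "git"}  # values the module's <event_type> accepts

def parse_github_block(conf_xml):
    """Return (org, token, event_type, problems) from the <github> block of ossec.conf."""
    gh = ET.fromstring(conf_xml).find("github")
    if gh is None or (gh.findtext("enabled") or "no").strip() != "yes":
        return None, None, None, ["github module missing or not enabled"]
    org = (gh.findtext("api_auth/org_name") or "").strip()
    token = (gh.findtext("api_auth/api_token") or "").strip()
    event_type = (gh.findtext("api_parameters/event_type") or "all").strip()
    problems = [f"{name} is still a placeholder" for name, val in
                (("org_name", org), ("api_token", token)) if not val or val in PLACEHOLDERS]
    if event_type not in VALID_EVENT_TYPES:
        problems.append(f"unknown event_type {event_type!r}")
    return org, token, event_type, problems

def diagnose(status):
    """Map the audit-log endpoint's HTTP status to the causes discussed in the thread."""
    return {
        200: "ok: audit log readable, the module can poll it",
        401: "bad credentials: token rejected, but connectivity to api.github.com works",
        404: "not found: org is not on an Enterprise plan, or the token owner is not an org owner",
    }.get(status, f"unexpected HTTP {status}")

def _http_status(url, headers):
    """Default fetcher: HTTP status of a GET request (needs network access)."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_audit_log(org, token, fetch_status=_http_status):
    """Query /orgs/{org}/audit-log as the gh command in the thread does; fetch_status is injectable."""
    url = f"https://api.github.com/orgs/{org}/audit-log"
    headers = {"Accept": "application/vnd.github+json", "Authorization": f"Bearer {token}"}
    status = fetch_status(url, headers)
    return status, diagnose(status)
```

Run `parse_github_block` on the real ossec.conf first; a 404 from `check_audit_log` with a non-placeholder token points at the plan or ownership of the organization, not at the Wazuh side.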

Greetings @chemamartinez, thanks a lot for your patience.

I find this -> "If this endpoint is accessed for an organization not part of the Enterprise plan or by an account that is not an owner GitHub will reply with a 404."

to be the real issue, as non-Enterprise plan accounts cannot use the audit log API from GitHub, and hence Wazuh was unable to pick it up.

  • I confirm that by using an Enterprise plan org and a PAT for the same, Wazuh was able to pick up all the audit logs in no time.

That answers my query!

Sahil-Nference avatar Oct 12 '22 07:10 Sahil-Nference

Can we get logs in the trial plan for 30 days?

P-JAYAPRADHA avatar Jun 09 '23 09:06 P-JAYAPRADHA