Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 3) -

Wazuh and Ollama: Part 3. Creating Integration Between Your Wazuh Cluster and Ollama

Wazuh offers vast and nearly limitless possibilities for integration with various systems. Even if a specific feature is missing, you can always create your own custom integration. Интеграции с внешними системами могут быть двух видов:

External API integrations: This method enables interaction with external systems via APIs to automate tasks. The data obtained can be used to create events in Wazuh or trigger other automated actions, enhancing the efficiency of threat monitoring and response.
Command: This method allows you to schedule commands or scripts for the automatic creation of events in Wazuh. I often use this approach when I need to gather data from sources that aren’t supported by default. It helps expand monitoring capabilities and integrate with non-standard systems.

To integrate with Ollama, we will use the External API integrations method.

We will develop an integrator that interacts with Ollama via its API, automating data processing.

The information gathered will be used to generate events in Wazuh and perform other automated actions.

External API integrations

Wazuh provides a straightforward mechanism for integrating with external APIs.

The setup process involves a few simple steps:

Create a script in /var/ossec/integrations/.
The script name should begin with custom-.
Add the new integration to ossec.conf.
Configure rules and decoders to process the data.
Restart Wazuh to apply the changes.

This process makes it easy to extend the functionality of ** ** by connecting it to third-party services for automated monitoring and event analysis.

Developing Integration Between Ollama and Wazuh

To simplify the development process, I will use Python — a flexible and convenient language, ideally suited for working with APIs and automating processes within Wazuh.

1. Working with Ollama via its API

To work with Ollama, we will use the official ollama library. Before getting started, make sure you have Python and pip installed, then install the library using the following command:

pip install ollama

The Ollama library is very easy to use. Let’s start by creating a basic function that interacts with Ollama and sends requests.

from ollama import chat

response = chat(model='llama3.2', messages=[
  {
    'role': 'user',
    'content': 'what is it Wazuh"?',
  },
])
print(response['message']['content'])

model='llama3.2' - LLM model name.
messages - prompt for sending to Ollama.
response - response from Ollama.
response['message']['content'] - response content.

In this example, we are sending a request to the llama3.2 model, which is one of the most popular models for text-based tasks.

The content we provide is the string “what is it Wazuh?”.

After executing the request, we receive a response that contains information about Wazuh.

By default, the library sends requests using localhost as the host and 11434 as the port.

However, if your Ollama server is hosted on a different address or port, you need to specify the appropriate values in the host and port parameters.

To do this, you can use the Client object, like this:

from ollama import Client

client = Client(
  host='http://123.123.123.1:11434',
)
response = client.chat(model='llama3.2', messages=[
  {
    'role': 'user',
    'content': 'what is it Wazuh"?',
  },
],)
print(response['message']['content'])

2. How can you work with Wazuh in Python?

There are several effective approaches for integrating with Wazuh via Python, and one of the simplest and fastest is direct interaction through the unix-socket.

This method allows you to connect to Wazuh without the need for complex network configuration, speeding up the process and ensuring greater stability.

To simplify the integration process with Wazuh and automate tasks, we will use the built-in Python interpreter that comes with Wazuh.

This eliminates the need to install external libraries or set up an additional environment, allowing you to quickly and efficiently configure the system for event handling and process automation in Wazuh.

Now, let’s get the path to Wazuh:

wazuh_path = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))

Then, the unix-socket will be located at:

socket_addr = "{0}/queue/sockets/queue".format(wazuh_path)

Now, we can try to create a function to send events to the unix-socket:

def send_event(msg):
    string = "1:somename:{0}".format(json.dumps(msg))
    sock = socket(AF_UNIX, SOCK_DGRAM)
    sock.connect(socket_addr)
    sock.send(string.encode())
    sock.close()

The structure of the string is as follows:

1: - This is the identifier and corresponds to the Wazuh manager.
somename: - A unique name.
{0}: - A JSON string with the message.

When an event is created in Wazuh according to predefined rules, it is sent through the Unix socket for further processing.

This process starts when the Wazuh manager calls the send_event function and passes the JSON string to it.

The string containing the event data is then sent to the Unix socket, enabling interaction with other services or integrations, such as Ollama.

How the Event Creation and Sending Process Works

Event Creation: When a rule is triggered in Wazuh, an event is created in JSON format. This event includes important data, such as the incident type, source, description, and additional parameters.
Calling the send_event Function: In response to the triggered rule, the Wazuh manager calls the send_event function, passing the generated JSON string.
Transmission via Unix Socket: This JSON string is then transmitted through the Unix socket.

The continuation of the integration will be presented in upcoming posts. Stay tuned for updates!