Enhancing Wazuh with Ollama: Boosting Cybersecurity (Part 3)

Wazuh and Ollama: Part 3. Creating Integration Between Your Wazuh Cluster and Ollama

Series Navigation:

Part 1: Introduction & Benefits
Part 2: Deploying Wazuh
Part 3: Creating Integration (you are here)
Part 4: Configuration & Implementation

Wazuh offers vast and nearly limitless possibilities for integration with various systems. Even if a specific feature is missing, you can always create your own custom integration.

Understanding Wazuh Integration Methods

External integrations with Wazuh can be implemented in two primary ways:

1. External API integrations

Official Documentation
Enables interaction with external systems via APIs to automate tasks
Data obtained can create events in Wazuh or trigger automated actions
Enhances efficiency of threat monitoring and response

2. Command-based integrations

Official Documentation
Schedule commands or scripts for automatic event creation in Wazuh
Useful for gathering data from non-standard sources
Expands monitoring capabilities for custom systems

Choosing the Integration Method

To integrate with Ollama, we will use the External API integrations method.

We will develop an integrator that:

Interacts with Ollama via its REST API
Automates security event data processing
Generates enriched events in Wazuh
Triggers automated response actions

External API Integration Overview

Wazuh provides a straightforward mechanism for integrating with external APIs.

The setup process involves a few simple steps:

Create a script in /var/ossec/integrations/.
The script name should begin with custom-.
Add the new integration to ossec.conf.
Configure rules and decoders to process the data.
Restart Wazuh to apply the changes.

This process makes it easy to extend the functionality of Wazuh by connecting it to third-party services for automated monitoring and event analysis.

Developing the Ollama-Wazuh Integration

To simplify the development process, I will use Python — a flexible and convenient language, ideally suited for working with APIs and automating processes within Wazuh.

Working with the Ollama API

To work with Ollama, we will use the official ollama library. Before getting started, make sure you have Python and pip installed, then install the library using the following command:

pip install ollama

The Ollama library is very easy to use. Let’s start by creating a basic function that interacts with Ollama and sends requests.

from ollama import chat

response = chat(model='llama3.2', messages=[
  {
    'role': 'user',
    'content': 'what is it Wazuh"?',
  },
])
print(response['message']['content'])

model='llama3.2' - LLM model name.
messages - prompt for sending to Ollama.
response - response from Ollama.
response['message']['content'] - response content.

In this example, we are sending a request to the llama3.2 model, which is one of the most popular models for text-based tasks.

The content we provide is the string “what is it Wazuh?”.

After executing the request, we receive a response that contains information about Wazuh.

By default, the library sends requests using localhost as the host and 11434 as the port.

However, if your Ollama server is hosted on a different address or port, you need to specify the appropriate values in the host and port parameters.

To do this, you can use the Client object, like this:

from ollama import Client

client = Client(
  host='http://123.123.123.1:11434',
)
response = client.chat(model='llama3.2', messages=[
  {
    'role': 'user',
    'content': 'what is it Wazuh"?',
  },
],)
print(response['message']['content'])

Integrating with Wazuh via Python

There are several effective approaches for integrating with Wazuh via Python, and one of the simplest and fastest is direct interaction through the unix-socket.

This method allows you to connect to Wazuh without the need for complex network configuration, speeding up the process and ensuring greater stability.

To simplify the integration process with Wazuh and automate tasks, we will use the built-in Python interpreter that comes with Wazuh.

This eliminates the need to install external libraries or set up an additional environment, allowing you to quickly and efficiently configure the system for event handling and process automation in Wazuh.

Now, let’s get the path to Wazuh:

wazuh_path = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))

Then, the unix-socket will be located at:

socket_addr = "{0}/queue/sockets/queue".format(wazuh_path)

Now, we can try to create a function to send events to the unix-socket:

def send_event(msg):
    string = "1:somename:{0}".format(json.dumps(msg))
    sock = socket(AF_UNIX, SOCK_DGRAM)
    sock.connect(socket_addr)
    sock.send(string.encode())
    sock.close()

The structure of the string is as follows:

1: - This is the identifier and corresponds to the Wazuh manager.
somename: - A unique name.
{0}: - A JSON string with the message.

When an event is created in Wazuh according to predefined rules, it is sent through the Unix socket for further processing.

This process starts when the Wazuh manager calls the send_event function and passes the JSON string to it.

The string containing the event data is then sent to the Unix socket, enabling interaction with other services or integrations, such as Ollama.

How the Event Creation and Sending Process Works

Event Creation: When a rule is triggered in Wazuh, an event is created in JSON format. This event includes important data, such as the incident type, source, description, and additional parameters.
Calling the send_event Function: In response to the triggered rule, the Wazuh manager calls the send_event function, passing the generated JSON string.
Transmission via Unix Socket: This JSON string is then transmitted through the Unix socket.

The continuation of the integration will be presented in upcoming posts. Stay tuned for updates!