
Step-by-step Guide: “Wazuh-osTicket” Integration

Created by: Syed Jawad Ali Shah


Wazuh-osTicket Integration Guide

Table of Contents
1. Introduction
   1.1 Overview of osTicket
   1.2 Benefits of osTicket
   1.3 Why Integrate with Wazuh?
2. Installing osTicket
   2.1 Prerequisites
   2.2 Installation Steps
3. Integrating Wazuh with osTicket
   3.1 Prerequisites
   3.2 Step 1: Configure osTicket API
   3.3 Step 2: Create Integration Scripts
   3.4 Step 3: Configure Wazuh
   3.5 Step 4: Test the Integration
   3.6 Step 5: Troubleshooting
4. Conclusion
5. References

1. Introduction
1.1 Overview of osTicket
osTicket is a robust, open-source helpdesk and ticketing system designed to streamline the
management of support requests and internal issues. Its intuitive web-based interface
enables efficient ticket submission and management, making it ideal for IT support,
customer service, and incident response.

1.2 Benefits of osTicket


• Cost-Effective: Free, open-source platform with no licensing fees.
• Customizable: Supports custom fields, forms, and workflows for tailored solutions.
• User-Friendly: Provides intuitive portals for end-users and staff.
• Automated: Features auto-responses, ticket filters, and escalations to optimize processes.
• API-Enabled: Offers a REST API for seamless integration with external systems.
• Scalable: Handles high ticket volumes for organizations of all sizes.
• Community-Driven: Backed by comprehensive documentation and an active community (osTicket Documentation, osTicket Forums).
1.3 Why Integrate with Wazuh?
Wazuh is an open-source security monitoring platform excelling in intrusion detection, log
analysis, and threat detection. Integrating Wazuh with osTicket automates the creation of
support tickets for security alerts, enhancing incident response. Key benefits include:
• Automation: Converts Wazuh alerts (e.g., failed logins, malware detection) into osTicket tickets.
• Rapid Response: Enables real-time ticketing for swift action.
• Centralized Workflow: Combines security monitoring with ticketing for streamlined management.
• Accountability: Tracks incident handling and resolution via tickets.
• Flexible Workflows: Routes and escalates alerts based on severity.
This integration is critical for organizations like DIAMATIX, a Wazuh Premium Partner, to
strengthen security operations.

2. Installing osTicket
This section provides a step-by-step guide to installing osTicket on an Ubuntu 22.04/24.04
server at http://10.10.11.195. Adjust commands for other distributions as needed.

2.1 Prerequisites
Requirement    Details
Server         Ubuntu 22.04/24.04, 2GB RAM, 2 CPUs, 20GB disk space
Network        Reachable at 10.10.11.195:80 (your IP here)
Root Access    Required for installation
Dependencies   Apache/Nginx, PHP, MySQL/MariaDB

2.2 Installation Steps


1. Update the System:

sudo apt update && sudo apt upgrade -y

2. Install Dependencies:

sudo apt install -y apache2 mariadb-server php php-cli php-mysql php-gd php-imap php-intl php-json php-curl php-mbstring php-xml php-zip unzip

3. Configure MySQL/MariaDB:

– Secure the installation:


sudo mysql_secure_installation

Follow prompts to set a root password and secure settings.


– Create a database and user:

sudo mysql -u root -p

CREATE DATABASE osticket_db;


CREATE USER 'osticket_user'@'localhost' IDENTIFIED BY 'StrongPassword123!';
GRANT ALL PRIVILEGES ON osticket_db.* TO 'osticket_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Replace StrongPassword123! with a secure password.

4. Download osTicket:
cd /tmp
wget https://github.com/osTicket/osTicket/releases/download/v1.18/osTicket-v1.18.zip
unzip osTicket-v1.18.zip
sudo mv upload /var/www/html/osticket

5. Set Permissions:
sudo chown -R www-data:www-data /var/www/html/osticket
sudo chmod -R 755 /var/www/html/osticket

6. Configure Apache:

– Create a virtual host:


sudo nano /etc/apache2/sites-available/osticket.conf

Add:
<VirtualHost *:80>
ServerName 10.10.11.195
DocumentRoot /var/www/html/osticket
<Directory /var/www/html/osticket>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/osticket_error.log
CustomLog ${APACHE_LOG_DIR}/osticket_access.log combined
</VirtualHost>

– Enable the site:


sudo a2ensite osticket.conf
sudo a2enmod rewrite
sudo systemctl restart apache2

7. Run the osTicket Web Installer:

– Navigate to http://10.10.11.195/setup in a browser.

– Follow the wizard:

• System Settings: Set helpdesk name and URL.


• Database Settings:
– Database: osticket_db
– Username: osticket_user
– Password: StrongPassword123!
• Complete the installation.

osTicket Setup Wizard: System and Database Settings at http://10.10.11.195/setup.

8. Secure Configuration File:

sudo mv /var/www/html/osticket/include/ost-config.php /var/www/html/osticket/include/ost-config.php.bak
sudo chmod 644 /var/www/html/osticket/include/ost-config.php.bak

9. Access osTicket:
– Admin Panel: http://10.10.11.195/scp
– User Portal: http://10.10.11.195
– Use admin credentials set during installation.

osTicket Admin Panel (http://10.10.11.195/scp) and User Portal (http://10.10.11.195).


10. Troubleshooting:

– Check Apache logs:


tail -f /var/log/apache2/osticket_error.log

– Verify MySQL:

sudo systemctl status mariadb

3. Integrating Wazuh with osTicket


This section details the integration tested on May 15, 2025, with osTicket at
http://10.10.11.195 and Wazuh Manager at 10.10.11.100. It uses active response to
trigger custom-osticket.sh for rules 5715 (SSH authentication success) and 5716 (SSH
authentication failure).

3.1 Prerequisites
Requirement    Details
osTicket       Installed at http://10.10.11.195 with API key 7FF72F0C79A3D691128555D105F61793
Wazuh          Running manager at 10.10.110.100 (your Wazuh server IP here)
Network        Wazuh Manager must reach http://10.10.11.195:80
Permissions    Root or wazuh group access on Wazuh server

3.2 Step 1: Configure osTicket API


1. Log in to osTicket Admin Panel:
– Access http://10.10.110.195/scp.
– Navigate to Admin Panel → Manage → API Keys.

2. Verify/Create API Key:

– Ensure API key 7FF72F0C79A3D691128555D105F61793 is active.


– Set allowed IP to 10.10.110.100.
– Enable Can Create Tickets (XML/JSON/EMAIL).
Configuring API Key in osTicket Admin Panel for Wazuh Integration.

3. Notes:

– Include header X-API-Key: 7FF72F0C79A05F61793 in requests.


– Configure X-Forwarded-For for 10.10.110.100 if behind a reverse proxy.
4. Test API:
curl -X POST http://10.10.110.195/api/tickets.json \
  -H "X-API-Key: Your API KEY HERE" \
  -H "Content-Type: application/json" \
  -d '{"alert": true, "autorespond": false, "source": "API", "name": "Test User", "email": "test@wazuh.com", "subject": "Test Ticket", "message": "This is a test ticket from Wazuh", "ip": "10.10.110.100"}'

Expected: 201 Created with a ticket ID (e.g., 137661).

3.3 Step 2: Create Integration Scripts

3.3.1 Shell Script: /var/ossec/integrations/custom-osticket.sh


1. Create the file:

nano /var/ossec/integrations/custom-osticket.sh

Add:
#!/bin/sh

WPYTHON_BIN="/var/ossec/framework/python/bin/python3"
WAZUH_PATH="/var/ossec"
PYTHON_SCRIPT="/var/ossec/integrations/custom-osticket.py"

${WPYTHON_BIN} ${PYTHON_SCRIPT} "$@"

2. Set permissions:

chmod 750 /var/ossec/integrations/custom-osticket.sh


chown root:wazuh /var/ossec/integrations/custom-osticket.sh

3.3.2 Python Script: /var/ossec/integrations/custom-osticket.py


1. Create the file:

nano /var/ossec/integrations/custom-osticket.py

Add:

import json
import os
import sys
from urllib.parse import urlparse

import requests

# Global vars
debug_enabled = False
# Resolves to /var/ossec when the script lives in /var/ossec/integrations
pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
LOG_FILE = f'{pwd}/logs/integrations.log'


def main(args):
    # Usage: custom-osticket.py <alert_file> <api_key> <hook_url> [debug]
    global debug_enabled
    if len(args) < 4:
        print('# ERROR: Wrong arguments')
        sys.exit(2)
    debug_enabled = len(args) > 4 and args[4] == 'debug'
    process_args(args)


def process_args(args):
    alert_file_location, api_key, hook_url = args[1], args[2], args[3]
    if not is_valid_url(hook_url):
        debug(f"# ERROR: Invalid Hook URL: {hook_url}")
        sys.exit(5)
    json_alert = load_alert(alert_file_location)
    ticket_data = generate_ticket_data(json_alert)
    send_ticket(ticket_data, api_key, hook_url)


def generate_ticket_data(alert):
    # Build the osTicket ticket payload (same fields as the curl test in Step 1)
    subject = f"Alert: {alert['rule'].get('description', 'No description')}"
    message = alert.get('full_log', 'No log available')
    ticket_data = {
        "alert": True,
        "autorespond": False,
        "source": "API",
        "name": "Wazuh Integration",
        "email": "alert@wazuh.com",
        "phone": "123456789",
        "subject": subject,
        # osTicket accepts an HTML ticket body as a data URI
        "message": f"data:text/html,MESSAGE <b>{message}</b>",
        "ip": "Your Wazuh Manager IP"
    }
    return ticket_data


def send_ticket(ticket_data, api_key, hook_url):
    headers = {
        'Content-Type': 'application/json',
        'X-API-Key': api_key
    }
    response = requests.post(hook_url, data=json.dumps(ticket_data),
                             headers=headers, timeout=10)
    if response.status_code != 201:
        debug(f"# ERROR: Failed to create ticket. Status Code: {response.status_code}")
        raise Exception(f"Failed to create ticket, status code: {response.status_code}")
    # osTicket answers 201 with the new ticket number as the body
    debug(f"# Ticket created successfully with response: {response.text}")


def load_alert(file_path):
    # Accepts a file holding one JSON alert (e.g. /tmp/test_alert.json).
    # alerts.json is newline-delimited (one alert per line), so a whole-file
    # parse fails on it; fall back to the last non-empty line in that case.
    try:
        with open(file_path) as alert_file:
            content = alert_file.read()
    except FileNotFoundError:
        debug(f"# ERROR: Alert file {file_path} doesn't exist")
        sys.exit(6)
    try:
        return json.loads(content)
    except json.decoder.JSONDecodeError:
        pass
    lines = [line for line in content.splitlines() if line.strip()]
    try:
        return json.loads(lines[-1])
    except (IndexError, json.decoder.JSONDecodeError) as e:
        debug(f"Failed to parse JSON alert: {e}")
        sys.exit(7)


def is_valid_url(url):
    parsed_url = urlparse(url)
    return all([parsed_url.scheme, parsed_url.netloc])


def debug(msg):
    # Only emits when the 4th argument is "debug"; writes to logs/integrations.log
    if debug_enabled:
        print(msg)
        with open(LOG_FILE, "a") as f:
            f.write(msg + '\n')


if __name__ == "__main__":
    main(sys.argv)

2. Set permissions:
chmod 750 /var/ossec/integrations/custom-osticket.py
chown root:wazuh /var/ossec/integrations/custom-osticket.py
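The script above embeds full_log straight into an HTML ticket body, and alerts.json is newline-delimited rather than a single JSON document. The following is an added example (not the guide's or Wazuh's own code) that parses a constructed alerts.json sample, keeps only the rules 5715 and 5716 wired to the active response, and builds the same osTicket payload with the log content HTML-escaped, since the username and host in an SSH log line are supplied by whoever triggered the alert. The manager IP passed in is an assumed value.

```python
import html
import json

# Constructed sample of /var/ossec/logs/alerts/alerts.json: newline-delimited,
# one alert object per line; the third line is not an SSH rule and is ignored.
SAMPLE_ALERTS_JSON = """
{"timestamp":"2025-05-15T12:25:07.000+0000","rule":{"level":3,"description":"sshd: authentication success.","id":"5715"},"agent":{"id":"000","name":"Wazuh2"},"data":{"srcip":"10.10.110.156","srcuser":"Wazuh"},"full_log":"May 15 12:25:07 Wazuh2 sshd-session[76661]: Accepted password for Wazuh from 10.10.110.156 port 63080 ssh2"}
{"timestamp":"2025-05-15T12:26:01.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716"},"agent":{"id":"000","name":"Wazuh2"},"data":{"srcip":"10.10.110.156"},"full_log":"May 15 12:26:01 Wazuh2 sshd-session[76670]: Failed password for invalid user <b>admin</b> from 10.10.110.156 port 63101 ssh2"}
{"timestamp":"2025-05-15T12:27:00.000+0000","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002"},"agent":{"id":"000","name":"Wazuh2"},"full_log":"May 15 12:27:00 Wazuh2 kernel: something went wrong"}
"""

# Rule IDs the guide wires to the active response
TICKET_RULES = {"5715", "5716"}

def parse_alerts(ndjson_text):
    """Parse alerts.json line by line; blank or malformed lines are skipped."""
    alerts = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # e.g. a line still being written at the end of the file
    return alerts

def select_alerts(alerts, rule_ids=TICKET_RULES):
    """Keep only alerts whose rule id is in the ticketed set."""
    return [a for a in alerts if str(a.get("rule", {}).get("id")) in rule_ids]

def build_ticket(alert, manager_ip):
    """Build the osTicket JSON payload (same fields as the guide's curl test).
    Log-derived strings are HTML-escaped before going into the data: URI body."""
    rule = alert.get("rule", {})
    subject = f"Alert {rule.get('id', '?')}: {rule.get('description', 'No description')}"
    log = html.escape(alert.get("full_log", "No log available"))
    agent = html.escape(str(alert.get("agent", {}).get("name", "unknown")))
    srcip = html.escape(str(alert.get("data", {}).get("srcip", "n/a")))
    body = (f"<b>Agent:</b> {agent}<br><b>Source IP:</b> {srcip}<br>"
            f"<b>Level:</b> {rule.get('level', '?')}<br><pre>{log}</pre>")
    return {"alert": True, "autorespond": False, "source": "API",
            "name": "Wazuh Integration", "email": "alert@wazuh.com",
            "subject": subject, "message": "data:text/html," + body, "ip": manager_ip}

def tickets_from_alerts_json(ndjson_text, manager_ip):
    """Parse alerts.json, filter to 5715/5716 and build one payload per alert."""
    return [build_ticket(a, manager_ip) for a in select_alerts(parse_alerts(ndjson_text))]
```

Each returned dict can be posted to /api/tickets.json exactly as send_ticket() in the script above does.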

3.4 Step 3: Configure Wazuh


1. Edit ossec.conf:

nano /var/ossec/etc/ossec.conf

– Add within an <ossec_config> section:


<ossec_config>
  <command>
    <name>osticket-integration</name>
    <executable>custom-osticket.sh</executable>
    <extra_args>/var/ossec/logs/alerts/alerts.json 7FF72F0C79A3D691128555D105F61793 http://10.10.110.195/api/tickets.json debug</extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>osticket-integration</command>
    <location>local</location>
    <rules_id>5715</rules_id>
  </active-response>
</ossec_config>

Editing /var/ossec/etc/ossec.conf with Active Response Configuration and Validating with verify-agent-conf.

2. Verify local_rules.xml:

– Ensure the existing rule is unchanged:


cat /var/ossec/etc/rules/local_rules.xml

Should match:
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<group name="local,syslog,sshd,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
</group>

– If modified, restore it:


nano /var/ossec/etc/rules/local_rules.xml

Add the above content.

– Set permissions:

chmod 640 /var/ossec/etc/rules/local_rules.xml


chown root:wazuh /var/ossec/etc/rules/local_rules.xml

Verifying Existing Rule 100001 in /var/ossec/etc/rules/local_rules.xml.

3. Validate Configuration:

/var/ossec/bin/verify-agent-conf

4. Restart Wazuh Manager:

systemctl restart wazuh-manager

Verify:
systemctl status wazuh-manager

3.5 Step 4: Test the Integration


1. Verify Previous Test:

– Test conducted on May 15, 2025:

/var/ossec/integrations/custom-osticket.sh /tmp/test_alert.json 7FF72F0C79A3D691128555D105F61793 http://10.10.110.195/api/tickets.json debug

Output: # Ticket created successfully with response: 137661

– Check ticket ID 137661 at http://10.10.110.195/scp.


Manual Test Output and Ticket 900679 in osTicket Admin Panel.

2. Test with Real Alerts:

– Trigger SSH authentication success (5715):

ssh Wazuh@10.10.11.100

– Trigger SSH authentication failure (5716):

ssh invaliduser@10.10.110.100

– Check alerts:

tail -f /var/ossec/logs/alerts/alerts.log | grep -E "5715|5716"

– Verify tickets at http://10.10.11.195/scp.

– [Insert Screenshot: Wazuh Alerts and Tickets]


Wazuh Alerts for Rules 5715 and 5716 and Corresponding osTicket Tickets.

3. Monitor Logs:

tail -f /var/ossec/logs/integrations.log
tail -f /var/ossec/logs/ossec.log

3.6 Step 5: Troubleshooting


• Wazuh Manager Fails:

– Check:

journalctl -xeu wazuh-manager.service

[Insert Screenshot: Wazuh Manager Logs]


Checking Wazuh Manager Errors with journalctl -xeu wazuh-manager.service.

• No Tickets Generated:
– Verify wazuh-execd:

tail -f /var/ossec/logs/ossec.log | grep execd

– Test as wazuh user:


sudo -u wazuh /var/ossec/integrations/custom-osticket.sh /var/ossec/logs/alerts/alerts.json 7FF72F0C79A3D691128555D105F61793 http://10.10.11.195/api/tickets.json debug

– Check integration logs:

tail -f /var/ossec/logs/integrations.log

Monitoring Integration Logs for Ticket Creation Issues.

– Use logtest:
/var/ossec/bin/wazuh-logtest

Input: May 15 12:25:07 Wazuh2 sshd-session[76661]: Accepted password for Wazuh from 10.10.110.156 port 63080 ssh2

• ossec.conf Error:

– Share the <ossec_config> section if XML errors persist:

cat /var/ossec/etc/ossec.conf | grep -A 10 -B 10 "<ossec_config>"

Note: If automatic ticket generation fails, ensure wazuh-execd is running and the
API key is correctly configured. Contact DIAMATIX support for persistent issues.

4. Conclusion
This guide enables seamless integration of Wazuh with osTicket for security incident ticketing, as demonstrated by the test ticket. By following the osTicket installation, the active response configuration for rules 5715 and 5716, and the troubleshooting steps, organizations can improve incident response efficiency.
