A pipeline for ingesting JumpCloud events into Wazuh
This integration is designed to run on a Wazuh Manager system, where it interacts with the JumpCloud API in order to pull events.
Events pulled from JumpCloud:
- System Events
- Directory Events
- SSO Events
- LDAP Events
- Radius Events
Events that do not match any rule are set to level 0 and are therefore ignored by Wazuh.
Rules are found in rules/jumpcloud_rules.xml.
Requirements:
- A valid JumpCloud API Key
- An installation of Wazuh
- SSH access to your Wazuh Manager server
Note: the paths below are examples; you can use any path you like.
# Create directories
mkdir -p /opt/jumpcloud
# Download the latest release
wget https://github.com/lbrictson/wazuh-jumpcloud-integration/releases/download/0.0.3/wazuh-jumpcloud-integration -O /opt/jumpcloud/wazuh-jumpcloud-integration
# Setup the config file
wget https://raw.githubusercontent.com/lbrictson/wazuh-jumpcloud-integration/master/config/config.json -O /opt/jumpcloud/config.json
# Place your JumpCloud API Key in the config file
sed -i 's/this-is-not-a-real-key/YOUR-JUMPCLOUD-API-KEY-HERE/g' /opt/jumpcloud/config.json
# Note: if you are running JumpCloud in multi-tenant mode you will also need to include your org_id in the config file.
# Reference this document: https://docs.jumpcloud.com/api/1.0/index.html#section/Multi-Tenant-Portal-Headers
# To add your org id (again, only if multi-tenant) open the config file with your favorite editor (vi in this case) and fill in the org_id field
vi /opt/jumpcloud/config.json
# Setup permissions
chmod +x /opt/jumpcloud/wazuh-jumpcloud-integration
chown -R root:wazuh /opt/jumpcloud
Once all the components are in place it is time to modify the Wazuh configuration. Always back up your configuration before making changes.
# Edit the ossec.conf file to add the JumpCloud integration
vim /var/ossec/etc/ossec.conf
Add the following to the ossec.conf file. Change any paths if you customized the installation location. Optionally change the interval; 5m will keep you under the JumpCloud API rate limits.
<wodle name="command">
  <disabled>no</disabled>
  <tag>jumpcloud</tag>
  <command>/bin/bash -c "/opt/jumpcloud/wazuh-jumpcloud-integration /opt/jumpcloud/config.json /opt/jumpcloud/output.log"</command>
  <interval>5m</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
</wodle>
Add a block to the ossec.conf file to configure the JumpCloud log file. This instructs Wazuh to ingest the logs emitted by the integration.
<localfile>
  <log_format>json</log_format>
  <location>/opt/jumpcloud/output.log</location>
</localfile>
Lastly, add the ruleset
wget https://raw.githubusercontent.com/lbrictson/wazuh-jumpcloud-integration/main/rules/jumpcloud.xml -O /var/ossec/etc/rules/jumpcloud_rules.xml
chown wazuh:wazuh /var/ossec/etc/rules/jumpcloud_rules.xml
Restart the Wazuh Manager
systemctl restart wazuh-manager
Monitor the logs to check that the integration is working
tail -f /var/ossec/logs/ossec.log
If you are having issues with the integration you can run it manually to see what is happening
/opt/jumpcloud/wazuh-jumpcloud-integration /opt/jumpcloud/config.json /opt/jumpcloud/output.log
The integration program relies on the config.json file to locate the JumpCloud API key. The same file is also updated automatically with the time of the last successful run.
Each time the integration runs it reads that timestamp from the config file and only gathers events that occurred since then.
Events are written as JSON into the designated output file; Wazuh then reads the output file and ingests the events.
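To make the checkpointing behaviour concrete, here is an added Python sketch of one collection cycle; it is not the project's own code. It assumes config keys named `api_key`, `org_id` and `last_run` (the real key names are not documented here), uses the JumpCloud Directory Insights endpoint with its `x-api-key` / `x-org-id` headers, and assumes a one-hour lookback on the very first run.

```python
import json
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

# JumpCloud Directory Insights endpoint; the five service names are the event sources listed above.
API_URL = "https://api.jumpcloud.com/insights/directory/v1/events"
SERVICES = ["systems", "directory", "sso", "ldap", "radius"]


def rfc3339(dt):
    """Format a UTC datetime the way the Directory Insights API expects start_time."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def fetch_events(api_key, org_id, start_time):
    """Query Directory Insights for all events since start_time (returns a JSON array)."""
    body = json.dumps({"service": SERVICES, "start_time": start_time, "limit": 1000}).encode()
    headers = {"x-api-key": api_key, "Content-Type": "application/json"}
    if org_id:  # multi-tenant portals must also send the org id
        headers["x-org-id"] = org_id
    req = urllib.request.Request(API_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_once(config_path, output_path, fetch=fetch_events, now=None):
    """One cycle: read checkpoint, pull events, append JSON lines, then advance the checkpoint."""
    with open(config_path) as f:
        cfg = json.load(f)  # assumed keys: api_key, org_id, last_run
    now = now or datetime.now(timezone.utc)
    # First run has no checkpoint: assume a one-hour lookback (not specified by the project).
    start = cfg.get("last_run") or rfc3339(now - timedelta(hours=1))
    events = fetch(cfg["api_key"], cfg.get("org_id"), start)  # any failure raises before the checkpoint moves
    # One compact JSON object per line, which is what Wazuh's <log_format>json</log_format> expects.
    with open(output_path, "a") as out:
        for ev in events:
            out.write(json.dumps(ev, separators=(",", ":")) + "\n")
    cfg["last_run"] = rfc3339(now)  # only advanced after a successful pull and write
    with open(config_path, "w") as f:
        json.dump(cfg, f, indent=2)
    return len(events)


if __name__ == "__main__":
    # Same invocation shape as the real binary: <config.json> <output.log>
    print(run_once(sys.argv[1], sys.argv[2]))
```

Because `last_run` is written only after the events have been appended, a failed API call or a full disk simply causes the next cycle to re-request the same window rather than silently losing events.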
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Requests to update and modify the rules to match more events are welcome.