Kris Springer's Tech Blog - Security Onion Alerts to Slack channel
Security Onion Alerts to Slack channel 7-25-25
Kris Springer


Security Onion has an existing method to output alerts to various platforms, but enabling it requires a Pro license. The following method accomplishes the same result with a script and cron. It checks for ‘high’ and ‘critical’ Custom detection alerts every 5 minutes, then sends the ‘name’ of each alert to Slack. If you want to adjust which Elasticsearch indexes the script monitors, ask Skynet.

Assumptions:
  • You have a running Security Onion server.
  • You have permissions to setup a Slack App to get the required Webhook URL.
  • You know something about Linux commands, cron, and scripts. If you have questions, ask Skynet for help.

In Slack API website:
  1. Log into your Slack workspace at https://slack.com/workspace-signin
  2. Go to https://api.slack.com
  3. Click Your Apps in the top right corner. If this is your first time, you’ll probably need to click Build.
  4. Click Create an App button
    Choose from scratch
    App Name: Security Onion Alerts
    Workspace: pick yours
  5. Click OAuth & Permissions from the sidebar
  6. Scroll down to the Bot Token Scopes section, click the Add an OAuth Scope button and choose:
    chat:write
    chat:write:customize
    users:write
  7. Optional: If you wish to restrict the use of this app so it only works from your Xymon Server’s IP range, scroll down to the ‘Restrict API Token Usage’ section and define your Xymon Server’s WAN IP, then click the ‘Save IP address ranges’ button.
  8. Scroll up and click the Install to Workspace button. You’ll be asked to Allow the app in your workspace.
  9. You now have the Webhook URL that’s required in the alert script below.
  10. You can also customize the app’s avatar icon and description if you wish. That’s in the ‘Basic Information’ section found on the left sidebar menu. I suggest this.
    App name: SO-Alert
    Description: Notifications from Security Onion Server
    Icon: upload your desired icon

In Slack app interface:
  1. Create new channel where alerts will be sent. It can be private or public.
    We’ll call ours security-onion
  2. Add the new app to the channel by typing /invite and choosing Add apps to this channel and searching for your app name

In Security Onion Manager:
  1. Log into the Manager's terminal and note your working directory. You'll need it later for the cron command.
    Mine is /home/soadmin
    pwd
  2. Create the following script and enter the required credentials and webhook URL. You'll need an SO user/pass with at least the 'auditor' role for the script to query Alerts. I set up a user via the SOC web GUI just for this purpose.
    sudo nano alerts-to-slack.sh
#!/bin/bash
# Elasticsearch URL and index
ES_URL="https://localhost:9200"
INDEX=".ds-logs-detections*"

# Elasticsearch credentials (an SO user with at least the 'auditor' role)
USERNAME="ENTER-HERE"
PASSWORD="ENTER-HERE"

# Slack webhook URL for Slack channel = security-onion
SLACK_WEBHOOK_URL="ENTER-HERE"

# Calculate the current time and the time 5 minutes ago
current_time=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
start_time=$(date -u -d '5 minutes ago' +"%Y-%m-%dT%H:%M:%SZ")

# Elasticsearch query with time range filter
read -r -d '' QUERY <<EOF
{
  "query": {
    "bool": {
      "must": [
        { "terms": { "event.severity_label": ["high", "critical"] } },
        { "range": { "@timestamp": { "gte": "$start_time", "lte": "$current_time" } } }
      ]
    }
  },
  "_source": ["rule.name"]
}
EOF

# Execute the query with authentication; -k skips SSL certificate verification
response=$(curl -s -u "$USERNAME:$PASSWORD" -k -X POST "$ES_URL/$INDEX/_search" \
  -H 'Content-Type: application/json' -d "$QUERY")

# Check if the curl command was successful
if [ $? -ne 0 ]; then
  echo "Error: Failed to connect to Elasticsearch"
  exit 1
fi

# Check if the response contains hits ('// 0' covers a non-search reply, e.g. an auth error)
hits=$(echo "$response" | jq '.hits.total.value // 0')
if [ "$hits" -eq "0" ]; then
  echo "No high or critical severity events found in the last 5 minutes."
  exit 0
fi

# Parse and display the 'rule.name' fields
rule_names=$(echo "$response" | jq -r '.hits.hits[]._source.rule.name')

# Display the parsed rule names
if [ -z "$rule_names" ]; then
  echo "No high or critical severity event names found."
else
  echo "Parsed rule names (last 5 minutes):"
  echo "$rule_names"
  # Send the alert to Slack. jq builds the JSON body so that quotes and
  # newlines inside rule names are escaped and the payload stays valid JSON.
  slack_message="<https://so.yourdomain.com|SO Server> detected a :skull_and_crossbones:
$rule_names"
  payload=$(jq -n --arg text "$slack_message" '{text: $text}')
  curl -s -X POST -H 'Content-type: application/json' --data "$payload" "$SLACK_WEBHOOK_URL"
  echo "Alert sent to Slack."
fi
  3. Make it executable
    sudo chmod +x alerts-to-slack.sh
  4. Run it to test
    sudo ./alerts-to-slack.sh
  5. Set it up as a cron job running as root
    sudo crontab -e
    */5 * * * * /home/soadmin/alerts-to-slack.sh
  6. The script should now be running every 5 minutes, so trigger a ‘high’ or ‘critical’ alert in SO and see if Slack gets notified. A failed GUI login will flag a red alert. If you want to adjust which Elasticsearch indexes the script monitors, ask Skynet.
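The three pieces of logic the script chains together (build the time-windowed query, pull rule.name out of the _search response, wrap the names in a Slack webhook body) are shown below as an added Python example. It is not the author's script or Security Onion code; the sample response, the so.example.invalid URL and the function names are constructed for illustration. It goes slightly beyond the bash version in two ways: it treats a non-search reply (such as an auth error body) as "no hits" instead of failing on a null count, and it collapses repeated rule names into one line with a count, while json.dumps keeps the payload valid even when a rule name contains quotes or newlines.

```python
"""Added example: Security Onion detection alerts -> Slack, query/parse/payload
logic only. Standard library only; nothing here talks to the network unless you
call send_to_slack() yourself."""
import json
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

SEVERITIES = ("high", "critical")
INDEX = ".ds-logs-detections*"          # same index pattern as the blog script
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_query(now: datetime, window_minutes: int = 5) -> dict:
    """Same bool/terms/range query the bash script sends, as a dict.
    'size' is added because _search returns only 10 hits by default."""
    start = now - timedelta(minutes=window_minutes)
    return {
        "query": {
            "bool": {
                "must": [
                    {"terms": {"event.severity_label": list(SEVERITIES)}},
                    {"range": {"@timestamp": {"gte": start.strftime(TIME_FMT),
                                              "lte": now.strftime(TIME_FMT)}}},
                ]
            }
        },
        "_source": ["rule.name"],
        "size": 100,
    }


def extract_rule_names(response: dict) -> list:
    """Return rule.name from every hit; an empty list when there are no hits
    or when the body is not a search result (e.g. {"error": ...} on bad creds)."""
    hits = response.get("hits", {}).get("hits", [])
    names = []
    for hit in hits:
        name = hit.get("_source", {}).get("rule", {}).get("name")
        if name:
            names.append(name)
    return names


def build_slack_payload(rule_names, so_url="https://so.example.invalid") -> str:
    """JSON body for the Slack incoming webhook. Repeated names become 'name (xN)';
    json.dumps escapes quotes/newlines so the body is always valid JSON."""
    counts = Counter(rule_names)
    lines = [f"{name} (x{n})" if n > 1 else name for name, n in counts.items()]
    text = f"<{so_url}|SO Server> detected a :skull_and_crossbones:\n" + "\n".join(lines)
    return json.dumps({"text": text})


def send_to_slack(webhook_url: str, payload: str) -> int:
    """POST the payload to the webhook and return the HTTP status (not run in tests)."""
    req = urllib.request.Request(webhook_url, data=payload.encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample _search response, shaped like the one jq parses in the script.
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 3},
        "hits": [
            {"_source": {"rule": {"name": "SOC Login Failure"}}},
            {"_source": {"rule": {"name": "Suspicious \"powershell\" arg"}}},
            {"_source": {"rule": {"name": "SOC Login Failure"}}},
        ],
    }
}

if __name__ == "__main__":
    print(json.dumps(build_query(datetime.now(timezone.utc)), indent=2))
    names = extract_rule_names(SAMPLE_RESPONSE)
    print(build_slack_payload(names))
```

If you port this onto the Manager, verify the Elasticsearch certificate instead of reproducing the script's `-k` behaviour, and keep the SO user at the 'auditor' role the post recommends, since the script only needs to read detections.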

© Copyright 2025 WarriorSon Productions. All rights reserved.