Here we describe a small Flask webhook service that receives anomaly alerts from an OpenSearch AD Monitor and writes concise, timestamped lines to a local log file. These entries can then be ingested by Wazuh (via a localfile block) for decoding, rule matching, and active response.
The service:
- exposes a single endpoint (POST /notify) for OpenSearch alert callbacks
- converts periodStart / periodEnd into your local time
- appends one timestamped line per alert to /var/log/ad_alerts.log

Setup:
1. Copy ad_alerts_webhook.py onto your webhook host (e.g. the Wazuh manager or a separate app server).
2. Install Flask:
pip3 install flask
3. Create the log file /var/log/ad_alerts.log and make it writable:
sudo touch /var/log/ad_alerts.log
sudo chmod 664 /var/log/ad_alerts.log
4. Edit the top of ad_alerts_webhook.py if you need to change:
LOG_FILE — path to the log file
HOST / PORT — which interface and port Flask should bind to
By default, the script runs on 0.0.0.0:8888.
5. Start the service:
python3 ad_alerts_webhook.py
In your OpenSearch AD Monitor, configure a Webhook action with:
{
"monitor": {
"name": ""
},
"trigger": {
"name": ""
},
"entity": "",
"periodStart": "",
"periodEnd": "",
"anomaly_grade": "",
"anomaly_confidence": ""
}
When the Monitor fires, OpenSearch will send exactly that JSON to your webhook.
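As an added example (not the page's own ad_alerts_webhook.py), here is how a handler can turn that payload into a single Wazuh-friendly line: it converts periodStart / periodEnd to local time and flattens every field so a stray newline in a value cannot forge extra log records. It assumes the Alerting plugin sends the two timestamps as ISO 8601 strings (e.g. "2024-05-01T12:00:00Z") and that Flask is present only where the script runs as the service.

```python
"""Webhook payload -> one log line. Added example, not the project's ad_alerts_webhook.py;
assumes periodStart/periodEnd are ISO 8601 strings, e.g. "2024-05-01T12:00:00Z"."""
from datetime import datetime, timezone
LOG_FILE = "/var/log/ad_alerts.log"  # same default as the page's script

def _clean(value, limit=200):
    """Flatten a field to one line so a crafted value cannot forge extra log records."""
    text = "" if value is None else str(value)
    return text.replace("\r", " ").replace("\n", " ").replace('"', "'")[:limit]

def _num(value):
    try:
        return float(value)
    except (TypeError, ValueError):  # absent or non-numeric grade/confidence
        return 0.0

def to_local(stamp, tz=None):  # ISO 8601 -> local time (or tz); unparsable input passes through sanitised
    try:
        dt = datetime.fromisoformat(str(stamp).replace("Z", "+00:00"))
    except ValueError:
        return _clean(stamp)
    if dt.tzinfo is None:  # the Alerting plugin emits UTC; treat naive values as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(tz).isoformat(timespec="seconds")

def format_alert(payload, now=None, tz=None):
    """Render the monitor's JSON as one key=value line a Wazuh decoder can split."""
    now = now or datetime.now(timezone.utc)
    monitor, trigger = payload.get("monitor") or {}, payload.get("trigger") or {}
    fields = [
        f'monitor="{_clean(monitor.get("name"))}"',
        f'trigger="{_clean(trigger.get("name"))}"',
        f'entity="{_clean(payload.get("entity"))}"',
        f'period_start="{to_local(payload.get("periodStart"), tz)}"',
        f'period_end="{to_local(payload.get("periodEnd"), tz)}"',
        f'grade={_num(payload.get("anomaly_grade")):.2f}',
        f'confidence={_num(payload.get("anomaly_confidence")):.2f}',
    ]
    return f"{now.astimezone(tz).isoformat(timespec='seconds')} ad_alert " + " ".join(fields)

if __name__ == "__main__":  # Flask is only imported when run as the service
    from flask import Flask, request
    app = Flask(__name__)
    @app.post("/notify")
    def notify():
        line = format_alert(request.get_json(force=True, silent=True) or {})
        with open(LOG_FILE, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        return {"status": "ok"}, 200
    app.run(host="0.0.0.0", port=8888)
```

A Wazuh decoder can then split the line on the `key="value"` pairs; the fixed `ad_alert` tag after the timestamp gives the prematch something stable to anchor on.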