This article was contributed by Rizky Satrio (R&D Product Manager at ITSEC Asia).

Background

We use OpenSearch Dashboard to visualize data from our honeypot. When we wanted to create an alert, we found that OpenSearch Dashboard currently only supports sending to Slack, Chime, Email, Amazon SNS or a Custom Webhook. It has no direct support for sending via a Telegram bot, so to make this work we had to create some kind of workaround.

Prerequisites

You should have set up your Telegram bot beforehand. There are plenty of tutorials on how to do it; this one gives a good explanation of how to set up a bot and connect it to a Telegram group: https://sean-bradley.medium.com/get-telegram-chat-id-80b575520659

Solution

First, we need to understand the basic concepts of creating an alert in OpenSearch Dashboard. There are several important concepts:

  • Monitor: this is where you create the query that runs on a schedule (for example, every 15 minutes).
  • Trigger: this is where you set the threshold for when to send the alert. The threshold is based on the query from the Monitor. For example, if your Monitor query checks whether any new log was ingested into OpenSearch in the last 15 minutes, you can set the Trigger to send the alert when the result of the query is 0. When the threshold condition is true, it triggers an Action.
  • Action: this is where you set up what happens after the Trigger condition is true. Here you configure the channel and the message. The channel currently only supports Slack, Chime, Email, Amazon SNS or Custom Webhook.

As you might have guessed, this article focuses on creating the channel that sends the alert to Telegram Messenger.

Our first attempt was to use the “Custom Webhook” option to send the alert to the Telegram bot. It did not work, because the format of the message that is sent differs from the format the Telegram API requires: the custom webhook sends the message as the body payload of a POST HTTP request, and Telegram expects something different. What we need is some kind of proxy that translates the request from OpenSearch Dashboard into a request the Telegram API can process.

Sending alert via Telegram

Below is the code example of the custom app that translates the request for the Telegram API. This code uses Spring Boot Starter Web 2.7.1 and Unirest 3.13.6.

For the complete code, you can check the repository: https://github.com/itsecasia-research/OpenSearchDashboard-Alert-To-Telegram-API
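To make the translation step concrete, here is an added Python rendition of the same proxy idea (it is not the article's Spring Boot code and not from the repository above): it accepts the Custom Webhook POST, checks a shared secret that you would configure as a header parameter on the OpenSearch side so that strangers cannot make the proxy send messages with your bot token, and forwards the body as one or more Telegram sendMessage calls, chunked to the 4096-character text limit. The header name, the listening port, and the placeholder token, chat id and secret are assumptions.

```python
import hmac
import json
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder settings (assumed): fill in from your own bot setup.
BOT_TOKEN = "REPLACE_WITH_BOT_TOKEN"
CHAT_ID = "REPLACE_WITH_CHAT_ID"
# Random secret configured as a header parameter on the Custom Webhook,
# so only OpenSearch can make the proxy spend the bot token.
SHARED_SECRET = "REPLACE_WITH_RANDOM_SECRET"
SECRET_HEADER = "X-Alert-Secret"          # header name is an assumption
TELEGRAM_MAX_TEXT = 4096                   # sendMessage text limit

def split_text(text, limit=TELEGRAM_MAX_TEXT):
    """Chunk a long alert so each piece fits one sendMessage call."""
    return [text[i:i + limit] for i in range(0, len(text), limit)] or [""]

def translate(body, token=BOT_TOKEN, chat_id=CHAT_ID):
    """Map the raw webhook body (the rendered alert) to (url, payload) pairs."""
    text = body.decode("utf-8", errors="replace").strip() or "(empty alert)"
    url = f"https://api.telegram.org/bot{token}/sendMessage"
    return [(url, {"chat_id": chat_id, "text": chunk}) for chunk in split_text(text)]

def forward(body):
    """Send each chunk to Telegram; never log 'url', it embeds the token."""
    for url, payload in translate(body):
        req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json"},
                                     method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            resp.read()

class AlertProxy(BaseHTTPRequestHandler):
    def do_POST(self):
        given = self.headers.get(SECRET_HEADER, "")
        if not hmac.compare_digest(given, SHARED_SECRET):
            self.send_response(403)
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            forward(body)
            self.send_response(200)
        except Exception:
            self.send_response(502)   # Telegram unreachable or rejected the call
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AlertProxy).serve_forever()
```

Point the Custom Webhook at this listener and put the same secret in its header parameters; a 403 in the OpenSearch alert history then means the header is missing or wrong, while a 502 means Telegram refused the call.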

Remarks

I hope that the explanation above is sufficient for you to start sending your OpenSearch Dashboard alerts via Telegram Messenger. If you have any questions or suggestions, please leave a comment below and I will try to answer as best I can. Cheers!

References and related articles

  1. https://core.telegram.org/bots/api
  2. https://opensearch.org/docs/latest/dashboards/index/
  3. https://github.com/itsecasia-research/OpenSearchDashboard-Alert-To-Telegram-API