Integrate Correlator functionality into OpenCanary

[Neleus]

How to exclude some logs from Alerting?
I'm using opencanary.logger.SocketJSONHandler in my OpenCanary conf.
To my email I've received next Alerts
{"dst_host": "192.168.1.121", "dst_port": "445", "local_time": "2022-07-19 11:09:28.443132", "local_time_adjusted": "2022-07-19 11:09:28.443529", "logdata": {"DF": "", "ID": "49799", "IN": "eth0", "LEN": "60", "MAC": "XX:XX:XX:XX:XX:XX", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "64", "URGP": "0", "WINDOW": "65535"}, "logtype": 5001, "node_id": "opencanary-node1", "src_host": "192.168.1.11", "src_port": "38610", "utc_time": "2022-07-19 11:09:28.443409"}
But I want to receive like this
{"dst_host": "192.168.1.121", "dst_port": "445", "local_time": "2022-07-19 11:09:28", "node_id": "opencanary-node1", "src_host": "192.168.1.11", "}
How to manage this Alert logs? Where are logs template can be edited?
Thanks for help.

[Neleus]

As I understand all templates are located in modules directory (opencanary/modules/portscan.py for example)
But how to manage Alert notifications as I describe upper need Your help to resolve.

[jayjb]

Hi @Survial,

We usually recommend Opencanary Correlator to help with alerting since Opencanary can produce a lot of logs. You can read about it over here. It is part of our roadmap to build in better alert handling and clean up the logs a bit, but we haven't got there yet.

[Neleus]

@jayjb
Opencanary Correlator uses old Python version 2.7 but on 3+ Python it doesn't work (it's a big problem).
It would be perfect to update it to Python3.
Thanks.

[manincharge]

Survial, you can run both simultaneously. A bit of a hassle, but doable.

[jayjb]

Hi @Survial,

Ye thats a good point; updating it to work with python3 would be useful. Im nervous the time spent on that, would be better spent on building in some better alert handling within the Opencanary project.

[Marco-ITSM]

Hi @jayjb,

are there any news on correlator/python3 support or better alert handling in Opencanary?

[dr-yurii]

I recommend using the n8n automation tool, and send all notifications from Opencanary to n8n.
With n8n you can sort the notifications.

[jayjb]

Hi @Marco-ITSM,

Currently, we haven't got enough person power available to put someone on this. We did actually have someone try do it but the result wasn't exactly what we wanted so we haven't shared it.

At this point, I am convinced that completely integrating Opencanary with Correlator would be a better option. Running two projects together to achieve a goal feels cumbersome.