Internal configuration
The main configuration is located in the ossec.conf file; however, some internal configuration features are located in the /var/ossec/etc/internal_options.conf file.
Generally, this file is reserved for debugging and troubleshooting. Any error in this file may cause your installation to malfunction or fail to run.
Warning
This file will be overwritten during upgrades. In order to maintain custom changes, you must use the /var/ossec/etc/local_internal_options.conf file.
Agent

agent.tolerance
Description: Time in seconds after the agent buffer becomes full before a flooding alert is triggered.
Default value: 15
Allowed value: Any integer between 0 and 600.

agent.warn_level
Description: Percentage of occupied capacity in the agent buffer that triggers a warning alert.
Default value: 90
Allowed value: Any integer between 1 and 100.

agent.normal_level
Description: Percentage of occupied capacity in the agent buffer at which it returns to the normal state.
Default value: 70
Allowed value: Any integer between 0 and agent.warn_level - 1.

agent.min_eps
Description: Minimum events per second permitted in
Default value: 50
Allowed value: Any integer between 1 and 1000.

agent.debug
Description: Run the Unix agent's processes in debug mode.
Default value: 0
Allowed value: 0 (no debug output), 1 (standard debug output), 2 (verbose debug output)
Analysisd

analysisd.default_timeframe
Description: Analysisd default rule timeframe.
Default value: 360
Allowed value: Any integer between 60 and 360

analysisd.stats_maxdiff
Description: Analysisd stats maximum diff.
Default value: 999000
Allowed value: Any integer between 10 and 99999

analysisd.stats_mindiff
Description: Analysisd stats minimum diff.
Default value: 1250
Allowed value: Any integer between 10 and 999999

analysisd.stats_percent_diff
Description: Analysisd stats percentage (how much to differ from the average).
Default value: 150
Allowed value: Any integer between 5 and 9999

analysisd.fts_list_size
Description: Analysisd FTS list size.
Default value: 32
Allowed value: Any integer between 12 and 512

analysisd.fts_min_size_for_str
Description: Analysisd FTS minimum string size.
Default value: 14
Allowed value: Any integer between 6 and 128

analysisd.log_fw
Description: Enable the firewall log (written to logs/firewall/firewall.log).
Default value: 1
Allowed value: 0, 1

analysisd.decoder_order_size
Description: Maximum number of fields in a decoder (order tag).
Default value: 64
Allowed value: Any integer between 10 and 64

analysisd.geoip_jsonout
Description: Output GeoIP data in JSON alerts.
Default value: 0
Allowed value: 0, 1

analysisd.label_cache_maxage
Description: Time in seconds that agent labels are kept in the cache before being reloaded.
Default value: 0
Allowed value: Any integer between 0 and 60.

analysisd.show_hidden_labels
Description: Make hidden labels visible in alerts.
Default value: 0
Allowed value: 0, 1

analysisd.debug
Description: Debug level (manager installations).
Default value: 0
Allowed value: 0 (no debug output), 1 (standard debug output), 2 (verbose debug output)
DBD

dbd.reconnect_attempts
Description: The number of times ossec-dbd will attempt to reconnect to the database.
Default value: 10
Allowed value: Any integer between 1 and 9999
Logcollector

logcollector.loop_timeout
Description: File polling interval.
Default value: 2
Allowed value: Any integer between 1 and 120

logcollector.open_attempts
Description: Number of attempts to open a log file.
Default value: 8
Allowed value: Any integer between 2 and 298

logcollector.remote_commands
Description: Enable/disable Logcollector accepting remote commands from the manager.
Default value: 0
Allowed value: 0, 1

logcollector.vcheck_files
Description: Number of readings before checking files.
Default value: 64
Allowed value: Any integer between 0 and 1024

logcollector.max_lines
Description: Maximum number of logs read from the same file in each iteration.
Default value: 10000
Allowed value: Any integer between 100 and 100000.

logcollector.debug
Description: Debug level (used in manager or Unix agent installations).
Default value: 0
Allowed value: 0 (no debug output), 1 (standard debug output), 2 (verbose debug output)
Maild

maild.strict_checking
Description: Toggle to enable or disable strict checking.
Default value: 1
Allowed value: 0, 1

maild.grouping
Description: Toggle to enable or disable grouping of alerts into a single email.
Default value: 1
Allowed value: 0, 1

maild.full_subject
Description: Toggle to enable or disable the full subject in alert emails.
Default value: 0
Allowed value: 0, 1

maild.geoip
Description: Toggle to enable or disable GeoIP data in alert emails.
Default value: 1
Allowed value: 0, 1
Monitord

monitord.day_wait
Description: Number of seconds to wait before compressing or signing the files.
Default value: 10
Allowed value: Any integer between 5 and 240

monitord.compress
Description: Toggle to enable or disable log file compression.
Default value: 1
Allowed value: 0, 1

monitord.sign
Description: Toggle to enable or disable signing of the log files.
Default value: 1
Allowed value: 0, 1

monitord.monitor_agents
Description: Toggle to enable or disable monitoring of agents.
Default value: 1
Allowed value: 0, 1

monitord.keep_log_days
Description: Number of days to keep rotated internal logs.
Default value: 31
Allowed value: 0, 500
Remoted

remoted.recv_counter_flush
Description: Flush rate for the receive counter.
Default value: 128
Allowed value: Any integer between 10 and 999999

remoted.comp_average_printout
Description: Compression averages printout.
Default value: 19999
Allowed value: Any integer between 10 and 999999

remoted.verify_msg_id
Description: Toggle to enable or disable verification of the message ID.
Default value: 0
Allowed value: 0, 1

remoted.pass_empty_keyfile
Description: Toggle to enable or disable acceptance of an empty client.keys file.
Default value: 1
Allowed value: 0, 1

remoted.debug
Description: Debug level (manager installation).
Default value: 0
Allowed value: 0 (no debug output), 1 (standard debug output), 2 (verbose debug output)
Syscheck

syscheck.sleep
Description: Number of seconds to sleep after reading syscheck.sleep_after files.
Default value: 2
Allowed value: Any integer between 0 and 64

syscheck.sleep_after
Description: Number of files to read before sleeping for syscheck.sleep seconds.
Default value: 15
Allowed value: Any integer between 1 and 9999

syscheck.debug
Description: Debug level (used in manager and Unix agent installations).
Default value: 0
Allowed value: 0 (no debug output), 1 (standard debug output), 2 (verbose debug output)
Rootcheck

rootcheck.sleep
Description: Number of milliseconds to sleep after reading one PID or suspicious port. New in version 2.1.
Default value: 50
Allowed value: Any integer from 0 to 50.
Wazuh_database
The Wazuh core uses list-based databases to store information related to agent keys and FIM / Rootcheck event data. This information is highly optimized for handling by the core.
In order to provide well-structured data that can be accessed by the user or the Wazuh API, new SQLite-based databases have been introduced in the Wazuh manager. The Database Synchronization Module is a user-transparent component that collects the following information from the core:
Agent's name, address, encryption key, last connection time, operating system, agent version and shared configuration hash.
FIM data: creation, modification and deletion of regular files and Windows registry entries.
Rootcheck findings: issue message, first detection date and last alert time.
Static core settings, such as the maximum permitted agents or whether SSL is enabled for Authd.
Note
The Wazuh Database Synchronization Module starts automatically on the server and local profiles and requires no configuration; however, some optional settings are available.
The module uses Linux inotify to monitor changes to every log file in real time. Databases are updated as soon as possible after a change is detected. If inotify is not supported (for example, on operating systems other than Linux), every log file is scanned continuously for changes, with a default delay of one minute between scans.
How to disable the module
To disable the Wazuh Database Synchronization Module, the sync directives must be set to 0 in the etc/local_internal_options.conf file as shown below:
wazuh_database.sync_agents=0
wazuh_database.sync_syscheck=0
wazuh_database.sync_rootcheck=0
Once these settings have been adjusted, save the file and restart Wazuh. With the above settings, the Database Synchronization Module will not be loaded when Wazuh starts.
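Because any error in this file can stop the installation from running, it is worth checking a local_internal_options.conf fragment before applying it. The following validator is an added example, not Wazuh's own code: it parses the key=value format, checks a subset of the ranges documented on this page (extend ALLOWED for the rest), and enforces the cross-field rule that agent.normal_level must stay below agent.warn_level; the sample fragment is constructed.

```python
import re

# Inclusive ranges copied from the tables on this page (a subset; extend as needed).
# None as upper bound means "agent.warn_level - 1", the page's cross-field rule.
ALLOWED = {
    "agent.tolerance": (0, 600),
    "agent.warn_level": (1, 100),
    "agent.normal_level": (0, None),
    "agent.debug": (0, 2),
    "wazuh_database.sync_agents": (0, 1),
    "wazuh_database.sync_syscheck": (0, 1),
    "wazuh_database.sync_rootcheck": (0, 1),
}
DEFAULT_WARN_LEVEL = 90  # documented default, used when warn_level is not overridden
LINE = re.compile(r"^\s*([a-z_]+\.[a-z_]+)\s*=\s*(-?\d+)\s*$")

def parse(text):
    """Return ({option: int}, [errors]) for key=value text; '#' starts a comment."""
    values, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            errors.append(f"line {n}: malformed entry {raw.strip()!r}")
            continue
        values[m.group(1)] = int(m.group(2))
    return values, errors

def validate(text):
    """Return a list of problems; an empty list means the fragment is safe to apply."""
    values, errors = parse(text)
    for key, val in values.items():
        if key not in ALLOWED:  # not in our subset; nothing to check
            continue
        lo, hi = ALLOWED[key]
        if hi is None:
            hi = values.get("agent.warn_level", DEFAULT_WARN_LEVEL) - 1
        if not lo <= val <= hi:
            errors.append(f"{key}={val}: allowed range is {lo}..{hi}")
    return errors

# Constructed sample: the three sync lines from this page plus two bad entries.
SAMPLE = ("wazuh_database.sync_agents=0\nwazuh_database.sync_syscheck=0\n"
          "wazuh_database.sync_rootcheck=0\nagent.warn_level=80\n"
          "agent.normal_level=85  # must stay below warn_level\nagent.debug = 3\n")
```

Run validate() on the file contents before restarting Wazuh; the three sync lines pass, while the two constructed bad entries are reported with their permitted ranges.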
wazuh_database.sync_agents
Description: Synchronize the agent database with client.keys.
Default value: 1
Allowed value: 0, 1

wazuh_database.sync_syscheck
Description: Synchronize FIM data with the Syscheck database.
Default value: 1
Allowed value: 0, 1

wazuh_database.sync_rootcheck
Description: Synchronize policy monitoring data with the Rootcheck database.
Default value: 1
Allowed value: 0, 1

wazuh_database.full_sync
Description: Full data synchronization.
Default value: 0
Allowed value: 0, 1

wazuh_database.sleep
Description: Interval to sleep between cycles. Only necessary if inotify is not available.
Default value: 60
Allowed value: Any integer between 0 and 86400 (seconds)

wazuh_database.max_queued_events
Description: Maximum number of queued events (only if inotify is available).
Default value: 0 (use the system default value)
Allowed value: Any integer between 0 and 2147483647
Wazuh_modules

wazuh_modules.task_nice
Description: Indicates the priority of the tasks. A lower value means a higher priority.
Default value: 10
Allowed value: Any integer between -20 and 19

wazuh_modules.max_eps
Description: Maximum number of events per second sent by the OpenSCAP Wazuh module.
Default value: 1000
Allowed value: Any integer between 100 and 1000

wazuh_modules.debug
Description: Debug level.
Default value: 0
Allowed value: 0 (no debug output), 1 (standard debug output), 2 (verbose debug output)
Windows

windows.debug
Description: Debug level (used in Windows agent installations).
Default value: 0
Allowed value: 0 (no debug output), 1 (standard debug output), 2 (verbose debug output)