global
Global configuration generally applies to features that affect the system as a whole, rather than just one component.
Options
alerts_log
This enable or disable writing alerts to /var/ossec/logs/alerts/alerts.log
.
Default value |
yes |
Allowed values |
yes, no |
Warning
Disabling JSON and plain text formated alerts simultaneously is not compatible with the integrator, syslog client and email features.
email_notification
This enable or disables email alerting.
Default value |
no |
Allowed values |
yes, no |
email_to
This specifies the email recipient for alerts.
Note
To use granular email configurations, a base configuration is necessary in the section.
Default value |
n/a |
Allowed values |
Any valid email address |
Use this section repeatedly for multiple email addresses, once per addresses.
email_from
This controls the “source” address in email alerts.
Default value |
n/a |
Allowed values |
Any valid email address |
email_reply_to
This controls the “reply-to” address in email alerts.
Default value |
n/a |
Allowed values |
Any valid email address |
smtp_server
This controls what SMTP server to forward email alerts to for delivery.
Default value |
n/a |
Allowed values |
|
email_maxperhour
This specifies the maximum number of emails to be sent per hour. All emails in excess of this setting will be queued for later distribution.
Note
At the end of the hour any queued emails will be sent together in one email. This is true whether mail grouping is enabled or disabled.
Default value |
12 |
Allowed values |
Any number from 1 to 9999 |
email_idsname
The name will be added to the email headers with the specified value.
Default value |
n/a |
Allowed values |
Any name |
custom_alert_output
This specifies the format of alerts written to alerts.log
. Check the allowed values for custom_alert_output
in the following table:
Variable name |
Description |
---|---|
$TIMESTAMP |
The time the event was processed by OSSEC. |
$FTELL |
Unknown |
$RULEALERT |
Unknown |
$HOSTNAME |
Hostname of the system generating the event. |
$LOCATION |
The file the log messages was saved to. |
$RULEID |
The rule id of the alert. |
$RULELEVEL |
The rule level of the alert. |
$RULECOMMENT |
Unknown |
$SRCIP |
The source IP specified in the log message. |
$DSTUSER |
The destination user specified in the log message. |
$FULLLOG |
The original log message. |
$RULEGROUP |
The groups containing the rule. |
stats
This controls the severity level assigned to events generated by statistical analysis.
Default value |
8 |
Allowed values |
Any level from 0 to 16 |
logall
This controls whether or not to store all events received even when they do not trip a rule. This results in output to /var/ossec/logs/archives/archives.log
Default value |
no |
Allowed values |
yes or no |
memory_size
This sets the memory size for the event correlation engine.
Default value |
1024 |
Allowed values |
Any size from 16 to 5096 |
white_list
This is a list of IP addresses that should never be blocked with active response. Repeat this option for multiple IPs, one IP per line. This option is only valid in server and local installs.
Default value |
n/a |
Allowed values |
Any IP address or netblock |
host_information
The controls the severity level for events generated by the host change monitor.
Default value |
8 |
Allowed values |
Can be used any level from 0 to 16 |
jsonout_output
This enables/disables writing of JSON-formated alerts to /var/ossec/logs/alerts/alerts.json. This will include the same events that would be sent to alerts.log, but in JSON format.
Default value |
no |
Allowed values |
The options allowed are yes or no. |
prelude_output
Enables or disables Prelude output.
Default value |
yes |
Allowed values |
The options allowed are yes or no. |
picviz_output
Enable PicViz output.
Default value |
n/a |
Allowed values |
yes |
picviz_socket
This is the full path of the socket that Wazuh will write alerts/events to for PicViz to read.
Default value |
n/a |
Allowed values |
file and path that Wazuh will create and feed events to |
zeromq_output
Enable ZeroMQ output.
Default value |
n/a |
Allowed values |
The options allowed are yes or no. |
zeromq_uri
This is the ZeroMQ URI that the publisher socket will bind to.
Default value |
n/a |
Allowed values |
This URI format is defined by the ZeroMQ project. |
For example, this will listen for ZeroMQ subscribers on IP address 127.0.0.1:11111.
<zeromq_uri>tcp://localhost:11111/</zeromq_uri>
This will listen on port 21212 for ZeroMQ subscribers, binding to the IP address assigned to eth0.
<zeromq_uri>tcp://eth0:21212/</zeromq_uri>
This will listen for zeromq on the Unix Domain socket /alerts-zmq.
<zeromq_uri>ipc:///alerts-zmq</zeromq_uri>
geoip_db_path
This is the full path to the MaxMind GeoIP IPv4 database file.
Default value |
n/a |
Allowed values |
Path to the GeoIP IPv4 database file location |
Example
<geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
Default configuration
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
</global>