Wazuh server class

class wazuh::server


SMTP mail server.


Email "to" address(es), e.g. ['user1@mycompany.com','user2@mycompany.com'].


Email from address.

Default ossec@${domain}


Enable or disable active-response.

Default true


Enable rootcheck.

Default true


Frequency at which rootcheck is executed (in seconds).

Default 36000


Look for the presence of hidden ports.

Default true


Scan the whole filesystem looking for unusual files and permission problems.

Default true


Alerting level for the events generated by the host change monitor (from 0 to 16).

Default 8


Alerting level for the events generated by the statistical analysis (from 0 to 16).

Default 8


Threshold defining minimum severity for a rule to fire an email alert. Some rules circumvent this threshold (alert_email option).

Default 7


Paths for the OSSEC scan to ignore.

Default []


Paths for the OSSEC scan to check.


Allow white listing of IP addresses.

Default []


After enabling the Wazuh ruleset (either manually or via the automated script), look at the changes made to the ossec.conf file. You will need to put these same changes into the "$ossec_extra_rules_config" array parameter when declaring the wazuh::server class.

Default []


Paths of log files for OSSEC to monitor.


Whether or not to send email notifications.

Default yes


Maximum number of emails per hour (global configuration).

Default 12


Define the IDS name used in email alerts.

Default undef


Frequency (in seconds) at which syscheck is executed; the default is every 22 hours.

Default 79200


Specifies whether syscheck will ignore files that change too often (after the third change).

Default yes


Command to run to prevent prelinking from creating false positives.


This option can potentially impact performance negatively. The configured command will be run for each and every file checked.

Default false


Set service provider to Redhat on Redhat systems.

Default $::ossec::params::ossec_service_provide


Port to allow communication between manager and agents.

Default '1514'


Package version to install; client.pp and server.pp accept package versions as a parameter.

Default installed


Install Wazuh through Wazuh repositories.

Default true


Install the EPEL repo and inotify-tools.

Default true


Manage client keys option.

Default true


Password for agent-auth.

Default undef


A comma separated list of increasing timeouts in minutes for repeat offenders.

There can be a maximum of 5 entries.

Default empty


Allows a Wazuh manager to send the OSSEC alerts to one or more syslog servers.

Default false


The IP Address of the syslog server.

Default undef


Format of alert output.

Default undef


Enable the OpenSCAP configuration in ossec.conf.

Default false


Allows using a custom local_decoder.xml on the manager.

Default wazuh/local_decoder.xml.erb


Allows using a custom local_rules.xml on the manager.

Default wazuh/local_rules.xml.erb


Enable the configuration deployed to agents through agent.conf.

Default wazuh/ossec_shared_agent.conf.erb


Follow the instructions on ossec-scanpaths.

Default [ {'path' => '/etc,/usr/bin,/usr/sbin', 'report_changes' => 'no', 'realtime' => 'no'}, {'path' => '/bin,/sbin', 'report_changes' => 'yes', 'realtime' => 'yes'} ]


Consequently, if you add or remove any of the Wazuh rules later on, you'll need to ensure you add/remove the appropriate bits in the $ossec_extra_rules_config array parameter as well.

function wazuh::email_alert


Email to send to.


An array of rule group names.

Default false


No email will be sent for alerts with a severity below the global $ossec_email_alert_level, unless the rule has alert_email set.

function wazuh::command


Human readable name for wazuh::activeresponse usage.


Name of the executable. OSSEC comes preloaded with disable-account.sh, host-deny.sh, ipfw.sh, pf.sh, route-null.sh, firewall-drop.sh, ipfw_mac.sh, ossec-tweeter.sh, restart-ossec.sh.


Default srcip


Default true

function wazuh::activeresponse


Human readable name for wazuh::activeresponse usage.


It can be set to local, server, defined-agent, all.

Default local


Can take values between 0 and 16.

Default 7


List of rule IDs.

Default []


How long (in seconds) the active response blocks for; active responses usually block for a limited time.

Default 300


A comma separated list of increasing timeouts in minutes for repeat offenders. There can be a maximum of 5 entries.

Default empty

function wazuh::addlog


Name for this Wazuh log entry.


Path to log file.

Default false


Path to log file.


The OSSEC log_format of the file.

Default syslog
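As an added example (not code from this page or from the wazuh-puppet module), the following manifest wires the server class and the four defined types together, so that the rule files added by the Wazuh ruleset are kept in ossec.conf across Puppet runs and a low-severity rule group still reaches the mailbox. Only ossec_extra_rules_config, ossec_email_alert_level and ossec_scanpaths are named on this page; every other parameter name, the rule file names, the address, host and paths are assumptions to verify against the module's manifests.

```puppet
# Added example; not from the wazuh-puppet module. Parameter names other than
# ossec_extra_rules_config, ossec_email_alert_level and ossec_scanpaths are
# assumed from the module's usual naming: verify them in the manifests.
class { 'wazuh::server':
  ossec_emailto            => ['soc@example.com'],   # constructed address
  ossec_email_alert_level  => 10,                    # mail only for level >= 10 (see email_alert below)
  # Rule files the Wazuh ruleset installer added as <include> lines in ossec.conf.
  # If they are not listed here, the next Puppet run rewrites ossec.conf without them.
  ossec_extra_rules_config => ['EXAMPLE_ruleset_file_1.xml', 'EXAMPLE_ruleset_file_2.xml'],  # placeholders
  ossec_scanpaths          => [
    { 'path' => '/etc,/usr/bin,/usr/sbin', 'report_changes' => 'no',  'realtime' => 'no'  },
    { 'path' => '/bin,/sbin',              'report_changes' => 'yes', 'realtime' => 'yes' },
  ],
  ossec_ignorepaths        => ['/etc/mtab', '/etc/hosts.deny'],
  ossec_white_list         => ['10.0.0.5'],          # constructed: never block this host
  ossec_repeated_offenders => '30,60,120',           # minutes; at most 5 entries
}

# Mail every alert in these groups even when its level is below 10.
wazuh::email_alert { 'soc-rootcheck':
  alert_email => 'soc@example.com',
  alert_group => ['rootcheck', 'authentication_failed'],
}

# Register the bundled firewall-drop.sh so an active response can call it.
wazuh::command { 'firewall-drop':
  command_name       => 'firewall-drop',
  command_executable => 'firewall-drop.sh',
  command_expect     => 'srcip',
}

# Block the offending source IP on the manager for 10 minutes when the
# standard OSSEC sshd brute-force rule (5712) fires.
wazuh::activeresponse { 'block-ssh-bruteforce':
  command_name => 'firewall-drop',
  ar_location  => 'local',
  ar_level     => 10,
  ar_rules_id  => ['5712'],
  ar_timeout   => 600,
}

# Monitor an additional log file on the manager (assumed path).
wazuh::addlog { 'auditd':
  logfile => '/var/log/audit/audit.log',
  logtype => 'syslog',
}
```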