Internal configuration
The main configuration is located in the ossec.conf file, however some internal configuration features are located in the /var/ossec/etc/internal_options.conf
file.
Generally, this file is reserved for debugging issues and for troubleshooting. Any error in this file may cause your installation to malfunction or fail to run.
Warning
This file will be overwritten during upgrades. In order to maintain custom changes, you must use the /var/ossec/etc/local_internal_options.conf
file.
Agent
agent.tolerance |
Description |
Time in seconds since the agent is full until trigger a flooding alert. |
Default value |
15 |
|
Allowed value |
Any integer between 0 and 600 |
|
agent.warn_level |
Description |
Percentage of occupied capacity in Agent buffer to trigger a warning alert. |
Default value |
90 |
|
Allowed value |
Any integer between 1 and 100 |
|
agent.normal_level |
Description |
Percentage of occupied capacity in Agent buffer to come back to normal state. |
Default value |
70 |
|
Allowed value |
Any integer between 0 and agent.warn_level - 1. |
|
agent.min_eps |
Description |
Minimum events per second permited in |
Default value |
50 |
|
Allowed value |
Any integer between 1 and 1000 |
|
agent.recv_timeout |
Description |
Maximum time (seconds) waiting for a server response by the TCP client socket. New in version 3.0.0. |
Default value |
60 |
|
Allowed value |
Any integer between 1 and 600 |
|
agent.state_interval |
Description |
Interval for agent status file updating in seconds. New in version 3.0.0. |
Default value |
5 |
|
Allowed value |
Any integer between 0 and 86400 |
|
agent.debug |
Description |
Run the unix agent’s processes in debug mode. |
Default value |
0 |
|
Allowed value |
0 : No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
Analysisd
analysisd.default_timeframe |
Description |
Analysisd default rule timeframe. |
Default value |
360 |
|
Allowed value |
Any integer between 60 and 360 |
|
analysisd.stats_maxdiff |
Description |
Analysisd stats maximum diff. |
Default value |
999000 |
|
Allowed value |
Any integer between 10 and 999999 |
|
analysisd.stats_mindiff |
Description |
Analysisd stats minimum diff. |
Default value |
1250 |
|
Allowed value |
Any integer between 10 and 999999 |
|
analysisd.stats_percent_diff |
Description |
Analysisd stats percentage (how much to differ from average). |
Default value |
150 |
|
Allowed value |
Any integer between 5 and 9999 |
|
analysisd.fts_list_size |
Description |
Analysisd FTS list size. |
Default value |
32 |
|
Allowed value |
Any integer between 12 and 512 |
|
analysisd.fts_min_size_for_str |
Description |
Analysisd FTS minimum string size. |
Default value |
14 |
|
Allowed value |
Any integer between 6 and 128 |
|
analysisd.log_fw |
Description |
Analysisd Enable the firewall log (at logs/firewall/firewall.log). |
Default value |
1 |
|
Allowed value |
0, 1 |
|
analysisd.decoder_order_size |
Description |
Maximum number of fields in a decoder (order tag). |
Default value |
64 |
|
Allowed value |
Any integer between 10 and 64 |
|
analysisd.geoip_jsonout |
Description |
Output GeoIP data at JSON alerts. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
analysisd.label_cache_maxage |
Description |
Time in seconds without reload labels in cache from agents. |
Default value |
0 |
|
Allowed value |
Any integer between 0 and 60 |
|
analysisd.show_hidden_labels |
Description |
Make hidden labels visible in alerts. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
analysisd.rlimit_nofile |
Description |
Maximum number of file descriptor that Analysisd can open. New in version 3.0.0. |
Default value |
16384 |
|
Allowed value |
Any integer between 1024 and 2147483647 |
|
analysisd.debug |
Description |
Debug level (manager installations) |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
DBD
dbd.reconnect_attempts |
Description |
The number of times ossec-dbd will attempt to reconnect to the database. |
Default value |
10 |
|
Allowed value |
Any integer between 1 and 9999 |
Execd
execd.request_timeout |
Description |
Timeout in seconds to execute remote requests. New in version 3.0.0. |
Default Value |
60 |
|
Allowed Value |
Any integer between 1 and 3600 |
|
execd.max_restart_lock |
Description |
Max timeout where the agent cannot restart while updating. New in version 3.0.0. |
Default Value |
600 |
|
Allowed Value |
Any integer between 0 and 3600 |
Logcollector
logcollector.loop_timeout |
Description |
File polling interval. |
Default value |
2 |
|
Allowed value |
Any integer between 1 and 120 |
|
logcollector.open_attempts |
Description |
Number of attempts to open a log file. |
Default value |
8 |
|
Allowed value |
Any integer between 2 and 298 |
|
logcollector.remote_commands |
Description |
Enable/disable Logcollector to accept remote commands from the manager. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
logcollector.vcheck_files |
Description |
Number of readings before checking files. |
Default value |
64 |
|
Allowed value |
Any integer between 0 and 1024 |
|
logcollector.max_lines |
Description |
Maximum number of logs read from the same file in each iteration. |
Default value |
10000 |
|
Allowed value |
Any integer between 100 and 100000 |
|
logcollector.debug |
Description |
Debug level (used in manager or unix agent installations) |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
Maild
maild.strict_checking |
Description |
Toggle to enable or disable strict checking. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
maild.grouping |
Description |
Toggle to enable or disable grouping of alerts into a single email. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
maild.full_subject |
Description |
Toggle to enable or disable full subject in alert emails. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
maild.geoip |
Description |
Toggle to enable or disable GeoIP data in alert emails. |
Default value |
1 |
|
Allowed value |
0, 1 |
Monitord
monitord.day_wait |
Description |
Amount of seconds to wait before compressing or signing the files. |
Default value |
10 |
|
Allowed value |
Any integer between 0 and 600 |
|
monitord.compress |
Description |
Toggle to enable or disable log file compression. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
monitord.sign |
Description |
Toggle to enable or disable signing the log files. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
monitord.monitor_agents |
Description |
Toggle to enable or disable monitoring of agents. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
monitord.rotate_log |
Description |
Toggle to enable or disable daily rotation of internal logs. New in version 3.0.0. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
monitord.keep_log_days |
Description |
Number of days to keep rotated internal logs. |
Default value |
31 |
|
Allowed value |
Any integer between 0 and 500 |
|
monitord.size_rotate |
Description |
Maximum size of internal log files in Megabytes for rotating them. New in version 3.0.0. |
Default value |
512 |
|
Allowed value |
Any integer between 0 and 4096 |
|
monitord.daily_rotations |
Description |
Maximum number of rotations per day for internal logs. New in version 3.0.0. |
Default value |
12 |
|
Allowed value |
Any integer between 1 and 256 |
Remoted
remoted.recv_counter_flush |
Description |
Flush rate for the receive counter. |
Default value |
128 |
|
Allowed value |
Any integer between 10 and 999999 |
|
remoted.comp_average_printout |
Description |
Compression averages printout. |
Default value |
19999 |
|
Allowed value |
Any integer between 10 and 999999 |
|
remoted.verify_msg_id |
Description |
Toggle to enable or disable verification of msg id. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
remoted.pass_empty_keyfile |
Description |
Toggle to enable or disable acceptance of empty client.keys. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
remoted.sender_pool |
Description |
Number of parallel threads to send shared file. New in version 3.0.0. |
Default Value |
8 |
|
Allowed Value |
Any integer between 1 and 64 |
|
remoted.request_pool |
Description |
Number of parallel threads to dispatch requests. New in version 3.0.0. |
Default Value |
8 |
|
Allowed Value |
Any integer between 1 and 64 |
|
remoted.request_timeout |
Description |
Timeout in seconds to reject a new request. New in version 3.0.0. |
Default Value |
10 |
|
Allowed Value |
Any integer between 1 and 600 |
|
remoted.response_timeout |
Description |
Timeout (seconds) to reject a request response. New in version 3.0.0. |
Default Value |
60 |
|
Allowed Value |
Any integer between 1 and 3600 |
|
remoted.request_rto_sec |
Description |
Retransmission timeout in seconds for UDP. New in version 3.0.0. |
Default Value |
1 |
|
Allowed Value |
Any integer between 0 and 60 |
|
remoted.request_rto_msec |
Description |
Retransmission timeout in milliseconds for UDP. New in version 3.0.0. |
Default Value |
0 |
|
Allowed Value |
Any integer between 0 and 999 |
|
remoted.max_attempts |
Description |
Maximum number of sending attempts. New in version 3.0.0. |
Default Value |
4 |
|
Allowed Value |
Any integer between 1 and 16 |
|
remoted.shared_reload |
Description |
Time interval (seconds) to reload shared files. New in version 3.0.0. |
Default Value |
10 |
|
Allowed Value |
Any integer between 1 and 18000 |
|
remoted.rlimit_nofile |
Description |
Maximum number of file descriptor that Remoted can open. New in version 3.0.0. |
Default value |
16384 |
|
Allowed value |
Any integer between 1024 and 2147483647 |
|
remoted.recv_timeout |
Description |
Maximum time in seconds waiting for a client response in TCP. New in version 3.0.0. |
Default value |
1 |
|
Allowed value |
Any integer between 1 and 60 |
|
remoted.debug |
Description |
Debug level (manager installation) |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
Syscheck
syscheck.sleep |
Description |
Number of seconds to sleep after reading syscheck.sleep_after number of files. |
Default value |
2 |
|
Allowed value |
Any integer between 0 and 64 |
|
syscheck.sleep_after |
Description |
Number of files to read before sleeping for syscheck.sleep seconds. |
Default value |
15 |
|
Allowed value |
Any integer between 1 and 9999 |
|
syscheck.debug |
Description |
Debug level (used in manager and unix agent installations). |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
Rootcheck
rootcheck.sleep |
Description |
Number of milliseconds to sleep after reading one PID or suspicious port. |
Default value |
50 |
|
Allowed values |
Any integer between 0 and 50 |
Wazuh_database
The Wazuh Database Synchronization Module starts automatically on the server and local profiles and requires no configuration. However, some optional settings are available.
The module uses inotify from Linux to monitor changes to every log file in real-time. Databases will be updated as soon as possible when a change is detected. If inotify is not supported, (for example, on operating systems other than Linux) every log file will be scanned continuously, looking for changes, with a default delay of one minute between scans.
How to disable the module
To disable the Wazuh Database Synchronization Module, the sync directives must be set to 0 in the etc/local_internal_options.conf
file as shown below:
wazuh_database.sync_agents=0
wazuh_database.sync_syscheck=0
wazuh_database.sync_rootcheck=0
Once these settings have been adjusted, save the file and restart Wazuh. With the above settings, the Database Synchronization Module will not be loaded when Wazuh starts.
wazuh_database.sync_agents |
Description |
Synchronize agent database with client.keys. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
wazuh_database.sync_syscheck |
Description |
Synchronize f.i.m. data with Syscheck database. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
wazuh_database.sync_rootcheck |
Description |
Synchronize policy monitoring data with Rootcheck database. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
wazuh_database.full_sync |
Description |
Full data synchronization. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
wazuh_database.real_time |
Description |
Synchronize data in real time (supported on Linux only). New in version 3.0.0. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
wazuh_database.interval |
Description |
Interval to sleep between cycles. Only used if real tyme sync is disabled. New in version 3.0.0. |
Default value |
60 |
|
Allowed value |
Any integer between 0 and 86400 (seconds) |
|
wazuh_database.max_queued_events |
Description |
Max number of queued events (only if inotify is available). |
Default value |
0 (use system default value) |
|
Allowed value |
Any integer between 0 and 2147483647 |
Wazuh_modules
wazuh_modules.task_nice |
Description |
Indicates the priority of the tasks. Lower Value, Higher priority. |
Default value |
10 |
|
Allowed value |
Any integer between -20 and 19 |
|
wazuh_modules.max_eps |
Description |
Maximum number of events per second sent by OpenSCAP Wazuh Module. |
Default value |
1000 |
|
Allowed value |
Any integer between 100 and 1000 |
|
wazuh_modules.debug |
Description |
Debug level |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
Windows
windows.debug |
Description |
Debug level (used in windows agent installations). |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |