This is the documentation for Wazuh 3.0. Check out the docs for the latest version of Wazuh!

global

XML section name

<global>
</global>

Global configuration generally applies to features that affect the system as a whole, rather than just one component.

Options

alerts_log

This enable or disable writing alerts to /var/ossec/logs/alerts/alerts.log.

Default value yes
Allowed values yes, no

Warning

Disabling JSON and plain text formated alerts simultaneously is not compatible with the integrator, syslog client and email features.

email_notification

This enable or disables email alerting.

Default value no
Allowed values yes, no

email_to

This specifies the email recipient for alerts.

Note

To use granular email configurations, a base configuration is necessary in the section.

Default value n/a
Allowed values Any valid email address

Use this section repeatedly for multiple email addresses, once per addresses.

email_from

This controls the “source” address in email alerts.

Default value n/a
Allowed values Any valid email address

email_reply_to

This controls the “reply-to” address in email alerts.

Default value n/a
Allowed values Any valid email address

smtp_server

This controls what SMTP server to forward email alerts to for delivery.

Default value n/a
Allowed values
  • Valid hostname or IP address.
  • Full path to a sendmail-like executable.

email_maxperhour

This specifies the maximum number of emails to be sent per hour. All emails in excess of this setting will be queued for later distribution.

Note

At the end of the hour any queued emails will be sent together in one email. This is true whether mail grouping is enabled or disabled.

Default value 12
Allowed values Any number from 1 to 9999

email_idsname

The name will be added to the email headers with the specified value.

Default value n/a
Allowed values Any name

custom_alert_output

This specifies the format of alerts written to alerts.log. Check the allowed values for custom_alert_output in the following table:

Variable name Description
$TIMESTAMP The time the event was processed by OSSEC.
$FTELL Unknown
$RULEALERT Unknown
$HOSTNAME Hostname of the system generating the event.
$LOCATION The file the log messages was saved to.
$RULEID The rule id of the alert.
$RULELEVEL The rule level of the alert.
$RULECOMMENT Unknown
$SRCIP The source IP specified in the log message.
$DSTUSER The destination user specified in the log message.
$FULLLOG The original log message.
$RULEGROUP The groups containing the rule.

stats

This controls the severity level assigned to events generated by statistical analysis.

Default value 8
Allowed values Any level from 0 to 16

logall

This controls whether or not to store all events received even when they do not trip a rule. This results in output to /var/ossec/logs/archives/archives.log

Default value no
Allowed values yes or no

memory_size

This sets the memory size for the event correlation engine.

Default value 1024
Allowed values Any size from 16 to 5096

white_list

This is a list of IP addresses that should never be blocked with active response. Repeat this option for multiple IPs, one IP per line. This option is only valid in server and local installs.

Default value n/a
Allowed values Any IP address or netblock

host_information

The controls the severity level for events generated by the host change monitor.

Default value 8
Allowed values Can be used any level from 0 to 16

jsonout_output

This enables/disables writing of JSON-formated alerts to /var/ossec/logs/alerts/alerts.json. This will include the same events that would be sent to alerts.log, but in JSON format.

Default value no
Allowed values The options allowed are yes or no.

prelude_output

Enables or disables Prelude output.

Default value yes
Allowed values The options allowed are yes or no.

zeromq_output

Enable ZeroMQ output.

Default value n/a
Allowed values The options allowed are yes or no.

zeromq_uri

This is the ZeroMQ URI that the publisher socket will bind to.

Default value n/a
Allowed values This URI format is defined by the ZeroMQ project.

For example, this will listen for ZeroMQ subscribers on IP address 127.0.0.1:11111.

<zeromq_uri>tcp://localhost:11111/</zeromq_uri>

This will listen on port 21212 for ZeroMQ subscribers, binding to the IP address assigned to eth0.

<zeromq_uri>tcp://eth0:21212/</zeromq_uri>

This will listen for zeromq on the Unix Domain socket /alerts-zmq.

<zeromq_uri>ipc:///alerts-zmq</zeromq_uri>

geoip_db_path

This is the full path to the MaxMind GeoIP IPv4 database file.

Default value n/a
Allowed values Path to the GeoIP IPv4 database file location

Example

<geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>

Default configuration

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>smtp.example.wazuh.com</smtp_server>
  <email_from>ossecm@example.wazuh.com</email_from>
  <email_to>recipient@example.wazuh.com</email_to>
  <email_maxperhour>12</email_maxperhour>
</global>