Local configuration

The ossec.conf file is the main configuration file on the Wazuh manager, and it also plays a role on the agents. It is located at /var/ossec/etc/ossec.conf both in the manager and agent. It is recommended you back up this file before making changes to it, as an error in the configuration can completely prevent Wazuh services from starting up.

The ossec.conf file is in XML format, and all configuration options are nested in their appropriate section of the file. In this file, the outermost XML tag is <ossec_config>. For example, here is an example of the proper location of the alerts configuration section:

<ossec_config>
    <alerts>
        <!--
        alerts options here
        -->
    </alerts>
</ossec_config>

The agent.conf file is very similar to ossec.conf except that it is used to centrally distribute configuration information to agents. See more here.

Wazuh can be installed in two possible ways: the Wazuh manager uses the "server/manager" installation type and agents use the "agent" installation type.

Configuration sections

Supported installations

active-response

manager, agent

agentless

manager

alerts

manager

auth

manager

client

agent

client_buffer

agent

cluster

manager

command

manager

database_output

manager

email_alerts

manager

global

manager

integration

manager

labels

manager, agent

localfile

manager, agent

logging

manager, agent

remote

manager

reports

manager

rootcheck

manager, agent

ruleset

manager

syscheck

manager, agent

syslog_output

manager

wodle name="open-scap"

manager, agent

All of the above sections must be located within the top-level <ossec_config> tag.