Local configuration (ossec.conf)
The ossec.conf
file is the main configuration file on the Wazuh manager and it also plays an important role on the agents. It is located at /var/ossec/etc/ossec.conf
both in the manager and agent on Linux machines. On Windows agents, we can find it at C:\Program Files (x86)\ossec-agent\ossec.conf
. It is recommended that you back up this file before making changes to it, as an error in the configuration can prevent Wazuh services from starting up.
The ossec.conf
file is in XML format and all of its configuration options are nested in their appropriate section of the file. In this file, the outermost XML tag is <ossec_config>
. Here is an example of the proper location of the alerts configuration section:
<ossec_config>
<alerts>
<!--
alerts options here
-->
</alerts>
</ossec_config>
The agent.conf
file is very similar to ossec.conf
except that it is used to centrally distribute configuration information to agents. See more here.
Wazuh can be installed in two ways: as a manager by using the "server/manager" installation type and as an agent by using the "agent" installation type.
Configuration sections |
Supported installations |
---|---|
manager, agent |
|
manager |
|
manager |
|
manager |
|
agent |
|
agent |
|
manager |
|
manager |
|
manager |
|
manager |
|
manager |
|
manager |
|
manager, agent |
|
manager, agent |
|
manager, agent |
|
manager |
|
manager |
|
manager, agent |
|
manager, agent |
|
manager |
|
manager, agent |
|
manager, agent |
|
manager |
|
manager, agent |
|
manager, agent |
|
manager, agent |
|
manager |
|
manager, agent |
|
manager |
|
manager, agent |
|
manager, agent |
|
manager |
|
manager |
|
manager, agent |
All of the above sections must be located within the top-level <ossec_config>
tag.