Local configuration (ossec.conf)

The ossec.conf file is the main configuration file on the Wazuh manager, and it also plays an important role on the agents. On Linux machines it is located at /var/ossec/etc/ossec.conf on both the manager and the agent. On Windows agents, it is located at C:\Program Files (x86)\ossec-agent\ossec.conf. It is recommended that you back up this file before making changes to it, as an error in the configuration can prevent Wazuh services from starting up.

The ossec.conf file is in XML format and all of its configuration options are nested in their appropriate section of the file. In this file, the outermost XML tag is <ossec_config>. Here is an example of the proper location of the alerts configuration section:

        <ossec_config>
            <alerts>
                <!-- alerts options here -->
            </alerts>
        </ossec_config>

The agent.conf file is very similar to ossec.conf except that it is used to centrally distribute configuration information to agents. See more here.

Wazuh can be installed in two ways: as a manager by using the “server/manager” installation type and as an agent by using the “agent” installation type.

Configuration sections                  Supported installations
--------------------------------------  -----------------------
active-response                         manager, agent
agentless                               manager
alerts                                  manager
auth                                    manager
client                                  agent
client_buffer                           agent
cluster                                 manager
command                                 manager
database_output                         manager
email_alerts                            manager
global                                  manager
integration                             manager
labels                                  manager, agent
localfile                               manager, agent
logging                                 manager, agent
remote                                  manager
reports                                 manager
rootcheck                               manager, agent
sca                                     manager, agent
ruleset                                 manager
socket                                  manager, agent
syscheck                                manager, agent
syslog_output                           manager
wodle name="open-scap"                  manager, agent
wodle name="command"                    manager, agent
wodle name="cis-cat"                    manager, agent
wodle name="aws-s3"                     manager
wodle name="syscollector"               manager, agent
wodle name="vulnerability-detector"     manager
wodle name="osquery"                    manager, agent
wodle name="docker-listener"            manager, agent
wodle name="azure-logs"                 manager
wodle name="agent-key-polling"          manager
fluent-forward                          manager, agent

All of the above sections must be located within the top-level <ossec_config> tag.
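A pre-change check for the two rules above (every section sits inside <ossec_config>, and each section is only valid on the installation types listed in the table). This is an added example, not part of Wazuh: the function name check_ossec_conf and the sample configuration are constructed for illustration, and it assumes a file may contain more than one <ossec_config> block.

```python
import xml.etree.ElementTree as ET

# Section -> installation types, transcribed from the table on this page.
# wodle sections are keyed as "wodle:<name attribute>".
BOTH = ("active-response labels localfile logging rootcheck sca socket syscheck "
        "fluent-forward wodle:open-scap wodle:command wodle:cis-cat "
        "wodle:syscollector wodle:osquery wodle:docker-listener")
MANAGER_ONLY = ("agentless alerts auth cluster command database_output email_alerts "
                "global integration remote reports ruleset syslog_output wodle:aws-s3 "
                "wodle:vulnerability-detector wodle:azure-logs wodle:agent-key-polling")
SUPPORTED = {s: {"manager", "agent"} for s in BOTH.split()}
SUPPORTED.update({s: {"manager"} for s in MANAGER_ONLY.split()})
SUPPORTED.update({s: {"agent"} for s in ("client", "client_buffer")})

def check_ossec_conf(text, install_type):
    """Return a list of layout problems; an empty list means the checks passed."""
    # Assumption: the file may hold several <ossec_config> blocks, so wrap the
    # content in a synthetic root to parse it as a single XML document.
    try:
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for top in root:
        if top.tag != "ossec_config":
            problems.append(f"<{top.tag}> is outside <ossec_config>")
            continue
        for section in top:
            key = f"wodle:{section.get('name', '')}" if section.tag == "wodle" else section.tag
            allowed = SUPPORTED.get(key)
            if allowed is None:
                problems.append(f"unknown section: {key}")
            elif install_type not in allowed:
                problems.append(f"{key} is not supported on {install_type}")
    return problems

# Constructed sample: two <ossec_config> blocks plus a stray top-level section.
SAMPLE = """<ossec_config>
  <alerts><log_alert_level>3</log_alert_level></alerts>
  <wodle name="syscollector"><disabled>no</disabled></wodle>
</ossec_config>
<ossec_config>
  <localfile><location>/var/log/auth.log</location></localfile>
</ossec_config>
<syscheck><disabled>no</disabled></syscheck>
"""

if __name__ == "__main__":
    print(check_ossec_conf(SAMPLE, "agent"))
```

Running it against a copy of the edited file before restarting the service catches malformed XML and misplaced sections; it does not validate the options inside each section.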