Internal configuration

The main configuration is located in the ossec.conf file, however some internal configuration features are located in the /var/ossec/etc/internal_options.conf file.

Generally, this file is reserved for debugging issues and for troubleshooting. Any error in this file may cause your installation to malfunction or fail to run.

Warning

This file will be overwritten during upgrades. In order to maintain custom changes, you must use the /var/ossec/etc/local_internal_options.conf file.

Agent

agent.tolerance

Description

Number of seconds the agent is full before triggering a flooding alert.

Default value

15

Allowed value

Any integer between 0 and 600

agent.warn_level

Description

Percentage of occupied capacity in agent buffer to trigger a warning alert.

Default value

90

Allowed value

Any integer between 1 and 100

agent.normal_level

Description

Percentage of occupied capacity in agent buffer to return to normal state.

Default value

70

Allowed value

Any integer between 0 and agent.warn_level - 1.

agent.min_eps

Description

Minimum events per second permitted in <client_buffer> configuration.

Default value

50

Allowed value

Any integer between 1 and 1000

agent.recv_timeout

Description

Maximum number of seconds to wait for server response from the TCP client socket.

New in version 3.0.0.

Default value

60

Allowed value

Any integer between 1 and 600

agent.state_interval

Description

Interval between the updates of the agent status file in seconds.

New in version 3.0.0.

Default value

5

Allowed value

Any integer between 0 and 86400

agent.debug

Description

Run the unix agent’s processes in debug mode.

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

agent.remote_conf

Description

Apply or refuse remote configuration.

New in version 3.1.0.

Default value

1

Allowed value

0: Remote configuration is disable.

1: Remote configuration is enable.

Analysisd

analysisd.default_timeframe

Description

Default rule time-frame.

Default value

360

Allowed value

Any integer between 60 and 360

analysisd.stats_maxdiff

Description

Stats maximum diff.

Default value

999000

Allowed value

Any integer between 10 and 999999

analysisd.stats_mindiff

Description

Stats minimum diff.

Default value

1250

Allowed value

Any integer between 10 and 999999

analysisd.stats_percent_diff

Description

Stats percentage (how much to differ from average).

Default value

150

Allowed value

Any integer between 5 and 9999

analysisd.fts_list_size

Description

FTS list size.

Default value

32

Allowed value

Any integer between 12 and 512

analysisd.fts_min_size_for_str

Description

FTS minimum string size.

Default value

14

Allowed value

Any integer between 6 and 128

analysisd.log_fw

Description

Toggles firewall log on and off (at logs/firewall/firewall.log).

Default value

1

Allowed value

0, 1

analysisd.decoder_order_size

Description

Maximum number of fields in a decoder (order tag).

Default value

64

Allowed value

Any integer between 10 and 64

analysisd.geoip_jsonout

Description

Toggle to turn on or off output of GeoIP data in JSON alerts.

Default value

0

Allowed value

0, 1

analysisd.label_cache_maxage

Description

Number of in seconds without reload labels in cache from agents.

Default value

0

Allowed value

Any integer between 0 and 60

analysisd.show_hidden_labels

Description

Make hidden labels visible in alerts.

Default value

0

Allowed value

0, 1

analysisd.rlimit_nofile

Description

Maximum number of file descriptors that Analysisd can open.

New in version 3.0.0.

Default value

16384

Allowed value

Any integer between 1024 and 2147483647

analysisd.debug

Description

Debug level (manager installations)

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

analysisd.min_rotate_interval

Description

Minimum interval between log rotations.

Supersedes max_output_size option.

New in version 3.1.0.

Default value

600

Allowed value

Any integer between 10 and 86400

Authd

authd.debug

Description

Debug level.

New in version 3.4.0.

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

DBD

dbd.reconnect_attempts

Description

Number of times ossec-dbd will attempt to reconnect to the database.

Default value

10

Allowed value

Any integer between 1 and 9999

Execd

execd.request_timeout

Description

Timeout in seconds to execute remote requests.

New in version 3.0.0.

Default Value

60

Allowed Value

Any integer between 1 and 3600

execd.max_restart_lock

Description

Maximum timeout that the agent cannot restart while updating.

New in version 3.0.0.

Default Value

600

Allowed Value

Any integer between 0 and 3600

execd.debug

Description

Debug level

New in version 3.4.0.

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

Integrator

integrator.debug

Description

Debug level.

New in version 3.4.0.

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

Logcollector

logcollector.loop_timeout

Description

File polling interval.

Default value

2

Allowed value

Any integer between 1 and 120

logcollector.open_attempts

Description

Number of attempts to open a log file.

Default value

8

Allowed value

Any integer between 2 and 298

logcollector.remote_commands

Description

Toggles Logcollector to accept remote commands from the manager or not.

Default value

0

Allowed value

0: Disable remote commands

1: Enable remote commands

logcollector.vcheck_files

Description

Number of readings before checking files.

Default value

64

Allowed value

Any integer between 0 and 1024

logcollector.max_lines

Description

Maximum number of logs read from the same file in each iteration.

Default value

10000

Allowed value

Any integer between 100 and 100000

logcollector.debug

Description

Debug level (used in manager or unix agent installations)

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

Maild

maild.strict_checking

Description

Toggle to enable or disable strict checking.

Default value

1

Allowed value

0, 1

maild.grouping

Description

Toggle to enable or disable grouping of alerts into a single email.

Default value

1

Allowed value

0, 1

maild.full_subject

Description

Toggle to enable or disable full subject in alert emails.

Default value

0

Allowed value

0, 1

maild.geoip

Description

Toggle to enable or disable GeoIP data in alert emails.

Default value

1

Allowed value

0, 1

Monitord

monitord.day_wait

Description

Number of seconds to wait before compressing or signing the files.

Default value

10

Allowed value

Any integer between 0 and 600

monitord.compress

Description

Toggle to enable or disable log file compression.

Default value

1

Allowed value

0, 1

monitord.sign

Description

Toggle to enable or disable signing the log files.

Default value

1

Allowed value

0, 1

monitord.monitor_agents

Description

Toggle to enable or disable monitoring of agents.

Default value

1

Allowed value

0, 1

monitord.rotate_log

Description

Toggle to enable or disable daily rotation of internal logs.

New in version 3.0.0.

Default value

1

Allowed value

0, 1

monitord.keep_log_days

Description

Number of days to keep rotated internal logs.

Default value

31

Allowed value

Any integer between 0 and 500

monitord.size_rotate

Description

Maximum size in Megabytes of internal logs to trigger rotation.

New in version 3.0.0.

Default value

512

Allowed value

Any integer between 0 and 4096

monitord.daily_rotations

Description

Maximum number of rotations per day for internal logs.

New in version 3.0.0.

Default value

12

Allowed value

Any integer between 1 and 256

monitord.debug

Description

Debug level

New in version 3.4.0.

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

Remoted

remoted.recv_counter_flush

Description

Flush rate for the receive counter.

Default value

128

Allowed value

Any integer between 10 and 999999

remoted.comp_average_printout

Description

Compression averages printout.

Default value

19999

Allowed value

Any integer between 10 and 999999

remoted.verify_msg_id

Description

Toggle to enable or disable verification of msg id.

Default value

0

Allowed value

0, 1

remoted.pass_empty_keyfile

Description

Toggle to enable or disable acceptance of empty client.keys.

Default value

1

Allowed value

0, 1

remoted.sender_pool

Description

Number of parallel threads to send the shared file.

New in version 3.0.0.

Default Value

8

Allowed Value

Any integer between 1 and 64

remoted.request_pool

Description

Number of parallel threads to dispatch requests.

New in version 3.0.0.

Default Value

8

Allowed Value

Any integer between 1 and 64

remoted.request_timeout

Description

Timeout in seconds to reject a new request.

New in version 3.0.0.

Default Value

10

Allowed Value

Any integer between 1 and 600

remoted.response_timeout

Description

Timeout in seconds to reject a request response.

New in version 3.0.0.

Default Value

60

Allowed Value

Any integer between 1 and 3600

remoted.request_rto_sec

Description

Re-transmission timeout in seconds for UDP.

New in version 3.0.0.

Default Value

1

Allowed Value

Any integer between 0 and 60

remoted.request_rto_msec

Description

Re-transmission timeout in milliseconds for UDP.

New in version 3.0.0.

Default Value

0

Allowed Value

Any integer between 0 and 999

remoted.max_attempts

Description

Maximum number of sending attempts.

New in version 3.0.0.

Default Value

4

Allowed Value

Any integer between 1 and 16

remoted.shared_reload

Description

Number of seconds between reloading of shared files.

New in version 3.0.0.

Default Value

10

Allowed Value

Any integer between 1 and 18000

remoted.rlimit_nofile

Description

Maximum number of file descriptors that Remoted can open.

New in version 3.0.0.

Default value

16384

Allowed value

Any integer between 1024 and 2147483647

remoted.recv_timeout

Description

Maximum number of seconds to wait for client response in TCP.

New in version 3.0.0.

Default value

1

Allowed value

Any integer between 1 and 60

remoted.debug

Description

Debug level (manager installation)

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

Syscheck

syscheck.sleep

Description

Number of seconds to sleep after reading syscheck.sleep_after number of files.

Default value

1

Allowed value

Any integer between 0 and 64

syscheck.sleep_after

Description

Number of files to read before sleeping for syscheck.sleep seconds.

Default value

100

Allowed value

Any integer between 1 and 9999

syscheck.debug

Description

Debug level (used in manager and unix agent installations).

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

syscheck.rt_delay

Description

Time in milliseconds for delay between alerts in real-time.

New in version 3.4.0.

Default value

10

Allowed value

Any integer between 1 and 1000

syscheck.max_fd_win_rt

Description

Maximum numbers of directories can be configured in ossec.conf for windows in realtime and whodata mode.

New in version 3.4.0.

Default value

256

Allowed value

Any integer between 1 and 1024

Rootcheck

rootcheck.sleep

Description

Number of milliseconds to sleep after reading one PID or suspicious port.

Default value

50

Allowed values

Any integer between 0 and 1000

Wazuh Database

The Wazuh Database Synchronization Module starts automatically on the server and local profiles and requires no configuration, however, some optional settings are available.

The module uses inotify from Linux to monitor changes to every log file in real-time. Databases will be updated as soon as possible when a change is detected. If inotify is not supported, (for example, on operating systems other than Linux) every log file will be scanned continuously, looking for changes, with a default delay of one minute between scans.

How to disable the module

To disable the Wazuh Database Synchronization Module, the sync directives must be set to 0 in the etc/local_internal_options.conf file as shown below:

wazuh_database.sync_agents=0
wazuh_database.sync_syscheck=0
wazuh_database.sync_rootcheck=0

Once these settings have been adjusted, the file must be saved followed by a restart of Wazuh. With the above settings, the Database Synchronization Module will not be loaded when Wazuh starts.

wazuh_database.sync_agents

Description

Toggles synchronization of agent database with client.keys on or off.

Default value

1

Allowed value

0, 1

wazuh_database.sync_syscheck

Description

Toggles synchronization of FIM data with Syscheck database on or off.

Default value

0

Allowed value

0, 1

wazuh_database.sync_rootcheck

Description

Toggles synchronization of policy monitoring data with Rootcheck database on or off.

Default value

1

Allowed value

0, 1

wazuh_database.full_sync

Description

Toggles full data synchronization on or off.

Default value

0

Allowed value

0, 1

wazuh_database.real_time

Description

Toggles synchronization of data in real-time (supported on Linux only) on and off.

New in version 3.0.0.

Default value

1

Allowed value

0, 1

wazuh_database.interval

Description

Interval to sleep between cycles. (Only used if real tyme sync is disabled.)

New in version 3.0.0.

Default value

60

Allowed value

Any integer between 0 and 86400 (seconds)

wazuh_database.max_queued_events

Description

Maximum number of queued events (only used if inotify is available).

Default value

0 (use system default value)

Allowed value

Any integer between 0 and 2147483647

Wazuh Modules

wazuh_modules.task_nice

Description

Indicates the priority of the tasks. The lower the value, the higher the priority.

Default value

10

Allowed value

Any integer between -20 and 19

wazuh_modules.max_eps

Description

Maximum number of events per second sent by all Wazuh Module.

Default value

1000

Allowed value

Any integer between 100 and 1000

wazuh_modules.debug

Description

Debug level

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output

Wazuh Command

wazuh_command.remote_commands

Description

Toggles whether Command Module should accept commands defined in the shared configuration or not.

Default value

0

Allowed value

0: Disable remote commands

1: Enable remote commands

Windows

windows.debug

Description

Debug level (used in windows agent installations).

Default value

0

Allowed value

0: No debug output

1: Standard debug output

2: Verbose debug output