Internal configuration
The main configuration is located in the ossec.conf file; however, some internal configuration features are located in the /var/ossec/etc/internal_options.conf file.
Generally, this file is reserved for debugging issues and for troubleshooting. Any error in this file may cause your installation to malfunction or fail to run.
Warning
This file will be overwritten during upgrades. In order to maintain custom changes, you must use the /var/ossec/etc/local_internal_options.conf file.
Agent
agent.tolerance
  Description: Number of seconds the agent is full before triggering a flooding alert.
  Default value: 15
  Allowed value: Any integer between 0 and 600

agent.warn_level
  Description: Percentage of occupied capacity in the agent buffer to trigger a warning alert.
  Default value: 90
  Allowed value: Any integer between 1 and 100

agent.normal_level
  Description: Percentage of occupied capacity in the agent buffer to return to normal state.
  Default value: 70
  Allowed value: Any integer between 0 and agent.warn_level - 1

agent.min_eps
  Description: Minimum events per second permitted in
  Default value: 50
  Allowed value: Any integer between 1 and 1000

agent.recv_timeout
  Description: Maximum number of seconds to wait for the server response from the TCP client socket. New in version 3.0.0.
  Default value: 60
  Allowed value: Any integer between 1 and 600

agent.state_interval
  Description: Interval in seconds between updates of the agent status file. New in version 3.0.0.
  Default value: 5
  Allowed value: Any integer between 0 and 86400

agent.debug
  Description: Run the Unix agent's processes in debug mode.
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output

agent.remote_conf
  Description: Apply or refuse remote configuration. New in version 3.1.0.
  Default value: 1
  Allowed value:
    0: Remote configuration is disabled.
    1: Remote configuration is enabled.
Analysisd
analysisd.default_timeframe
  Description: Default rule time-frame.
  Default value: 360
  Allowed value: Any integer between 60 and 360

analysisd.stats_maxdiff
  Description: Stats maximum diff.
  Default value: 999000
  Allowed value: Any integer between 10 and 999999

analysisd.stats_mindiff
  Description: Stats minimum diff.
  Default value: 1250
  Allowed value: Any integer between 10 and 999999

analysisd.stats_percent_diff
  Description: Stats percentage (how much to differ from the average).
  Default value: 150
  Allowed value: Any integer between 5 and 9999

analysisd.fts_list_size
  Description: FTS list size.
  Default value: 32
  Allowed value: Any integer between 12 and 512

analysisd.fts_min_size_for_str
  Description: FTS minimum string size.
  Default value: 14
  Allowed value: Any integer between 6 and 128

analysisd.log_fw
  Description: Toggles the firewall log (logs/firewall/firewall.log) on and off.
  Default value: 1
  Allowed value: 0, 1

analysisd.decoder_order_size
  Description: Maximum number of fields in a decoder (order tag).
  Default value: 64
  Allowed value: Any integer between 10 and 64

analysisd.geoip_jsonout
  Description: Toggle to turn on or off the output of GeoIP data in JSON alerts.
  Default value: 0
  Allowed value: 0, 1

analysisd.label_cache_maxage
  Description: Number of seconds to keep the agents' labels in the cache before reloading them.
  Default value: 0
  Allowed value: Any integer between 0 and 60

analysisd.show_hidden_labels
  Description: Make hidden labels visible in alerts.
  Default value: 0
  Allowed value: 0, 1

analysisd.rlimit_nofile
  Description: Maximum number of file descriptors that Analysisd can open. New in version 3.0.0.
  Default value: 16384
  Allowed value: Any integer between 1024 and 2147483647

analysisd.debug
  Description: Debug level (manager installations).
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output

analysisd.min_rotate_interval
  Description: Minimum interval between log rotations. Supersedes the max_output_size option. New in version 3.1.0.
  Default value: 600
  Allowed value: Any integer between 10 and 86400
Authd
authd.debug
  Description: Debug level. New in version 3.4.0.
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output
DBD
dbd.reconnect_attempts
  Description: Number of times ossec-dbd will attempt to reconnect to the database.
  Default value: 10
  Allowed value: Any integer between 1 and 9999
Execd
execd.request_timeout
  Description: Timeout in seconds to execute remote requests. New in version 3.0.0.
  Default value: 60
  Allowed value: Any integer between 1 and 3600

execd.max_restart_lock
  Description: Maximum time in seconds during which the agent cannot be restarted while it is updating. New in version 3.0.0.
  Default value: 600
  Allowed value: Any integer between 0 and 3600

execd.debug
  Description: Debug level. New in version 3.4.0.
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output
Integrator
integrator.debug
  Description: Debug level. New in version 3.4.0.
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output
Logcollector
logcollector.loop_timeout
  Description: File polling interval.
  Default value: 2
  Allowed value: Any integer between 1 and 120

logcollector.open_attempts
  Description: Number of attempts to open a log file.
  Default value: 8
  Allowed value: Any integer between 2 and 298

logcollector.remote_commands
  Description: Toggles whether Logcollector accepts remote commands from the manager.
  Default value: 0
  Allowed value:
    0: Disable remote commands
    1: Enable remote commands

logcollector.vcheck_files
  Description: Number of readings before checking files.
  Default value: 64
  Allowed value: Any integer between 0 and 1024

logcollector.max_lines
  Description: Maximum number of log lines read from the same file in each iteration.
  Default value: 10000
  Allowed value: Any integer between 100 and 100000

logcollector.debug
  Description: Debug level (used in manager or Unix agent installations).
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output
Maild
maild.strict_checking
  Description: Toggle to enable or disable strict checking.
  Default value: 1
  Allowed value: 0, 1

maild.grouping
  Description: Toggle to enable or disable grouping of alerts into a single email.
  Default value: 1
  Allowed value: 0, 1

maild.full_subject
  Description: Toggle to enable or disable the full subject in alert emails.
  Default value: 0
  Allowed value: 0, 1

maild.geoip
  Description: Toggle to enable or disable GeoIP data in alert emails.
  Default value: 1
  Allowed value: 0, 1
Monitord
monitord.day_wait
  Description: Number of seconds to wait before compressing or signing the files.
  Default value: 10
  Allowed value: Any integer between 0 and 600

monitord.compress
  Description: Toggle to enable or disable log file compression.
  Default value: 1
  Allowed value: 0, 1

monitord.sign
  Description: Toggle to enable or disable signing of the log files.
  Default value: 1
  Allowed value: 0, 1

monitord.monitor_agents
  Description: Toggle to enable or disable monitoring of agents.
  Default value: 1
  Allowed value: 0, 1

monitord.rotate_log
  Description: Toggle to enable or disable daily rotation of internal logs. New in version 3.0.0.
  Default value: 1
  Allowed value: 0, 1

monitord.keep_log_days
  Description: Number of days to keep rotated internal logs.
  Default value: 31
  Allowed value: Any integer between 0 and 500

monitord.size_rotate
  Description: Maximum size in megabytes of internal logs that triggers rotation. New in version 3.0.0.
  Default value: 512
  Allowed value: Any integer between 0 and 4096

monitord.daily_rotations
  Description: Maximum number of rotations per day for internal logs. New in version 3.0.0.
  Default value: 12
  Allowed value: Any integer between 1 and 256

monitord.debug
  Description: Debug level. New in version 3.4.0.
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output
Remoted
remoted.recv_counter_flush
  Description: Flush rate for the receive counter.
  Default value: 128
  Allowed value: Any integer between 10 and 999999

remoted.comp_average_printout
  Description: Compression averages printout.
  Default value: 19999
  Allowed value: Any integer between 10 and 999999

remoted.verify_msg_id
  Description: Toggle to enable or disable verification of the message id.
  Default value: 0
  Allowed value: 0, 1

remoted.pass_empty_keyfile
  Description: Toggle to enable or disable acceptance of an empty client.keys file.
  Default value: 1
  Allowed value: 0, 1

remoted.sender_pool
  Description: Number of parallel threads to send the shared files. New in version 3.0.0.
  Default value: 8
  Allowed value: Any integer between 1 and 64

remoted.request_pool
  Description: Number of parallel threads to dispatch requests. New in version 3.0.0.
  Default value: 8
  Allowed value: Any integer between 1 and 64

remoted.request_timeout
  Description: Timeout in seconds to reject a new request. New in version 3.0.0.
  Default value: 10
  Allowed value: Any integer between 1 and 600

remoted.response_timeout
  Description: Timeout in seconds to reject a request response. New in version 3.0.0.
  Default value: 60
  Allowed value: Any integer between 1 and 3600

remoted.request_rto_sec
  Description: Re-transmission timeout in seconds for UDP. New in version 3.0.0.
  Default value: 1
  Allowed value: Any integer between 0 and 60

remoted.request_rto_msec
  Description: Re-transmission timeout in milliseconds for UDP. New in version 3.0.0.
  Default value: 0
  Allowed value: Any integer between 0 and 999

remoted.max_attempts
  Description: Maximum number of sending attempts. New in version 3.0.0.
  Default value: 4
  Allowed value: Any integer between 1 and 16

remoted.shared_reload
  Description: Number of seconds between reloads of the shared files. New in version 3.0.0.
  Default value: 10
  Allowed value: Any integer between 1 and 18000

remoted.rlimit_nofile
  Description: Maximum number of file descriptors that Remoted can open. New in version 3.0.0.
  Default value: 16384
  Allowed value: Any integer between 1024 and 2147483647

remoted.recv_timeout
  Description: Maximum number of seconds to wait for the client response in TCP. New in version 3.0.0.
  Default value: 1
  Allowed value: Any integer between 1 and 60

remoted.debug
  Description: Debug level (manager installation).
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output
Syscheck
syscheck.sleep
  Description: Number of seconds to sleep after reading syscheck.sleep_after files.
  Default value: 1
  Allowed value: Any integer between 0 and 64

syscheck.sleep_after
  Description: Number of files to read before sleeping for syscheck.sleep seconds.
  Default value: 100
  Allowed value: Any integer between 1 and 9999

syscheck.debug
  Description: Debug level (used in manager and Unix agent installations).
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output

syscheck.rt_delay
  Description: Delay in milliseconds between alerts in real-time mode. New in version 3.4.0.
  Default value: 10
  Allowed value: Any integer between 1 and 1000

syscheck.max_fd_win_rt
  Description: Maximum number of directories that can be configured in ossec.conf for Windows in real-time and whodata mode. New in version 3.4.0.
  Default value: 256
  Allowed value: Any integer between 1 and 1024
Rootcheck
rootcheck.sleep
  Description: Number of milliseconds to sleep after reading one PID or suspicious port.
  Default value: 50
  Allowed value: Any integer between 0 and 1000
Wazuh Database
The Wazuh Database Synchronization Module starts automatically on the server and local profiles and requires no configuration; however, some optional settings are available.
The module uses Linux's inotify to monitor changes to every log file in real time, and the databases are updated as soon as possible after a change is detected. If inotify is not supported (for example, on operating systems other than Linux), every log file is scanned continuously for changes, with a default delay of one minute between scans.
How to disable the module
To disable the Wazuh Database Synchronization Module, the sync directives must be set to 0 in the etc/local_internal_options.conf file as shown below:
wazuh_database.sync_agents=0
wazuh_database.sync_syscheck=0
wazuh_database.sync_rootcheck=0
Once these settings have been adjusted, the file must be saved followed by a restart of Wazuh. With the above settings, the Database Synchronization Module will not be loaded when Wazuh starts.
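Because any error in the internal options file can stop Wazuh from running, it is worth validating local_internal_options.conf before restarting. The following Python script is an added example, not part of the Wazuh documentation or code base: it parses the key=value body, checks a subset of options against the ranges listed on this page, enforces the constraint that agent.normal_level stays below agent.warn_level, and reports when a remote-command toggle is enabled. The function and sample names are assumptions.

```python
import re
# Allowed ranges (inclusive) copied from this page for a subset of options.
RANGES = {
    "agent.tolerance": (0, 600),
    "agent.warn_level": (1, 100),
    "agent.normal_level": (0, 99),   # must also stay below agent.warn_level
    "logcollector.remote_commands": (0, 1),
    "wazuh_command.remote_commands": (0, 1),
    "wazuh_database.sync_agents": (0, 1),
    "wazuh_database.sync_syscheck": (0, 1),
    "wazuh_database.sync_rootcheck": (0, 1),
}
# Toggles that let the manager run commands on the host: report when enabled.
REMOTE_EXEC = ("logcollector.remote_commands", "wazuh_command.remote_commands")
LINE = re.compile(r"^([a-z_]+\.[a-z_]+)\s*=\s*(-?\d+)$")

def check_local_internal_options(text):
    """Return (options, problems, notices) for a local_internal_options.conf body."""
    opts, problems, notices = {}, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            problems.append(f"line {n}: not a key=value pair: {raw.strip()!r}")
            continue
        key, val = m.group(1), int(m.group(2))
        opts[key] = val
        if key in RANGES:
            lo, hi = RANGES[key]
            if not lo <= val <= hi:
                problems.append(f"line {n}: {key}={val} outside {lo}..{hi}")
        if key in REMOTE_EXEC and val == 1:
            notices.append(f"line {n}: {key} enabled: manager may execute commands here")
    warn = opts.get("agent.warn_level", 90)      # page default when absent
    normal = opts.get("agent.normal_level", 70)  # page default when absent
    if normal >= warn:
        problems.append(f"agent.normal_level={normal} must be below agent.warn_level={warn}")
    return opts, problems, notices

# Constructed sample: the three sync directives from the procedure above plus two errors.
SAMPLE = """# local overrides survive upgrades
wazuh_database.sync_agents=0
wazuh_database.sync_syscheck=0
wazuh_database.sync_rootcheck=0
agent.warn_level=80
agent.normal_level=85
agent.tolerance=900
"""
```

Extend RANGES with the remaining entries from this page to cover the whole file; options not in the dict are parsed but not range-checked.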
wazuh_database.sync_agents
  Description: Toggles synchronization of the agent database with client.keys on or off.
  Default value: 1
  Allowed value: 0, 1

wazuh_database.sync_syscheck
  Description: Toggles synchronization of FIM data with the Syscheck database on or off.
  Default value: 0
  Allowed value: 0, 1

wazuh_database.sync_rootcheck
  Description: Toggles synchronization of policy monitoring data with the Rootcheck database on or off.
  Default value: 1
  Allowed value: 0, 1

wazuh_database.full_sync
  Description: Toggles full data synchronization on or off.
  Default value: 0
  Allowed value: 0, 1

wazuh_database.real_time
  Description: Toggles real-time data synchronization (supported on Linux only) on or off. New in version 3.0.0.
  Default value: 1
  Allowed value: 0, 1

wazuh_database.interval
  Description: Interval in seconds to sleep between cycles (only used if real-time sync is disabled). New in version 3.0.0.
  Default value: 60
  Allowed value: Any integer between 0 and 86400

wazuh_database.max_queued_events
  Description: Maximum number of queued events (only used if inotify is available).
  Default value: 0 (use the system default value)
  Allowed value: Any integer between 0 and 2147483647
Wazuh Modules
wazuh_modules.task_nice
  Description: Indicates the priority of the tasks. The lower the value, the higher the priority.
  Default value: 10
  Allowed value: Any integer between -20 and 19

wazuh_modules.max_eps
  Description: Maximum number of events per second sent by all Wazuh modules.
  Default value: 1000
  Allowed value: Any integer between 100 and 1000

wazuh_modules.debug
  Description: Debug level.
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output
Wazuh Command
wazuh_command.remote_commands
  Description: Toggles whether the Command Module accepts commands defined in the shared configuration.
  Default value: 0
  Allowed value:
    0: Disable remote commands
    1: Enable remote commands
Windows
windows.debug
  Description: Debug level (used in Windows agent installations).
  Default value: 0
  Allowed value:
    0: No debug output
    1: Standard debug output
    2: Verbose debug output