Variables references

Elasticsearch

elasticsearch_cluster_name

Name of the Elasticsearch cluster

Default wazuh

elasticsearch_node_name

Name of the Elasticsearch node

Default node-1

elasticsearch_http_port

ElasticSearch listening port

Default 9200

elasticsearch_network_host

ElasticSearch, listening ip address

Default 127.0.0.1

elasticsearch_jvm_xms

JVM heap size

Default null

elastic_stack_version

Version of Elasticsearch to install

Default 7.10.2

elasticsearch_shards

Set number of shards for indices

Default 5

elasticsearch_replicas

Set number of shards for indices

Default 1

elasticsearch_install_java

When it's present will install Oracle Java.

Default yes

Kibana

elasticsearch_http_port

Elasticsearch node port.

Default 9200

elasticsearch_network_host

IP address or hostname of Elasticsearch node.

Default 127.0.0.1

kibana_server_host

Listening IP address of Kibana.

Default 0.0.0.0

kibana_server_port

Listening port of Kibana.

Default 5601

elastic_stack_version

Version of Kibana to install

Default 7.10.2

wazuh_version

Wazuh APP compatible version to install

Default 4.1.5

elasticsearch_network_host

Ip address or hostname of Elasticsearch node.

Default 127.0.0.1

elasticsearch_http_port

Port of Elasticsearch node.

Default 9200

elasticsearch_shards

Set number of shards for indices

Default 5

elasticsearch_replicas

Set number of shards for indices

Default 1

Filebeat

filebeat_version:

Filebeat version to install.

Default 7.10.2

filebeat_create_config:

Generate or not Filebeat config.

Default true

filebeat_output_elasticsearch_enabled:

Send output to Elasticsearch node(s).

Default false

filebeat_output_elasticsearch_hosts:

Elasticsearch node(s) to send output.

Example:

filebeat_output_elasticsearch_hosts:
- "localhost:9200"
- "10.1.1.10:9200"

filebeat_ssl_dir:

Set the folder containing SSL certs.

Default /etc/pki/root

filebeat_ssl_key_file:

Set certificate key filename.

Default null

Wazuh Manager

wazuh_manager_fqdn:

Set Wazuh Manager fqdn hostname.

Default wazuh-manager

wazuh_manager_config_overlay

Indicates if role should perform a hash_behaviour=merge at role runtime, similar to role-distributed ansible.cfg. This provides support for a partially defined wazuh_manager_config while also moving on from deprecated hash_behaviour

Default true

wazuh_manager_json_output

Configures the jsonout_output section from ossec.conf. This is a string, not a bool.

Default yes

wazuh_manager_alerts_log

Configures the alerts_log section from ossec.conf. This is a string, not a bool.

Default yes

wazuh_manager_logall

Configures the logall section from ossec.conf. This is a string, not a bool.

Default yes

wazuh_manager_email_notification

Configures the email_notification section from ossec.conf. This is a string, not a bool.

Default yes

wazuh_manager_mailto

Configures the email_to items from ossec.conf.

Default ['admin@example.net']

wazuh_manager_email_smtp_server

Configures the smtp_server section from ossec.conf.

Default smtp.example.wazuh.com

wazuh_manager_email_from

Configures the email_from section from ossec.conf.

Default ossecm@example.wazuh.com

wazuh_manager_email_maxperhour

Configures the email_maxperhour section from ossec.conf.

Default 12

wazuh_manager_email_queue_size

Configures the queue_size section from ossec.conf.

Default 131072

wazuh_manager_email_log_source

Configures the email_log_source section from ossec.conf.

Default alerts.log

wazuh_manager_globals

Configures the white_list section from ossec.conf.

Default:

wazuh_manager_globals:
  - '127.0.0.1'
  - '^localhost.localdomain$'
  - '127.0.0.53'

wazuh_manager_log_level

Configures the log_alert_level section from ossec.conf.

Default 3

wazuh_manager_email_level

Configures the email_alert_level section from ossec.conf.

Default 12

wazuh_manager_log_format

Configures log_format inside logging section from ossec.conf.

Default plain

wazuh_manager_extra_emails

Configures one or more email_alerts sections from ossec.conf.

Default:

wazuh_manager_extra_emails:
  - enable: false
    mail_to: 'recipient@example.wazuh.com'
    format: full
    level: 7
    event_location: null
    group: null
    do_not_delay: false
    do_not_group: false
    rule_id: null

wazuh_manager_connection

Configures one or more remote sections from ossec.conf.

Default:

wazuh_manager_connection:
  - type: 'secure'
    port: '1514'
    protocol: 'tcp'
    queue_size: 131072

wazuh_manager_reports

Configures one or more reports sections from ossec.conf.

Default:

wazuh_manager_reports:
  - enable: false
    category: 'syscheck'
    title: 'Daily report: File changes'
    email_to: 'recipient@example.wazuh.com'
    location: null
    group: null
    rule: null
    level: null
    srcip: null
    user: null
    showlogs: null

wazuh_manager_rootcheck

Configures the rootcheck section from ossec.conf.

Default:

wazuh_manager_rootcheck:
  frequency: 43200

wazuh_manager_openscap

Configures the wodle item named open-scap from ossec.conf.

Default:

wazuh_manager_openscap:
  disable: 'yes'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'

wazuh_manager_ciscat

Configures the wodle item named cis-cat from ossec.conf.

Default:

wazuh_manager_ciscat:
  disable: 'yes'
  install_java: 'yes'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'
  java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
  ciscat_path: 'wodles/ciscat'

wazuh_manager_osquery

Configures the wodle item named osquery from ossec.conf.

Default:

wazuh_manager_osquery:
  disable: 'yes'
  run_daemon: 'yes'
  log_path: '/var/log/osquery/osqueryd.results.log'
  config_path: '/etc/osquery/osquery.conf'
  ad_labels: 'yes'

wazuh_manager_syscollector

Configures the wodle item named syscollector from ossec.conf.

Default:

wazuh_manager_syscollector:
  disable: 'no'
  interval: '1h'
  scan_on_start: 'yes'
  hardware: 'yes'
  os: 'yes'
  network: 'yes'
  packages: 'yes'
  ports_no: 'yes'
  processes: 'yes'

wazuh_manager_monitor_aws

Configures the wodle item named aws-s3 from ossec.conf.

Default:

wazuh_manager_monitor_aws:
  disabled: 'yes'
  interval: '10m'
  run_on_start: 'yes'
  skip_on_error: 'yes'
  s3:
    - name: null
      bucket_type: null
      path: null
      only_logs_after: null
      access_key: null
      secret_key: null

wazuh_manager_sca

Configures the sca section from ossec.conf.

Default:

wazuh_manager_sca:
  enabled: 'yes'
  scan_on_start: 'yes'
  interval: '12h'
  skip_nfs: 'yes'
  day: ''
  wday: ''
  time: ''

wazuh_manager_vulnerability_detector

Configures the vulnerability-detector section from ossec.conf.

Default:

wazuh_manager_vulnerability_detector:
  enabled: 'no'
  interval: '5m'
  ignore_time: '6h'
  run_on_start: 'yes'
  providers:
    - enabled: 'no'
      os:
        - 'trusty'
        - 'xenial'
        - 'bionic'
      update_interval: '1h'
      name: '"canonical"'
    - enabled: 'no'
      os:
        - 'wheezy'
        - 'stretch'
        - 'jessie'
        - 'buster'
      update_interval: '1h'
      name: '"debian"'
    - enabled: 'no'
      update_from_year: '2010'
      update_interval: '1h'
      name: '"redhat"'
    - enabled: 'no'
      update_from_year: '2010'
      update_interval: '1h'
      name: '"nvd"'

wazuh_manager_syscheck

Configures the syscheck section from ossec.conf.

Default:

wazuh_manager_syscheck:
  disable: 'no'
  frequency: 43200
  scan_on_start: 'yes'
  auto_ignore: 'no'
  ignore:
    - /etc/mtab
    - /etc/hosts.deny
    - /etc/mail/statistics
    - /etc/random-seed
    - /etc/random.seed
    - /etc/adjtime
    - /etc/httpd/logs
    - /etc/utmpx
    - /etc/wtmpx
    - /etc/cups/certs
    - /etc/dumpdates
    - /etc/svc/volatile
  ignore_linux_type:
    - '.log$|.swp$'
  no_diff:
    - /etc/ssl/private.key
  directories:
    - dirs: /etc,/usr/bin,/usr/sbin
      checks: ''
    - dirs: /bin,/sbin,/boot
      checks: ''
  auto_ignore_frequency:
    frequency: 'frequency="10"'
    timeframe: 'timeframe="3600"'
    value: 'no'
  skip_nfs: 'yes'
  skip_dev: 'yes'
  skip_proc: 'yes'
  skip_sys: 'yes'
  process_priority: 10
  max_eps: 100
  sync_enabled: 'yes'
  sync_interval: '5m'
  sync_max_interval: '1h'
  sync_max_eps: 10

wazuh_manager_commands

Configures the command section from ossec.conf.

Default:

wazuh_manager_commands:
  - name: 'disable-account'
    executable: 'disable-account.sh'
    expect: 'user'
    timeout_allowed: 'yes'
  - name: 'restart-ossec'
    executable: 'restart-ossec.sh'
    expect: ''
  - name: 'firewall-drop'
    executable: 'firewall-drop.sh'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'host-deny'
    executable: 'host-deny.sh'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'route-null'
    executable: 'route-null.sh'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'win_route-null'
    executable: 'route-null.cmd'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'win_route-null-2012'
    executable: 'route-null-2012.cmd'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'netsh'
    executable: 'netsh.cmd'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'netsh-win-2016'
    executable: 'netsh-win-2016.cmd'
    expect: 'srcip'
    timeout_allowed: 'yes'

wazuh_manager_localfiles

Configures the localfile section from ossec.conf for each platform.

Default:

wazuh_manager_localfiles:
  common:
    - format: 'command'
      command: df -P
      frequency: '360'
    - format: 'full_command'
      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
      alias: 'netstat listening ports'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
    - format: 'syslog'
      location: '/var/ossec/logs/active-responses.log'
  debian:
    - format: 'syslog'
      location: '/var/log/auth.log'
    - format: 'syslog'
      location: '/var/log/syslog'
    - format: 'syslog'
      location: '/var/log/dpkg.log'
    - format: 'syslog'
      location: '/var/log/kern.log'
  centos:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'audit'
      location: '/var/log/audit/audit.log'

wazuh_manager_syslog_outputs

Configures the syslog_output section from ossec.conf.

Default:

wazuh_manager_syslog_outputs:
  - server: null
    port: null
    format: null

wazuh_manager_integrations

Configures the integration section from ossec.conf.

Default:

wazuh_manager_integrations:
  # slack
  - name: null
    hook_url: '<hook_url>'
    alert_level: 10
    alert_format: 'json'
    rule_id: null
  # pagerduty
  - name: null
    api_key: '<api_key>'
    alert_level: 12

wazuh_manager_labels

Configures the labels section from ossec.conf.

Default:

wazuh_manager_labels:
  enable: false
  list:
    - key: Env
      value: Production

wazuh_manager_ruleset

Configures the ruleset section from ossec.conf.

Default:

wazuh_manager_ruleset:
  rules_path: 'custom_ruleset/rules/'
  decoders_path: 'custom_ruleset/decoders/'
  cdb_lists:
    - 'audit-keys'
    - 'security-eventchannel'
    - 'amazon/aws-eventnames'

wazuh_manager_rule_exclude

Configures the rule_exclude section from ossec.conf.

Default:

wazuh_manager_rule_exclude:
  - '0215-policy_rules.xml'

wazuh_manager_authd

Configures the auth section from ossec.conf.

Default:

wazuh_manager_authd:
  enable: true
  port: 1515
  use_source_ip: 'no'
  force_insert: 'yes'
  force_time: 0
  purge: 'yes'
  use_password: 'no'
  limit_maxagents: 'yes'
  ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
  ssl_agent_ca: null
  ssl_verify_host: 'no'
  ssl_manager_cert: 'sslmanager.cert'
  ssl_manager_key: 'sslmanager.key'
  ssl_auto_negotiate: 'no'

wazuh_manager_cluster

Configures the cluster section from ossec.conf.

Default:

wazuh_manager_cluster:
  disable: 'yes'
  name: 'wazuh'
  node_name: 'manager_01'
  node_type: 'master'
  key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
  port: '1516'
  bind_addr: '0.0.0.0'
  nodes:
    - 'manager'
  hidden: 'no'

wazuh_manager_api

Configures the Wazuh API file called api.yaml.

Default:

wazuh_manager_api:
  bind_addr: 0.0.0.0
  port: 55000
  behind_proxy_server: no
  https: yes
  https_key: "api/configuration/ssl/server.key"
  https_cert: "api/configuration/ssl/server.crt"
  https_use_ca: False
  https_ca: "api/configuration/ssl/ca.crt"
  logging_level: "info"
  logging_path: "logs/api.log"
  cors: no
  cors_source_route: "*"
  cors_expose_headers: "*"
  cors_allow_headers: "*"
  cors_allow_credentials: no
  cache: yes
  cache_time: 0.750
  access_max_login_attempts: 5
  access_block_time: 300
  access_max_request_per_minute: 300
  use_only_authd: no
  drop_privileges: yes
  experimental_features: no

wazuh_api_user:

Wazuh API credentials.

Example:

wazuh_api_user:
- foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/
- bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1

Warning

We recommend the use of Ansible Vault to protect Wazuh, agentless and authd credentials.

wazuh_manager_config:

Stores the Wazuh Manager configuration. This variable is provided for backwards compatibility. Newer deployments should use the newly introduced variables described above.

Example:

wazuh_manager_config:
  json_output: 'yes'
  alerts_log: 'yes'
  logall: 'no'
  log_format: 'plain'
  cluster:
    disable: 'yes'
    name: 'wazuh'
    node_name: 'manager_01'
    node_type: 'master'
    key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
    interval: '2m'
    port: '1516'
    bind_addr: '0.0.0.0'
    nodes:
      - '172.17.0.2'
      - '172.17.0.3'
      - '172.17.0.4'
    hidden: 'no'
  connection:
    - type: 'secure'
      port: '1514'
      protocol: 'tcp'
  authd:
    enable: true
    port: 1515
    use_source_ip: 'no'
    force_insert: 'yes'
    force_time: 0
    purge: 'no'
    use_password: 'no'
    ssl_agent_ca: null
    ssl_verify_host: 'no'
    ssl_manager_cert: '/var/ossec/etc/sslmanager.cert'
    ssl_manager_key: '/var/ossec/etc/sslmanager.key'
    ssl_auto_negotiate: 'no'
  email_notification: 'no'
  mail_to:
    - 'admin@example.net'
  mail_smtp_server: localhost
  mail_from: wazuh-manager@example.com
  extra_emails:
    - enable: false
      mail_to: 'admin@example.net'
      format: full
      level: 7
      event_location: null
      group: null
      do_not_delay: false
      do_not_group: false
      rule_id: null
  reports:
    - enable: false
      category: 'syscheck'
      title: 'Daily report: File changes'
      email_to: 'admin@example.net'
      location: null
      group: null
      rule: null
      level: null
      srcip: null
      user: null
      showlogs: null
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/random-seed
      - /etc/random.seed
      - /etc/adjtime
      - /etc/httpd/logs
      - /etc/utmpx
      - /etc/wtmpx
      - /etc/cups/certs
      - /etc/dumpdates
      - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
  rootcheck:
    frequency: 43200
  openscap:
    disable: 'no'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
  cis_cat:
    disable: 'yes'
    install_java: 'yes'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
    java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
    ciscat_path: '/var/ossec/wodles/ciscat'
    content:
      - type: 'xccdf'
        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
  log_level: 1
  email_level: 12
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'command'
      command: 'df -P'
      frequency: '360'
    - format: 'full_command'
      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
  globals:
    - '127.0.0.1'
    - '192.168.2.1'
  commands:
    - name: 'disable-account'
      executable: 'disable-account.sh'
      expect: 'user'
      timeout_allowed: 'yes'
    - name: 'restart-ossec'
      executable: 'restart-ossec.sh'
      expect: ''
      timeout_allowed: 'no'
    - name: 'win_restart-ossec'
      executable: 'restart-ossec.cmd'
      expect: ''
      timeout_allowed: 'no'
    - name: 'firewall-drop'
      executable: 'firewall-drop.sh'
      expect: 'srcip'
      timeout_allowed: 'yes'
    - name: 'host-deny'
      executable: 'host-deny.sh'
      expect: 'srcip'
      timeout_allowed: 'yes'
    - name: 'route-null'
      executable: 'route-null.sh'
      expect: 'srcip'
      timeout_allowed: 'yes'
    - name: 'win_route-null'
      executable: 'route-null.cmd'
      expect: 'srcip'
      timeout_allowed: 'yes'
  active_responses:
    - command: 'restart-ossec'
      location: 'local'
      rules_id: '100002'
    - command: 'win_restart-ossec'
      location: 'local'
      rules_id: '100003'
    - command: 'host-deny'
      location: 'local'
      level: 6
      timeout: 600
  syslog_outputs:
    - server: null
      port: null
      format: null

wazuh_agent_configs:

This store the different settings and profiles for centralized agent configuration via Wazuh Manager.

Example:

- type: os
  type_value: Linux
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
    - /etc/mtab
    - /etc/mnttab
    - /etc/hosts.deny
    - /etc/mail/statistics
    - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
  rootcheck:
    frequency: 43200
    cis_distribution_filename: null
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'apache'
      location: '/var/log/httpd/error_log'
    - format: 'apache'
      location: '/var/log/httpd/access_log'
    - format: 'apache'
      location: '/var/ossec/logs/active-responses.log'
- type: os
  type_value: Windows
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    windows_registry:
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
        arch: 'both'
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
  localfiles:
    - format: 'Security'
      location: 'eventchannel'
    - format: 'System'
      location: 'eventlog'

cdb_lists:

Configure CDB lists used by the Wazuh Manager (located at ansible-wazuh-manager/vars/cdb_lists.yml).

Example:

cdb_lists:
- name: 'audit-keys'
  content: |
    audit-wazuh-w:write
    audit-wazuh-r:read
    audit-wazuh-a:attribute
    audit-wazuh-x:execute
    audit-wazuh-c:command

Warning

We recommend the use of Ansible Vault to protect Wazuh, agentless and authd credentials.

agentless_creeds:

Credentials and host(s) to be used by agentless feature.

Example:

agentless_creeds:
  - type: ssh_integrity_check_linux
    frequency: 3600
    host: root@example.net
    state: periodic
    arguments: '/bin /etc/ /sbin'
    passwd: qwerty

Warning

We recommend the use of Ansible Vault to protect Wazuh, agentless and authd credentials.

authd_pass:

Wazuh authd service password.

Example:

authd_pass: foobar

Wazuh Agent

wazuh_managers:

Set Wazuh Manager servers IP address, protocol, and port to be used by the agent. Regarding which Manager is used for registration, we can optionally indicate which one to use for registration by adding register set to true. If the register option is missing, first Manager on the list will be used for registration.

Example:

wazuh_managers:
- address: 172.16.24.56
  protocol: udp
- address: 192.168.10.15
  port: 1514
  protocol: tcp
  register: yes

wazuh_agent_nolog_sensible:

This variable indicates if we should add nolog option to tasks which output sensible information (like tokens).

Default true

wazuh_agent_api_validate:

After registering the agent through the REST API, validate that registration is correct.

Default true

Multiple profiles can be included, separated by a comma and a space, for example:

wazuh_agent_address:

Establish which IP address we want to associate with this agent. It can be an address or "any" This variable will supersede wazuh_agent_nat.

Default ansible_default_ipv4.address

wazuh_profile:

Configure what profiles this agent will have.

Default null

Multiple profiles can be included, separated by a comma and a space, for example:

wazuh_profile: "centos7, centos7-web"

wazuh_agent_authd:

Set the agent-authd facility. This will enable or not the automatic agent registration, you could set various options in accordance of the authd service configured in the Wazuh Manager. This Ansible role will use the address defined on registration_address as the authd registration server.

wazuh_agent_authd:
  registration_address: 10.1.1.12
  enable: false
  port: 1515
  ssl_agent_ca: null
  ssl_agent_cert: null
  ssl_agent_key: null
  ssl_auto_negotiate: 'no'

wazuh_notify_time

Set the <notify_time> option in the agent.

Default null

wazuh_time_reconnect

Set <time-reconnect> option in the agent.

Default null

wazuh_winagent_config

Set the Wazuh Agent installation regarding Windows hosts.

install_dir: 'C:\wazuh-agent\'
version: '2.1.1'
revision: '2'
repo: https://packages.wazuh.com/windows/
md5: fd9a3ce30cd6f9f553a1bc71e74a6c9f

wazuh_agent_enrollment

Configures the enrollment section from agent ossec.conf.

Example:

wazuh_agent_enrollment:
  enabled: ''
  manager_address: ''
  port: 1515
  agent_name: 'testname'
  groups: ''
  agent_address: ''
  ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
  server_ca_path: ''
  agent_certificate_path: ''
  agent_key_path: ''
  authorization_pass_path: /var/ossec/etc/authd.pass
  auto_method: 'no'
  delay_after_enrollment: 20
  use_source_ip: 'no'

wazuh_agent_client_buffer

Configures the client_buffer section from agent ossec.conf.

wazuh_agent_client_buffer:
  disable: 'no'
  queue_size: '5000'
  events_per_sec: '500'

wazuh_agent_rootcheck

Configures the rootcheck section from agent ossec.conf.

wazuh_agent_rootcheck:
  frequency: 43200

wazuh_agent_openscap

Configures the wodle item named open-scap from ossec.conf.

Default:

wazuh_agent_openscap:
  disable: 'yes'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'

wazuh_agent_cis_cat

Configures the wodle item named cis-cat from ossec.conf.

Default:

wazuh_agent_cis_cat:
  disable: 'yes'
  install_java: 'no'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'
  java_path: 'wodles/java'
  java_path_win: '\\server\jre\bin\java.exe'
  ciscat_path: 'wodles/ciscat'
  ciscat_path_win: 'C:\cis-cat'

wazuh_agent_osquery

Configures the wodle item named osquery from ossec.conf.

Default:

wazuh_agent_osquery:
  disable: 'yes'
  run_daemon: 'yes'
  bin_path_win: 'C:\Program Files\osquery\osqueryd'
  log_path: '/var/log/osquery/osqueryd.results.log'
  log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
  config_path: '/etc/osquery/osquery.conf'
  config_path_win: 'C:\Program Files\osquery\osquery.conf'
  add_labels: 'yes'

wazuh_agent_syscollector

Configures the wodle item named syscollector from ossec.conf.

Default:

wazuh_agent_syscollector:
  disable: 'no'
  interval: '1h'
  scan_on_start: 'yes'
  hardware: 'yes'
  os: 'yes'
  network: 'yes'
  packages: 'yes'
  ports_no: 'yes'
  processes: 'yes'

wazuh_agent_sca

Configures the sca section from ossec.conf.

Default:

wazuh_agent_sca:
  enabled: 'yes'
  scan_on_start: 'yes'
  interval: '12h'
  skip_nfs: 'yes'
  day: ''
  wday: ''
  time: ''

wazuh_agent_syscheck

Configures the syscheck section from ossec.conf.

Default:

wazuh_agent_syscheck:
  frequency: 43200
  scan_on_start: 'yes'
  auto_ignore: 'no'
  win_audit_interval: 60
  skip_nfs: 'yes'
  skip_dev: 'yes'
  skip_proc: 'yes'
  skip_sys: 'yes'
  process_priority: 10
  max_eps: 100
  sync_enabled: 'yes'
  sync_interval: '5m'
  sync_max_interval: '1h'
  sync_max_eps: 10
  ignore:
    - /etc/mtab
    - /etc/hosts.deny
    - /etc/mail/statistics
    - /etc/random-seed
    - /etc/random.seed
    - /etc/adjtime
    - /etc/httpd/logs
    - /etc/utmpx
    - /etc/wtmpx
    - /etc/cups/certs
    - /etc/dumpdates
    - /etc/svc/volatile
  ignore_linux_type:
    - '.log$|.swp$'
  ignore_win:
    - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
  no_diff:
    - /etc/ssl/private.key
  directories:
    - dirs: /etc,/usr/bin,/usr/sbin
      checks: ''
    - dirs: /bin,/sbin,/boot
      checks: ''
  win_directories:
    - dirs: '%WINDIR%'
      checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
    - dirs: '%WINDIR%\SysNative'
      checks: >-
        recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
        net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
    - dirs: '%WINDIR%\SysNative\drivers\etc%'
      checks: 'recursion_level="0"'
    - dirs: '%WINDIR%\SysNative\wbem'
      checks: 'recursion_level="0" restrict="WMIC.exe$"'
    - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
      checks: 'recursion_level="0" restrict="powershell.exe$"'
    - dirs: '%WINDIR%\SysNative'
      checks: 'recursion_level="0" restrict="winrm.vbs$"'
    - dirs: '%WINDIR%\System32'
      checks: >-
        recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
        netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
    - dirs: '%WINDIR%\System32\drivers\etc'
      checks: 'recursion_level="0"'
    - dirs: '%WINDIR%\System32\wbem'
      checks: 'recursion_level="0" restrict="WMIC.exe$"'
    - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
      checks: 'recursion_level="0" restrict="powershell.exe$"'
    - dirs: '%WINDIR%\System32'
      checks: 'recursion_level="0" restrict="winrm.vbs$"'
    - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
      checks: 'realtime="yes"'
  windows_registry:
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Policies'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Security'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
      arch: "both"
  windows_registry_ignore:
    - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
    - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
    - key: '\Enum$'
      type: "sregex"

wazuh_agent_localfiles

Configures the localfile section from ossec.conf.

Default:

wazuh_agent_localfiles:
  debian:
    - format: 'syslog'
      location: '/var/log/auth.log'
    - format: 'syslog'
      location: '/var/log/syslog'
    - format: 'syslog'
      location: '/var/log/dpkg.log'
    - format: 'syslog'
      location: '/var/log/kern.log'
  centos:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'audit'
      location: '/var/log/audit/audit.log'
  linux:
    - format: 'syslog'
      location: '/var/ossec/logs/active-responses.log'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
    - format: 'command'
      command: df -P
      frequency: '360'
    - format: 'full_command'
      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
      alias: 'netstat listening ports'
      frequency: '360'
  windows:
    - format: 'eventlog'
      location: 'Application'
    - format: 'eventchannel'
      location: 'Security'
      query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
    - format: 'eventlog'
      location: 'System'
    - format: 'syslog'
      location: 'active-response\active-responses.log'

wazuh_agent_labels

Configures the labels section from ossec.conf.

Default:

wazuh_agent_labels:
  enable: false
  list:
    - key: Env
      value: Production

wazuh_agent_active_response

Configures the active-response section from ossec.conf.

Default:

wazuh_agent_active_response:
  ar_disabled: 'no'
  ca_store: '/var/ossec/etc/wpk_root.pem'
  ca_store_win: 'wpk_root.pem'
  ca_verification: 'yes'

wazuh_agent_log_format

Configures the log_format section from ossec.conf.

Default: plain

wazuh_agent_config:

Wazuh Agent related configuration. This variable is provided for backwards compatibility. Newer deployments should use the newly introduced variables described above.

Example:

wazuh_agent_config:
  log_format: 'plain'
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/random-seed
      - /etc/random.seed
      - /etc/adjtime
      - /etc/httpd/logs
      - /etc/utmpx
      - /etc/wtmpx
      - /etc/cups/certs
      - /etc/dumpdates
      - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
    windows_registry:
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
        arch: 'both'
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
  rootcheck:
    frequency: 43200
  openscap:
    disable: 'yes'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
  cis_cat:
    disable: 'yes'
    install_java: 'yes'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
    java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
    ciscat_path: '/var/ossec/wodles/ciscat'
    content:
      - type: 'xccdf'
        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'command'
      command: 'df -P'
      frequency: '360'
    - format: 'full_command'
      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'

Warning

We recommend the use of Ansible Vault to protect authd credentials.

authd_pass:

Wazuh authd credentials for agent registration.

Example:

authd_pass: foobar