Variables references
Wazuh indexer
Variable:
indexer_cluster_name
Description: Name of the Indexer cluster.
Default value:
wazuh
Variable:
indexer_node_name
Description: Name of the Indexer node.
Default value:
node-1
Variable:
indexer_http_port
Description: Indexer listening port.
Default value:
9200
Variable:
indexer_network_host
Description: Indexer listening IP address.
Default value:
127.0.0.1
Variable:
indexer_jvm_xms
Description: JVM heap size.
Default value:
null
Wazuh dashboard
Variable:
indexer_http_port
Description: Indexer node port.
Default value:
9200
Variable:
indexer_network_host
Description: IP address or hostname of the Indexer node.
Default value:
127.0.0.1
Variable:
dashboard_server_host
Description: Listening IP address of the Wazuh dashboard.
Default value:
0.0.0.0
Variable:
dashboard_server_port
Description: Listening port of the Wazuh dashboard.
Default value:
443
Variable:
wazuh_version
Description: Wazuh app compatible version to install.
Default value:
4.5.4
Filebeat
Variable:
filebeat_version
Description: Filebeat version to install.
Default value:
7.10.2
Variable:
filebeat_create_config
Description: Whether to generate the Filebeat configuration.
Default value:
true
Variable:
filebeat_output_indexer_hosts
Description: Indexer node(s) to send output to.
Example:
# Example: one entry per Indexer node as a "host:port" string (quoted so the
# colon-separated value is read as a string).
filebeat_output_indexer_hosts:
- "localhost:9200"
- "10.1.1.10:9200"
Variable:
filebeat_ssl_dir
Description: Set the folder containing the SSL certificates.
Default value:
/etc/pki/root
Wazuh Manager
Variable:
wazuh_manager_fqdn
Description: Set the Wazuh Manager FQDN hostname.
Default value:
wazuh-manager
Variable:
wazuh_manager_config_overlay
Description: Indicates if the role(s) should perform a
hash_behaviour=merge at role runtime, similar to a role-distributed ansible.cfg. This provides support for a partially defined wazuh_manager_config while also moving on from the deprecated hash_behaviour.
Default value:
true
Variable:
wazuh_manager_json_output
Description: Configures the jsonout_output section in
ossec.conf. This is a string, not a bool: quote it ('yes'/'no') so YAML does not parse it as a boolean.
Default value:
yes
Variable:
wazuh_manager_alerts_log
Description: Configures the alerts_log section in
ossec.conf. This is a string, not a bool: quote it ('yes'/'no') so YAML does not parse it as a boolean.
Default value:
yes
Variable:
wazuh_manager_logall
Description: Configures the logall section in
ossec.conf. This is a string, not a bool: quote it ('yes'/'no') so YAML does not parse it as a boolean.
Default value:
yes
Variable:
wazuh_manager_email_notification
Description: Configures the email_notification section in
ossec.conf. This is a string, not a bool: quote it ('yes'/'no') so YAML does not parse it as a boolean.
Default value:
yes
Variable:
wazuh_manager_mailto
Description: Configures the email_to items in
ossec.conf.
Default value:
['admin@example.net']
Variable:
wazuh_manager_email_smtp_server
Description: Configures the smtp_server section in
ossec.conf.
Default value:
smtp.example.wazuh.com
Variable:
wazuh_manager_email_from
Description: Configures the email_from section in
ossec.conf.
Default value:
wazuh@example.wazuh.com
Variable:
wazuh_manager_email_maxperhour
Description: Configures the email_maxperhour section in
ossec.conf.
Default value:
12
Variable:
wazuh_manager_email_queue_size
Description: Configures the queue_size section from
ossec.conf.
Default value:
131072
Variable:
wazuh_manager_email_log_source
Description: Configures the email_log_source section from
ossec.conf.
Default value:
alerts.log
Variable:
wazuh_manager_globals
Description: Configures the white_list section from
ossec.conf.
Default values:
# Default white_list entries; each item is an address or a regular expression
# (the '^localhost.localdomain$' entry is a regex, the others are literal IPs).
wazuh_manager_globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
Variable:
wazuh_manager_log_level
Description: Configures the log_alert_level section from
ossec.conf.
Default value:
3
Variable:
wazuh_manager_email_level
Description: Configures the email_alert_level section from
ossec.conf.
Default value:
12
Variable:
wazuh_manager_log_format
Description: Configures log_format inside the logging section from
ossec.conf.
Default value:
plain
Variable:
wazuh_manager_extra_emails
Description: Configures one or more email_alerts sections from
ossec.conf.
Default values:
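# Default values: a list with one entry per email_alerts section. Indentation
# restored so the keys are read as fields of the single list item.
wazuh_manager_extra_emails:
  - enable: false
    mail_to: 'recipient@example.wazuh.com'
    format: full
    level: 7
    event_location: null
    group: null
    do_not_delay: false
    do_not_group: false
    rule_id: null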
Variable:
wazuh_manager_connection
Description: Configures one or more remote sections from
ossec.conf.
Default values:
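# Default values: one remote section. port and protocol are quoted strings here,
# queue_size is a plain integer, as on the original page.
wazuh_manager_connection:
  - type: 'secure'
    port: '1514'
    protocol: 'tcp'
    queue_size: 131072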
Variable:
wazuh_manager_reports
Description: Configures one or more reports sections from
ossec.conf.
Default values:
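# Default values: one report entry, disabled; the null filters leave the
# corresponding report options unset.
wazuh_manager_reports:
  - enable: false
    category: 'syscheck'
    title: 'Daily report: File changes'
    email_to: 'recipient@example.wazuh.com'
    location: null
    group: null
    rule: null
    level: null
    srcip: null
    user: null
    showlogs: null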
Variable:
wazuh_manager_rootcheck
Description: Configures the rootcheck section from
ossec.conf.
Default value:
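# Default value: rootcheck frequency in seconds (43200 = 12 hours).
wazuh_manager_rootcheck:
  frequency: 43200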
Variable:
wazuh_manager_openscap
Default values:
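# Default values for the OpenSCAP wodle; disabled by default.
wazuh_manager_openscap:
  disable: 'yes'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'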
Variable:
wazuh_manager_ciscat
Default value:
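# Default values for the CIS-CAT wodle; disabled by default. ciscat_path is
# relative here ('wodles/ciscat'), unlike the absolute path used in the
# wazuh_manager_config example further down.
wazuh_manager_ciscat:
  disable: 'yes'
  install_java: 'yes'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'
  java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
  ciscat_path: 'wodles/ciscat'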
Variable:
wazuh_manager_osquery
Default values:
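# Default values for the osquery wodle; disabled by default.
# NOTE(review): the key is spelled ad_labels here but add_labels in the agent
# variable below; reproduced as on the page — confirm against the role defaults.
wazuh_manager_osquery:
  disable: 'yes'
  run_daemon: 'yes'
  log_path: '/var/log/osquery/osqueryd.results.log'
  config_path: '/etc/osquery/osquery.conf'
  ad_labels: 'yes'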
Variable:
wazuh_manager_syscollector
Default values:
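# Default values for the syscollector wodle; enabled ('disable: no') with all
# inventory scans turned on.
wazuh_manager_syscollector:
  disable: 'no'
  interval: '1h'
  scan_on_start: 'yes'
  hardware: 'yes'
  os: 'yes'
  network: 'yes'
  packages: 'yes'
  ports_no: 'yes'
  processes: 'yes'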
Variable:
wazuh_manager_monitor_aws
Default values:
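# Default values for the AWS monitoring wodle; disabled by default. Note the key
# is `disabled` here, not `disable` as in the other wodles.
wazuh_manager_monitor_aws:
  disabled: 'yes'
  interval: '10m'
  run_on_start: 'yes'
  skip_on_error: 'yes'
  s3:
    # One entry per bucket. access_key/secret_key are AWS credentials: keep real
    # values out of plain-text vars (Ansible Vault, as this page recommends for
    # other credentials).
    - name: null
      bucket_type: null
      path: null
      only_logs_after: null
      access_key: null
      secret_key: null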
Variable:
wazuh_manager_sca
Description: Configures the sca section from
ossec.conf.
Default values:
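# Default values for Security Configuration Assessment. day/wday/time are empty
# strings, i.e. no fixed schedule beyond `interval`.
wazuh_manager_sca:
  enabled: 'yes'
  scan_on_start: 'yes'
  interval: '12h'
  skip_nfs: 'yes'
  day: ''
  wday: ''
  time: ''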
Variable:
wazuh_manager_vulnerability_detector
Description: Configures the vulnerability-detector section from
ossec.conf.
Default values:
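# Default values: the detector and every provider are disabled. Each provider's
# `name` is a single-quoted string that itself contains double quotes
# ('"canonical"'); presumably the template emits it verbatim — keep the quoting
# as shown when overriding.
wazuh_manager_vulnerability_detector:
  enabled: 'no'
  interval: '5m'
  min_full_scan_interval: '6h'
  run_on_start: 'yes'
  providers:
    - enabled: 'no'
      os:
        - 'trusty'
        - 'xenial'
        - 'bionic'
      update_interval: '1h'
      name: '"canonical"'
    - enabled: 'no'
      os:
        - 'wheezy'
        - 'stretch'
        - 'jessie'
        - 'buster'
      update_interval: '1h'
      name: '"debian"'
    - enabled: 'no'
      update_interval: '1h'
      name: '"redhat"'
    - enabled: 'no'
      update_interval: '1h'
      name: '"nvd"'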
Variable:
wazuh_manager_syscheck
Description: Configures the syscheck section from
ossec.conf.
Default values:
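# Default values for the manager's syscheck (FIM) section.
wazuh_manager_syscheck:
  disable: 'no'
  frequency: 43200
  scan_on_start: 'yes'
  auto_ignore: 'no'
  # Paths excluded from monitoring.
  ignore:
    - /etc/mtab
    - /etc/hosts.deny
    - /etc/mail/statistics
    - /etc/random-seed
    - /etc/random.seed
    - /etc/adjtime
    - /etc/httpd/logs
    - /etc/utmpx
    - /etc/wtmpx
    - /etc/cups/certs
    - /etc/dumpdates
    - /etc/svc/volatile
  # Regex-style ignore patterns (sregex), quoted so `$` and `|` stay literal.
  ignore_linux_type:
    - '.log$|.swp$'
  # Files whose content diff is never reported (the example is a private key).
  no_diff:
    - /etc/ssl/private.key
  # Monitored directories; `dirs` is a comma-separated list, `checks` holds the
  # extra attributes for the <directories> element (empty here).
  directories:
    - dirs: /etc,/usr/bin,/usr/sbin
      checks: ''
    - dirs: /bin,/sbin,/boot
      checks: ''
  # The two values are emitted as attributes; `value` is the element text.
  auto_ignore_frequency:
    frequency: 'frequency="10"'
    timeframe: 'timeframe="3600"'
    value: 'no'
  skip_nfs: 'yes'
  skip_dev: 'yes'
  skip_proc: 'yes'
  skip_sys: 'yes'
  process_priority: 10
  max_eps: 100
  sync_enabled: 'yes'
  sync_interval: '5m'
  sync_max_interval: '1h'
  sync_max_eps: 10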
Variable:
wazuh_manager_commands
Description: Configures the command section from
ossec.conf.
Default values:
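# Default active-response command definitions. Entries without timeout_allowed
# (restart-wazuh) leave that option unset.
wazuh_manager_commands:
  - name: 'disable-account'
    executable: 'disable-account'
    timeout_allowed: 'yes'
  - name: 'restart-wazuh'
    executable: 'restart-wazuh'
  - name: 'firewall-drop'
    executable: 'firewall-drop'
    timeout_allowed: 'yes'
  - name: 'host-deny'
    executable: 'host-deny'
    timeout_allowed: 'yes'
  - name: 'route-null'
    executable: 'route-null'
    timeout_allowed: 'yes'
  - name: 'win_route-null'
    executable: 'route-null.exe'
    timeout_allowed: 'yes'
  - name: 'netsh'
    executable: 'netsh.exe'
    timeout_allowed: 'yes'
  - name: 'netsh-win-2016'
    executable: 'netsh-win-2016.cmd'
    timeout_allowed: 'yes'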
Variable:
wazuh_manager_localfiles
Description: Configures the localfile section from
ossec.conf for each platform.
Default values:
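# Default localfile entries, grouped by platform key (common, debian, centos).
wazuh_manager_localfiles:
  common:
    - format: 'command'
      command: df -P
      frequency: '360'
    - format: 'full_command'
      # Left unquoted on purpose (the pipeline contains single quotes); a plain
      # scalar only stays valid while it contains no ': ' or ' #' sequence.
      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
      alias: 'netstat listening ports'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
    - format: 'syslog'
      location: '/var/ossec/logs/active-responses.log'
  debian:
    - format: 'syslog'
      location: '/var/log/auth.log'
    - format: 'syslog'
      location: '/var/log/syslog'
    - format: 'syslog'
      location: '/var/log/dpkg.log'
    - format: 'syslog'
      location: '/var/log/kern.log'
  centos:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'audit'
      location: '/var/log/audit/audit.log'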
Variable:
wazuh_manager_syslog_outputs
Description: Configures the syslog_output section from
ossec.conf.
Default values:
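# Default values: one syslog_output entry with every field unset.
wazuh_manager_syslog_outputs:
  - server: null
    port: null
    format: null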
Variable:
wazuh_manager_integrations
Description: Configures the integration section from
ossec.conf.
Default values:
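# Default values: two integration entries, both with `name: null` (i.e. not
# activated). '<hook_url>' and '<api_key>' are placeholders; real values are
# secrets and belong in Ansible Vault, not in plain-text vars.
wazuh_manager_integrations:
  # slack
  - name: null
    hook_url: '<hook_url>'
    alert_level: 10
    alert_format: 'json'
    rule_id: null
  # pagerduty
  - name: null
    api_key: '<api_key>'
    alert_level: 12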
Variable:
wazuh_manager_labels
Description: Configures the labels section from
ossec.conf.
Default values:
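# Default values: labels disabled, with one example key/value in `list`.
wazuh_manager_labels:
  enable: false
  list:
    - key: Env
      value: Production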
Variable:
wazuh_manager_ruleset
Description: Configures the ruleset section from
ossec.conf.
Default values:
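# Default values: relative paths for custom rules/decoders and the CDB lists
# to load.
wazuh_manager_ruleset:
  rules_path: 'custom_ruleset/rules/'
  decoders_path: 'custom_ruleset/decoders/'
  cdb_lists:
    - 'audit-keys'
    - 'security-eventchannel'
    - 'amazon/aws-eventnames'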
Variable:
wazuh_manager_rule_exclude
Description: Configures the rule_exclude section from
ossec.conf.
Default values:
# Default values: rule files excluded from the ruleset.
wazuh_manager_rule_exclude:
- '0215-policy_rules.xml'
Variable:
wazuh_manager_authd
Description: Configures the auth section from
ossec.conf.
Default values:
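# Default values for the auth (authd) section. These defaults favour
# frictionless enrollment: no registration password (use_password: 'no'),
# force_insert 'yes' and no host verification (ssl_verify_host: 'no').
# A hardened deployment would typically tighten these — confirm the exact
# semantics against the authd documentation.
wazuh_manager_authd:
  enable: true
  port: 1515
  use_source_ip: 'no'
  force_insert: 'yes'
  force_time: 0
  purge: 'yes'
  use_password: 'no'
  limit_maxagents: 'yes'
  ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
  ssl_agent_ca: null
  ssl_verify_host: 'no'
  ssl_manager_cert: 'sslmanager.cert'
  ssl_manager_key: 'sslmanager.key'
  ssl_auto_negotiate: 'no'
# NOTE(review): wazuh_manager_cluster is a separate variable that appears here
# without its own "Variable" entry on this page.
wazuh_manager_cluster:
  disable: 'yes'
  name: 'wazuh'
  node_name: 'manager_01'
  node_type: 'master'
  # Shared cluster secret. The value below is the page's example only: generate
  # a deployment-specific key and keep it in Ansible Vault.
  key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
  port: '1516'
  bind_addr: '0.0.0.0'
  nodes:
    - 'manager'
  hidden: 'no'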
Variable:
wazuh_manager_api
Description: Configures the Wazuh API file called
api.yaml.
Default values:
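# Default values written to api.yaml. The boolean-looking values are spelled
# three ways (yes/no, False); under Ansible's YAML 1.1 loader they all become
# booleans, and `true`/`false` are the canonical equivalents.
wazuh_manager_api:
  # Listens on all interfaces; restrict if the API is not meant to be reachable
  # network-wide.
  bind_addr: 0.0.0.0
  port: 55000
  https: yes
  https_key: "server.key"
  https_cert: "server.crt"
  # https_use_ca is off, so https_ca ("ca.crt") is presumably unused by default.
  https_use_ca: False
  https_ca: "ca.crt"
  logging_level: "info"
  cors: no
  cors_source_route: "*"
  cors_expose_headers: "*"
  cors_allow_headers: "*"
  cors_allow_credentials: no
  cache: yes
  cache_time: 0.750
  # Brute-force limits: attempts before blocking and block duration (seconds).
  access_max_login_attempts: 5
  access_block_time: 300
  access_max_request_per_minute: 300
  drop_privileges: yes
  experimental_features: no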
Variable:
wazuh_api_user
Description: Wazuh API credentials.
Example:
# Example only: each entry is "<user>:<password-hash>". The $apr1$ prefix is the
# htpasswd-style MD5-crypt format — confirm with the role which formats it accepts.
# Real entries are credentials: keep them in Ansible Vault (see the warning below).
wazuh_api_user:
- foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/
- bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1
Warning
We recommend the use of Ansible Vault to protect Wazuh agentless and authd credentials.
Variable:
wazuh_manager_config
Description: Stores the Wazuh Manager configuration. This variable is provided for backward compatibility. Newer deployments should use the newly introduced variables described above.
Example:
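# Legacy single-variable manager configuration (see description above).
# Indentation restored; values are reproduced from the page unchanged.
wazuh_manager_config:
  json_output: 'yes'
  alerts_log: 'yes'
  logall: 'no'
  log_format: 'plain'
  cluster:
    disable: 'yes'
    name: 'wazuh'
    node_name: 'manager_01'
    node_type: 'master'
    # Shared cluster secret; example value only — generate your own and keep it
    # in Ansible Vault.
    key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
    interval: '2m'
    port: '1516'
    bind_addr: '0.0.0.0'
    nodes:
      - '172.17.0.2'
      - '172.17.0.3'
      - '172.17.0.4'
    hidden: 'no'
  connection:
    - type: 'secure'
      port: '1514'
      protocol: 'tcp'
  authd:
    enable: true
    port: 1515
    use_source_ip: 'no'
    force_insert: 'yes'
    force_time: 0
    purge: 'no'
    use_password: 'no'
    ssl_agent_ca: null
    ssl_verify_host: 'no'
    ssl_manager_cert: 'etc/sslmanager.cert'
    ssl_manager_key: 'etc/sslmanager.key'
    ssl_auto_negotiate: 'no'
  email_notification: 'no'
  mail_to:
    - 'admin@example.net'
  mail_smtp_server: localhost
  mail_from: wazuh-manager@example.com
  extra_emails:
    - enable: false
      mail_to: 'admin@example.net'
      format: full
      level: 7
      event_location: null
      group: null
      do_not_delay: false
      do_not_group: false
      rule_id: null
  reports:
    - enable: false
      category: 'syscheck'
      title: 'Daily report: File changes'
      email_to: 'admin@example.net'
      location: null
      group: null
      rule: null
      level: null
      srcip: null
      user: null
      showlogs: null
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/random-seed
      - /etc/random.seed
      - /etc/adjtime
      - /etc/httpd/logs
      - /etc/utmpx
      - /etc/wtmpx
      - /etc/cups/certs
      - /etc/dumpdates
      - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
  rootcheck:
    frequency: 43200
  openscap:
    disable: 'no'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
  cis_cat:
    disable: 'yes'
    install_java: 'yes'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
    java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
    ciscat_path: '/var/ossec/wodles/ciscat'
    content:
      - type: 'xccdf'
        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
  log_level: 1
  email_level: 12
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'command'
      command: 'df -P'
      frequency: '360'
    - format: 'full_command'
      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
  globals:
    - '127.0.0.1'
    - '192.168.2.1'
  commands:
    - name: 'disable-account'
      executable: 'disable-account'
      timeout_allowed: 'yes'
    - name: 'restart-wazuh'
      executable: 'restart-wazuh'
      timeout_allowed: 'no'
    - name: 'win_restart-wazuh'
      executable: 'restart-wazuh.exe'
      timeout_allowed: 'no'
    - name: 'firewall-drop'
      executable: 'firewall-drop'
      timeout_allowed: 'yes'
    - name: 'host-deny'
      executable: 'host-deny'
      timeout_allowed: 'yes'
    - name: 'route-null'
      executable: 'route-null'
      timeout_allowed: 'yes'
    - name: 'win_route-null'
      executable: 'route-null.exe'
      timeout_allowed: 'yes'
  # Active-response bindings: rules_id ties a command to specific rules,
  # level triggers it for any alert at or above that level.
  active_responses:
    - command: 'restart-wazuh'
      location: 'local'
      rules_id: '100002'
    - command: 'win_restart-wazuh'
      location: 'local'
      rules_id: '100003'
    - command: 'host-deny'
      location: 'local'
      level: 6
      timeout: 600
  syslog_outputs:
    - server: null
      port: null
      format: null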
Variable:
wazuh_agent_configs
Description: Stores the different settings and profiles for centralized agent configuration via the Wazuh Manager.
Example:
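# Example: a list of centralized-configuration profiles, one per (type, type_value)
# selector — here a Linux profile and a Windows profile. Indentation restored.
- type: os
  type_value: Linux
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
  rootcheck:
    frequency: 43200
    cis_distribution_filename: null
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'apache'
      location: '/var/log/httpd/error_log'
    - format: 'apache'
      location: '/var/log/httpd/access_log'
    - format: 'apache'
      location: '/var/ossec/logs/active-responses.log'
- type: os
  type_value: Windows
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    # Registry keys are single-quoted so the backslashes stay literal.
    windows_registry:
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
        arch: 'both'
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
  localfiles:
    - format: 'Security'
      location: 'eventchannel'
    - format: 'System'
      location: 'eventlog'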
Variable:
cdb_lists
Description: Configure the CDB lists used by the Wazuh Manager.
Example:
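# Example: one CDB list. `content` is a literal block scalar, so each
# "key:value" line is written to the list file as-is.
cdb_lists:
  - name: 'audit-keys'
    content: |
      audit-wazuh-w:write
      audit-wazuh-r:read
      audit-wazuh-a:attribute
      audit-wazuh-x:execute
      audit-wazuh-c:command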
Warning
We recommend the use of Ansible Vault to protect Wazuh agentless and authd credentials.
Variable:
agentless_creds
Description: Credentials and host(s) to be used by the agentless feature.
Example:
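# Example only. `passwd` is a plain-text SSH password: keep real values in
# Ansible Vault (see the warning above). The example host uses the root
# account; a dedicated least-privilege account is preferable where the check
# type allows it — confirm against the agentless documentation.
agentless_creds:
  - type: ssh_integrity_check_linux
    frequency: 3600
    host: root@example.net
    state: periodic
    arguments: '/bin /etc/ /sbin'
    passwd: qwerty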
Warning
We recommend the use of Ansible Vault to protect Wazuh agentless and authd credentials.
Variable:
authd_pass
Description: Wazuh authd service password.
Example:
# Example value only; the real password belongs in Ansible Vault (see the warning above).
authd_pass: foobar
Wazuh Agent
Variable:
wazuh_managers
Description: Set the Wazuh Manager servers' IP address, protocol, and port to be used by the agent. If a specific manager is used for registration, indicate which one by adding the register option set to true. If the register option is missing, the first manager in the list is used for registration.
Example:
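# Example: two managers. The first entry gives no port, so the role's default
# applies; the second is marked `register: yes` and is therefore the one used
# for registration (per the description above).
wazuh_managers:
  - address: 172.16.24.56
    protocol: udp
  - address: 192.168.10.15
    port: 1514
    protocol: tcp
    register: yes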
Variable:
wazuh_agent_nolog_sensible
Description: Indicates whether the no_log option should be added to tasks that output sensitive information (such as tokens).
Default value:
true
Variable:
wazuh_agent_api_validate
Description: After registering the agent through the REST API, validate that the registration succeeded.
Default value:
true
Variable:
wazuh_agent_address
Description: Sets which IP address to associate with this agent. It can be an address or "any". This variable supersedes wazuh_agent_nat.
Default value:
ansible_default_ipv4.address
Variable:
wazuh_profile
Description: Configure which profiles this agent will have.
Default value:
null
Multiple profiles can be included, separated by a comma and a space, for example:
# Two profiles in one string, separated by a comma and a space.
wazuh_profile: "centos7, centos7-web"
Variable:
wazuh_agent_authd
Description: Set the agent-authd facility. This enables or disables automatic agent registration; you can set various options in accordance with the authd service configured on the Wazuh Manager. This Ansible role uses the address defined in
registration_address as the authd registration server.
Example:
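# Example agent-authd settings (the page showed them collapsed onto one line).
# registration_address is the authd server the role registers against; the
# ssl_agent_* entries are left unset (null) in this example.
wazuh_agent_authd:
  registration_address: 10.1.1.12
  enable: false
  port: 1515
  ssl_agent_ca: null
  ssl_agent_cert: null
  ssl_agent_key: null
  ssl_auto_negotiate: 'no'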
Variable:
wazuh_notify_time
Description: Set the
<notify_time> option in the agent.
Default value:
null
Variable:
wazuh_time_reconnect
Description: Set the
<time-reconnect> option in the agent.
Default value:
null
Variable:
wazuh_winagent_config
Description: Set the Wazuh Agent installation settings for Windows hosts.
Example:
# Example Windows agent settings. `md5` presumably is the checksum the role checks
# the downloaded package against — confirm with the role. An MD5 checksum detects
# download corruption but is not a substitute for a signature check on the installer.
install_dir: 'C:\wazuh-agent\'
version: '2.1.1'
revision: '2'
repo: https://packages.wazuh.com/windows/
md5: fd9a3ce30cd6f9f553a1bc71e74a6c9f
Variable:
wazuh_agent_enrollment
Description: Configures the enrollment section in the agent's
ossec.conf.
Example:
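# Example enrollment settings. Empty strings leave the corresponding option
# unset; the certificate/CA paths are empty here, so the example relies on the
# authorization password file rather than agent certificates.
wazuh_agent_enrollment:
  enabled: ''
  manager_address: ''
  port: 1515
  agent_name: 'testname'
  groups: ''
  agent_address: ''
  ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
  server_ca_path: ''
  agent_certificate_path: ''
  agent_key_path: ''
  # Path to the password file on the agent; the file itself should be
  # protected like any credential.
  authorization_pass_path: /var/ossec/etc/authd.pass
  auto_method: 'no'
  delay_after_enrollment: 20
  use_source_ip: 'no'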
Variable:
wazuh_agent_client_buffer
Description: Configures the client_buffer section from the agent's
ossec.conf.
Example:
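# Example client_buffer settings; queue_size and events_per_sec are quoted
# strings here, as on the page.
wazuh_agent_client_buffer:
  disable: 'no'
  queue_size: '5000'
  events_per_sec: '500'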
Variable:
wazuh_agent_rootcheck
Description: Configures the rootcheck section from the agent's
ossec.conf.
Example:
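# Example: rootcheck frequency in seconds (43200 = 12 hours).
wazuh_agent_rootcheck:
  frequency: 43200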
Variable:
wazuh_agent_openscap
Default values:
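# Default values for the agent's OpenSCAP wodle; disabled by default.
wazuh_agent_openscap:
  disable: 'yes'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'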
Variable:
wazuh_agent_cis_cat
Default values:
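# Default values for the agent's CIS-CAT wodle; disabled by default. The *_win
# keys are the Windows counterparts of java_path/ciscat_path; single quotes keep
# the backslashes literal (the UNC path starts with a literal '\\').
wazuh_agent_cis_cat:
  disable: 'yes'
  install_java: 'no'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'
  java_path: 'wodles/java'
  java_path_win: '\\server\jre\bin\java.exe'
  ciscat_path: 'wodles/ciscat'
  ciscat_path_win: 'C:\cis-cat'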
Variable:
wazuh_agent_osquery
Default values:
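# Default values for the agent's osquery wodle; disabled by default. The *_win
# keys hold the Windows paths.
wazuh_agent_osquery:
  disable: 'yes'
  run_daemon: 'yes'
  bin_path_win: 'C:\Program Files\osquery\osqueryd'
  log_path: '/var/log/osquery/osqueryd.results.log'
  log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
  config_path: '/etc/osquery/osquery.conf'
  config_path_win: 'C:\Program Files\osquery\osquery.conf'
  add_labels: 'yes'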
Variable:
wazuh_agent_syscollector
Default values:
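# Default values for the agent's syscollector wodle; enabled with all scans on.
wazuh_agent_syscollector:
  disable: 'no'
  interval: '1h'
  scan_on_start: 'yes'
  hardware: 'yes'
  os: 'yes'
  network: 'yes'
  packages: 'yes'
  ports_no: 'yes'
  processes: 'yes'
# NOTE(review): wazuh_agent_sca is a separate variable (agent SCA defaults) that
# appears here without its own "Variable" entry on this page.
wazuh_agent_sca:
  enabled: 'yes'
  scan_on_start: 'yes'
  interval: '12h'
  skip_nfs: 'yes'
  day: ''
  wday: ''
  time: ''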
Variable:
wazuh_agent_syscheck
Description: Configures the syscheck section from the agent's
ossec.conf.
Default values:
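# Default values for the agent's syscheck (FIM) section.
wazuh_agent_syscheck:
  frequency: 43200
  scan_on_start: 'yes'
  auto_ignore: 'no'
  win_audit_interval: 60
  skip_nfs: 'yes'
  skip_dev: 'yes'
  skip_proc: 'yes'
  skip_sys: 'yes'
  process_priority: 10
  max_eps: 100
  sync_enabled: 'yes'
  sync_interval: '5m'
  sync_max_interval: '1h'
  sync_max_eps: 10
  # Paths excluded from monitoring.
  ignore:
    - /etc/mtab
    - /etc/hosts.deny
    - /etc/mail/statistics
    - /etc/random-seed
    - /etc/random.seed
    - /etc/adjtime
    - /etc/httpd/logs
    - /etc/utmpx
    - /etc/wtmpx
    - /etc/cups/certs
    - /etc/dumpdates
    - /etc/svc/volatile
  # Regex-style ignore patterns, per platform; quoted so `$` and `|` stay literal.
  ignore_linux_type:
    - '.log$|.swp$'
  ignore_win:
    - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
  # Files whose content diff is never reported (the example is a private key).
  no_diff:
    - /etc/ssl/private.key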
Variable:
wazuh_agent_localfiles
Description: Configures the localfile section from the agent's
ossec.conf.
Default values:
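# Default localfile entries, grouped by platform key (debian, centos, linux,
# windows).
wazuh_agent_localfiles:
  debian:
    - format: 'syslog'
      location: '/var/log/auth.log'
    - format: 'syslog'
      location: '/var/log/syslog'
    - format: 'syslog'
      location: '/var/log/dpkg.log'
    - format: 'syslog'
      location: '/var/log/kern.log'
  centos:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'audit'
      location: '/var/log/audit/audit.log'
  linux:
    - format: 'syslog'
      location: '/var/ossec/logs/active-responses.log'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
    - format: 'command'
      command: df -P
      frequency: '360'
    - format: 'full_command'
      # Left unquoted on purpose (the pipeline contains single quotes); a plain
      # scalar only stays valid while it contains no ': ' or ' #' sequence.
      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
      alias: 'netstat listening ports'
      frequency: '360'
  windows:
    - format: 'eventlog'
      location: 'Application'
    - format: 'eventchannel'
      location: 'Security'
      # XPath filter dropping a set of noisy Security event IDs.
      query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
    - format: 'eventlog'
      location: 'System'
    - format: 'syslog'
      location: 'active-response\active-responses.log'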
Variable:
wazuh_agent_labels
Description: Configures the labels section from the agent's
ossec.conf.
Default values:
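# Default values: labels disabled, with one example key/value in `list`.
wazuh_agent_labels:
  enable: false
  list:
    - key: Env
      value: Production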
Variable:
wazuh_agent_active_response
Description: Configures the active-response section from the agent's
ossec.conf.
Default values:
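# Default values: active response enabled (ar_disabled: 'no') with CA
# verification of downloaded packages turned on; ca_store/ca_store_win point at
# the trust root for Linux and Windows respectively.
wazuh_agent_active_response:
  ar_disabled: 'no'
  ca_store: '/var/ossec/etc/wpk_root.pem'
  ca_store_win: 'wpk_root.pem'
  ca_verification: 'yes'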
Variable:
wazuh_agent_log_format
Description: Configures the log_format section from the agent's
ossec.conf.
Default value:
plain
Variable:
wazuh_agent_config
Description: Wazuh Agent related configuration. This variable is provided for backward compatibility. Newer deployments should use the newly introduced variables described above.
Example:
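# Legacy single-variable agent configuration (see description above).
# Indentation restored; values are reproduced from the page unchanged.
wazuh_agent_config:
  log_format: 'plain'
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/random-seed
      - /etc/random.seed
      - /etc/adjtime
      - /etc/httpd/logs
      - /etc/utmpx
      - /etc/wtmpx
      - /etc/cups/certs
      - /etc/dumpdates
      - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
    # Registry keys are single-quoted so the backslashes stay literal.
    windows_registry:
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
        arch: 'both'
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
  rootcheck:
    frequency: 43200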
Warning
We recommend the use of Ansible Vault to protect authd credentials.
Variable:
authd_pass
Description: Wazuh authd credentials for agent registration.
Example:
# Example value only; the real password belongs in Ansible Vault (see the warning above).
authd_pass: foobar