Wazuh agent class
class wazuh::agent
This contains variables that can be used to configure the Wazuh agent.
Active-Response variables
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Enables Active Response on this host. | | Boolean |
| | Toggles the active-response capability on and off. | | String |
| | This option enables or disables the WPK validation using the root CA certificate. If this parameter is set to no, the agent will accept any WPK package from the manager. | | String |
| | Sets timeouts in minutes for repeat offenders. This list of increasing timeouts can contain a maximum of 5 entries. | | Integer |
Agent enrollment variables
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Enables/disables agent enrollment. If this variable is not set to ' | | String |
| | Hostname or IP address of the manager where the agent will be enrolled. | | String |
| | Specifies the port on which the manager will send enrollment requests. Depends on | | String |
| | Specifies the agent name that will be used for enrollment. Depends on | | String |
| | Group name to which the agent belongs. Depends on | | String |
| | Force IP address from the agent. The manager will extract the source IP address from the enrollment message if this is not set. Depends on | | String |
| | Override SSL used ciphers. Depends on | | String |
| | Used for manager verification. If no CA certificate is set, the server will not be verified. Depends on | | String |
| | Required when agent verification is enabled in the manager. Depends on | | String |
| | Required when agent verification is enabled in the manager. Depends on | | String |
| | Enrollment password. Depends on | | String |
| | Required when enrollment is using password verification. Depends on | | String |
| | Auto negotiates the most secure common SSL/TLS method with the manager, use " Depends on | | String |
| | Specifies the time agents should wait after a successful registration. Related parameter | | String |
| | Force the manager to compute the IP address from the agent message. Depends on | | String |
Client variables
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Specifies the IP address or the hostname of the Wazuh manager to report. | | String |
| | Specifies the IP address or the hostname of the Wazuh manager against which to register. It is used to run the agent-auth tool. | n/a | String |
| | Specifies the port to send events to the manager. This must match the associated listening port configured on the Wazuh manager. | | String |
| | Specifies the protocol to use when connecting to the manager. | | String |
| | The number of connection retries. | | String |
| | Time interval between connection attempts (seconds). | | String |
| | Specifies the time in seconds between agent check-ins to the manager. | | String |
| | Specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the | | String |
| | Toggles on and off the automatic restart of agents when a new valid configuration is received from the manager. | | String |
| | Choose the encryption of the messages that the agent sends to the manager. | | String |
| | Sets the capacity of the agent buffer in number of events. | | Integer |
| | Specifies the number of events sent to the manager per second. | | String |
Localfile variables
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Files list for log analysis. These files are listed in | Depends on the OS family. | List |
Rootcheck variables
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Disable rootcheck on this host (Linux). | | String |
| | Enable the rootcheck checkfiles option. | | String |
| | Enable the rootcheck checktrojans option. | | String |
| | Enable the rootcheck checkdev option. | | String |
| | Enable the rootcheck checksys option. | | String |
| | Enable the rootcheck checkpids option. | | String |
| | Enable the rootcheck checkports option. | | String |
| | Enable the rootcheck check_if option. | | String |
| | How often the rootcheck scan will run (in seconds). | | String |
| | List of files or directories to be ignored. These files and directories will be ignored during scans. | | List |
| | Change the location of the rootkit files database. | | String |
| | Change the location of the rootkit trojans database. | | String |
| | Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, | | String |
| | Specifies the path to an audit definition file for Unix-like systems. | | List |
| | Disables rootcheck if the host has a Windows OS. | | String |
| | Specifies the path to a Windows application definition file. | | String |
| | Specifies the path to a Windows malware definitions file. | | String |
SCA variables
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Enables SCA section render on this host. | | Boolean |
| | Enable SCA on this host (Amazon Linux 2). Depends on | | String |
| | The SCA module will perform the scan immediately when started (Amazon Linux 2). Depends on | | String |
| | The interval between module executions. Depends on | | String |
| | Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, Depends on | | String |
| | A list of policies to run assessments can be included in this section. Depends on | | List |
| | The SCA module will perform the scan immediately when started (RHEL). Depends on | | String |
| | The interval between module executions. Depends on | | String |
| | Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, Depends on | | String |
| | A list of policies to run assessments can be included in this section. Depends on | | List |
| | The SCA module will perform the scan immediately when started (Linux). Depends on | | String |
| | The interval between module executions. Depends on | | String |
| | Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, Depends on | | String |
| | A list of policies to run assessments can be included in this section. Depends on | | List |
Syscheck variables
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Enables syscheck section rendering on this host. If this variable is not set to 'true', the complete | | Boolean |
| | Disables syscheck on this host. | | String |
| | Enables syscheck section rendering on this host. | | String |
| | Specifies if syscheck scans immediately when started. | | String |
| | Specifies whether or not syscheck will ignore files that change too many times (manager only). | | String |
| | List of directories to be monitored. The directories should be comma-separated. | | String |
| | This will enable real-time/continuous monitoring on directories listed on | | String |
| | This will enable who-data monitoring on directories listed on | | String |
| | List of directories to be monitored. The directories should be comma-separated. | | String |
| | This will enable real-time/continuous monitoring on directories listed on | | String |
| | This will enable who-data monitoring on directories listed on | | String |
| | Report file changes. This is limited to text files at this time. | | String |
| | List of files or directories to be ignored. Ignored files and directories are still being scanned, but the results are not reported. | | String |
| | Simple regex pattern to filter out files. | | String |
| | Another simple regex pattern to filter out files. | | String |
| | Sets the nice value for the syscheck process. | | String |
| | Specifies whether there will be periodic inventory synchronizations or not. | | String |
| | Specifies the initial number of seconds between every inventory synchronization. If synchronization fails, the value will be duplicated until it reaches the value of | | String |
| | Sets the maximum synchronization message throughput. | | String |
| | Specifies the maximum number of seconds between every inventory synchronization. | | String |
| | Specifies if syscheck should scan network-mounted filesystems. This option works on Linux and FreeBSD systems. Currently, | | String |
Wodle osquery variables
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Enables the Wodle osquery section rendering on this host. If this variable is not set to ' | | String |
| | Disables the osquery wodle. | | String |
| | Makes the module run osqueryd as a subprocess or let the module monitor the results log without running Osquery. | | String |
| | This defines the full path to the results log written by Osquery. | | String |
| | Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running. | | String |
| | Add the agent labels defined as decorators. | | String |
Wodle Syscollector
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Disable the Syscollector wodle. | | String |
| | Time between system scans. | | String |
| | Run a system scan immediately when the service is started. | | String |
| | Enables the hardware scan. | | String |
| | Enables the scan of the OS. | | String |
| | Enables the network scan. | | String |
| | Enables the scan of the packages. | | String |
| | Enables the scanning of the ports. | | String |
| | Enables the scan of the processes. | | String |
Misc Variables
| Parameter | Description | Default value | Data type |
|---|---|---|---|
| | Defines the package name using | | String |
| | Defines package version | | String |
| | Whether to install a SELinux policy to allow rotation of OSSEC logs. | | Boolean |
| | Configure agent name. | | String |
| | Install Wazuh through Wazuh repositories. | | Boolean |
| | Manage client keys option. | | String |
| | Define a password for agent-auth | | String |