Wazuh manager class

$ossec_alert_level

Sets the minimum severity level for alerts stored in /var/ossec/logs/alerts.log and/or /var/ossec/logs/alerts.json.

3

Integer

$ossec_auth_disabled

Toggles the execution of the Auth daemon on or off.

no

String

$ossec_auth_use_source_ip

Toggles the use of the client's source IP address or the use of "any" to add an agent.

yes

String

$ossec_auth_use_password

Toggles shared password authentication on or off.

no

String

$ossec_auth_ssl_verify_host

Toggles source host verification on and off when a CA certificate is specified. This means that the client source IP address will be validated using the Common Name field.

no

String

$ossec_auth_ssl_manager_key

Specifies the full path to the server's SSL key.

/var/ossec/etc/sslmanager.key

String

$ossec_cluster_name

Specifies the name of the cluster this node belongs to.

wazuh

String

$ossec_cluster_node_type

Specifies the role of the node.

master

String

$ossec_cluster_port

Specifies the port to use for the cluster communications.

1516

String

$ossec_cluster_nodes

Lists all master nodes in the cluster using the <node> tag for each one.

['NODE_IP']

String

$ossec_cluster_disabled

Toggles whether the cluster is enabled or not. If this value is set to yes, the cluster won't start.

yes

String

$ossec_emailnotification

Whether or not to send email notifications. If this variable is not set to true, the email tags will not be added to /var/ossec/etc/ossec.conf.

false

Boolean

$ossec_smtp_server

SMTP mail server.

Depends on ossec_emailnotification

smtp.example.wazuh.com

String

$ossec_email_maxperhour

Global Configuration with the maximum number of emails per hour.

Depends on ossec_emailnotification

12

Integer

$ossec_email_idsname

Define email ID name

undef

String

$ossec_remote_connection

Specifies a type of incoming connection to accept: secure or syslog.

secure

String

$ossec_remote_protocol

Specifies the protocol to use. It is available for secure connections and syslog events.

tcp

String

$ossec_remote_allowed_ips

IP address that is allowed to send syslog messages to the server.

Needed if ossec_remote_connection is set to syslog

undef

String

$ossec_local_files

Files list for log analysis

These files are listed in params_manager.pp in section $default_local_files.

n/a

List

$configure_rootcheck

Enables rootcheck section render on this host.

true

Boolean

$ossec_rootcheck_check_files

Enable the rootcheck checkfiles option.

yes

String

$ossec_rootcheck_check_dev

Enable rootcheck checkdev option.

yes

String

$ossec_rootcheck_check_pids

Enable rootcheck checkpids option.

yes

String

$ossec_rootcheck_check_if

Enable rootcheck checkif option.

yes

String

$ossec_rootcheck_ignore_list

List of files or directories to be ignored. These files and directories will be ignored during scans.

[]

String

$ossec_rootcheck_rootkit_trojans

Change the location of the rootkit trojan's database.

'etc/shared/rootkit_trojans.txt'

String

$ossec_rootcheck_system_audit

Specifies the path to an audit definition file for Unix-like systems.

[]

String

$configure_syscheck

Enables syscheck section rendering on this host. If this variable is not set to true, the complete syscheck tag will not be added to /var/ossec/etc/ossec.conf.

true

Boolean

$ossec_syscheck_frequency

Enables the syscheck section render on this host.

43200

String

$ossec_syscheck_auto_ignore

Specifies whether or not syscheck will ignore files that change too many times (manager only).

undef

String

$ossec_syscheck_realtime_directories_1

This will enable real-time/continuous monitoring on directories listed on ossec_syscheck_directories_1. The real-time settings work with directories, not individual files.

no

String

$ossec_syscheck_directories_2

List of directories to be monitored. The directories should be comma-separated

'/etc,/usr/bin,/usr/sbin'

String

$ossec_syscheck_whodata_directories_2

This will enable who-data monitoring on directories listed on ossec_syscheck_directories_2.

no

String

$ossec_syscheck_ignore_list

List of files or directories to be ignored. Ignored files and directories are still scanned, but the results are not reported.

['/etc/mtab','/etc/hosts.deny','/etc/mail/statistics','/etc/random-seed','/etc/random.seed','/etc/adjtime','/etc/httpd/logs','/etc/utmpx','/etc/wtmpx','/etc/cups/certs','/etc/dumpdates','/etc/svc/volatile','/sys/kernel/security','/sys/kernel/debug','/dev/core',]

List

$ossec_syscheck_ignore_type_2

Another simple regex pattern to filter out files.

'.log$|.swp$'

String

$ossec_syscheck_process_priority

Sets the nice value for the syscheck process. The nice value determines how a process should be with CPU time; higher values make it wait more, lower values make it run faster.

10

String

$ossec_syscheck_synchronization_interval

Specifies the initial number of seconds between every inventory synchronization. If synchronization fails, the value will be duplicated until it reaches the value of max_interval.

5m

String

$ossec_syscheck_synchronization_max_interval

Specifies the maximum number of seconds between every inventory synchronization.

1h

String

$syslog_output

Allows a Wazuh manager to send the OSSEC alerts to one or more syslog servers. If this variable is not set to true, the complete syslog_output tag will not be added to /var/ossec/etc/ossec.conf.

false

Boolean

$syslog_output_port

The port to forward alerts to.

Depends on syslog_output

514

Integer

$syslog_output_format

Format of alert output.

Depends on syslog_output

undef

String

$configure_vulnerability_detection

Enables Vulnerability detection section rendering on this host. If this variable is not set to true, the complete vulnerability-detection tag will not be added to /var/ossec/etc/ossec.conf.

yes

String

$vulnerability_detection_index_status

Enables indexing of vulnerability inventory data.

Depends on configure_vulnerability_detection

yes

String

$vulnerability_detection_feed_update_interval

Time interval for periodic feed updates.

Depends on configure_vulnerability_detection

60m

String

$vulnerability_indexer_enabled

Enables the Vulnerability detection indexer module. Depends on configure_vulnerability_indexer

Depends on configure_vulnerability_indexer

yes

String

$vulnerability_indexer_hosts_port

Port of Wazuh indexer.

Depends on configure_vulnerability_indexer

9200

String

Depends on configure_vulnerability_indexer

$vulnerability_indexer_ssl_key

Path of Filebeat key. Depends on configure_vulnerability_indexer

Depends on configure_vulnerability_indexer

/etc/filebeat/certs/filebeat-key.pem

String

$wazuh_api_host

IP address or hostname of the Wazuh manager where the Wazuh API is running.

['0.0.0.0', '::'] | List

$wazuh_api_https_enabled

Enable or disable SSL (https) in the Wazuh API.

true

String

$wazuh_api_https_cert

File with the certificate.

server.crt (in api/configuration/ssl)

String

$wazuh_api_https_ca

Certificate of the Certificate Authority (CA).

ca.crt (in api/configuration/ssl)

String

$wazuh_api_logs_format

Set the format of the Wazuh API logs.

plain

String

$wazuh_api_cors_source_route

Sources for which the resources will be available. For example, http://client.example.org.

"*"

String

$wazuh_api_cors_allow_headers

Specifies which HTTP headers can be used during the actual request.

"*"

String

$wazuh_api_cache_enabled

Enables or disables caching for certain API responses (currently, all /rules endpoints)

true

String

$wazuh_api_access_max_login_attempts

Set a maximum number of login attempts during a specified block_time number of seconds.

5

Integer

$wazuh_api_access_max_request_per_minute

Establish a maximum number of requests the Wazuh API can handle per minute (does not include authentication requests). If the number of requests for a given minute is exceeded, all incoming requests (from any user) will be blocked. This feature can be disabled by setting its value to 0.

300

Integer

$wazuh_api_experimental_features

Enable features under development

false

String

$configure_wodle_osquery

Enables the Wodle osquery section rendering on this host. If this variable is not set to true, the complete osquery wodle tag will not be added to /var/ossec/etc/ossec.conf.

true

Boolean

$wodle_osquery_run_daemon

Makes the module run osqueryd as a subprocess or lets the module monitor the results log without running Osquery.

Depends on configure_wodle_osquery

yes

String

$wodle_osquery_config_path

Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running.

Depends on configure_wodle_osquery

'/etc/osquery/osquery.conf'

String

$wodle_syscollector_disabled

Disable the Syscollector wodle.

no

String

$wodle_syscollector_scan_on_start

Run a system scan immediately when the service is started.

yes

String

$wodle_syscollector_os

Enables the OS scan.

yes

String

$wodle_syscollector_packages

Enables the scan of the packages.

yes

String

$wodle_syscollector_processes

Enables the scan of the processes.

yes

String

$server_package_version

Modifies the client.pp and server.pp Puppet configuration files to accept package versions as a parameter.

4.14.0-1

String

$manage_client_keys

Manage client keys option.

true

String

$local_rules_template

Allow using a custom /var/ossec/etc/rules/local_rules.xml in the manager.

wazuh/local_rules.xml.erb

String

$alert_email

Email to send to.

n/a

String

$command_name

Human-readable name for wazuh::activeresponse usage.

n/a

String

$timeout_allowed

Specifies whether Active response commands should timeout or not.

true

Boolean

$active_response_name

Human readable name for wazuh::activeresponse usage.

n/a

String

$active_response_command

Links the active-response to the command.

n/a

String

$active_response_level

Can take values between 0 and 16.

n/a

Integer

$active_response_rules_id

List of rule IDs.

[]

List

$active_response_repeated_offenders

Sets timeouts in minutes for repeat offenders. This list of increasing timeouts can contain a maximum of 5 entries.

empty

List