Internal configuration
The main configuration is located in the ossec.conf file; however, some internal configuration features are located in the /var/ossec/etc/internal_options.conf file.
Generally, this file is reserved for debugging issues and for troubleshooting. Any error in this file may cause your installation to malfunction or fail to run.
Warning
This file will be overwritten during upgrades. In order to maintain custom changes, you must use the /var/ossec/etc/local_internal_options.conf file.
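An added example (not Wazuh project code) of auditing the effective settings before a restart: it overlays local_internal_options.conf on internal_options.conf, checks a subset of the ranges and cross-option constraints documented on this page, and flags the options that accept commands from the manager. The sample file contents are constructed; the one `section.option=value` per line format with `#` comment lines, and local values taking precedence, are assumptions.

```python
import re

# Allowed ranges copied from this page's tables (subset used by the checks).
RANGES = {
    "agent.warn_level": (1, 100),
    "agent.normal_level": (0, 99),  # real upper bound is agent.warn_level - 1
    "logcollector.remote_commands": (0, 1),
    "logcollector.max_files": (1, 100000),
    "logcollector.rlimit_nofile": (1024, 1048576),
    "sca.remote_commands": (0, 1),
    "wazuh_command.remote_commands": (0, 1),
    "remoted.verify_msg_id": (0, 1),
    "remoted.worker_pool": (1, 16),
    "syscheck.debug": (0, 2),
}
# Options this page describes as accepting commands pushed from the manager.
REMOTE_EXEC = ("logcollector.remote_commands", "sca.remote_commands",
               "wazuh_command.remote_commands")
# Assumption: one section.option=value per line; '#' starts a comment line.
LINE_RE = re.compile(r"^([A-Za-z_][\w-]*\.\w+)=(\S+)$")


def parse_options(text, name):
    """Return ({option: int}, [error messages]) for one options file."""
    opts, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"{name}:{n}: not section.option=value: {line!r}")
            continue
        key, val = m.groups()
        try:
            opts[key] = int(val)
        except ValueError:
            errors.append(f"{name}:{n}: {key} is not an integer: {val!r}")
    return opts, errors


def audit(packaged_text, local_text):
    """Merge both files (local wins, an assumption) and return (effective, findings)."""
    base, base_err = parse_options(packaged_text, "internal_options.conf")
    local, local_err = parse_options(local_text, "local_internal_options.conf")
    eff = {**base, **local}
    findings = [("error", e) for e in base_err + local_err]
    for key, val in sorted(eff.items()):
        lo, hi = RANGES.get(key, (None, None))
        if lo is not None and not lo <= val <= hi:
            findings.append(("error", f"{key}={val} is outside {lo}..{hi}"))
        if key in REMOTE_EXEC and val == 1:
            findings.append(("warn", f"{key}=1 accepts commands sent by the manager"))
        if key.endswith(".debug") and val != 0:
            findings.append(("info", f"{key}={val} leaves debug output enabled"))
    # Cross-option constraints stated on this page; fallbacks are the page defaults.
    get = eff.get
    if get("agent.normal_level", 70) >= get("agent.warn_level", 90):
        findings.append(("error", "agent.normal_level must be below agent.warn_level"))
    if get("logcollector.rlimit_nofile", 1100) < get("logcollector.max_files", 1000) + 100:
        findings.append(("error", "logcollector.rlimit_nofile must be >= "
                                  "logcollector.max_files + 100"))
    if get("remoted.verify_msg_id", 0) == 1 and get("remoted.worker_pool", 4) > 1:
        findings.append(("warn", "remoted.verify_msg_id does not work with "
                                 "remoted.worker_pool > 1"))
    return eff, findings


# Constructed sample: packaged file holding defaults listed on this page.
PACKAGED_SAMPLE = """\
agent.warn_level=90
agent.normal_level=70
logcollector.remote_commands=0
logcollector.max_files=1000
logcollector.rlimit_nofile=1100
sca.remote_commands=0
wazuh_command.remote_commands=0
remoted.verify_msg_id=0
remoted.worker_pool=4
syscheck.debug=0
"""
# Constructed sample: local overrides left behind after troubleshooting.
LOCAL_SAMPLE = """\
# local overrides (constructed)
syscheck.debug=2
sca.remote_commands=1
logcollector.max_files=2000
remoted.verify_msg_id=1
agent.normal_level=95
agent.warn_level=ninety
"""

if __name__ == "__main__":
    effective, results = audit(PACKAGED_SAMPLE, LOCAL_SAMPLE)
    for level, message in results:
        print(f"[{level}] {message}")
```
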
Agent
agent.tolerance |
Description |
Number of seconds the agent is full before triggering a flooding alert. |
Default value |
15 |
|
Allowed value |
Any integer between 0 and 600. |
|
agent.warn_level |
Description |
Percentage of occupied capacity in agent buffer to trigger a warning alert. |
Default value |
90 |
|
Allowed value |
Any integer between 1 and 100. |
|
agent.normal_level |
Description |
Percentage of occupied capacity in agent buffer to return to normal state. |
Default value |
70 |
|
Allowed value |
Any integer between 0 and agent.warn_level - 1. |
|
agent.min_eps |
Description |
Minimum events per second permitted in |
Default value |
50 |
|
Allowed value |
Any integer between 1 and 1000. |
|
agent.recv_timeout |
Description |
Maximum number of seconds to wait for server response from the TCP client socket. |
Default value |
60 |
|
Allowed value |
Any integer between 1 and 600. |
|
agent.state_interval |
Description |
The interval between the updates of the agent status file in seconds. |
Default value |
5 |
|
Allowed values |
0: Disable status file |
|
Any other integer between 1 and 86400 |
||
agent.debug |
Description |
Run the Unix agent processes in debug mode. |
Default value |
0 |
|
Allowed value |
0: No debug output. |
|
1: Standard debug output. |
||
2: Verbose debug output. |
||
agent.remote_conf |
Description |
Apply or refuse remote configuration. |
Default value |
1 |
|
Allowed value |
0: Remote configuration is disabled. |
|
1: Remote configuration is enabled. |
Analysisd
analysisd.default_timeframe |
Description |
Default rule time-frame. |
Default value |
360 |
|
Allowed value |
Any integer between 60 and 360. |
|
analysisd.stats_maxdiff |
Description |
Stats maximum diff. |
Default value |
999000 |
|
Allowed value |
Any integer between 10 and 999999. |
|
analysisd.stats_mindiff |
Description |
Stats minimum diff. |
Default value |
1250 |
|
Allowed value |
Any integer between 10 and 999999. |
|
analysisd.stats_percent_diff |
Description |
Stats percentage (how much to differ from average). |
Default value |
150 |
|
Allowed value |
Any integer between 5 and 9999. |
|
analysisd.fts_list_size |
Description |
FTS list size. |
Default value |
32 |
|
Allowed value |
Any integer between 12 and 512. |
|
analysisd.fts_min_size_for_str |
Description |
FTS minimum string size. |
Default value |
14 |
|
Allowed value |
Any integer between 6 and 128. |
|
analysisd.log_fw |
Description |
Toggles firewall log on and off (at logs/firewall/firewall.log). |
Default value |
1 |
|
Allowed value |
0, 1 |
|
analysisd.decoder_order_size |
Description |
Maximum number of fields in a decoder (order tag). |
Default value |
256 |
|
Allowed value |
Any integer between 32 and 1024. |
|
analysisd.geoip_jsonout |
Description |
Toggle to turn on or off the output of GeoIP data in JSON alerts. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
analysisd.label_cache_maxage |
Description |
Number of seconds without reloading labels in cache from agents. |
Default value |
10 |
|
Allowed value |
Any integer between 0 and 60. |
|
analysisd.show_hidden_labels |
Description |
Make hidden labels visible in alerts. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
analysisd.rlimit_nofile |
Description |
Maximum number of file descriptors that Analysisd can open. |
Default value |
458752 |
|
Allowed value |
Any integer between 1024 and 1048576. |
|
analysisd.debug |
Description |
Debug level (manager installations). |
Default value |
0 |
|
Allowed value |
0: No debug output. |
|
1: Standard debug output. |
||
2: Verbose debug output. |
||
analysisd.min_rotate_interval |
Description |
Minimum interval between log rotations. Supersedes max_output_size option. |
Default value |
600 |
|
Allowed value |
Any integer between 10 and 86400. |
|
analysisd.event_threads |
Description |
Number of event decoder threads. |
Default value |
0 |
|
Allowed value |
0: Sets the number of threads according to the number of CPU cores. |
|
Any integer between 0 and 32. |
||
analysisd.syscheck_threads |
Description |
Number of syscheck event decoder threads. |
Default value |
0 |
|
Allowed value |
0: Sets the number of threads according to the number of CPU cores. |
|
Any integer between 0 and 32. |
||
analysisd.syscollector_threads |
Description |
Number of Syscollector event decoder threads. |
Default value |
0 |
|
Allowed value |
0: Sets the number of threads according to the number of CPU cores. |
|
Any integer between 0 and 32. |
||
analysisd.rootcheck_threads |
Description |
Number of Rootcheck event decoder threads. |
Default value |
0 |
|
Allowed value |
0: Sets the number of threads according to the number of CPU cores. |
|
Any integer between 0 and 32. |
||
analysisd.sca_threads |
Description |
Number of SCA event decoder threads. |
Default value |
0 |
|
Allowed value |
0: Sets the number of threads according to the number of CPU cores. |
|
Any integer between 0 and 32. |
||
analysisd.hostinfo_threads |
Description |
Number of hostinfo event decoder threads. |
Default value |
0 |
|
Allowed value |
0: Sets the number of threads according to the number of CPU cores. |
|
Any integer between 0 and 32. |
||
analysisd.rule_matching_threads |
Description |
Number of rule matching threads. |
Default value |
0 |
|
Allowed value |
0: Sets the number of threads according to the number of CPU cores. |
|
Any integer between 0 and 32. |
||
analysisd.dbsync_threads |
Description |
Number of database synchronization dispatcher threads. |
Default value |
0 |
|
Allowed value |
0: Sets the number of threads according to the number of CPU cores. |
|
Any integer between 0 and 32. |
||
analysisd.winevt_threads |
Description |
Number of Windows event decoder threads. |
Default value |
0 |
|
Allowed value |
0: Sets the number of threads according to the number of CPU cores. |
|
Any integer between 0 and 32. |
||
analysisd.decode_event_queue_size |
Description |
Sets the decode event queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.decode_syscheck_queue_size |
Description |
Sets the decode Syscheck queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.decode_syscollector_queue_size |
Description |
Sets the decode Syscollector queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.decode_rootcheck_queue_size |
Description |
Sets the decode Rootcheck queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.decode_sca_queue_size |
Description |
Sets the decode SCA queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.decode_hostinfo_queue_size |
Description |
Sets the decode hostinfo queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.decode_output_queue_size |
Description |
Sets the decode output queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.decode_winevt_queue_size |
Description |
Sets the Windows event decode queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.archives_queue_size |
Description |
Sets the archives log queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.statistical_queue_size |
Description |
Sets the statistical log queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.alerts_queue_size |
Description |
Sets the alerts log queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.firewall_queue_size |
Description |
Sets the firewall log queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.fts_queue_size |
Description |
Sets the fts log queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.dbsync_queue_size |
Description |
Sets the database synchronization message queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.upgrade_queue_size |
Description |
Sets the upgrade message queue size. |
Default value |
16384 |
|
Allowed value |
Any integer between 128 and 2000000. |
|
analysisd.state_interval |
Description |
Sets the Analysisd interval for updating the state file in seconds. |
Default value |
5 |
|
Allowed value |
Any integer between 0 and 86400. |
Authd
authd.debug |
Description |
Debug level. |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
||
auth.timeout_seconds |
Description |
Network timeout to automatically close connections (second part). |
Default value |
1 |
|
Allowed value |
Any integer between 1 and 2147483647. |
|
auth.timeout_microseconds |
Description |
Network timeout to automatically close connections (microsecond part). |
Default value |
0 |
|
Allowed value |
Any integer between 0 and 999999. |
DBD
dbd.reconnect_attempts |
Description |
Number of times wazuh-dbd will attempt to reconnect to the database. |
Default value |
10 |
|
Allowed value |
Any integer between 1 and 9999. |
Execd
execd.request_timeout |
Description |
Timeout in seconds to execute remote requests. |
Default Value |
60 |
|
Allowed Value |
Any integer between 1 and 3600. |
|
execd.max_restart_lock |
Description |
Maximum time during which the agent cannot restart while updating. |
Default Value |
600 |
|
Allowed Value |
Any integer between 0 and 3600. |
|
execd.debug |
Description |
Debug level |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
Integrator
integrator.debug |
Description |
Debug level. |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
Logcollector
logcollector.loop_timeout |
Description |
File polling interval. |
Default value |
2 |
|
Allowed value |
Any integer between 1 and 120 |
|
logcollector.open_attempts |
Description |
Number of attempts to open a log file. The value 0 means that the number of attempts is infinite. |
Default value |
8 |
|
Allowed value |
Any integer between 0 and 998 |
|
logcollector.remote_commands |
Description |
Toggles Logcollector to accept remote commands from the manager or not. |
Default value |
0 |
|
Allowed value |
0: Disable remote commands |
|
1: Enable remote commands |
||
logcollector.vcheck_files |
Description |
File checking interval, in seconds. |
Default value |
64 |
|
Allowed value |
Any integer between 0 and 1024 |
|
logcollector.max_lines |
Description |
Maximum number of logs read from the same file in each iteration. |
Default value |
10000 |
|
Allowed value |
Any integer between 100 and 100000 |
|
logcollector.sample_log_length |
Description |
Sample log length limit for errors about large input logs. |
Default value |
64 |
|
Allowed value |
Any integer between 1 and 4096 |
|
logcollector.debug |
Description |
Debug level (used in manager or Unix agent installations) |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
||
logcollector.input_threads |
Description |
Number of input threads reading files |
Default value |
4 |
|
Allowed value |
Any integer between 1 and 128 |
|
logcollector.queue_size |
Description |
Queue size for each type of socket |
Default value |
1024 |
|
Allowed value |
Any integer between 128 and 220000 |
|
logcollector.max_files |
Description |
Maximum number of files to be monitored |
Default value |
1000 |
|
Allowed value |
Any integer between 1 and 100000 |
|
logcollector.sock_fail_time |
Description |
Time to reattempt a socket connection after a failure, in seconds. |
Default value |
300 |
|
Allowed value |
Any integer between 1 and 3600 |
|
logcollector.rlimit_nofile |
Description |
Maximum number of file descriptors that Logcollector can open. This value must be greater than or equal to (logcollector.max_files + 100). |
Default value |
1100 |
|
Allowed value |
Any integer between 1024 and 1048576. |
|
logcollector.force_reload |
Description |
Force file handler reloading: close and reopen monitored files. |
Default value |
0 |
|
Allowed value |
0: Disabled |
|
1: Enabled |
||
logcollector.reload_interval |
Description |
File reloading interval, in seconds. This parameter only applies if |
Default value |
64 |
|
Allowed value |
Any integer between 1 and 86400. |
|
logcollector.reload_delay |
Description |
File reloading delay (between close and open), in milliseconds. This parameter only applies if |
Default value |
1000 |
|
Allowed value |
Any integer between 0 and 30000. |
|
logcollector.exclude_files_interval |
Description |
Excluded files refresh interval, in seconds |
Default value |
86400 |
|
Allowed value |
Any integer between 1 and 172800 |
|
logcollector.state_interval |
Description |
Statistics generation interval, in seconds |
Default value |
60 |
|
Allowed values |
0: Disable statistics file generation. Statistics information will continue to be available through the API |
|
Any other integer between 1 and 3600. |
||
logcollector.ip_update_interval |
Description |
IP update interval, in seconds. This specifies how often the system IP is obtained when the out_format option is used. |
Default value |
60 |
|
Allowed values |
0: Disable. Host IP address collection is disabled. The agent doesn't periodically obtain the system IP address. |
|
Any other integer between 1 and 3600. Warning: Systems with extensive routing tables can suffer from high CPU usage. |
Maild
maild.strict_checking |
Description |
Toggle to enable or disable strict checking. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
maild.grouping |
Description |
Toggle to enable or disable grouping of alerts into a single email. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
maild.full_subject |
Description |
Toggle to enable or disable full subject in alert emails. |
Default value |
0 |
|
Allowed value |
0, 1 |
|
maild.geoip |
Description |
Toggle to enable or disable GeoIP data in alert emails. |
Default value |
1 |
|
Allowed value |
0, 1 |
Monitord
monitord.day_wait |
Description |
Number of seconds to wait before compressing or signing the files. |
Default value |
10 |
|
Allowed value |
Any integer between 0 and 600. |
|
monitord.compress |
Description |
Toggle to enable or disable log file compression. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
monitord.sign |
Description |
Toggle to enable or disable signing the log files. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
monitord.monitor_agents |
Description |
Toggle to enable or disable monitoring of agents. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
monitord.rotate_log |
Description |
Toggle to enable or disable daily rotation of internal logs. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
monitord.keep_log_days |
Description |
Number of days to keep rotated internal logs. |
Default value |
31 |
|
Allowed value |
Any integer between 0 and 500. |
|
monitord.size_rotate |
Description |
Maximum size in Megabytes of internal logs to trigger rotation. |
Default value |
512 |
|
Allowed value |
Any integer between 0 and 4096. |
|
monitord.daily_rotations |
Description |
Maximum number of rotations per day for internal logs. |
Default value |
12 |
|
Allowed value |
Any integer between 1 and 256. |
|
monitord.debug |
Description |
Debug level |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
||
monitord.delete_old_agents |
Description |
Number of minutes before deleting an old disconnected agent. This is a time-lapse after the agent is considered as disconnected because of the disconnection time. |
Default value |
0 |
|
Allowed value |
Any integer between 0 and 9600. |
Remoted
remoted.recv_counter_flush |
Description |
Flush rate for the receive counter. |
Default value |
128 |
|
Allowed value |
Any integer between 10 and 999999. |
|
remoted.comp_average_printout |
Description |
Compression averages printout. |
Default value |
19999 |
|
Allowed value |
Any integer between 10 and 999999. |
|
remoted.verify_msg_id |
Description |
Toggle to enable or disable verification of msg id. This setting doesn't work with multiple threads (worker_pool > 1). |
Default value |
0 |
|
Allowed value |
0, 1 |
|
remoted.pass_empty_keyfile |
Description |
Toggle to enable or disable acceptance of empty client.keys. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
remoted.sender_pool |
Description |
Number of parallel threads to send the shared file. |
Default Value |
8 |
|
Allowed Value |
Any integer between 1 and 64. |
|
remoted.request_pool |
Description |
Limit of parallel threads to dispatch requests. |
Default Value |
1024 |
|
Allowed Value |
Any integer between 1 and 4096. |
|
remoted.request_timeout |
Description |
Time (in seconds) the remote request listener rejects a new request. |
Default Value |
10 |
|
Allowed Value |
Any integer between 1 and 600. |
|
remoted.response_timeout |
Description |
Time (in seconds) the remote request listener rejects a request response. |
Default Value |
60 |
|
Allowed Value |
Any integer between 1 and 3600. |
|
remoted.request_rto_sec |
Description |
Re-transmission timeout in seconds for UDP. |
Default Value |
1 |
|
Allowed Value |
Any integer between 0 and 60. |
|
remoted.request_rto_msec |
Description |
Re-transmission timeout in milliseconds for UDP. |
Default Value |
0 |
|
Allowed Value |
Any integer between 0 and 999. |
|
remoted.max_attempts |
Description |
Maximum number of sending attempts. |
Default Value |
4 |
|
Allowed Value |
Any integer between 1 and 16. |
|
remoted.merge_shared |
Description |
Merge shared configuration to be broadcast to agents. |
Default Value |
1 (Enabled) |
|
Allowed Value |
1 (Enabled), 0 (Disabled) |
|
remoted.disk_storage |
Description |
Store the temporary shared configuration file on disk. |
Default Value |
0 (No, store in memory) |
|
Allowed Value |
1 (Yes, store on disk), 0 (No, store in memory) |
|
remoted.shared_reload |
Description |
Number of seconds between reloading of shared files. |
Default Value |
10 |
|
Allowed Value |
Any integer between 1 and 18000. |
|
remoted.rlimit_nofile |
Description |
Maximum number of file descriptors that Remoted can open. |
Default value |
16384 |
|
Allowed value |
Any integer between 1024 and 1048576. |
|
remoted.recv_timeout |
Description |
Maximum number of seconds to wait for client response in TCP. |
Default value |
1 |
|
Allowed value |
Any integer between 1 and 60. |
|
remoted.debug |
Description |
Debug level (manager installation) |
Default value |
0 |
|
Allowed value |
0: No debug output. |
|
1: Standard debug output. |
||
2: Verbose debug output. |
||
remoted.keyupdate_interval |
Description |
Keys file reloading latency (seconds) |
Default value |
10 |
|
Allowed value |
Any integer between 1 and 3600 |
|
remoted.worker_pool |
Description |
Number of threads that process the payload reception |
Default value |
4 |
|
Allowed value |
Any integer between 1 and 16 |
|
remoted.state_interval |
Description |
Interval between the updates of the status file in seconds. |
Default value |
5 |
|
Allowed values |
0: Disable status file |
|
Any other integer between 1 and 86400 |
||
remoted.guess_agent_group |
Description |
Toggle to enable or disable the guessing of the group to which the agent belongs when registering it again. Note: Since version 4.4.0, in a cluster architecture, this setting only applies to the master node. |
Default value |
0 |
|
Allowed values |
0, 1 |
|
remoted.receive_chunk |
Description |
Reception buffer size for TCP (bytes).
Amount of data that Remoted can receive per operation.
|
Default value |
4096 |
|
Allowed value |
Any other integer between 1024 and 16384.
Powers of two are suggested.
|
|
remoted.send_chunk |
Description |
Send buffer size for TCP (bytes).
Amount of data that Remoted can send per operation.
|
Default value |
4096 |
|
Allowed value |
Any other integer between 512 and 16384.
Powers of two are suggested.
|
|
remoted.send_buffer_size |
Description |
Send queue size for TCP (bytes).
Amount of data that Remoted can queue to send
(one queue per agent).
|
Default value |
131072 |
|
Allowed value |
Any other integer between 65536 and 1048576.
Powers of two are suggested.
|
|
remoted.send_timeout_to_retry |
Description |
Maximum number of seconds to wait before retrying to
queue a packet to send in TCP.
|
Default value |
1 |
|
Allowed value |
Any integer between 1 and 60.
|
|
remoted.buffer_relax |
Description |
Method for memory deallocation after accepting input data.
This option applies in TCP mode only.
|
Default value |
1 |
|
Allowed values |
0: Keep the memory for each TCP session. |
|
1: Shrink memory back to |
||
2: Fully deallocate memory after usage. |
||
remoted.tcp_keepidle |
Description |
Time (in seconds) the connection needs to remain idle
before TCP starts sending keepalive probes.
|
Default value |
30 |
|
Allowed value |
Any integer between 1 and 7200. |
|
remoted.tcp_keepintvl |
Description |
The time (in seconds) between individual keepalive probes. |
Default value |
10 |
|
Allowed value |
Any integer between 1 and 100. |
|
remoted.tcp_keepcnt |
Description |
Maximum number of keepalive probes TCP should send before
dropping the connection.
|
Default value |
3 |
|
Allowed value |
Any integer between 1 and 50. |
Syscheck
syscheck.rt_delay |
Description |
Time in milliseconds for delay between alerts in real-time. |
Default value |
10 |
|
Allowed value |
Any integer between 1 and 1000 |
|
syscheck.max_fd_win_rt |
Description |
Maximum number of directories that can be configured in ossec.conf for Windows in realtime and whodata mode. |
Default value |
256 |
|
Allowed value |
Any integer between 1 and 1024 |
|
syscheck.max_audit_entries |
Description |
Maximum number of directories monitored for who-data on Linux. |
Default value |
256 |
|
Allowed value |
Any integer between 1 and 4096 |
|
syscheck.default_max_depth |
Description |
Maximum level of recursion allowed while reading directories. |
Default value |
256 |
|
Allowed value |
Any integer between 1 and 320 |
|
syscheck.symlink_scan_interval |
Description |
Check interval of the symbolic links configured in the directories section. |
Default value |
600 |
|
Allowed value |
Any integer between 1 and 2592000 |
|
syscheck.file_max_size |
Description |
Maximum file size for calculating integrity hashes (in mebibytes). |
Default value |
1024 |
|
Allowed value |
0: Unlimited |
|
Any integer between 0 and 4095 |
||
syscheck.debug |
Description |
Debug level (used in manager and Unix agent installations). |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
Rootcheck
rootcheck.sleep |
Description |
Number of milliseconds to sleep after reading one PID or suspicious port. |
Default value |
50 |
|
Allowed values |
Any integer between 0 and 1000. |
Security Configuration Assessment
sca.request_db_interval |
Description |
In case of integrity failure, this is the maximum interval (minutes) to resend the scan information to the manager. |
Default value |
5 |
|
Allowed values |
Any integer between 1 and 60. |
|
sca.remote_commands |
Description |
Enable the execution of commands in policy files received from the manager (Files in etc/shared). |
Default value |
0 |
|
Allowed values |
1 (enabled) or 0 (disabled). |
|
sca.commands_timeout |
Description |
Timeout for command execution. |
Default value |
30 (seconds) |
|
Allowed values |
Any integer between 1 and 300. |
Vulnerability Detection
vulnerability-detection.translation_lru_size |
Description |
LRU cache size assigned for package translation process (in number of elements). |
Default value |
2048 |
|
Allowed values |
Any integer between 1 and 100000 |
|
vulnerability-detection.osdata_lru_size |
Description |
LRU cache size assigned for agents' OS data (in number of elements). |
Default value |
1000 |
|
Allowed values |
Any integer between 1 and 100000 |
|
vulnerability-detection.remediation_lru_size |
Description |
LRU cache size assigned for vulnerability remediation (in number of elements). |
Default value |
2048 |
|
Allowed values |
Any integer between 1 and 100000 |
Wazuh
wazuh.thread_stack_size |
Description |
Stack size assigned for child threads created in Wazuh (in KiB). |
Default value |
8192 |
|
Allowed values |
Any integer between 2048 and 65536 |
Wazuh Clusterd
wazuh_clusterd.debug |
Description |
Debug level. |
Default value |
0 |
|
Allowed value |
0: No debug output. |
|
1: Standard debug output. |
||
2: Verbose debug output. |
Wazuh Database
The Wazuh Database Synchronization Module starts automatically on the server and local profiles and requires no configuration; however, some optional settings are available.
The module uses inotify from Linux to monitor changes to every log file in real time. Databases will be updated as soon as possible when a change is detected. If inotify is not supported (for example, on operating systems other than Linux), every log file will be scanned continuously, looking for changes, with a default delay of one minute between scans.
How to disable the module
To disable the Wazuh Database Synchronization Module, the sync directives must be set to 0 in the etc/local_internal_options.conf file as shown below:
wazuh_database.sync_agents=0
Once these settings have been adjusted, the file must be saved followed by a restart of Wazuh. With the above settings, the Database Synchronization Module will not be loaded when Wazuh starts.
wazuh_database.sync_agents |
Description |
Toggles synchronization of agent database with client.keys on or off. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
wazuh_database.real_time |
Description |
Toggles synchronization of data in real-time (supported on Linux only) on and off. |
Default value |
1 |
|
Allowed value |
0, 1 |
|
wazuh_database.interval |
Description |
Interval to sleep between cycles. (Only used if real time sync is disabled). |
Default value |
60 |
|
Allowed value |
Any integer between 0 and 86400 (seconds). |
|
wazuh_database.max_queued_events |
Description |
Maximum number of queued events (only used if inotify is available). |
Default value |
0 (use system default value). |
|
Allowed value |
Any integer between 0 and 2147483647. |
Wazuh Modules
wazuh_modules.task_nice |
Description |
Indicates the priority of the tasks. The lower the value, the higher the priority. |
Default value |
10 |
|
Allowed value |
Any integer between -20 and 19. |
|
wazuh_modules.max_eps |
Description |
Maximum number of events per second sent by all Wazuh modules. |
Default value |
100 |
|
Allowed value |
Any integer between 1 and 1000 |
|
wazuh_modules.kill_timeout |
Description |
Time for a process to quit before being killed during Modulesd exiting, in seconds. |
Default value |
10 |
|
Allowed value |
0: Kill immediately |
|
Any integer between 1 and 3600 |
||
wazuh_modules.debug |
Description |
Debug level. |
Default value |
0 |
|
Allowed value |
0: No debug output. |
|
1: Standard debug output. |
||
2: Verbose debug output. |
Wazuh Command
wazuh_command.remote_commands |
Description |
Toggles whether Command Module should accept commands defined in the shared configuration or not. |
Default value |
0 |
|
Allowed value |
0: Disable remote commands. |
|
1: Enable remote commands. |
Wazuh-db
wazuh_db.worker_pool_size |
Description |
Number of worker threads |
Default value |
8 |
|
Allowed value |
Any integer between 1 and 32 |
|
wazuh_db.open_db_limit |
Description |
Maximum number of allowed open databases before closing |
Default value |
64 |
|
Allowed value |
Any integer between 1 and 4096 |
|
wazuh_db.rlimit_nofile |
Description |
Maximum number of file descriptors that Wazuh-DB can open. |
Default value |
65536 |
|
Allowed value |
Any integer between 1024 and 1048576. |
|
wazuh_db.commit_time_min |
Description |
Minimum time margin before committing. |
Default value |
10 |
|
Allowed value |
Any integer between 1 and 3600. |
|
wazuh_db.commit_time_max |
Description |
Maximum time margin before committing. |
Default value |
60 |
|
Allowed value |
Any integer between 1 and 3600. |
|
wazuh_db.max_fragmentation |
Description |
Maximum fragmentation allowed for a database. |
Default value |
90 |
|
Allowed value |
Any integer between 0 and 100. |
|
wazuh_db.fragmentation_threshold |
Description |
Indicates the allowed fragmentation threshold. |
Default value |
75 |
|
Allowed value |
Any integer between 0 and 100. |
|
wazuh_db.fragmentation_delta |
Description |
Indicates the allowed fragmentation difference between the last time
the vacuum was performed and the current measurement.
|
Default value |
5 |
|
Allowed value |
Any integer between 0 and 100. |
|
wazuh_db.free_pages_percentage |
Description |
Indicates the minimum percentage of free pages present in a database that
can trigger a vacuum.
|
Default value |
0 |
|
Allowed value |
Any integer between 0 and 99. |
|
wazuh_db.check_fragmentation_interval |
Description |
Interval for database fragmentation check, in seconds. |
Default value |
7200 |
|
Allowed value |
Any integer between 1 and 30758400. |
|
wazuh_db.debug |
Description |
Debug level |
Default value |
0 |
|
Allowed value |
0: No debug output |
|
1: Standard debug output |
||
2: Verbose debug output |
Wazuh-download
wazuh_download.enabled |
Description |
Enable download module |
Default value |
1 |
|
Allowed value |
0: Disable download module. |
|
1: Enable download module. |
Windows
windows.debug |
Description |
Debug level (used in windows agent installations). |
Default value |
0 |
|
Allowed value |
0: No debug output. |
|
1: Standard debug output. |
||
2: Verbose debug output. |