Internal configuration

The main configuration is located in the ossec.conf file; however, some internal configuration features are located in the /var/ossec/etc/internal_options.conf file.

Generally, this file is reserved for debugging issues and for troubleshooting. Any error in this file may cause your installation to malfunction or fail to run.

Warning

This file will be overwritten during upgrades. In order to maintain custom changes, you must use the /var/ossec/etc/local_internal_options.conf file.

Agent

agent.tolerance Description Number of seconds the agent buffer is full before triggering a flooding alert.
Default value 15
Allowed value Any integer between 0 and 600.
agent.warn_level Description Percentage of occupied capacity in agent buffer to trigger a warning alert.
Default value 90
Allowed value Any integer between 1 and 100.
agent.normal_level Description Percentage of occupied capacity in agent buffer to return to normal state.
Default value 70
Allowed value Any integer between 0 and agent.warn_level - 1.
agent.min_eps Description Minimum events per second permitted in <client_buffer> configuration.
Default value 50
Allowed value Any integer between 1 and 1000.
agent.recv_timeout Description

Maximum number of seconds to wait for server response from the TCP client socket.

New in version 3.0.0.

Default value 60
Allowed value Any integer between 1 and 600.
agent.state_interval Description

Interval between the updates of the agent status file in seconds.

New in version 3.0.0.

Default value 5
Allowed values 0: Disable status file
Any other integer between 1 and 86400
agent.debug Description Run the Unix agent's processes in debug mode.
Default value 0
Allowed value 0: No debug output.
1: Standard debug output.
2: Verbose debug output.
agent.remote_conf Description

Apply or refuse remote configuration.

New in version 3.1.0.

Default value 1
Allowed value 0: Remote configuration is disabled.
1: Remote configuration is enabled.

Analysisd

analysisd.default_timeframe Description Default rule time-frame.
Default value 360
Allowed value Any integer between 60 and 360.
analysisd.stats_maxdiff Description Stats maximum diff.
Default value 999000
Allowed value Any integer between 10 and 999999.
analysisd.stats_mindiff Description Stats minimum diff.
Default value 1250
Allowed value Any integer between 10 and 999999.
analysisd.stats_percent_diff Description Stats percentage (how much to differ from average).
Default value 150
Allowed value Any integer between 5 and 9999.
analysisd.fts_list_size Description FTS list size.
Default value 32
Allowed value Any integer between 12 and 512.
analysisd.fts_min_size_for_str Description FTS minimum string size.
Default value 14
Allowed value Any integer between 6 and 128.
analysisd.log_fw Description Toggles firewall log on and off (at logs/firewall/firewall.log).
Default value 1
Allowed value 0, 1
analysisd.decoder_order_size Description Maximum number of fields in a decoder (order tag).
Default value 64
Allowed value Any integer between 10 and 64.
analysisd.geoip_jsonout Description Toggle to turn on or off output of GeoIP data in JSON alerts.
Default value 0
Allowed value 0, 1
analysisd.label_cache_maxage Description Maximum age, in seconds, of the cached agent labels before they are reloaded.
Default value 0
Allowed value Any integer between 0 and 60.
analysisd.show_hidden_labels Description Make hidden labels visible in alerts.
Default value 0
Allowed value 0, 1
analysisd.rlimit_nofile Description

Maximum number of file descriptors that Analysisd can open.

New in version 3.0.0.

Default value 16384
Allowed value Any integer between 1024 and 1048576.
analysisd.debug Description Debug level (manager installations).
Default value 0
Allowed value 0: No debug output.
1: Standard debug output.
2: Verbose debug output.
analysisd.min_rotate_interval Description

Minimum interval between log rotations.

Supersedes the max_output_size option.

New in version 3.1.0.

Default value 600
Allowed value Any integer between 10 and 86400.
analysisd.event_threads Description Number of event decoder threads.
Default value 0
Allowed value 0: Sets the number of threads according to the number of CPU cores.
Any integer between 0 and 32.
analysisd.syscheck_threads Description Number of Syscheck event decoder threads.
Default value 0
Allowed value 0: Sets the number of threads according to the number of CPU cores.
Any integer between 0 and 32.
analysisd.syscollector_threads Description Number of Syscollector event decoder threads.
Default value 0
Allowed value 0: Sets the number of threads according to the number of CPU cores.
Any integer between 0 and 32.
analysisd.rootcheck_threads Description Number of Rootcheck event decoder threads.
Default value 0
Allowed value 0: Sets the number of threads according to the number of CPU cores.
Any integer between 0 and 32.
analysisd.hostinfo_threads Description Number of hostinfo event decoder threads.
Default value 0
Allowed value 0: Sets the number of threads according to the number of CPU cores.
Any integer between 0 and 32.
analysisd.rule_matching_threads Description Number of rule matching threads.
Default value 0
Allowed value 0: Sets the number of threads according to the number of CPU cores.
Any integer between 0 and 32.
analysisd.decode_event_queue_size Description

Sets the decode event queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.decode_syscheck_queue_size Description

Sets the decode Syscheck queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.decode_syscollector_queue_size Description

Sets the decode Syscollector queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.decode_rootcheck_queue_size Description

Sets the decode Rootcheck queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.decode_hostinfo_queue_size Description

Sets the decode hostinfo queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.decode_output_queue_size Description

Sets the decode output queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.archives_queue_size Description

Sets the archives log queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.statistical_queue_size Description

Sets the statistical log queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.alerts_queue_size Description

Sets the alerts log queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.firewall_queue_size Description

Sets the firewall log queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.fts_queue_size Description

Sets the fts log queue size.

New in version 3.7.0.

Default value 16384
Allowed value Any integer between 128 and 2000000.
analysisd.state_interval Description

Sets the Analysisd interval for updating the state file in seconds.

New in version 3.7.0.

Default value 5
Allowed value Any integer between 0 and 86400.

Authd

authd.debug Description

Debug level.

New in version 3.4.0.

Default value 0
Allowed value 0: No debug output
1: Standard debug output
2: Verbose debug output
auth.timeout_seconds Description

Network timeout to automatically close connections (seconds part).

New in version 3.7.0.

Default value 1
Allowed value Any integer between 1 and 2147483647.
auth.timeout_microseconds Description

Network timeout to automatically close connections (microseconds part).

New in version 3.7.0.

Default value 0
Allowed value Any integer between 0 and 999999.

DBD

dbd.reconnect_attempts Description Number of times ossec-dbd will attempt to reconnect to the database.
Default value 10
Allowed value Any integer between 1 and 9999.

Execd

execd.request_timeout Description

Timeout in seconds to execute remote requests.

New in version 3.0.0.

Default value 60
Allowed value Any integer between 1 and 3600.
execd.max_restart_lock Description

Maximum time during which the agent cannot be restarted while an update is in progress.

New in version 3.0.0.

Default value 600
Allowed value Any integer between 0 and 3600.
execd.debug Description

Debug level

New in version 3.4.0.

Default value 0
Allowed value 0: No debug output
1: Standard debug output
2: Verbose debug output

Integrator

integrator.debug Description

Debug level.

New in version 3.4.0.

Default value 0
Allowed value 0: No debug output
1: Standard debug output
2: Verbose debug output

Logcollector

logcollector.loop_timeout Description File polling interval.
Default value 2
Allowed value Any integer between 1 and 120
logcollector.open_attempts Description Number of attempts to open a log file. The value 0 means that the number of attempts is infinite.
Default value 8
Allowed value Any integer between 0 and 998
logcollector.remote_commands Description Toggles whether Logcollector accepts remote commands from the manager.
Default value 0
Allowed value 0: Disable remote commands
1: Enable remote commands
logcollector.vcheck_files Description File checking interval, in seconds.
Default value 64
Allowed value Any integer between 0 and 1024
logcollector.max_lines Description Maximum number of logs read from the same file in each iteration.
Default value 10000
Allowed value Any integer between 100 and 100000
logcollector.sample_log_length Description Sample log length limit for errors about large input logs.
Default value 64
Allowed value Any integer between 1 and 4096
logcollector.debug Description Debug level (used in manager or unix agent installations)
Default value 0
Allowed value 0: No debug output
1: Standard debug output
2: Verbose debug output
logcollector.input_threads Description Number of input threads reading files
Default value 4
Allowed value Any integer between 1 and 128
logcollector.queue_size Description Queue size for each type of socket
Default value 1024
Allowed value Any integer between 128 and 220000
logcollector.max_files Description

Maximum number of files to be monitored

New in version 3.6.0.

Default value 1000
Allowed value Any integer between 1 and 100000
logcollector.rlimit_nofile Description

Maximum number of file descriptors that Logcollector can open.

This value must be greater than or equal to (logcollector.max_files + 100).

New in version 3.7.0.

Default value 1100
Allowed value Any integer between 1024 and 1048576.
logcollector.force_reload Description

Force file handler reloading: close and reopen monitored files.

New in version 3.7.1.

Default value 0
Allowed value 0: Disabled
1: Enabled
logcollector.reload_interval Description

File reloading interval, in seconds.

This parameter only applies if logcollector.force_reload is set to 1.

New in version 3.7.1.

Default value 64
Allowed value Any integer between 1 and 86400.
logcollector.reload_delay Description

File reloading delay (between close and open), in milliseconds.

This parameter only applies if logcollector.force_reload is set to 1.

New in version 3.7.1.

Default value 1000
Allowed value Any integer between 0 and 30000.

Maild

maild.strict_checking Description Toggle to enable or disable strict checking.
Default value 1
Allowed value 0, 1
maild.grouping Description Toggle to enable or disable grouping of alerts into a single email.
Default value 1
Allowed value 0, 1
maild.full_subject Description Toggle to enable or disable full subject in alert emails.
Default value 0
Allowed value 0, 1
maild.geoip Description Toggle to enable or disable GeoIP data in alert emails.
Default value 1
Allowed value 0, 1

Monitord

monitord.day_wait Description Number of seconds to wait before compressing or signing the files.
Default value 10
Allowed value Any integer between 0 and 600.
monitord.compress Description Toggle to enable or disable log file compression.
Default value 1
Allowed value 0, 1
monitord.sign Description Toggle to enable or disable signing the log files.
Default value 1
Allowed value 0, 1
monitord.monitor_agents Description Toggle to enable or disable monitoring of agents.
Default value 1
Allowed value 0, 1
monitord.rotate_log Description

Toggle to enable or disable daily rotation of internal logs.

New in version 3.0.0.

Default value 1
Allowed value 0, 1
monitord.keep_log_days Description Number of days to keep rotated internal logs.
Default value 31
Allowed value Any integer between 0 and 500.
monitord.size_rotate Description

Maximum size in megabytes of internal logs to trigger rotation.

New in version 3.0.0.

Default value 512
Allowed value Any integer between 0 and 4096.
monitord.daily_rotations Description

Maximum number of rotations per day for internal logs.

New in version 3.0.0.

Default value 12
Allowed value Any integer between 1 and 256.
monitord.debug Description

Debug level

New in version 3.4.0.

Default value 0
Allowed value 0: No debug output
1: Standard debug output
2: Verbose debug output

Remoted

remoted.recv_counter_flush Description Flush rate for the receive counter.
Default value 128
Allowed value Any integer between 10 and 999999.
remoted.comp_average_printout Description Compression averages printout.
Default value 19999
Allowed value Any integer between 10 and 999999.
remoted.verify_msg_id Description Toggle to enable or disable verification of msg id.
Default value 0
Allowed value 0, 1
remoted.pass_empty_keyfile Description Toggle to enable or disable acceptance of empty client.keys.
Default value 1
Allowed value 0, 1
remoted.sender_pool Description

Number of parallel threads to send the shared file.

New in version 3.0.0.

Default value 8
Allowed value Any integer between 1 and 64.
remoted.request_pool Description

Number of parallel threads to dispatch requests.

New in version 3.0.0.

Default value 8
Allowed value Any integer between 1 and 64.
remoted.request_timeout Description

Timeout in seconds to reject a new request.

New in version 3.0.0.

Default value 10
Allowed value Any integer between 1 and 600.
remoted.response_timeout Description

Timeout in seconds to reject a request response.

New in version 3.0.0.

Default value 60
Allowed value Any integer between 1 and 3600.
remoted.request_rto_sec Description

Re-transmission timeout in seconds for UDP.

New in version 3.0.0.

Default value 1
Allowed value Any integer between 0 and 60.
remoted.request_rto_msec Description

Re-transmission timeout in milliseconds for UDP.

New in version 3.0.0.

Default value 0
Allowed value Any integer between 0 and 999.
remoted.max_attempts Description

Maximum number of sending attempts.

New in version 3.0.0.

Default value 4
Allowed value Any integer between 1 and 16.
remoted.shared_reload Description

Number of seconds between reloading of shared files.

New in version 3.0.0.

Default value 10
Allowed value Any integer between 1 and 18000.
remoted.rlimit_nofile Description

Maximum number of file descriptors that Remoted can open.

New in version 3.0.0.

Default value 16384
Allowed value Any integer between 1024 and 1048576.
remoted.recv_timeout Description

Maximum number of seconds to wait for client response in TCP.

New in version 3.0.0.

Default value 1
Allowed value Any integer between 1 and 60.
remoted.send_timeout Description

Maximum number of seconds to wait for message delivery in TCP.

New in version 3.7.0.

Default value 1
Allowed value Any integer between 1 and 60.
remoted.worker_pool Description

Number of threads that process the payload reception.

New in version 3.3.0.

Default value 4
Allowed value Any integer between 1 and 16.
remoted.keyupdate_interval Description

Minimum delay (in seconds) between keys file reloading.

New in version 3.3.0.

Default value 10
Allowed value Any integer between 1 and 3600.
remoted.debug Description Debug level (manager installation)
Default value 0
Allowed value 0: No debug output.
1: Standard debug output.
2: Verbose debug output.
remoted.state_interval Description

Interval between the updates of the status file in seconds.

New in version 3.6.0.

Default value 5
Allowed values 0: Disable status file
Any other integer between 1 and 86400
remoted.guess_agent_group Description

Toggle to enable or disable the guessing of the group to which the agent belongs when registering it again.

New in version 3.7.1.

Default value 0
Allowed values 0, 1

Syscheck

syscheck.sleep Description Number of seconds to sleep after reading syscheck.sleep_after number of files.
Default value 1
Allowed value Any integer between 0 and 64
syscheck.sleep_after Description Number of files to read before sleeping for syscheck.sleep seconds.
Default value 100
Allowed value Any integer between 1 and 9999
syscheck.rt_delay Description

Time in milliseconds for delay between alerts in real-time.

New in version 3.4.0.

Default value 10
Allowed value Any integer between 1 and 1000
syscheck.max_fd_win_rt Description

Maximum number of directories that can be configured in ossec.conf for Windows in real-time and whodata mode.

New in version 3.4.0.

Default value 256
Allowed value Any integer between 1 and 1024
syscheck.default_max_depth Description

Maximum level of recursion allowed while reading directories.

New in version 3.5.0.

Default value 256
Allowed value Any integer between 1 and 320
syscheck.debug Description Debug level (used in manager and Unix agent installations).
Default value 0
Allowed value 0: No debug output
1: Standard debug output
2: Verbose debug output

Rootcheck

rootcheck.sleep Description Number of milliseconds to sleep after reading one PID or suspicious port.
Default value 50
Allowed values Any integer between 0 and 1000.

Wazuh

wazuh.thread_stack_size Description Stack size assigned for child threads created in Wazuh (in KiB).
Default value 8192
Allowed values Any integer between 2048 and 65536

Wazuh Database

The Wazuh Database Synchronization Module starts automatically on the server and local profiles and requires no configuration; however, some optional settings are available.

The module uses Linux inotify to monitor every log file for changes in real time, and databases are updated as soon as a change is detected. If inotify is not supported (for example, on operating systems other than Linux), every log file is scanned continuously for changes, with a default delay of one minute between scans.

How to disable the module

To disable the Wazuh Database Synchronization Module, the sync directives must be set to 0 in the etc/local_internal_options.conf file as shown below:

wazuh_database.sync_agents=0
wazuh_database.sync_syscheck=0
wazuh_database.sync_rootcheck=0

Once these settings have been adjusted, the file must be saved followed by a restart of Wazuh. With the above settings, the Database Synchronization Module will not be loaded when Wazuh starts.
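The file is a list of one key=value directive per line, as in the snippet above, and the warning at the top of this page applies to every value in it. As an added example (not part of the Wazuh documentation or code base), here is a small Python checker that parses a local_internal_options.conf fragment and reports values outside the ranges documented on this page, including the two cross-option constraints (agent.normal_level below agent.warn_level, and logcollector.rlimit_nofile at least logcollector.max_files + 100). The RANGES and DEFAULTS tables are a hand-picked subset transcribed from this page, and the sample input is constructed.

```python
import re

# Subset of the allowed ranges documented on this page, (min, max) inclusive;
# options not listed here are parsed but not range-checked.
RANGES = {
    "agent.tolerance": (0, 600),
    "agent.warn_level": (1, 100),
    "agent.normal_level": (0, 100),   # also bounded by agent.warn_level - 1
    "agent.debug": (0, 2),
    "logcollector.max_files": (1, 100000),
    "logcollector.rlimit_nofile": (1024, 1048576),
    "wazuh_database.sync_agents": (0, 1),
    "wazuh_database.sync_syscheck": (0, 1),
    "wazuh_database.sync_rootcheck": (0, 1),
}
# Page defaults, used when only one side of a cross-option constraint is set.
DEFAULTS = {"agent.warn_level": 90, "agent.normal_level": 70,
            "logcollector.max_files": 1000, "logcollector.rlimit_nofile": 1100}
LINE_RE = re.compile(r"^([a-z_]+\.[a-z_]+)\s*=\s*(-?\d+)$")

def parse(text):
    """Parse key=value lines, skipping blanks and '#' comments.
    Returns (options, problems); a duplicated key is reported, last value wins."""
    opts, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a key=integer directive: {line!r}")
            continue
        key, val = m.group(1), int(m.group(2))
        if key in opts:
            problems.append(f"line {n}: {key} set more than once (last value wins)")
        opts[key] = val
    return opts, problems

def check(opts):
    """Range-check known options and evaluate the two cross-option constraints."""
    problems = []
    for key, val in opts.items():
        if key in RANGES:
            lo, hi = RANGES[key]
            if not lo <= val <= hi:
                problems.append(f"{key}={val} outside allowed range {lo}..{hi}")
    merged = {**DEFAULTS, **opts}
    if merged["agent.normal_level"] > merged["agent.warn_level"] - 1:
        problems.append("agent.normal_level must be at most agent.warn_level - 1")
    if merged["logcollector.rlimit_nofile"] < merged["logcollector.max_files"] + 100:
        problems.append("logcollector.rlimit_nofile must be >= logcollector.max_files + 100")
    return problems

def validate(text):
    opts, problems = parse(text)
    return problems + check(opts)

# Constructed sample: the sync directives from this page plus two bad overrides.
SAMPLE = """\
# disable the Wazuh Database Synchronization Module
wazuh_database.sync_agents=0
wazuh_database.sync_syscheck=0
wazuh_database.sync_rootcheck=0
agent.warn_level=95
agent.normal_level=95
logcollector.max_files=5000
"""
if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)) or "no problems found")
```

Run against the sample, the checker flags agent.normal_level (95 is not below warn_level 95) and logcollector.rlimit_nofile (the default 1100 is below 5000 + 100) while accepting the three sync directives unchanged.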

wazuh_database.sync_agents Description Toggles synchronization of agent database with client.keys on or off.
Default value 1
Allowed value 0, 1
wazuh_database.sync_syscheck Description Toggles synchronization of FIM data with Syscheck database on or off.
Default value 0
Allowed value 0, 1
wazuh_database.sync_rootcheck Description Toggles synchronization of policy monitoring data with Rootcheck database on or off.
Default value 1
Allowed value 0, 1
wazuh_database.full_sync Description Toggles full data synchronization on or off.
Default value 0
Allowed value 0, 1
wazuh_database.real_time Description

Toggles synchronization of data in real-time (supported on Linux only) on or off.

New in version 3.0.0.

Default value 1
Allowed value 0, 1
wazuh_database.interval Description

Interval to sleep between cycles (only used if real-time sync is disabled).

New in version 3.0.0.

Default value 60
Allowed value Any integer between 0 and 86400 (seconds).
wazuh_database.max_queued_events Description Maximum number of queued events (only used if inotify is available).
Default value 0 (use system default value).
Allowed value Any integer between 0 and 2147483647.

Wazuh Modules

wazuh_modules.task_nice Description Indicates the priority of the tasks. The lower the value, the higher the priority.
Default value 10
Allowed value Any integer between -20 and 19.
wazuh_modules.max_eps Description Maximum number of events per second sent by all Wazuh modules.
Default value 100
Allowed value Any integer between 1 and 1000
wazuh_modules.debug Description Debug level.
Default value 0
Allowed value 0: No debug output.
1: Standard debug output.
2: Verbose debug output.

Wazuh Command

wazuh_command.remote_commands Description Toggles whether Command Module should accept commands defined in the shared configuration or not.
Default value 0
Allowed value 0: Disable remote commands.
1: Enable remote commands.

Wazuh-db

wazuh_db.sock_queue_size Description Maximum number of pending connections
Default value 128
Allowed value Any integer between 1 and 1024
wazuh_db.worker_pool_size Description Number of worker threads
Default value 8
Allowed value Any integer between 1 and 32
wazuh_db.commit_time Description Time margin before committing the database
Default value 60
Allowed value Any integer between 1 and 3600
wazuh_db.open_db_limit Description Maximum number of allowed open databases before closing
Default value 64
Allowed value Any integer between 1 and 4096
wazuh_db.rlimit_nofile Description

Maximum number of file descriptors that Wazuh-DB can open.

New in version 3.7.0.

Default value 65536
Allowed value Any integer between 1024 and 1048576.
wazuh_db.debug Description Debug level
Default value 0
Allowed value 0: No debug output
1: Standard debug output
2: Verbose debug output

Windows

windows.debug Description Debug level (used in windows agent installations).
Default value 0
Allowed value 0: No debug output.
1: Standard debug output.
2: Verbose debug output.