remote

Configuration of manager to listen for events from the agents.

Options

connection

Specifies a type of incoming connection to accept: secure or syslog.

Default value

secure

Allowed values

secure, syslog

port

Specifies the port to use to listen for events.

Default value

1514 if secure, 514 if syslog

Allowed values

Any port number from 1 to 65535

protocol

Specifies the protocol to use. It is available for secure connections and syslog events.

Default value

tcp

Allowed values

udp, tcp

It is now possible to configure both UDP and TCP protocols to work simultaneously in the secure connections, this can be achieved by writing in the same configuration block the accepted protocols separated with a comma. For syslog connections, multiple protocols support require multiple configuration blocks since only one protocol per block is allowed.

allowed-ips

List of IP addresses that are allowed to send syslog messages to the server (one per line).

Default value

n/a

Allowed values

Any IP address or network

Note

It is necessary to list at least one IP address when using the syslog connection type.

denied-ips

List of IP addresses that are not allowed to send syslog messages to the server (one per line).

Default value

n/a

Allowed values

Any IP address or network

local_ip

Local ip address to use to listen for connections.

Default value

All interfaces

Allowed values

Any internal ip address

ipv6

Enables IPv6 support.

Default value

no

Allowed values

yes, no

queue_size

Sets the capacity of the remote daemon queue in number of agent events.

Default value

131072

Allowed values

Any number between 1 and 262144.

Note

The remote queue is only available for agent events, not syslog events. This option only works when the connection is set to secure.

rids_closing_time

Sets the time to close the RIDS files for agents that don't report new events in that time interval.

Default value

5m

Allowed values

A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days).

connection_overtake_time

New in version 4.5.2.

Sets the time to wait before considering a connection with a TCP client down when a new connection with the same key arrives. A value of 0 disables this assessment of connection activity.

Warning

The connection_overtake_time must be higher than the agent notify-time.

Default value

60

Allowed values

A number between 0 and 3600 (seconds).

Note

connection_overtake_time doesn't apply to connections with UDP clients.

agents

allow_higher_versions

New in version 4.6.0.

Accept agents with a later version than the current manager.

Default value

no

Allowed values

yes, no

Note

This option only works when connection is set to secure.

Example of configuration

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <local_ip>192.168.1.5</local_ip>
</remote>

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp,udp</protocol>
  <queue_size>16384</queue_size>
  <rids_closing_time>5m</rids_closing_time>
  <connection_overtake_time>600</connection_overtake_time>
  <agents>
    <allow_higher_versions>no</allow_higher_versions>
  </agents>
</remote>