Advanced settings
In this section, we describe different advanced settings that can provide greater control and flexibility over how the FIM module works.
Who-data monitoring
The who-data functionality allows the FIM module to obtain information about who made modifications to a monitored file. This information contains the user who made the changes to the monitored files and the program name or process used.
Who-data monitoring on Linux
How it works
The who-data monitoring functionality uses the Linux Audit subsystem to get information about who makes the changes in a monitored directory. These changes produce audit events. The FIM module processes the audit events and reports them to the ThreatLockDown server. This functionality expands on the realtime attribute replacing it. This means that whodata is real-time monitoring with the who-data information added.
Configuration
You need to install the audit daemon if you don’t have it already installed on your endpoint.
# yum install audit
For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service.
# yum install audispd-plugins
# systemctl restart auditd
# apt-get install auditd
For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service.
# apt-get install audispd-plugins
# systemctl restart auditd
# apk add audit=3.1.1-r0
# rc-update add auditd default
# cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix
# rc-service auditd restart
Perform the following steps to enable who-data monitoring. In this example, you configure who-data monitoring for /etc directory.
Edit the ThreatLockDown agent
/var/ossec/etc/ossec.confconfiguration file and add the configuration below:<syscheck> <directories check_all="yes" whodata="yes">/etc</directories> </syscheck>
Once you add this configuration, restart the ThreatLockDown agent to apply the changes. This will add an audit rule for the monitored directory:
# systemctl restart wazuh-agent
Execute the following command to check if the audit rule for monitoring the selected directory is applied:
# auditctl -l | grep wazuh_fim
From the output, you can see the rule was added:
auditctl -w /etc -p wa -k wazuh_fimNote
When the ThreatLockDown agent service stops, it removes the rule. You can use the same command to check that it removed the rule successfully.
Alert fields
The following table establishes a correspondence between audit fields and their equivalent fields in an alert when who-data is enabled.
Audit field
Alert field
Fields description
User
audit.user.id
audit.user.name
Contain information about who started the process that modified the monitored file.
Login user
audit.login_user.id
audit.login_user.name
Contain information about the user who started the session. They correspond respectively to the login UID and login name. Upon login, this ID is assigned to a user and is inherited by every process, even when the user's identity changes.
Effective user
audit.effective_user.id
audit.effective_user.name
Contain the effective ID and name of the user who started the process that modified the monitored file. When a user executes a command using sudo, the effective user ID changes to 0 and the effective user name becomes root.
Group
audit.group.id
audit.group.name
Contain the group ID and group name of the user who started the process that modified the monitored file.
Process ID
audit.process.id
Contains the ID of the process used to modify the monitored file.
Process name
audit.process.name
Contains the name of the process used to modify the monitored file.
Process ppid
audit.process.ppid
Contains the parent process ID of the process used to modify the monitored file.
Example: Monitor changes in the /etc/hosts.allow file on Linux
Perform the following steps to configure the FIM module to get the information about who makes changes to /etc/hosts.allow file.
Edit the ThreatLockDown agent
/var/ossec/etc/ossec.confconfiguration file and add the/etc/hosts.allowfile for monitoring:... <syscheck> ... <directories check_all="yes" whodata="yes" report_changes="yes">/etc/hosts.allow</directories> ... </syscheck> ...
Restart the ThreatLockDown agent to apply the configuration changes:
# systemctl restart wazuh-agent
Test the configuration
Create the user
smithon a Linux endpoint:# useradd smith
Log out of the Linux endpoint and log in as
smith.Add a new IP address, such as
192.168.32.5in/etc/hosts.allowfile on the Linux endpoint.# nano /etc/hosts.allow
Visualize the alert
Navigate to File Integrity Monitoring on the ThreatLockDown dashboard to view the alert generated when the FIM module detects changes in the monitored file.
Expand the alert to view more information. In the alert fields below, you can see the user smith added a new IP address to the /etc/hosts.allow file using the nano text editor with root privileges.
Alert in JSON:
{ "syscheck": { "size_before": "411", "uname_after": "root", "mtime_after": "2023-02-06T18:21:50", "size_after": "423", "gid_after": "0", "md5_before": "d0cfb796d371b0182cd39d589b1c1ce3", "diff": "10c10\n< \n---\n> 192.168.32.5\n", "sha256_before": "9eadbcd7ec16f4e5961ad2035c0228de7c22b2ba0f6761df63b1b3d9bad9d0a7", "mtime_before": "2023-02-06T18:21:33", "mode": "whodata", "path": "/etc/hosts.allow", "sha1_after": "a488ebb6fb615aa58c3cbf2363fd50e6f12b1990", "changed_attributes": [ "size", "mtime", "md5", "sha1", "sha256" ], "gname_after": "root", "audit": { "process": { "parent_name": "/usr/bin/bash", "cwd": "/home/smith", "parent_cwd": "/home/smith", "name": "/usr/bin/nano", "id": "18451", "ppid": "13824" }, "login_user": { "name": "smith", "id": "1001" }, "effective_user": { "name": "root", "id": "0" }, "user": { "name": "root", "id": "0" }, "group": { "name": "root", "id": "0" } }, "uid_after": "0", "perm_after": "rw-r--r--", "event": "modified", "md5_after": "56bf94e8c0b0ff9c5efb258d85d68bba", "sha1_before": "2964c8d9f69c7261de20877392bc7393d471f4ed", "sha256_after": "be0f64dc44ddc87f6ba4922e124078071cd65d27d9e25f988d5c9b4c8fa60ca0", "inode_after": 263955 }, "agent": { "ip": "192.168.33.157", "name": "Ubuntu20.04", "id": "014" }, "manager": { "name": "wazuh" }, "rule": { "mail": false, "level": 7, "description": "Integrity checksum changed.", "groups": [ "ossec", "syscheck", "syscheck_entry_modified", "syscheck_file" ], "nist_800_53": [ "SI.7" ], "gdpr": [ "II_5.1.f" ], "firedtimes": 171, "mitre": { "technique": [ "Stored Data Manipulation" ], "id": [ "T1565.001" ], "tactic": [ "Impact" ] }, "id": "550", "gpg13": [ "4.11" ] }, "decoder": { "name": "syscheck_integrity_changed" }, "full_log": "File '/etc/hosts.allow' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '411' to '423'\nOld modification time was: '1675696893', now it is '1675696910'\nOld md5sum was: 'd0cfb796d371b0182cd39d589b1c1ce3'\nNew md5sum is : '56bf94e8c0b0ff9c5efb258d85d68bba'\nOld sha1sum was: '2964c8d9f69c7261de20877392bc7393d471f4ed'\nNew sha1sum is : 'a488ebb6fb615aa58c3cbf2363fd50e6f12b1990'\nOld sha256sum was: '9eadbcd7ec16f4e5961ad2035c0228de7c22b2ba0f6761df63b1b3d9bad9d0a7'\nNew sha256sum is : 'be0f64dc44ddc87f6ba4922e124078071cd65d27d9e25f988d5c9b4c8fa60ca0'\n", }
Who-data monitoring on Windows
How it works
The who-data monitoring functionality uses the Microsoft Windows auditing subsystem. It gets the related information about who makes modifications in a monitored directory. These changes produce audit events. The FIM module processes these events and reports them to the ThreatLockDown server. This feature is only compatible with Windows operating systems later than Windows Vista.
Configuration
To enable the who-data feature, you must declare the tag whodata="yes" within the directories block in the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file. You need to properly configure the Local Audit Policies and the System Access Control List (SACLs) of each monitored directory. ThreatLockDown automatically performs these configurations for the directory to monitor.
... <syscheck> ... <directories check_all="yes" whodata="yes">C:\test</directories> ... </syscheck> ...
The FIM module configures the required Local Audit Policies and SACLs when launched. However, other services might change this configuration which would prevent who-data from receiving the monitored events. To overcome this, FIM detects this configuration change and switches all the directories monitoring with who-data to real-time mode. The two available mechanisms to detect these configuration changes are:
ThreatLockDown monitors specific events (ID 4719) that Windows generates when one of the Audit Policies is modified (Success removed).
Periodically, ThreatLockDown checks that the Audit Policies and the SACLs are configured as expected. You can modify the frequency of this verification with windows_audit_interval.
If your Windows OS version is later than Windows Vista but the system didn’t automatically configure the audit policies, see the Manual configuration of the Windows Audit Policies guide.
The following table establishes a correspondence between audit fields and their equivalent fields in an alert when who-data is enabled:
Audit field
Alert field
Fields description
User
audit.user.id audit.user.name
Contain the ID and name of the user who started the process that modified the monitored file.
Process id
audit.process.id
Contain the ID of the process used to modify the monitored file.
Process name
audit.process.name
Contain the name of the process used to modify the monitored file.
Example: Monitor changes in a text file on Windows
Perform the following steps to configure the FIM module. This configuration gets the information about the user and the process that modified the monitored file.
Edit the ThreatLockDown agent
C:\Program Files (x86)\ossec-agent\ossec.confconfiguration file and add theDocumentsdirectory for FIM monitoring. The configuration ensures that the FIM module records who-data information and also reports the exact changes made to text files:<syscheck> <directories check_all="yes" whodata="yes" report_changes="yes">C:\Users\*\Documents</directories> </syscheck>
Restart the ThreatLockDown agent using PowerShell with administrator privileges to apply the changes:
Restart-Service -Name wazuh
Test the configuration
Create a text file
audit_docu.txtin theDocumentsfolder using Notepad.Add the text “Hello” and save the changes.
Visualize the alert
Navigate to File Integrity Monitoring on the ThreatLockDown dashboard and find the alert generated when the FIM module detects changes in the monitored directory.
Expand the alert with rule.id:550 to view all the information. In the alert fields below, you can see the user wazuh added the word “Hello” to the audit_docu.txt file using the Notepad text editor.
Alert in JSON:
{ "_index": "wazuh-alerts-4.x-2023.04.18", "_id": "ZcS6lIcB57JzuUZxyH13", "_version": 1, "_score": null, "_source": { "syscheck": { "size_before": "0", "uname_after": "wazuh", "mtime_after": "2023-04-18T17:17:58", "size_after": "5", "md5_before": "d41d8cd98f00b204e9800998ecf8427e", "diff": "---\n> Hello\n", "win_perm_after": [ { "allowed": [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name": "SYSTEM" }, { "allowed": [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name": "Administrators" }, { "allowed": [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name": "wazuh" } ], "sha256_before": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "mtime_before": "2023-04-18T17:17:54", "mode": "whodata", "path": "c:\\users\\wazuh\\documents\\audit_docu.txt", "sha1_after": "f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0", "changed_attributes": [ "size", "mtime", "md5", "sha1", "sha256" ], "audit": { "process": { "name": "C:\\Windows\\System32\\notepad.exe", "id": "5672" }, "user": { "name": "wazuh", "id": "S-1-5-21-1189703717-396825564-3703043190-1000" } }, "attrs_after": [ "ARCHIVE" ], "uid_after": "S-1-5-21-1189703717-396825564-3703043190-1000", "event": "modified", "md5_after": "8b1a9953c4611296a827abf8c47804d7", "sha1_before": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "sha256_after": "185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969" }, "input": { "type": "log" }, "agent": { "ip": "192.168.33.132", "name": "Windows10", "id": "021" }, "manager": { "name": "wazuh" }, "rule": { "mail": false, "level": 7, "pci_dss": [ "11.5" ], "hipaa": [ "164.312.c.1", "164.312.c.2" ], "tsc": [ "PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3" ], "description": "Integrity checksum changed.", "groups": [ "ossec", "syscheck", "syscheck_entry_modified", "syscheck_file" ], "nist_800_53": [ "SI.7" ], "gdpr": [ "II_5.1.f" ], "firedtimes": 2, "mitre": { "technique": [ "Stored Data Manipulation" ], "id": [ "T1565.001" ], "tactic": [ "Impact" ] }, "id": "550", "gpg13": [ "4.11" ] }, "location": "syscheck", "decoder": { "name": "syscheck_integrity_changed" }, "id": "1681827479.1689265", "full_log": "File 'c:\\users\\wazuh\\documents\\audit_docu.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '5'\nOld modification time was: '1681827474', now it is '1681827478'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : '8b1a9953c4611296a827abf8c47804d7'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : 'f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : '185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969'\n", "timestamp": "2023-04-18T17:17:59.498+0300" }, "fields": { "syscheck.mtime_after": [ "2023-04-18T17:17:58.000Z" ], "syscheck.mtime_before": [ "2023-04-18T17:17:54.000Z" ], "timestamp": [ "2023-04-18T14:17:59.498Z" ] }, }
Manual configuration of the Windows Audit Policies
For Windows versions later than Windows Vista and Windows Server 2008, when you monitor a file or directory with the whodata option, ThreatLockDown automatically configures the Local Audit Policies and the System Access Control List (SACL) for the file or directory. If this is not done automatically or you have an earlier version of Windows such as Windows Vista and Windows Server 2008, you have to manually configure the audit policies and the SACL.
Local Audit Policies in Windows
To manually configure the audit policies needed to run FIM in who-data mode, you need to activate the logging of successful events.
On the Run dialog box (win + R), open the Local Group Policy Editor using the following command:
gpedit.msc
Configure the Audit Events field to Success for the following policies:
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit Handle Manipulation
If your system doesn't allow configuring subcategories through Advanced Audit Policy Configuration, configure the Security Setting field to Success for the following policy:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object access
System Access Control List (SACL) in Windows
A system access control list (SACL) enables administrators to log attempts to access a secured object. You can check and modify SACLs of each monitored directory through Properties, selecting the Security tab, and clicking on Advanced:
It's necessary to have a Success entry in the Auditing tab:
If there is no Success entry, click on Add, to create it with these advanced permissions:
Tuning audit to deal with a flood of who-data events
On the ThreatLockDown side, the syscheck.rt_delay variable in the internal FIM configuration helps to prevent the loss of events by setting a delay between alerts. You can configure this variable in the /var/ossec/etc/internal_options.conf file on the ThreatLockDown server. The allowed value for this variable is a numerical value. You must set the delay in milliseconds. To process who-data events faster, decrease this numerical value.
Windows installation directory monitoring
In 64-bit architecture systems, you can locate 32-bit and 64-bit DLLs in a special way.
System32is reserved for 64-bit DLLs.SysWOW64is reserved for all 32-bit DLLs.
Furthermore, 32-bit processes running in 64-bit environments access System32 through a virtual folder called Sysnative.
We disabled this redirection and you can access System32 directly. Monitoring %WINDIR%/System32 and %WINDIR%/Sysnative directories is equivalent and ThreatLockDown shows the path %WINDIR%/System32 in the alerts. SysWOW64 is a different directory. To monitor %WINDIR%/SysWOW64, you must add it to the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file.
You can monitor the Windows special directories %WINDIR%/System32 and %WINDIR%/SysWOW64 directories by configuring them with any of the FIM modes. For example:
Scheduled scan
<syscheck> <directories>%WINDIR%/System32</directories> <directories>%WINDIR%/SysWOW64</directories> </syscheck>
Real-time
<syscheck> <directories realtime="yes">%WINDIR%/System32</directories> <directories realtime="yes">%WINDIR%/SysWOW64</directories> </syscheck>
Who-data
<syscheck> <directories whodata="yes">%WINDIR%/System32</directories> <directories whodata="yes">%WINDIR%/SysWOW64</directories> </syscheck>
Recursion level
You can configure the maximum recursion level allowed for a specific directory by using the recursion_level attribute of the directories option. The recursion_level value must be an integer between 0 and 320.
In the configuration example below, you can see how to set the recursion_level of the folder_test directory to 3. Replace FILEPATH/OF/MONITORED/DIRECTORY with your own file paths.
Add the following settings to the ThreatLockDown agent configuration file:
Linux:
/var/ossec/etc/ossec.confWindows:
C:\Program Files (x86)\ossec-agent\ossec.confmacOS:
/Library/Ossec/etc/ossec.conf
<syscheck> <directories check_all="yes" recursion_level="3">FILEPATH/OF/MONITORED/DIRECTORY</directories> </syscheck>
Restart the ThreatLockDown agent with administrator privilege to apply any configuration change:
Linux:
systemctl restart wazuh-agentWindows:
Restart-Service -Name wazuhmacOS:
/Library/Ossec/bin/wazuh-control restart
If you have the following directory structure and the above setting with recursion_level="3", FIM then generates alerts for file_3.txt and all files up to FILEPATH/OF/MONITORED/DIRECTORY/level_1/level_2/level_3/ but not for any files in the directory deeper than level_3.
FILEPATH/OF/MONITORED/DIRECTORY ├── file_0.txt └── level_1 ├── file_1.txt └── level_2 ├── file_2.txt └── level_3 ├── file_3.txt └── level_4 ├── file_4.txt └── level_5 └── file_5.txt
To disable the recursion and generate the alerts only for the files in the monitored folder, you need to set the recursion_level value to 0.
If you don’t specify recursion_level, it’s set to 256. This is the default value defined by syscheck.default_max_depth in the internal options configuration file.
Process priority
To adjust the CPU usage of the FIM module on the monitored endpoint, use the process_priority option in the agent configuration. You can configure process priority on Windows, Linux, and macOS operating systems.
The process priority scale for the ThreatLockDown FIM module ranges from -20 to 19 for each agent. The default process_priority value is set to 10. Setting the process_priority value in an agent higher than the default, gives its FIM module lower priority, fewer CPU resources, and makes it run slower.
You need to edit the ThreatLockDown agent /var/ossec/etc/ossec.conf configuration file to configure the process priority of the ThreatLockDown FIM module.
In the configuration example below the FIM module of the agent gets the minimum process priority:
Add the following settings to the ThreatLockDown agent configuration file:
Linux:
/var/ossec/etc/ossec.confWindows:
C:\Program Files (x86)\ossec-agent\ossec.confmacOS:
/Library/Ossec/etc/ossec.conf
<syscheck> <process_priority>19</process_priority> </syscheck>
Restart the ThreatLockDown agent with administrator privilege to apply any configuration change:
Linux:
systemctl restart wazuh-agentWindows:
Restart-Service -Name wazuhmacOS:
/Library/Ossec/bin/wazuh-control restart
Setting the process_priority value lower than the default gives the FIM module higher priority, more CPU resources, and makes it run faster. In the configuration example below the FIM module has the maximum process priority.
Add the following settings to the ThreatLockDown agent configuration file:
Linux:
/var/ossec/etc/ossec.confWindows:
C:\Program Files (x86)\ossec-agent\ossec.confmacOS:
/Library/Ossec/etc/ossec.conf
<syscheck> <process_priority>-20</process_priority> </syscheck>
Restart the ThreatLockDown agent with administrator privilege to apply any configuration change:
Linux:
systemctl restart wazuh-agentWindows:
Restart-Service -Name wazuhmacOS:
/Library/Ossec/bin/wazuh-control restart
Database storage
ThreatLockDown uses a SQLite database to store information related to FIM events such as information about creation, modification, and deletion of regular files. When the ThreatLockDown agent starts, the FIM module performs a first scan and generates the database for the agent. By default, the database on the agent is saved on disk to the file /var/ossec/queue/fim/db.
You can configure the database storage options by using the database attribute. The allowed values for the database attribute are disk and memory. These storage options are available on Windows, macOS, and Linux operating systems.
In the configuration example below, we set the database location to memory.
Add the following settings to the ThreatLockDown agent configuration file:
Linux:
/var/ossec/etc/ossec.confWindows:
C:\Program Files (x86)\ossec-agent\ossec.confmacOS:
/Library/Ossec/etc/ossec.conf
<syscheck> <database>memory</database> </syscheck>
Restart the ThreatLockDown agent with administrator privilege to apply any configuration change:
Linux:
systemctl restart wazuh-agentWindows:
Restart-Service -Name wazuhmacOS:
/Library/Ossec/bin/wazuh-control restart
In the configuration example below, we set the database location to disk.
Add the following settings to the ThreatLockDown agent configuration file:
Linux:
/var/ossec/etc/ossec.confWindows:
C:\Program Files (x86)\ossec-agent\ossec.confmacOS:
/Library/Ossec/etc/ossec.conf
<syscheck> <database>disk</database> </syscheck>
Restart the ThreatLockDown agent with administrator privilege to apply any configuration change:
Linux:
systemctl restart wazuh-agentWindows:
Restart-Service -Name wazuhmacOS:
/Library/Ossec/bin/wazuh-control restart
The main advantage of using an in-memory database is the performance, as reading and writing operations are faster than performing them on disk. The corresponding disadvantage is that the memory must be sufficient to store the data.
Synchronization
The FIM module keeps the ThreatLockDown agent and the ThreatLockDown server databases synchronized with each other through synchronization messages. It always updates the file inventory in the ThreatLockDown server with the data available to the ThreatLockDown agent.
Whenever the ThreatLockDown agent service restarts, the module rebuilds the FIM database of the agent, runs a full scan, and synchronizes the result updating the file inventory in the ThreatLockDown server. The module synchronizes directories monitored with the realtime or whodata options immediately, while others require a full scan before synchronization takes place. The module doesn’t report to the ThreatLockDown server changes in the monitored files performed while the service was not running. If you restart the agent after the last scheduled scan, it also discards any event before the restart.
You can see below the default synchronization setting on the /var/ossec/etc/ossec.conf configuration file:
<syscheck> <synchronization> <enabled>yes</enabled> <interval>5m</interval> <max_interval>1h</max_interval> <response_timeout>30</response_timeout> <queue_size>16384</queue_size> <max_eps>10</max_eps> </synchronization> </syscheck>
The table below explains the supported attributes of the synchronization option:
Attribute
Default value
Allowed values
Description
enabled
yes
yes, no
Enables FIM database synchronizations.
interval
5m
Any number greater than or equal to 0. Allowed suffixes (s, m, h, d)
Sets the starting number of seconds to wait for a new database synchronization attempt. If synchronization fails the value gets duplicated up to the
max_intervalvalue.max_interval
1h
Any number greater than or equal to the interval. Allowed suffixes (s, m, h, d).
Specifies the maximum number of seconds to wait between every inventory synchronization attempt.
response_timeout
30
Any number greater than or equal to 0.
Specifies the minimum time in seconds that must elapse before considering a message sent to the manager as timed-out. If the agent message times out, the module starts a new synchronization session.
queue_size
16384
Integer number between 2 and 1000000.
Specifies the queue size of the manager synchronization responses.
response_timeout
10
Integer number between 0 and 1000000. 0 means disabled.
Sets the maximum synchronization message throughput.