global

Global configuration generally applies to features that affect the system as a whole, rather than a specific component.

Options

alerts_log

This toggles the writing of alerts to /var/ossec/logs/alerts/alerts.log.

Default value	yes
Allowed values	yes, no

Warning

Disabling JSON and plain text formatted alerts simultaneously is not compatible with the integrator, syslog client or email features.

email_notification

This toggles the use of email alerting.

Default value	no
Allowed values	yes, no

email_to

This specifies the email recipient for alerts.

Note

A base configuration must be included in the section in order to use granular email configurations.

Default value	n/a
Allowed values	Any valid email address

Note that this section only allows for one email address. In case you want to add more than one, repeat the section as many times as required.

email_from

This specifies the “source” address contained in the email alerts.

Default value	n/a
Allowed values	Any valid email address

email_reply_to

This specifies the “reply-to” address contained in the email alerts.

Default value	n/a
Allowed values	Any valid email address

smtp_server

This option defines what SMTP server to use to deliver alerts.

Default value	n/a
Allowed values	Valid hostname or IP address. Full path to a sendmail-like executable.

helo_server

This option defines how the ThreatLockDown server identifies itself when sending mail.

Default value	notify.ossec.net
Allowed values	Any valid hostname.

email_maxperhour

This sets the maximum number of email alerts that can be sent per hour. All emails beyond this hourly threshold are then queued to be sent together in a single email at the end of the hour.

Note

At the end of the hour, the queued emails will be sent together in one email whether mail grouping is turned on or not.

Default value	12
Allowed values	Any number from 1 to 1000000

email_idsname

The name will be added to the email headers with the specified value.

Default value	n/a
Allowed values	Any name

email_log_source

This selects the alert file to be read from.

Default value	alerts.log
Allowed values	alerts.log or alerts.json

custom_alert_output

The values below may be used with this option to specify the format of the alerts that are written to alerts.log:

Variable name	Description
$TIMESTAMP	The time the event was processed by OSSEC.
$FTELL	Unknown
$RULEALERT	Unknown
$HOSTNAME	Hostname of the system generating the event.
$LOCATION	The file the log messages were saved to.
$RULEID	The rule id of the alert.
$RULELEVEL	The rule level of the alert.
$RULECOMMENT	Unknown
$SRCIP	The source IP specified in the log message.
$DSTUSER	The destination user specified in the log message.
$FULLLOG	The original log message.
$RULEGROUP	The group containing the rule.

stats

This sets the severity level for events that are generated by statistical analysis.

Default value	8
Allowed values	Any level from 0 to 16

logall

This toggles whether to store events even when they do not trip a rule with results written to /var/ossec/logs/archives/archives.log.

Default value	no
Allowed values	yes, no

logall_json

This toggles whether to store events even when they do not trip a rule with results written to /var/ossec/logs/archives/archives.json.

Default value	no
Allowed values	yes, no

memory_size

This sets the memory size for the event correlation engine.

Default value	8192
Allowed values	Any integer, but values less than 2048 will be replaced by 2048.

white_list

This specifies an IPv4/IPv6 address, netblock, or hostname that will not trigger an active response. Only one of those values may be specified for each <while_list> tag, but several values may be used by including multiple <white_list> tags. This configuration is compared against the extracted srcip field in the alert.

Default value	n/a
Allowed values	Any IPv4/IPv6 address, netblock (i.e.: 192.168.0.0/16) or hostname

Note

This option is only valid in server and local installs.

host_information

This sets the severity level for events generated by the host change monitor.

Default value	8
Allowed values	Can be used any level from 0 to 16

jsonout_output

This toggles the writing of JSON-formatted alerts to /var/ossec/logs/alerts/alerts.json which would include the same events that would be sent to alerts.log, only in JSON format.

Warning

Disabling jsonout_output disrupts the alerts indexing process. In a default installation, Filebeat reads the alerts.json file and sends this information to the ThreatLockDown indexer. If the writing to this file stops, alerts are no longer indexed.

Default value	yes
Allowed values	yes, no

prelude_output

This toggles Prelude output.

Default value	no
Allowed values	yes, no

prelude_log_level

The minimum alert level required to trigger prelude output.

Default value	0
Allowed values	Any integer from 0 to 16 inclusive

prelude_profile

The prelude client analyzer name.

Default value	OSSEC
Allowed values	Any valid prelude client analyzer.

zeromq_output

This enables ZeroMQ output.

Default value	n/a
Allowed values	yes, no

zeromq_uri

This specifies the ZeroMQ URI for the publisher socket to bind to.

Default value	n/a
Allowed values	This URI format is defined by the ZeroMQ project.

For example:

This will listen for ZeroMQ subscribers on IP address 127.0.0.1:11111.

<zeromq_uri>tcp://localhost:11111/</zeromq_uri>

This will listen on port 21212 for ZeroMQ subscribers, binding to the IP address assigned to eth0.

<zeromq_uri>tcp://eth0:21212/</zeromq_uri>

This will listen for ZeroMQ on the Unix Domain socket /alerts-zmq.

<zeromq_uri>ipc:///alerts-zmq</zeromq_uri>

geoipdb

This indicates the full path of the MaxMind GeoIP IPv4 database file.

Default value	n/a
Allowed values	Path to the GeoIP IPv4 database file location

For example:

<geoipdb>/etc/GeoLiteCity.dat</geoipdb>

rotate_interval

This option sets the interval between file rotation. The range of possible values is from 10m (10 minutes) to 1d (1 day).

Default value	0 (disabled)
Allowed values	A positive number that should end with a character indicating a time unit, such as: s (seconds), m (minutes), h (hours), d (days)

Note

The default minimum value 10m is set in the analysisd.min_rotate_interval option found in the internal configuration file /var/ossec/etc/internal_options.conf.

Example:

<rotate_interval>10h</rotate_interval>

max_output_size

This sets the size limit of alert files with a maximum allowed value of 1TiB and a minimum allowed value of 1MiB.

Default value	0 (disabled)
Allowed values	A positive number that should contain a suffix character indicating a size unit, such as M (mebibyte) and G (gibibyte).

Example:

<max_output_size>20M</max_output_size>

agents_disconnection_time

This sets the time after which the manager considers an agent as disconnected since its last keepalive.

Default value	10m
Allowed values	A positive number that should end with a character indicating a time unit, such as: s (seconds), m (minutes), h (hours), d (days). The minimum allowed is 1s.

Warning

This setting should always be greater than notify-time configured in the agents. This allows them to always notify the manager before it would consider them disconnected.

Example:

<agents_disconnection_time>1m</agents_disconnection_time>

agents_disconnection_alert_time

This sets the time after which an alert is generated since an agent was considered as disconnected. As this is a time-lapse after an agent is considered as disconnected because of the disconnection time, the minimum time frame to produce an alert taking the default values is 2m and 20s.

Default value	0s
Allowed values	A positive number that should end with a character indicating a time unit, such as: s (seconds), m (minutes), h (hours), d (days). The minimum allowed is 0s in order to generate an alert as soon as an agent is considered as disconnected.

Example:

<agents_disconnection_alert_time>1h</agents_disconnection_alert_time>

limits

This block configures the limits section.

limits\eps

Options
limits\eps

limits\eps

This block configures the events per second limitation functionality.

limits\eps\maximum
limits\eps\timeframe

Options	Allowed values
limits\eps\maximum	Zero or a positive number
limits\eps\timeframe	A positive number

Events per second limits example block:

<limits>
  <eps>
    <maximum>500</maximum>
    <timeframe>10</timeframe>
  </eps>
</limits>

limits\eps\maximum

Maximum number of events per second allowed to be processed by decoders.

Default value	0
Allowed values	A number between 0 and 100000. Zero to disable the functionality

limits\eps\timeframe

A positive number expressed in seconds that indicates the time period where the events per second processed are increased and restored.

Default value	10
Allowed values	A positive number between 1 and 3600

update_check

This setting toggles whether to query the external ThreatLockDown Cyber Threat Intelligence (CTI) service for any available ThreatLockDown updates.

Default value	yes
Allowed values	yes, no

forward_to

Specifies the name of the socket where the output will be redirected. The socket must be defined previously.

Default value	None
Allowed values	Any defined socket under `/var/ossec`

Example:

<socket>
  <name>custom_socket</name>
  <location>/var/ossec/custom.sock</location>
  <mode>tcp</mode>
</socket>

<forward_to>custom_socket</forward_to>

Configuration example

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>smtp.example.wazuh.com</smtp_server>
  <email_from>wazuh@example.wazuh.com</email_from>
  <email_to>recipient@example.wazuh.com</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  <update_check>yes</update_check>
</global>