Local configuration (ossec.conf)

The ossec.conf file is the main configuration file on the ThreatLockDown manager, and it also plays an important role on the agents. On Linux, it is located at /var/ossec/etc/ossec.conf on both the manager and the agent. On Windows agents, it is found at C:\Program Files (x86)\ossec-agent\ossec.conf. It is recommended to back up this file before making changes to it, because a configuration error may prevent the ThreatLockDown services from starting.

The ossec.conf file is in XML format, and all of its configuration options are nested in their appropriate section of the file. In this file, the outermost XML tag is <ossec_config>. There can be more than one <ossec_config> tag.

Here is an example of the proper location of the alerts configuration section:

<ossec_config>
    <alerts>
        <!--
        alerts options here
        -->
    </alerts>
</ossec_config>

The agent.conf file is very similar to ossec.conf but agent.conf is used to centrally distribute configuration information to agents. See more here.

ThreatLockDown can be installed in two ways: as a manager by using the "server/manager" installation type and as an agent by using the "agent" installation type.

Configuration section            Supported installations
active-response                  manager, agent
agentless                        manager
agent-upgrade                    manager, agent
alerts                           manager
auth                             manager
client                           agent
client_buffer                    agent
cluster                          manager
command                          manager
database_output                  manager
email_alerts                     manager
fluent-forward                   manager, agent
global                           manager
github                           manager, agent
indexer                          manager
integration                      manager
labels                           manager, agent
localfile                        manager, agent
logging                          manager, agent
ms-graph                         manager, agent
office365                        manager, agent
remote                           manager
reports                          manager
rootcheck                        manager, agent
rule_test                        manager
ruleset                          manager
sca                              manager, agent
socket                           manager, agent
syscheck                         manager, agent
syslog_output                    manager
task-manager                     manager
vulnerability-detection          manager
wazuh_db                         manager
wodle name="agent-key-polling"   manager
wodle name="aws-s3"              manager, agent
wodle name="azure-logs"          manager, agent
wodle name="cis-cat"             manager, agent
wodle name="command"             manager, agent
wodle name="docker-listener"     manager, agent
wodle name="open-scap"           manager, agent
wodle name="osquery"             manager, agent
wodle name="syscollector"        manager, agent
gcp-pubsub                       manager, agent
gcp-bucket                       manager, agent

All of the above sections must be located within a top-level <ossec_config> tag. If a second <ossec_config> block is added, the values it sets may override those set in the earlier block.
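As an added example (not part of the ThreatLockDown documentation or tooling), the following Python pre-flight check parses an ossec.conf text, which may hold several top-level <ossec_config> blocks, and reports sections that are not supported for the installation type according to the table above, unknown sections, and sections repeated across blocks that a later block may override. The section subset, the sample file and its addresses are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Allowed installation type per section, taken from the table on this page
# (a representative subset; wodles are keyed by their name attribute).
SECTIONS = {
    "active-response": {"manager", "agent"}, "alerts": {"manager"},
    "auth": {"manager"}, "client": {"agent"}, "client_buffer": {"agent"},
    "cluster": {"manager"}, "global": {"manager"}, "remote": {"manager"},
    "localfile": {"manager", "agent"}, "syscheck": {"manager", "agent"},
    'wodle name="syscollector"': {"manager", "agent"}, 'wodle name="command"': {"manager", "agent"},
}
# Sections that legitimately repeat (one per log file / command), so a second
# occurrence in another block is not flagged as an override.
REPEATABLE = {"localfile", 'wodle name="command"'}

def section_key(elem):
    """Table key for an element: its tag, or wodle plus its name attribute."""
    return 'wodle name="%s"' % elem.get("name", "") if elem.tag == "wodle" else elem.tag

def check_config(text, install_type):
    """Problems found in an ossec.conf text for install_type ('manager'/'agent').
    The file may hold several <ossec_config> blocks, so wrap it in a synthetic root first."""
    try:
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as err:
        return ["not well-formed XML (the service would refuse to start): %s" % err]
    problems, first_seen = [], {}
    for block_no, block in enumerate(root.findall("ossec_config"), start=1):
        for elem in block:
            key = section_key(elem)
            allowed = SECTIONS.get(key)
            if allowed is None:
                problems.append("block %d: unknown section <%s>" % (block_no, key))
            elif install_type not in allowed:
                problems.append("block %d: <%s> is not supported for install type %s" % (block_no, key, install_type))
            prev = first_seen.setdefault(key, block_no)   # block where key first appeared
            if prev != block_no and key not in REPEATABLE:
                problems.append("block %d: <%s> already set in block %d; this later block may override it" % (block_no, key, prev))
    return problems

# Constructed sample: an agent file with a manager-only section and a repeated <client>.
SAMPLE_AGENT_CONF = """<ossec_config>
  <client><server><address>10.0.0.2</address></server></client>
  <alerts><log_alert_level>3</log_alert_level></alerts>
  <localfile><location>/var/log/auth.log</location></localfile>
</ossec_config>
<ossec_config>
  <client><server><address>10.0.0.3</address></server></client>
  <localfile><location>/var/log/syslog</location></localfile>
</ossec_config>"""
```

Run `check_config(open("/var/ossec/etc/ossec.conf").read(), "agent")` on a backup copy before restarting the service; an empty list means no findings.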