Configuration file
The ThreatLockDown dashboard includes a configuration file located at /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml where you can define custom values for several options. This section describes all the settings available in this file.
If you are using the ThreatLockDown Kibana plugin, you can find this configuration file at /usr/share/kibana/data/wazuh/config/wazuh.yml.
The configuration file shows the default values for all of the possible options. You can edit the file, uncomment any of them and apply the desired values. You can also edit these settings from the ThreatLockDown dashboard in Indexer/dashboard management > App Settings.
The configuration file reference is organized by sections:
General options
hosts
Defines the list of APIs to connect with your ThreatLockDown managers.
hosts:
  - <id>:
      url: http(s)://<url>
      port: <port>
      username: <username>
      password: <password>
Note
It is required to specify at least one host.
This is an example of a multi-host configuration:
hosts:
  - wazuh_prod:
      url: https://wazuh.com
      port: 55000
      username: wazuh-wui
      password: secret_password
      run_as: false
  - wazuh_test:
      url: https://localhost
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false
pattern
Default index pattern to use on the app. If there are no valid index patterns on Elasticsearch, the app will automatically create one with the name indicated in this option.
Default value | wazuh-alerts-*
Allowed values | Any valid index pattern
timeout
Defines the maximum time the app will wait for an API response when making requests to it. It will be ignored if the value is set under 1500 milliseconds.
Default value | 20000 (milliseconds)
Allowed values | Any number starting from 1500
ip.selector
Defines if the user is allowed to change the selected index pattern directly from the top menu bar.
Default value | true
Allowed values | true, false
ip.ignore
Disable certain index pattern names from being available in the index pattern selector from the ThreatLockDown dashboard. An empty list (the default value) won't ignore any valid index pattern.
Default value | []
Allowed values | Array of strings. Eg: ["wazuh-archives-*"]
logs.level
Set the logging level for the ThreatLockDown dashboard log files.
Default value | info
Allowed values | info, debug
hideManagerAlerts
Hide the manager alerts in the dashboard visualizations.
Default value | false
Allowed values | true, false
Monitoring
wazuh.monitoring.enabled
Enable or disable the wazuh-monitoring index creation and/or visualization:
- When the value is set to true, the app will show the Agents status visualization and will insert monitoring-related data.
- When the value is set to false, the app won't show the visualization and won't insert monitoring-related data.
- When the value is set to worker, the app will show the visualization, but won't insert monitoring-related data.
Default value | true
Allowed values | true, false, worker
Warning
The ThreatLockDown dashboard user interface allows selecting true and false only. To set the worker value, you must edit the configuration file instead.
wazuh.monitoring.frequency
Define, in seconds, how often the app requests the state of the agents from the API to create a new document in the wazuh-monitoring index with this data.
Default value | 900 (seconds)
Allowed values | Any number starting from 60
Warning
Although the minimum value can be 60, we recommend adjusting it to at least 300 seconds to avoid overloading issues due to the excessive creation of documents in the index.
wazuh.monitoring.pattern
Default ThreatLockDown monitoring index pattern to use for the app. This setting does not remove any existing patterns or templates; it just updates the app to add new ones.
Default value | wazuh-monitoring-*
Allowed values | Any valid index pattern
wazuh.monitoring.creation
Configure the custom creation interval for the wazuh-monitoring-* indices.
Default value | w (weekly)
Allowed values | h (hourly), d (daily), w (weekly), m (monthly)
Health checks
checks.pattern
Enable or disable the index pattern health check when opening the app.
Default value | true
Allowed values | true, false
checks.template
Enable or disable the template health check when opening the app.
Default value | true
Allowed values | true, false
checks.api
Enable or disable the ThreatLockDown API health check when opening the app.
Default value | true
Allowed values | true, false
checks.setup
Enable or disable the setup health check when opening the app.
Default value | true
Allowed values | true, false
checks.fields
Enable or disable the known fields health check when opening the app.
Default value | true
Allowed values | true, false
checks.metaFields
Enable or disable the metaFields health check when opening the app.
Default value | true
Allowed values | true, false
checks.timeFilter
Enable or disable the timeFilter health check when opening the app.
Default value | true
Allowed values | true, false
checks.maxBuckets
Enable or disable the maxBuckets health check when opening the app.
Default value | true
Allowed values | true, false
Advanced index options
Warning
These options are only valid if they're modified before starting the ThreatLockDown dashboard for the very first time.
You can read more about configuring the shards and replicas in ThreatLockDown indexer tuning.
wazuh.monitoring.shards
Define the number of shards to use for the wazuh-monitoring-* indices.
Default value | 1
Allowed values | Any number starting from 1
wazuh.monitoring.replicas
Define the number of replicas to use for the wazuh-monitoring-* indices.
Default value | 0
Allowed values | Any number starting from 0
Sample alerts
alerts.sample.prefix
Define the index name prefix of sample alerts. It must match the template used by the index pattern to avoid unknown fields in dashboards.
Default value | wazuh-alerts-4.x-
Allowed values | Any valid index pattern
Enrollment DNS
enrollment.dns
Specifies the ThreatLockDown registration server, used for the agent enrollment.
Default value | ''
Allowed values | Any string
enrollment.password
Specifies the password used to authenticate during the agent enrollment.
Default value | ''
Allowed values | Any string
Cron
cron.prefix
Define the index prefix of predefined jobs.
Default value | ''
Allowed values | Any string
cron.statistics.status
Enable or disable the statistics tasks.
Default value | true
Allowed values | true, false
cron.statistics.apis
Enter the IDs of the hosts you want to save data from, or leave this empty to run the task on every host.
Default value | []
Allowed values | Array of APIs
cron.statistics.interval
Define the frequency of task execution using cron schedule expressions.
Default value |
Allowed values | Any cron expression
cron.statistics.index.name
Define the name of the index in which the documents will be saved.
Default value | statistics
Allowed values | Any valid index pattern
cron.statistics.index.creation
Define the interval in which a new index will be created.
Default value | w
Allowed values | h (hourly), d (daily), w (weekly), m (monthly)
cron.statistics.shards
Define the number of shards to use for the statistics indices.
Default value | 1
Allowed values | Any number starting from 1
cron.statistics.replicas
Define the number of replicas to use for the statistics indices.
Default value | 0
Allowed values | Any number starting from 0
Custom branding
Edit the settings shown below to use custom branding elements such as logos, and header and footer text.
Warning
Please take into consideration the following notes:
- The value of any customization.logo.* setting must follow the pattern custom/images/<setting_name>.<image_format>.
- The path custom/images/ included in every customization.logo.* setting is relative to the /plugins/wazuh/public/assets/ folder.
- Setting or modifying any customization.logo.* setting by hand is not recommended. Use the UI instead.
- The in-file customization.logo.* settings are flagged for deprecation and will no longer be supported in future releases.
customization.enabled
Enable or disable the custom branding.
Default value | true
Allowed values | true, false
customization.logo.app
Define the image's path, name and extension for the main menu logo.
Default value | ''
Allowed values | Any string
customization.logo.healthcheck
Define the image's path, name and extension for the Healthcheck logo.
Default value | ''
Allowed values | Any string
customization.logo.reports
Define the image's path, name and extension for the logo to use in the PDF reports generated by the app.
Default value | ''
Allowed values | Any string
customization.reports.header
Set the header of the PDF reports. To use an empty header, type a space " " in the field. If this field is empty, it uses the default header.
Default value | ''
Allowed values | Any string
Example
This is an example of the wazuh.yml configuration:
# General options
hosts:
  - env-1:
      url: https://env-1.example
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: true
  - env-2:
      url: https://env-2.example
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: true
pattern: 'wazuh-alerts-*'
timeout: 20000
ip.selector: true
ip.ignore: []
logs.level: info
hideManagerAlerts: true
# Monitoring
wazuh.monitoring.enabled: true
wazuh.monitoring.frequency: 900
wazuh.monitoring.pattern: wazuh-monitoring-*
wazuh.monitoring.creation: w
# Health checks
checks.pattern : true
checks.template: true
checks.fields : true
checks.api : true
checks.setup : true
checks.metaFields: true
checks.timeFilter: true
checks.maxBuckets: true
# Advanced index options
wazuh.monitoring.shards: 1
wazuh.monitoring.replicas: 0
# Custom branding
customization.enabled: true
customization.logo.app: 'custom/images/customization.logo.app.jpg'
customization.logo.healthcheck: 'custom/images/customization.logo.healthcheck.svg'
customization.logo.reports: 'custom/images/customization.logo.reports.jpg'
customization.reports.footer: '123 Custom footer Ave.\nSan Jose, CA 95148'
customization.reports.header: 'Custom Company\ninfo@custom.com\n@social_reference'
# Sample alerts
alerts.sample.prefix: wazuh-alerts-4.x-
# Cron
cron.prefix: wazuh
cron.statistics.status: true
cron.statistics.apis: []
cron.statistics.interval: 0 */5 * * * *
cron.statistics.index.name: statistics
cron.statistics.index.creation: w
cron.statistics.shards: 1
cron.statistics.replicas: 0
# Enrollment DNS
enrollment.dns: ''
enrollment.password: ''
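
The limits documented in this reference can be checked mechanically before the dashboard is restarted with an edited file. The following Python check is an added example, not part of the ThreatLockDown documentation or code: it assumes wazuh.yml has already been loaded into a dict by a YAML parser, and the lint function, its messages and the sample values are hypothetical. Besides the documented allowed values and minimums, it flags hosts whose API URL uses plain HTTP and hosts whose password equals the username.

```python
# Added example: lint parsed wazuh.yml settings against the limits documented above.
BOOLS = (True, False)
INTERVALS = ("h", "d", "w", "m")
ALLOWED = {  # setting -> allowed values from the reference
    "ip.selector": BOOLS, "hideManagerAlerts": BOOLS,
    "logs.level": ("info", "debug"),
    "wazuh.monitoring.enabled": (True, False, "worker"),
    "wazuh.monitoring.creation": INTERVALS,
    "cron.statistics.index.creation": INTERVALS,
}
MINIMUM = {  # setting -> documented lower bound
    "timeout": 1500, "wazuh.monitoring.frequency": 60,
    "wazuh.monitoring.shards": 1, "wazuh.monitoring.replicas": 0,
    "cron.statistics.shards": 1, "cron.statistics.replicas": 0,
}
def lint(cfg):
    """Return findings for a dict shaped like the parsed file (flat dotted keys)."""
    out = []
    for key, allowed in ALLOWED.items():
        v = cfg.get(key)
        # Compare type as well as value so that 1 is not accepted as true.
        if key in cfg and not any(type(v) is type(a) and v == a for a in allowed):
            out.append(f"{key}: {v!r} is not an allowed value")
    for key, low in MINIMUM.items():
        v = cfg.get(key)
        if key in cfg and (type(v) not in (int, float) or v < low):
            out.append(f"{key}: {v!r} must be a number of at least {low}")
    freq = cfg.get("wazuh.monitoring.frequency")
    if type(freq) in (int, float) and 60 <= freq < 300:
        out.append("wazuh.monitoring.frequency: under the recommended 300 seconds")
    hosts = cfg.get("hosts") or []
    if not hosts:
        out.append("hosts: at least one host is required")
    for entry in hosts:  # each entry is {<id>: {url, port, username, password}}
        for host_id, h in entry.items():
            if str(h.get("url", "")).lower().startswith("http://"):
                out.append(f"hosts.{host_id}: API credentials sent over plain HTTP")
            if h.get("password") and h.get("password") == h.get("username"):
                out.append(f"hosts.{host_id}: password equals username")
    return out

# Constructed sample, not a real deployment.
SAMPLE = {
    "hosts": [{"lab": {"url": "http://manager.example", "port": 55000,
                       "username": "wazuh-wui", "password": "wazuh-wui"}}],
    "timeout": 1000, "logs.level": "trace",
    "wazuh.monitoring.enabled": "worker", "wazuh.monitoring.frequency": 120,
}
print("\n".join(lint(SAMPLE)))
```

Because the settings in this file are flat dotted keys, the dict returned by a YAML parser can be passed to lint unchanged.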