commit 90fba40de438c731e8332acee36922cf19f11404
Author: Christopher Berger <chris@wittenberger.us>
Date:   Fri May 29 19:02:57 2026 +0000

    Upload files to "configs"

diff --git a/configs/filebeat.yml b/configs/filebeat.yml
new file mode 100644
index 0000000..bb38a5b
--- /dev/null
+++ b/configs/filebeat.yml
@@ -0,0 +1,43 @@
+# Wazuh - Filebeat configuration file
+output.elasticsearch.hosts:
+        - 127.0.0.1:9200
+#        - <elasticsearch_ip_node_2>:9200
+#        - <elasticsearch_ip_node_3>:9200
+
+output.elasticsearch:
+  protocol: https
+  username: ${username}
+  password: ${password}
+  ssl.certificate_authorities:
+    - /etc/filebeat/certs/root-ca.pem
+  ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
+  ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.ilm.overwrite: true
+setup.ilm.enabled: false
+
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+logging.level: info
+logging.to_files: true
+logging.files:
+  path: /var/log/filebeat
+  name: filebeat
+  keepfiles: 7
+  permissions: 0644
+
+logging.metrics.enabled: false
+
+seccomp:
+  default_action: allow
+  syscalls:
+  - action: allow
+    names:
+    - rseq
diff --git a/configs/internal_options.conf b/configs/internal_options.conf
new file mode 100644
index 0000000..a4ec212
--- /dev/null
+++ b/configs/internal_options.conf
@@ -0,0 +1,494 @@
+# internal_options.conf, Daniel B. Cid (dcid @ ossec.net).
+#
+# DO NOT TOUCH THIS FILE. The default configuration
+# is at ossec.conf. More information at:
+# https://documentation.wazuh.com
+#
+# This file should be handled with care. It contain
+# run time modifications that can affect the use
+# of ossec. Only change it if you know what you
+# are doing. Again, look first at ossec.conf
+# for most of the things you want to change.
+
+
+# Analysisd default rule timeframe.
+analysisd.default_timeframe=360
+# Analysisd stats maximum diff.
+analysisd.stats_maxdiff=999000
+# Analysisd stats minimum diff.
+analysisd.stats_mindiff=1250
+# Analysisd stats percentage (how much to differ from average)
+analysisd.stats_percent_diff=150
+# Analysisd FTS list size.
+analysisd.fts_list_size=32
+# Analysisd FTS minimum string size.
+analysisd.fts_min_size_for_str=14
+# Analysisd Enable the firewall log (at logs/firewall/firewall.log)
+# 1 to enable, 0 to disable.
+analysisd.log_fw=1
+# Maximum number of fields in a decoder (order tag) [32..1024]
+analysisd.decoder_order_size=256
+# Output GeoIP data at JSON alerts
+analysisd.geoip_jsonout=0
+# Maximum label cache age (margin seconds with no reloading) [0..60]
+analysisd.label_cache_maxage=10
+# Show hidden labels on alerts
+analysisd.show_hidden_labels=0
+# Maximum number of file descriptor that Analysisd can open [1024..1048576]
+analysisd.rlimit_nofile=458752
+# Minimum output rotate interval. This limits rotation by time and size. [10..86400]
+analysisd.min_rotate_interval=600
+# Number of event decoder threads
+analysisd.event_threads=0
+# Number of syscheck decoder threads
+analysisd.syscheck_threads=0
+# Number of syscollector decoder threads
+analysisd.syscollector_threads=0
+# Number of rootcheck decoder threads
+analysisd.rootcheck_threads=0
+# Number of security configuration assessment decoder threads
+analysisd.sca_threads=0
+# Number of hostinfo decoder threads
+analysisd.hostinfo_threads=0
+# Number of Windows event decoder threads
+analysisd.winevt_threads=0
+# Number of rule matching threads
+analysisd.rule_matching_threads=0
+# Number of database synchronization dispatcher threads [0..32]
+analysisd.dbsync_threads=0
+# Decoder event queue size
+analysisd.decode_event_queue_size=16384
+# Decode syscheck queue size
+analysisd.decode_syscheck_queue_size=16384
+# Decode syscollector queue size
+analysisd.decode_syscollector_queue_size=16384
+# Decode rootcheck queue size
+analysisd.decode_rootcheck_queue_size=16384
+# Decode security configuration assessment queue size
+analysisd.decode_sca_queue_size=16384
+# Decode hostinfo queue size
+analysisd.decode_hostinfo_queue_size=16384
+# Decode winevt queue size
+analysisd.decode_winevt_queue_size=16384
+# Decode Output queue
+analysisd.decode_output_queue_size=16384
+# Archives log queue size
+analysisd.archives_queue_size=16384
+# Statistical log queue size
+analysisd.statistical_queue_size=16384
+# Alerts log queue size
+analysisd.alerts_queue_size=16384
+# Firewall log queue size
+analysisd.firewall_queue_size=16384
+# FTS log queue size
+analysisd.fts_queue_size=16384
+# Database synchronization message queue size [0..2000000]
+analysisd.dbsync_queue_size=16384
+# Upgrade message queue size
+analysisd.upgrade_queue_size=16384
+# Interval for analysisd status file updating (seconds) [0..86400]
+# 0 means disabled
+analysisd.state_interval=5
+
+
+# Logcollector file loop timeout (check every 2 seconds for file changes)
+logcollector.loop_timeout=2
+
+# Logcollector number of attempts to open a log file [2..998] (0=infinite)
+logcollector.open_attempts=0
+
+# Logcollector - If it should accept remote commands from the manager
+logcollector.remote_commands=0
+
+# Logcollector - File checking interval (seconds) [0..1024]
+logcollector.vcheck_files=64
+
+# Logcollector - Maximum number of lines to read from the same file [100..1000000]
+# 0. Disable line burst limitation
+logcollector.max_lines=10000
+
+# Logcollector - Maximum number of files to be monitored [1..100000]
+logcollector.max_files=1000
+
+# Time to reattempt a socket connection after a failure [1..3600]
+logcollector.sock_fail_time=300
+
+# Logcollector - Number of input threads for reading files
+logcollector.input_threads=4
+
+# Logcollector - Output queue size [128..220000]
+logcollector.queue_size=1024
+
+# Sample log length limit for errors about large message [1..4096]
+logcollector.sample_log_length=64
+
+# Maximum number of file descriptor that Logcollector can open [1024..1048576]
+# This value must be higher than logcollector.max_files
+logcollector.rlimit_nofile=1100
+
+# Force file handler reloading: close and reopen monitored files
+# 0: Disabled
+# 1: Enabled
+logcollector.force_reload=0
+
+# File reloading interval, in seconds, if force_reload=1 [1..86400]
+# This interval must be greater or equal than vcheck_files.
+logcollector.reload_interval=64
+
+# File reloading delay (between close and open), in milliseconds [0..30000]
+logcollector.reload_delay=1000
+
+# Excluded files refresh interval, in seconds [1..172800]
+logcollector.exclude_files_interval=86400
+
+# State generation updating interval, in seconds [0..3600]
+# 0 means state file creation and updating is disabled
+logcollector.state_interval=60
+
+# Logbuilder IP update interval [0..3600]
+logcollector.ip_update_interval=60
+
+# Remoted counter io flush.
+remoted.recv_counter_flush=128
+
+# Remoted compression averages printout.
+remoted.comp_average_printout=19999
+
+# Verify msg id (set to 0 to disable it)
+remoted.verify_msg_id=0
+
+# Don't exit when client.keys empty
+remoted.pass_empty_keyfile=1
+
+# Number of shared file sender threads
+remoted.sender_pool=8
+
+# Limit of parallel request dispatchers [1..4096]
+remoted.request_pool=1024
+
+# Timeout to reject a new request (seconds) [1..600]
+remoted.request_timeout=10
+
+# Timeout for request responses (seconds) [1..3600]
+remoted.response_timeout=60
+
+# Retransmission timeout seconds [0..60]
+remoted.request_rto_sec=1
+
+# Retransmission timeout milliseconds [0..999]
+remoted.request_rto_msec=0
+
+# Max. number of sending attempts [1..16]
+remoted.max_attempts=4
+
+# Shared files reloading interval (sec) [1..18000]
+remoted.shared_reload=10
+
+# Maximum number of file descriptor that Remoted can open [1024..1048576]
+remoted.rlimit_nofile=458752
+
+# Maximum time waiting for a client response in TCP (seconds) [1..60]
+remoted.recv_timeout=1
+
+# Merge shared configuration to be broadcasted to agents
+# 0. Disable
+# 1. Enable (default)
+remoted.merge_shared=1
+
+# Store the temporary shared configuration file on disk
+# 0. No, store in memory (default)
+# 1. Yes, store on disk
+remoted.disk_storage=0
+
+# Keys file reloading latency (seconds) [1..3600]
+remoted.keyupdate_interval=10
+
+# Number of parallel worker threads [1..16]
+remoted.worker_pool=4
+
+# Interval for remoted status file updating (seconds) [0..86400]
+# 0 means disabled
+remoted.state_interval=5
+
+# Guess the group to which the agent belongs
+# 0. No, do not guess (default)
+# 1. Yes, do guess
+remoted.guess_agent_group=0
+
+# Receiving chunk size for TCP. We suggest using powers of two. [1024..16384]
+remoted.receive_chunk=4096
+
+# Sending chunk size for TCP. We suggest using powers of two. [512..16384]
+remoted.send_chunk=4096
+
+# Send buffer size for queue messages to send. We suggest using powers of two. [65536..1048576]
+remoted.send_buffer_size=131072
+
+# Sleep time to retry delivery to a client in TCP (seconds) [1..60]
+remoted.send_timeout_to_retry=1
+
+# Deallocate network buffers after usage.
+# 0. Do not deallocate memory.
+# 1. Shrink memory to the reception chunk.
+# 2. Full memory deallocation.
+remoted.buffer_relax=1
+
+# Keepalive options
+# Time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes [1..7200]
+remoted.tcp_keepidle=30
+# The time (in seconds) between individual keepalive probes [1..100]
+remoted.tcp_keepintvl=10
+# Maximum number of keepalive probes TCP should send before dropping the connection [1..50]
+remoted.tcp_keepcnt=3
+
+# Save control messages queue size, in messages [1024..1048576]
+remoted.control_msg_queue_size=16384
+
+# Router forwarding - Enable or disable forwarding messages
+# 0. Enabled
+# 1. Disabled
+remoted.router_forwarding_disabled=0
+
+# Timeout to execute remote requests [1..3600]
+execd.request_timeout=60
+
+# Max timeout to lock the restart [0..3600]
+execd.max_restart_lock=600
+
+# Maild strict checking (0=disabled, 1=enabled)
+maild.strict_checking=1
+
+# Maild grouping (0=disabled, 1=enabled)
+# Groups alerts within the same e-mail.
+maild.grouping=1
+
+# Maild full subject (0=disabled, 1=enabled)
+maild.full_subject=0
+
+# Maild display GeoIP data (0=disabled, 1=enabled)
+maild.geoip=1
+
+
+# Monitord day_wait. Amount of seconds to wait before rotating/compressing/signing [0..600]
+# the files.
+monitord.day_wait=10
+
+# Monitord compress. (0=do not compress, 1=compress)
+monitord.compress=1
+
+# Monitord sign. (0=do not sign, 1=sign)
+monitord.sign=1
+
+# Monitord monitor_agents. (0=do not monitor, 1=monitor)
+monitord.monitor_agents=1
+
+# Rotate plain and JSON logs daily. (0=no, 1=yes)
+monitord.rotate_log=1
+
+# Days to keep old ossec.log files [0..500]
+monitord.keep_log_days=31
+
+# Size of internal log files to rotate them (Megabytes) [0..4096]
+monitord.size_rotate=512
+
+# Maximum number of rotations per day for internal logs [1..256]
+monitord.daily_rotations=12
+
+# Number of minutes for deleting a disconnected agent [0..9600]. (0=disabled)
+monitord.delete_old_agents=0
+
+# Syscheck perform a delay when dispatching real-time notifications so it avoids
+# triggering on some temporary files like vim edits. (ms) [0..1000]
+syscheck.rt_delay=5
+
+# Maximum number of directories monitored for realtime on windows [1..1024]
+syscheck.max_fd_win_rt=256
+
+# Maximum number of directories monitored for who-data on Linux [1..4096]
+syscheck.max_audit_entries=256
+
+# Maximum level of recursivity allowed [1..320]
+syscheck.default_max_depth=256
+
+# Check interval of the symbolic links configured in the directories section [1..2592000]
+syscheck.symlink_scan_interval=600
+
+# Maximum file size for calcuting integrity hashes in MBytes [0..4095]
+# A value of 0 MB means to disable this filter
+syscheck.file_max_size=1024
+
+# Rootcheck checking/usage speed. The default is to sleep 50 milliseconds
+# per each PID or suspictious port.
+rootcheck.sleep=50
+
+# Time since the agent buffer is full to consider events flooding
+agent.tolerance=15
+# Level of occupied capacity in Agent buffer to trigger a warning message
+agent.warn_level=90
+# Level of occupied capacity in Agent buffer to come back to normal state
+agent.normal_level=70
+# Minimum events per second, configurable at XML settings [1..1000]
+agent.min_eps=50
+# Interval for agent status file updating (seconds) [0..86400]
+# 0 means disabled
+agent.state_interval=5
+
+# Maximum time waiting for a server response in TCP (seconds) [1..600]
+agent.recv_timeout=60
+
+# Apply remote configuration
+# 0. Disabled
+# 1. Enabled
+agent.remote_conf=1
+
+# Database - maximum number of reconnect attempts
+dbd.reconnect_attempts=10
+
+# Wazuh modules - nice value for tasks. Lower value means higher priority
+wazuh_modules.task_nice=10
+
+# Wazuh modules - maximum number of events per second sent by each module [1..1000]
+wazuh_modules.max_eps=100
+
+# Wazuh modules - time for a process to quit before killing it [0..3600]
+# 0: Kill immediately
+wazuh_modules.kill_timeout=10
+
+# Maximum number of file descriptor that Wazuh modules can open [1024..1048576]
+wazuh_modules.rlimit_nofile=8192
+
+# Wazuh database module settings
+
+# Synchronize agent database with client.keys
+wazuh_database.sync_agents=1
+
+# Sync data in real time (supported on Linux only)
+# 0. Disabled
+# 1. Enabled (default)
+wazuh_database.real_time=1
+
+# Time interval between cycles (used only if real time disabled)
+# Default: 60 seconds (1 minute). Max: 86400 seconds (1 day)
+wazuh_database.interval=60
+
+# Maximum queued events (for inotify)
+# 0. Use system default
+wazuh_database.max_queued_events=0
+
+# Enable download module
+# 0. Disabled
+# 1. Enabled (default)
+wazuh_download.enabled=1
+
+# Number of worker threads (1..32)
+wazuh_db.worker_pool_size=8
+
+# Minimum time margin before committing (1..3600)
+wazuh_db.commit_time_min=10
+
+# Maximum time margin before committing (1..3600)
+wazuh_db.commit_time_max=60
+
+# Number of allowed open databases before closing (1..4096)
+wazuh_db.open_db_limit=64
+
+# Maximum number of file descriptor that WazuhDB can open [1024..1048576]
+wazuh_db.rlimit_nofile=458752
+
+# Indicates the max fragmentation allowed.
+# [0..100]
+wazuh_db.max_fragmentation=90
+
+# Indicates the allowed fragmentation threshold.
+# [0..100]
+wazuh_db.fragmentation_threshold=75
+
+# Indicates the allowed fragmentation difference between the last time the vacuum was performed and the current measurement.
+# [0..100]
+wazuh_db.fragmentation_delta=5
+
+# Indicates the minimum percentage of free pages present in a database that can trigger a vacuum. [0..99]
+wazuh_db.free_pages_percentage=0
+
+# Interval for database fragmentation check, in seconds [1..30758400]
+wazuh_db.check_fragmentation_interval=7200
+
+# Wazuh Command Module - If it should accept remote commands from the manager
+wazuh_command.remote_commands=0
+
+# Wazuh default stack size for child threads in KiB (2048..65536)
+wazuh.thread_stack_size=8192
+
+# Security Configuration Assessment DB request interval in minutes [0..60]
+# This option sets the maximum waiting time to resend a scan when the DB integrity check fails
+sca.request_db_interval=5
+
+# Enable it to accept execute commands from SCA policies pushed from the manager in the shared configuration
+# Local policies ignore this option
+sca.remote_commands=0
+
+# Default timeout for executed commands during a SCA scan in seconds [1..300]
+sca.commands_timeout=30
+
+# Network timeout for Authd clients
+auth.timeout_seconds=1
+auth.timeout_microseconds=0
+
+# Vulnerability detector LRUs size
+vulnerability-detection.translation_lru_size=2048
+vulnerability-detection.osdata_lru_size=1000
+vulnerability-detection.remediation_lru_size=2048
+
+# Vulnerability detector - Enable or disable the scan manager
+# 0. Enabled
+# 1. Disabled
+vulnerability-detection.disable_scan_manager=1
+
+# Vulnerability detector - report queue size [0..2147483647]
+# Unlimited = 0, Limited > 0
+vulnerability-detection.report_queue_size=262144
+
+# Debug options.
+# Debug 0 -> no debug
+# Debug 1 -> first level of debug
+# Debug 2 -> full debugging
+
+# Windows debug (used by the Windows agent)
+windows.debug=0
+
+# Syscheck (local, server and Unix agent)
+syscheck.debug=0
+
+# Remoted (server debug)
+remoted.debug=0
+
+# Analysisd (server or local)
+analysisd.debug=0
+
+# Auth daemon debug (server)
+authd.debug=0
+
+# Exec daemon debug (server, local or Unix agent)
+execd.debug=0
+
+# Monitor daemon debug (server, local or Unix agent)
+monitord.debug=0
+
+# Log collector (server, local or Unix agent)
+logcollector.debug=0
+
+# Integrator daemon debug (server, local or Unix agent)
+integrator.debug=0
+
+# Unix agentd
+agent.debug=0
+
+# Wazuh DB debug level
+wazuh_db.debug=0
+
+wazuh_modules.debug=0
+
+# Wazuh Cluster debug level
+wazuh_clusterd.debug=0
+
+# EOF
diff --git a/configs/local_decoder.xml b/configs/local_decoder.xml
new file mode 100644
index 0000000..e6dfa47
--- /dev/null
+++ b/configs/local_decoder.xml
@@ -0,0 +1,75 @@
+<!-- Local Decoders -->
+
+<!-- Modify it at your will. -->
+<!-- Copyright (C) 2015, Wazuh Inc. -->
+
+<!--
+  - Allowed static fields:
+  - location   - where the log came from (only on FTS)
+  - srcuser    - extracts the source username
+  - dstuser    - extracts the destination (target) username
+  - user       - an alias to dstuser (only one of the two can be used)
+  - srcip      - source ip
+  - dstip      - dst ip
+  - srcport    - source port
+  - dstport    - destination port
+  - protocol   - protocol
+  - id         - event id
+  - url        - url of the event
+  - action     - event action (deny, drop, accept, etc)
+  - status     - event status (success, failure, etc)
+  - extra_data - Any extra data
+-->
+
+<decoder name="pfsense-wrapped">
+  <prematch>filterlog</prematch>
+</decoder>
+
+<decoder name="pfsense-wrapped-fields">
+  <parent>pfsense-wrapped</parent>
+  <regex>filterlog\S* \S*,\S*,\S*,(\S*),\S*,\S*,(\S*),</regex>
+  <order>id,action</order>
+</decoder>
+
+<decoder name="pfsense-wrapped-fields">
+  <parent>pfsense-wrapped</parent>
+  <regex offset="after_regex">\S*,\S*,\S*,\S*,\S*,\S*,\S*,\S*,\S*,(\S*),\S*,(\S*),(\S*),</regex>
+  <order>protocol,srcip,dstip</order>
+</decoder>
+
+<decoder name="pfsense-wrapped-fields">
+  <parent>pfsense-wrapped</parent>
+  <regex offset="after_regex">(\d*),(\d*),\S*</regex>
+  <order>srcport,dstport</order>
+</decoder>
+
+<decoder name="pfsense-wrapped-fields">
+  <parent>pfsense-wrapped</parent>
+  <regex offset="after_regex">datalength=(\S*)|(\d*)</regex>
+  <order>length</order>
+</decoder>
+
+<decoder name="mailcow-journald-unwrap">
+  <prematch>postfix\(\d+\): \w+ \d+ \d+:\d+:\d+ \w+ \.+\(\d+\):</prematch>
+</decoder>
+
+<decoder name="mailcow-journald-unwrap-child">
+  <parent>mailcow-journald-unwrap</parent>
+  <regex offset="after_parent">\.+</regex>
+  <order>extra_data</order>
+</decoder>
+
+<!-- Gitea: matches lines like:
+     2026/05/29 14:19:59 routers/web/auth/auth.go:309:SignInPost() [W] Failed authentication attempt...
+     2026/05/29 14:19:59 HTTPRequest [I] router: completed POST /user/login for ...
+-->
+<decoder name="gitea">
+  <program_name>gitea</program_name>
+</decoder>
+
+<decoder name="gitea-auth-fail">
+  <parent>gitea</parent>
+  <prematch>Failed authentication attempt</prematch>
+  <regex>Failed authentication attempt for (\S+) from (\d+.\d+.\d+.\d+)</regex>
+  <order>user, srcip</order>
+</decoder>
diff --git a/configs/local_rules.xml b/configs/local_rules.xml
new file mode 100644
index 0000000..a46f077
--- /dev/null
+++ b/configs/local_rules.xml
@@ -0,0 +1,181 @@
+<!-- Local rules -->
+
+<!-- Modify it at your will. -->
+<!-- Copyright (C) 2015, Wazuh Inc. -->
+
+<!-- Example -->
+<group name="local,syslog,sshd,">
+
+  <!--
+  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
+  -->
+  <rule id="100001" level="5">
+    <if_sid>5716</if_sid>
+    <srcip>1.1.1.1</srcip>
+    <description>sshd: authentication failed from IP 1.1.1.1.</description>
+    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
+  </rule>
+
+  <!-- Bridge rule: makes pfsense-wrapped decoder trigger the pfSense rule chain -->
+  <rule id="87699" level="0">
+    <decoded_as>pfsense-wrapped</decoded_as>
+    <description>pfSense wrapped syslog parent rule.</description>
+  </rule>
+
+  <rule id="87761" level="5">
+    <if_sid>87699</if_sid>
+    <action>block</action>
+    <description>pfSense firewall drop event (wrapped).</description>
+    <group>pfsense,firewall_block,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
+  </rule>
+
+  <rule id="87762" level="10" frequency="18" timeframe="45" ignore="240">
+    <if_matched_sid>87761</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple pfSense firewall block events from same source (wrapped).</description>
+    <mitre>
+      <id>T1110</id>
+    </mitre>
+    <group>pfsense,</group>
+  </rule>
+
+</group>
+
+<group name="attack,">
+  <rule id="100100" level="10">
+    <if_group>web|attack|attacks</if_group>
+    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
+    <description>IP address found in AlienVault reputation database.</description>
+  </rule>
+</group>
+
+<group name="dovecot,local,">
+  <rule id="100200" level="0">
+    <if_sid>9705</if_sid>
+    <match>watchdog@invalid</match>
+    <description>Dovecot: mailcow watchdog health check (ignored)</description>
+  </rule>
+
+  <rule id="100201" level="0">
+    <if_sid>9707</if_sid>
+    <match>rip=172.22.1.</match>
+    <description>Dovecot: mailcow watchdog IMAP probe disconnect (ignored)</description>
+  </rule>
+
+  <rule id="100202" level="0">
+    <if_sid>9706</if_sid>
+    <match>imap(IGNORED_EMAIL_ADDRESS)</match>
+    <description>Dovecot: own-mailbox routine session disconnect (ignored)</description>
+  </rule>
+
+  <rule id="100301" level="0">
+    <if_sid>9706</if_sid>
+    <match>managesieve-login: Disconnected: Connection closed (no auth attempts</match>
+    <description>Mailcow watchdog managesieve healthcheck - suppressed</description>
+  </rule>
+
+
+</group>
+
+<group name="dovecot,authentication_success,">
+  <rule id="100300" level="0" overwrite="no">
+    <if_sid>9701</if_sid>
+    <description>Dovecot successful login - suppressed (routine IMAP polling)</description>
+  </rule>
+</group>
+
+<group name="gitea,">
+  <!-- Parent rule: any Gitea event gets decoded but only fires if a child rule matches -->
+  <rule id="100400" level="0">
+    <decoded_as>gitea</decoded_as>
+    <description>Gitea event (parent)</description>
+  </rule>
+
+  <!-- Suppress polling/router/HTTP noise so it never reaches the alert log -->
+  <rule id="100401" level="0">
+    <if_sid>100400</if_sid>
+    <match>router: polling</match>
+    <description>Gitea: router polling - suppressed</description>
+  </rule>
+
+  <rule id="100402" level="0">
+    <if_sid>100400</if_sid>
+    <match>router: completed</match>
+    <description>Gitea: router completed request - suppressed</description>
+  </rule>
+
+  <!-- Failed login (matches your real captured line) -->
+  <rule id="100410" level="5">
+    <if_sid>100400</if_sid>
+    <match>Failed authentication attempt</match>
+    <description>Gitea: failed authentication attempt</description>
+    <group>authentication_failed,</group>
+    <mitre>
+      <id>T1110</id>
+    </mitre>
+  </rule>
+
+  <!-- Brute force: 5 failures from same source in 2 minutes -->
+  <rule id="100411" level="10" frequency="5" timeframe="120">
+    <if_matched_sid>100410</if_matched_sid>
+    <description>Gitea: possible brute force (5+ failed logins in 2 min)</description>
+    <group>authentication_failures,</group>
+    <mitre>
+      <id>T1110</id>
+    </mitre>
+  </rule>
+
+  <!-- Account lifecycle -->
+  <rule id="100420" level="5">
+    <if_sid>100400</if_sid>
+    <match>new user signed up|created user</match>
+    <description>Gitea: new user account created</description>
+  </rule>
+
+  <rule id="100421" level="7">
+    <if_sid>100400</if_sid>
+    <match>deleted user|DeleteUser</match>
+    <description>Gitea: user account deleted</description>
+  </rule>
+
+  <!-- SSH keys / tokens -->
+  <rule id="100430" level="5">
+    <if_sid>100400</if_sid>
+    <match>add public key|added SSH key|AddPublicKey</match>
+    <description>Gitea: SSH key added to account</description>
+  </rule>
+
+  <rule id="100431" level="3">
+    <if_sid>100400</if_sid>
+    <match>delete public key|deleted SSH key|DeletePublicKey</match>
+    <description>Gitea: SSH key removed from account</description>
+  </rule>
+
+  <rule id="100440" level="5">
+    <if_sid>100400</if_sid>
+    <match>access token|AccessToken</match>
+    <description>Gitea: access token activity</description>
+  </rule>
+
+  <!-- Password reset / recovery -->
+  <rule id="100450" level="5">
+    <if_sid>100400</if_sid>
+    <match>ResetPasswd|recover_account</match>
+    <description>Gitea: password reset / account recovery</description>
+  </rule>
+
+  <!-- Repo operations -->
+  <rule id="100460" level="7">
+    <if_sid>100400</if_sid>
+    <match>repository deleted|DeleteRepository</match>
+    <description>Gitea: repository deleted</description>
+  </rule>
+
+  <!-- 2FA events -->
+  <rule id="100470" level="5">
+    <if_sid>100400</if_sid>
+    <match>TwoFactor|two-factor|TOTP</match>
+    <description>Gitea: 2FA event</description>
+  </rule>
+
+</group>
diff --git a/configs/ossec.conf b/configs/ossec.conf
new file mode 100644
index 0000000..e70a560
--- /dev/null
+++ b/configs/ossec.conf
@@ -0,0 +1,356 @@
+<!--
+  Wazuh - Manager - Default configuration for amzn 2023
+  More info at: https://documentation.wazuh.com
+  Mailing list: https://groups.google.com/forum/#!forum/wazuh
+-->
+
+<ossec_config>
+  <global>
+    <jsonout_output>yes</jsonout_output>
+    <alerts_log>yes</alerts_log>
+    <logall>yes</logall>
+    <logall_json>no</logall_json>
+    <email_notification>yes</email_notification>
+    <email_to>chris@wittenberger.us</email_to>
+    <smtp_server>localhost</smtp_server>
+    <email_from>YOUR_EMAIL</email_from>
+    <email_maxperhour>12</email_maxperhour>
+    <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>15m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+    <update_check>yes</update_check>
+  </global>
+
+  <alerts>
+    <log_alert_level>3</log_alert_level>
+    <email_alert_level>12</email_alert_level>
+  </alerts>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+  <remote>
+    <connection>secure</connection>
+    <port>1514</port>
+    <protocol>tcp</protocol>
+    <queue_size>131072</queue_size>
+  </remote>
+
+  <remote>
+    <connection>syslog</connection>
+    <port>514</port>
+    <protocol>udp</protocol>
+    <allowed-ips>10.0.0.0/8</allowed-ips>
+    <local_ip>WAZUH_SERVER_IP</local_ip>
+  </remote>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+
+    <ignore>/var/lib/containerd</ignore>
+    <ignore>/var/lib/docker/overlay2</ignore>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="yes">yes</ports>
+    <processes>yes</processes>
+    <users>yes</users>
+    <groups>yes</groups>
+    <services>yes</services>
+    <browser_extensions>yes</browser_extensions>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <vulnerability-detection>
+    <enabled>yes</enabled>
+    <index-status>yes</index-status>
+    <feed-update-interval>60m</feed-update-interval>
+  </vulnerability-detection>
+
+  <indexer>
+    <enabled>yes</enabled>
+    <hosts>
+      <host>https://127.0.0.1:9200</host>
+    </hosts>
+    <ssl>
+      <certificate_authorities>
+        <ca>/etc/filebeat/certs/root-ca.pem</ca>
+      </certificate_authorities>
+      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
+      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
+    </ssl>
+  </indexer>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Generate alert when new file detected -->
+    <alert_new_files>yes</alert_new_files>
+
+    <!-- Don't ignore files that change more than 'frequency' times -->
+    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>50</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Active response -->
+  <global>
+    <white_list>127.0.0.1</white_list>
+    <white_list>^localhost.localdomain$</white_list>
+    <white_list>WHITELISTED_IPs</white_list>
+  </global>
+
+  <command>
+    <name>disable-account</name>
+    <executable>disable-account</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
+  </command>
+
+  <command>
+    <name>firewall-drop</name>
+    <executable>firewall-drop</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>host-deny</name>
+    <executable>host-deny</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>route-null</name>
+    <executable>route-null</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null</name>
+    <executable>route-null.exe</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>netsh</name>
+    <executable>netsh.exe</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <!--
+  <active-response>
+    active-response options here
+  </active-response>
+  -->
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <ruleset>
+    <!-- Default ruleset -->
+    <decoder_dir>ruleset/decoders</decoder_dir>
+    <rule_dir>ruleset/rules</rule_dir>
+    <rule_exclude>0215-policy_rules.xml</rule_exclude>
+    <list>etc/lists/audit-keys</list>
+    <list>etc/lists/amazon/aws-eventnames</list>
+    <list>etc/lists/security-eventchannel</list>
+    <list>etc/lists/malicious-ioc/malware-hashes</list>
+    <list>etc/lists/malicious-ioc/malicious-ip</list>
+    <list>etc/lists/malicious-ioc/malicious-domains</list>
+
+    <!-- User-defined ruleset -->
+    <decoder_dir>etc/decoders</decoder_dir>
+    <rule_dir>etc/rules</rule_dir>
+
+    <!-- Alienvault Reputation ruleset -->
+    <list>etc/lists/blacklist-alienvault</list>
+
+
+  </ruleset>
+
+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
+  <!-- Configuration for wazuh-authd -->
+  <auth>
+    <disabled>no</disabled>
+    <port>1515</port>
+    <use_source_ip>no</use_source_ip>
+    <purge>yes</purge>
+    <use_password>no</use_password>
+    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+    <!-- <ssl_agent_ca></ssl_agent_ca> -->
+    <ssl_verify_host>no</ssl_verify_host>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
+    <ssl_auto_negotiate>no</ssl_auto_negotiate>
+  </auth>
+
+  <cluster>
+    <name>wazuh</name>
+    <node_name>node01</node_name>
+    <node_type>master</node_type>
+    <key></key>
+    <port>1516</port>
+    <bind_addr>0.0.0.0</bind_addr>
+    <nodes>
+        <node>NODE_IP</node>
+    </nodes>
+    <hidden>no</hidden>
+    <disabled>yes</disabled>
+  </cluster>
+
+  <integration>
+    <name>virustotal</name>
+    <api_key>f666033b4fdfbeede138a12aac51dd4345bd72261786f54c45c790bf6e4446ca</api_key>
+    <group>syscheck</group>
+    <rule_id>550,553,554</rule_id>
+    <alert_format>json</alert_format>
+  </integration>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>journald</log_format>
+    <location>journald</location>
+  </localfile>
+
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+</ossec_config>