# internal_options.conf, Daniel B. Cid (dcid @ ossec.net).
#
# DO NOT TOUCH THIS FILE. The default configuration
# is at ossec.conf. More information at:
# https://documentation.wazuh.com
#
# This file should be handled with care. It contain
# run time modifications that can affect the use
# of ossec. Only change it if you know what you
# are doing. Again, look first at ossec.conf
# for most of the things you want to change.


# Analysisd default rule timeframe.
analysisd.default_timeframe=360
# Analysisd stats maximum diff.
analysisd.stats_maxdiff=999000
# Analysisd stats minimum diff.
analysisd.stats_mindiff=1250
# Analysisd stats percentage (how much to differ from average)
analysisd.stats_percent_diff=150
# Analysisd FTS list size.
analysisd.fts_list_size=32
# Analysisd FTS minimum string size.
analysisd.fts_min_size_for_str=14
# Analysisd Enable the firewall log (at logs/firewall/firewall.log)
# 1 to enable, 0 to disable.
analysisd.log_fw=1
# Maximum number of fields in a decoder (order tag) [32..1024]
analysisd.decoder_order_size=256
# Output GeoIP data at JSON alerts
analysisd.geoip_jsonout=0
# Maximum label cache age (margin seconds with no reloading) [0..60]
analysisd.label_cache_maxage=10
# Show hidden labels on alerts
analysisd.show_hidden_labels=0
# Maximum number of file descriptor that Analysisd can open [1024..1048576]
analysisd.rlimit_nofile=458752
# Minimum output rotate interval. This limits rotation by time and size. [10..86400]
analysisd.min_rotate_interval=600
# Number of event decoder threads
analysisd.event_threads=0
# Number of syscheck decoder threads
analysisd.syscheck_threads=0
# Number of syscollector decoder threads
analysisd.syscollector_threads=0
# Number of rootcheck decoder threads
analysisd.rootcheck_threads=0
# Number of security configuration assessment decoder threads
analysisd.sca_threads=0
# Number of hostinfo decoder threads
analysisd.hostinfo_threads=0
# Number of Windows event decoder threads
analysisd.winevt_threads=0
# Number of rule matching threads
analysisd.rule_matching_threads=0
# Number of database synchronization dispatcher threads [0..32]
analysisd.dbsync_threads=0
# Decoder event queue size
analysisd.decode_event_queue_size=16384
# Decode syscheck queue size
analysisd.decode_syscheck_queue_size=16384
# Decode syscollector queue size
analysisd.decode_syscollector_queue_size=16384
# Decode rootcheck queue size
analysisd.decode_rootcheck_queue_size=16384
# Decode security configuration assessment queue size
analysisd.decode_sca_queue_size=16384
# Decode hostinfo queue size
analysisd.decode_hostinfo_queue_size=16384
# Decode winevt queue size
analysisd.decode_winevt_queue_size=16384
# Decode Output queue
analysisd.decode_output_queue_size=16384
# Archives log queue size
analysisd.archives_queue_size=16384
# Statistical log queue size
analysisd.statistical_queue_size=16384
# Alerts log queue size
analysisd.alerts_queue_size=16384
# Firewall log queue size
analysisd.firewall_queue_size=16384
# FTS log queue size
analysisd.fts_queue_size=16384
# Database synchronization message queue size [0..2000000]
analysisd.dbsync_queue_size=16384
# Upgrade message queue size
analysisd.upgrade_queue_size=16384
# Interval for analysisd status file updating (seconds) [0..86400]
# 0 means disabled
analysisd.state_interval=5


# Logcollector file loop timeout (check every 2 seconds for file changes)
logcollector.loop_timeout=2

# Logcollector number of attempts to open a log file [2..998] (0=infinite)
logcollector.open_attempts=0

# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=0

# Logcollector - File checking interval (seconds) [0..1024]
logcollector.vcheck_files=64

# Logcollector - Maximum number of lines to read from the same file [100..1000000]
# 0. Disable line burst limitation
logcollector.max_lines=10000

# Logcollector - Maximum number of files to be monitored [1..100000]
logcollector.max_files=1000

# Time to reattempt a socket connection after a failure [1..3600]
logcollector.sock_fail_time=300

# Logcollector - Number of input threads for reading files
logcollector.input_threads=4

# Logcollector - Output queue size [128..220000]
logcollector.queue_size=1024

# Sample log length limit for errors about large message [1..4096]
logcollector.sample_log_length=64

# Maximum number of file descriptor that Logcollector can open [1024..1048576]
# This value must be higher than logcollector.max_files
logcollector.rlimit_nofile=1100

# Force file handler reloading: close and reopen monitored files
# 0: Disabled
# 1: Enabled
logcollector.force_reload=0

# File reloading interval, in seconds, if force_reload=1 [1..86400]
# This interval must be greater or equal than vcheck_files.
logcollector.reload_interval=64

# File reloading delay (between close and open), in milliseconds [0..30000]
logcollector.reload_delay=1000

# Excluded files refresh interval, in seconds [1..172800]
logcollector.exclude_files_interval=86400

# State generation updating interval, in seconds [0..3600]
# 0 means state file creation and updating is disabled
logcollector.state_interval=60

# Logbuilder IP update interval [0..3600]
logcollector.ip_update_interval=60

# Remoted counter io flush.
remoted.recv_counter_flush=128

# Remoted compression averages printout.
remoted.comp_average_printout=19999

# Verify msg id (set to 0 to disable it)
remoted.verify_msg_id=0

# Don't exit when client.keys empty
remoted.pass_empty_keyfile=1

# Number of shared file sender threads
remoted.sender_pool=8

# Limit of parallel request dispatchers [1..4096]
remoted.request_pool=1024

# Timeout to reject a new request (seconds) [1..600]
remoted.request_timeout=10

# Timeout for request responses (seconds) [1..3600]
remoted.response_timeout=60

# Retransmission timeout seconds [0..60]
remoted.request_rto_sec=1

# Retransmission timeout milliseconds [0..999]
remoted.request_rto_msec=0

# Max. number of sending attempts [1..16]
remoted.max_attempts=4

# Shared files reloading interval (sec) [1..18000]
remoted.shared_reload=10

# Maximum number of file descriptor that Remoted can open [1024..1048576]
remoted.rlimit_nofile=458752

# Maximum time waiting for a client response in TCP (seconds) [1..60]
remoted.recv_timeout=1

# Merge shared configuration to be broadcasted to agents
# 0. Disable
# 1. Enable (default)
remoted.merge_shared=1

# Store the temporary shared configuration file on disk
# 0. No, store in memory (default)
# 1. Yes, store on disk
remoted.disk_storage=0

# Keys file reloading latency (seconds) [1..3600]
remoted.keyupdate_interval=10

# Number of parallel worker threads [1..16]
remoted.worker_pool=4

# Interval for remoted status file updating (seconds) [0..86400]
# 0 means disabled
remoted.state_interval=5

# Guess the group to which the agent belongs
# 0. No, do not guess (default)
# 1. Yes, do guess
remoted.guess_agent_group=0

# Receiving chunk size for TCP. We suggest using powers of two. [1024..16384]
remoted.receive_chunk=4096

# Sending chunk size for TCP. We suggest using powers of two. [512..16384]
remoted.send_chunk=4096

# Send buffer size for queue messages to send. We suggest using powers of two. [65536..1048576]
remoted.send_buffer_size=131072

# Sleep time to retry delivery to a client in TCP (seconds) [1..60]
remoted.send_timeout_to_retry=1

# Deallocate network buffers after usage.
# 0. Do not deallocate memory.
# 1. Shrink memory to the reception chunk.
# 2. Full memory deallocation.
remoted.buffer_relax=1

# Keepalive options
# Time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes [1..7200]
remoted.tcp_keepidle=30
# The time (in seconds) between individual keepalive probes [1..100]
remoted.tcp_keepintvl=10
# Maximum number of keepalive probes TCP should send before dropping the connection [1..50]
remoted.tcp_keepcnt=3

# Save control messages queue size, in messages [1024..1048576]
remoted.control_msg_queue_size=16384

# Router forwarding - Enable or disable forwarding messages
# 0. Enabled
# 1. Disabled
remoted.router_forwarding_disabled=0

# Timeout to execute remote requests [1..3600]
execd.request_timeout=60

# Max timeout to lock the restart [0..3600]
execd.max_restart_lock=600

# Maild strict checking (0=disabled, 1=enabled)
maild.strict_checking=1

# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.grouping=1

# Maild full subject (0=disabled, 1=enabled)
maild.full_subject=0

# Maild display GeoIP data (0=disabled, 1=enabled)
maild.geoip=1


# Monitord day_wait. Amount of seconds to wait before rotating/compressing/signing [0..600]
# the files.
monitord.day_wait=10

# Monitord compress. (0=do not compress, 1=compress)
monitord.compress=1

# Monitord sign. (0=do not sign, 1=sign)
monitord.sign=1

# Monitord monitor_agents. (0=do not monitor, 1=monitor)
monitord.monitor_agents=1

# Rotate plain and JSON logs daily. (0=no, 1=yes)
monitord.rotate_log=1

# Days to keep old ossec.log files [0..500]
monitord.keep_log_days=31

# Size of internal log files to rotate them (Megabytes) [0..4096]
monitord.size_rotate=512

# Maximum number of rotations per day for internal logs [1..256]
monitord.daily_rotations=12

# Number of minutes for deleting a disconnected agent [0..9600]. (0=disabled)
monitord.delete_old_agents=0

# Syscheck perform a delay when dispatching real-time notifications so it avoids
# triggering on some temporary files like vim edits. (ms) [0..1000]
syscheck.rt_delay=5

# Maximum number of directories monitored for realtime on windows [1..1024]
syscheck.max_fd_win_rt=256

# Maximum number of directories monitored for who-data on Linux [1..4096]
syscheck.max_audit_entries=256

# Maximum level of recursivity allowed [1..320]
syscheck.default_max_depth=256

# Check interval of the symbolic links configured in the directories section [1..2592000]
syscheck.symlink_scan_interval=600

# Maximum file size for calcuting integrity hashes in MBytes [0..4095]
# A value of 0 MB means to disable this filter
syscheck.file_max_size=1024

# Rootcheck checking/usage speed. The default is to sleep 50 milliseconds
# per each PID or suspictious port.
rootcheck.sleep=50

# Time since the agent buffer is full to consider events flooding
agent.tolerance=15
# Level of occupied capacity in Agent buffer to trigger a warning message
agent.warn_level=90
# Level of occupied capacity in Agent buffer to come back to normal state
agent.normal_level=70
# Minimum events per second, configurable at XML settings [1..1000]
agent.min_eps=50
# Interval for agent status file updating (seconds) [0..86400]
# 0 means disabled
agent.state_interval=5

# Maximum time waiting for a server response in TCP (seconds) [1..600]
agent.recv_timeout=60

# Apply remote configuration
# 0. Disabled
# 1. Enabled
agent.remote_conf=1

# Database - maximum number of reconnect attempts
dbd.reconnect_attempts=10

# Wazuh modules - nice value for tasks. Lower value means higher priority
wazuh_modules.task_nice=10

# Wazuh modules - maximum number of events per second sent by each module [1..1000]
wazuh_modules.max_eps=100

# Wazuh modules - time for a process to quit before killing it [0..3600]
# 0: Kill immediately
wazuh_modules.kill_timeout=10

# Maximum number of file descriptor that Wazuh modules can open [1024..1048576]
wazuh_modules.rlimit_nofile=8192

# Wazuh database module settings

# Synchronize agent database with client.keys
wazuh_database.sync_agents=1

# Sync data in real time (supported on Linux only)
# 0. Disabled
# 1. Enabled (default)
wazuh_database.real_time=1

# Time interval between cycles (used only if real time disabled)
# Default: 60 seconds (1 minute). Max: 86400 seconds (1 day)
wazuh_database.interval=60

# Maximum queued events (for inotify)
# 0. Use system default
wazuh_database.max_queued_events=0

# Enable download module
# 0. Disabled
# 1. Enabled (default)
wazuh_download.enabled=1

# Number of worker threads (1..32)
wazuh_db.worker_pool_size=8

# Minimum time margin before committing (1..3600)
wazuh_db.commit_time_min=10

# Maximum time margin before committing (1..3600)
wazuh_db.commit_time_max=60

# Number of allowed open databases before closing (1..4096)
wazuh_db.open_db_limit=64

# Maximum number of file descriptor that WazuhDB can open [1024..1048576]
wazuh_db.rlimit_nofile=458752

# Indicates the max fragmentation allowed.
# [0..100]
wazuh_db.max_fragmentation=90

# Indicates the allowed fragmentation threshold.
# [0..100]
wazuh_db.fragmentation_threshold=75

# Indicates the allowed fragmentation difference between the last time the vacuum was performed and the current measurement.
# [0..100]
wazuh_db.fragmentation_delta=5

# Indicates the minimum percentage of free pages present in a database that can trigger a vacuum. [0..99]
wazuh_db.free_pages_percentage=0

# Interval for database fragmentation check, in seconds [1..30758400]
wazuh_db.check_fragmentation_interval=7200

# Wazuh Command Module - If it should accept remote commands from the manager
wazuh_command.remote_commands=0

# Wazuh default stack size for child threads in KiB (2048..65536)
wazuh.thread_stack_size=8192

# Security Configuration Assessment DB request interval in minutes [0..60]
# This option sets the maximum waiting time to resend a scan when the DB integrity check fails
sca.request_db_interval=5

# Enable it to accept execute commands from SCA policies pushed from the manager in the shared configuration
# Local policies ignore this option
sca.remote_commands=0

# Default timeout for executed commands during a SCA scan in seconds [1..300]
sca.commands_timeout=30

# Network timeout for Authd clients
auth.timeout_seconds=1
auth.timeout_microseconds=0

# Vulnerability detector LRUs size
vulnerability-detection.translation_lru_size=2048
vulnerability-detection.osdata_lru_size=1000
vulnerability-detection.remediation_lru_size=2048

# Vulnerability detector - Enable or disable the scan manager
# 0. Enabled
# 1. Disabled
vulnerability-detection.disable_scan_manager=1

# Vulnerability detector - report queue size [0..2147483647]
# Unlimited = 0, Limited > 0
vulnerability-detection.report_queue_size=262144

# Debug options.
# Debug 0 -> no debug
# Debug 1 -> first level of debug
# Debug 2 -> full debugging

# Windows debug (used by the Windows agent)
windows.debug=0

# Syscheck (local, server and Unix agent)
syscheck.debug=0

# Remoted (server debug)
remoted.debug=0

# Analysisd (server or local)
analysisd.debug=0

# Auth daemon debug (server)
authd.debug=0

# Exec daemon debug (server, local or Unix agent)
execd.debug=0

# Monitor daemon debug (server, local or Unix agent)
monitord.debug=0

# Log collector (server, local or Unix agent)
logcollector.debug=0

# Integrator daemon debug (server, local or Unix agent)
integrator.debug=0

# Unix agentd
agent.debug=0

# Wazuh DB debug level
wazuh_db.debug=0

wazuh_modules.debug=0

# Wazuh Cluster debug level
wazuh_clusterd.debug=0

# EOF