# internal_options.conf, Daniel B. Cid (dcid @ ossec.net).
#
# DO NOT TOUCH THIS FILE. The default configuration
# is at ossec.conf. More information at:
# https://documentation.wazuh.com
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of ossec. Only change it if you know what you
# are doing. Again, look first at ossec.conf
# for most of the things you want to change.
# Some options below are security controls rather than tuning knobs
# (the *.remote_commands flags, agent.remote_conf, monitord.sign):
# treat any change to them as a policy decision and review it as such.
# Analysisd default rule timeframe.
analysisd.default_timeframe=360
# Analysisd stats maximum diff.
analysisd.stats_maxdiff=999000
# Analysisd stats minimum diff.
analysisd.stats_mindiff=1250
# Analysisd stats percentage (how much to differ from average)
analysisd.stats_percent_diff=150
# Analysisd FTS list size.
analysisd.fts_list_size=32
# Analysisd FTS minimum string size.
analysisd.fts_min_size_for_str=14
# Analysisd Enable the firewall log (at logs/firewall/firewall.log)
# 1 to enable, 0 to disable.
analysisd.log_fw=1
# Maximum number of fields in a decoder (order tag) [32..1024]
analysisd.decoder_order_size=256
# Output GeoIP data at JSON alerts
analysisd.geoip_jsonout=0
# Maximum label cache age (margin seconds with no reloading) [0..60]
analysisd.label_cache_maxage=10
# Show hidden labels on alerts
# 0 (default) keeps hidden labels out of the alert output; enable only if
# every consumer of the alerts is allowed to see them.
analysisd.show_hidden_labels=0
# Maximum number of file descriptor that Analysisd can open [1024..1048576]
analysisd.rlimit_nofile=458752
# Minimum output rotate interval. This limits rotation by time and size. [10..86400]
analysisd.min_rotate_interval=600
# Number of event decoder threads
analysisd.event_threads=0
# Number of syscheck decoder threads
analysisd.syscheck_threads=0
# Number of syscollector decoder threads
analysisd.syscollector_threads=0
# Number of rootcheck decoder threads
analysisd.rootcheck_threads=0
# Number of security configuration assessment decoder threads
analysisd.sca_threads=0
# Number of hostinfo decoder threads
analysisd.hostinfo_threads=0
# Number of Windows event decoder threads
analysisd.winevt_threads=0
# Number of rule matching threads
analysisd.rule_matching_threads=0
# Number of database synchronization dispatcher threads [0..32]
analysisd.dbsync_threads=0
# Decoder event queue size
analysisd.decode_event_queue_size=16384
# Decode syscheck queue size
analysisd.decode_syscheck_queue_size=16384
# Decode syscollector queue size
analysisd.decode_syscollector_queue_size=16384
# Decode rootcheck queue size
analysisd.decode_rootcheck_queue_size=16384
# Decode security configuration assessment queue size
analysisd.decode_sca_queue_size=16384
# Decode hostinfo queue size
analysisd.decode_hostinfo_queue_size=16384
# Decode winevt queue size
analysisd.decode_winevt_queue_size=16384
# Decode Output queue
analysisd.decode_output_queue_size=16384
# Archives log queue size
analysisd.archives_queue_size=16384
# Statistical log queue size
analysisd.statistical_queue_size=16384
# Alerts log queue size
analysisd.alerts_queue_size=16384
# Firewall log queue size
analysisd.firewall_queue_size=16384
# FTS log queue size
analysisd.fts_queue_size=16384
# Database synchronization message queue size [0..2000000]
analysisd.dbsync_queue_size=16384
# Upgrade message queue size
analysisd.upgrade_queue_size=16384
# Interval for analysisd status file updating (seconds) [0..86400]
# 0 means disabled
analysisd.state_interval=5
# Logcollector file loop timeout (check every 2 seconds for file changes)
logcollector.loop_timeout=2
# Logcollector number of attempts to open a log file [2..998] (0=infinite)
logcollector.open_attempts=0
# Logcollector - If it should accept remote commands from the manager
# 0 (default) rejects them. Enabling this allows commands received from the
# manager to run on this host, so a compromised manager could execute code on
# every agent that sets it; leave it at 0 unless that trust is intended.
logcollector.remote_commands=0
# Logcollector - File checking interval (seconds) [0..1024]
logcollector.vcheck_files=64
# Logcollector - Maximum number of lines to read from the same file [100..1000000]
# 0. Disable line burst limitation
logcollector.max_lines=10000
# Logcollector - Maximum number of files to be monitored [1..100000]
logcollector.max_files=1000
# Time to reattempt a socket connection after a failure [1..3600]
logcollector.sock_fail_time=300
# Logcollector - Number of input threads for reading files
logcollector.input_threads=4
# Logcollector - Output queue size [128..220000]
logcollector.queue_size=1024
# Sample log length limit for errors about large message [1..4096]
logcollector.sample_log_length=64
# Maximum number of file descriptor that Logcollector can open [1024..1048576]
# This value must be higher than logcollector.max_files
logcollector.rlimit_nofile=1100
# Force file handler reloading: close and reopen monitored files
# 0: Disabled
# 1: Enabled
logcollector.force_reload=0
# File reloading interval, in seconds, if force_reload=1 [1..86400]
# This interval must be greater than or equal to vcheck_files.
logcollector.reload_interval=64
# File reloading delay (between close and open), in milliseconds [0..30000]
logcollector.reload_delay=1000
# Excluded files refresh interval, in seconds [1..172800]
logcollector.exclude_files_interval=86400
# State generation updating interval, in seconds [0..3600]
# 0 means state file creation and updating is disabled
logcollector.state_interval=60
# Logbuilder IP update interval [0..3600]
logcollector.ip_update_interval=60
# Remoted counter io flush.
remoted.recv_counter_flush=128
# Remoted compression averages printout.
remoted.comp_average_printout=19999
# Verify msg id (set to 0 to disable it)
# Disabled by default. When enabled, remoted checks the message identifier of
# agent messages. NOTE(review): whether this rejects replayed or out-of-order
# messages is not stated here - confirm in the remoted source before relying
# on it as a replay control.
remoted.verify_msg_id=0
# Don't exit when client.keys empty
remoted.pass_empty_keyfile=1
# Number of shared file sender threads
remoted.sender_pool=8
# Limit of parallel request dispatchers [1..4096]
remoted.request_pool=1024
# Timeout to reject a new request (seconds) [1..600]
remoted.request_timeout=10
# Timeout for request responses (seconds) [1..3600]
remoted.response_timeout=60
# Retransmission timeout seconds [0..60]
remoted.request_rto_sec=1
# Retransmission timeout milliseconds [0..999]
remoted.request_rto_msec=0
# Max. number of sending attempts [1..16]
remoted.max_attempts=4
# Shared files reloading interval (sec) [1..18000]
remoted.shared_reload=10
# Maximum number of file descriptor that Remoted can open [1024..1048576]
remoted.rlimit_nofile=458752
# Maximum time waiting for a client response in TCP (seconds) [1..60]
remoted.recv_timeout=1
# Merge shared configuration to be broadcasted to agents
# 0. Disable
# 1. Enable (default)
remoted.merge_shared=1
# Store the temporary shared configuration file on disk
# 0. No, store in memory (default)
# 1. Yes, store on disk
# With 1 the merged configuration is written to disk; make sure the directory
# it is written to is not readable by unprivileged local users.
remoted.disk_storage=0
# Keys file reloading latency (seconds) [1..3600]
remoted.keyupdate_interval=10
# Number of parallel worker threads [1..16]
remoted.worker_pool=4
# Interval for remoted status file updating (seconds) [0..86400]
# 0 means disabled
remoted.state_interval=5
# Guess the group to which the agent belongs
# 0. No, do not guess (default)
# 1. Yes, do guess
# NOTE(review): group membership appears to select the shared configuration an
# agent receives; if so, a guessed assignment is effectively an access
# decision, so leave this at 0 unless that is acceptable - confirm.
remoted.guess_agent_group=0
# Receiving chunk size for TCP. We suggest using powers of two. [1024..16384]
remoted.receive_chunk=4096
# Sending chunk size for TCP. We suggest using powers of two. [512..16384]
remoted.send_chunk=4096
# Send buffer size for queue messages to send. We suggest using powers of two. [65536..1048576]
remoted.send_buffer_size=131072
# Sleep time to retry delivery to a client in TCP (seconds) [1..60]
remoted.send_timeout_to_retry=1
# Deallocate network buffers after usage.
# 0. Do not deallocate memory.
# 1. Shrink memory to the reception chunk.
# 2. Full memory deallocation.
remoted.buffer_relax=1
# Keepalive options
# Time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes [1..7200]
remoted.tcp_keepidle=30
# The time (in seconds) between individual keepalive probes [1..100]
remoted.tcp_keepintvl=10
# Maximum number of keepalive probes TCP should send before dropping the connection [1..50]
remoted.tcp_keepcnt=3
# Save control messages queue size, in messages [1024..1048576]
remoted.control_msg_queue_size=16384
# Router forwarding - Enable or disable forwarding messages
# 0. Enabled
# 1. Disabled
remoted.router_forwarding_disabled=0
# Timeout to execute remote requests [1..3600]
execd.request_timeout=60
# Max timeout to lock the restart [0..3600]
execd.max_restart_lock=600
# Maild strict checking (0=disabled, 1=enabled)
maild.strict_checking=1
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.grouping=1
# Maild full subject (0=disabled, 1=enabled)
maild.full_subject=0
# Maild display GeoIP data (0=disabled, 1=enabled)
maild.geoip=1
# Monitord day_wait. Amount of seconds to wait before rotating/compressing/signing [0..600]
# the files.
monitord.day_wait=10
# Monitord compress. (0=do not compress, 1=compress)
monitord.compress=1
# Monitord sign. (0=do not sign, 1=sign)
# Signing happens at rotation (see day_wait above); keep it at 1 so rotated
# logs carry an integrity signature that later tampering can be checked against.
monitord.sign=1
# Monitord monitor_agents. (0=do not monitor, 1=monitor)
monitord.monitor_agents=1
# Rotate plain and JSON logs daily. (0=no, 1=yes)
monitord.rotate_log=1
# Days to keep old ossec.log files [0..500]
monitord.keep_log_days=31
# Size of internal log files to rotate them (Megabytes) [0..4096]
monitord.size_rotate=512
# Maximum number of rotations per day for internal logs [1..256]
monitord.daily_rotations=12
# Number of minutes for deleting a disconnected agent [0..9600]. (0=disabled)
monitord.delete_old_agents=0
# Syscheck perform a delay when dispatching real-time notifications so it avoids
# triggering on some temporary files like vim edits. (ms) [0..1000]
syscheck.rt_delay=5
# Maximum number of directories monitored for realtime on windows [1..1024]
syscheck.max_fd_win_rt=256
# Maximum number of directories monitored for who-data on Linux [1..4096]
syscheck.max_audit_entries=256
# Maximum recursion depth allowed [1..320]
syscheck.default_max_depth=256
# Check interval of the symbolic links configured in the directories section [1..2592000]
syscheck.symlink_scan_interval=600
# Maximum file size for calculating integrity hashes in MBytes [0..4095]
# A value of 0 MB means to disable this filter
syscheck.file_max_size=1024
# Rootcheck checking/usage speed. The default is to sleep 50 milliseconds
# per each PID or suspicious port.
rootcheck.sleep=50
# Time since the agent buffer is full to consider events flooding
agent.tolerance=15
# Level of occupied capacity in Agent buffer to trigger a warning message
agent.warn_level=90
# Level of occupied capacity in Agent buffer to come back to normal state
agent.normal_level=70
# Minimum events per second, configurable at XML settings [1..1000]
agent.min_eps=50
# Interval for agent status file updating (seconds) [0..86400]
# 0 means disabled
agent.state_interval=5
# Maximum time waiting for a server response in TCP (seconds) [1..600]
agent.recv_timeout=60
# Apply remote configuration
# 0. Disabled
# 1. Enabled
# With 1 the agent applies configuration received from the manager. The
# *.remote_commands options in this file separately control whether such
# configuration may include commands to execute on the agent.
agent.remote_conf=1
# Database - maximum number of reconnect attempts
dbd.reconnect_attempts=10
# Wazuh modules - nice value for tasks. Lower value means higher priority
wazuh_modules.task_nice=10
# Wazuh modules - maximum number of events per second sent by each module [1..1000]
wazuh_modules.max_eps=100
# Wazuh modules - time for a process to quit before killing it [0..3600]
# 0: Kill immediately
wazuh_modules.kill_timeout=10
# Maximum number of file descriptor that Wazuh modules can open [1024..1048576]
wazuh_modules.rlimit_nofile=8192
# Wazuh database module settings
# Synchronize agent database with client.keys
wazuh_database.sync_agents=1
# Sync data in real time (supported on Linux only)
# 0. Disabled
# 1. Enabled (default)
wazuh_database.real_time=1
# Time interval between cycles (used only if real time disabled)
# Default: 60 seconds (1 minute). Max: 86400 seconds (1 day)
wazuh_database.interval=60
# Maximum queued events (for inotify)
# 0. Use system default
wazuh_database.max_queued_events=0
# Enable download module
# 0. Disabled
# 1. Enabled (default)
wazuh_download.enabled=1
# Number of worker threads (1..32)
wazuh_db.worker_pool_size=8
# Minimum time margin before committing (1..3600)
wazuh_db.commit_time_min=10
# Maximum time margin before committing (1..3600)
wazuh_db.commit_time_max=60
# Number of allowed open databases before closing (1..4096)
wazuh_db.open_db_limit=64
# Maximum number of file descriptor that WazuhDB can open [1024..1048576]
wazuh_db.rlimit_nofile=458752
# Indicates the max fragmentation allowed.
# [0..100]
wazuh_db.max_fragmentation=90
# Indicates the allowed fragmentation threshold.
# [0..100]
wazuh_db.fragmentation_threshold=75
# Indicates the allowed fragmentation difference between the last time the vacuum was performed and the current measurement.
# [0..100]
wazuh_db.fragmentation_delta=5
# Indicates the minimum percentage of free pages present in a database that can trigger a vacuum. [0..99]
wazuh_db.free_pages_percentage=0
# Interval for database fragmentation check, in seconds [1..30758400]
wazuh_db.check_fragmentation_interval=7200
# Wazuh Command Module - If it should accept remote commands from the manager
# 0 (default) rejects them. Enabling this lets a compromised manager run
# commands on every agent that sets it; keep it at 0 unless that is intended.
wazuh_command.remote_commands=0
# Wazuh default stack size for child threads in KiB (2048..65536)
wazuh.thread_stack_size=8192
# Security Configuration Assessment DB request interval in minutes [0..60]
# This option sets the maximum waiting time to resend a scan when the DB integrity check fails
sca.request_db_interval=5
# Enable it to accept execute commands from SCA policies pushed from the manager in the shared configuration
# Local policies ignore this option
# 0 (default) rejects such commands; with 1, whoever controls the shared
# configuration on the manager can run commands on this host during SCA scans.
sca.remote_commands=0
# Default timeout for executed commands during a SCA scan in seconds [1..300]
sca.commands_timeout=30
# Network timeout for Authd clients
auth.timeout_seconds=1
auth.timeout_microseconds=0
# Vulnerability detector LRUs size
vulnerability-detection.translation_lru_size=2048
vulnerability-detection.osdata_lru_size=1000
vulnerability-detection.remediation_lru_size=2048
# Vulnerability detector - Enable or disable the scan manager
# 0. Enabled
# 1. Disabled
vulnerability-detection.disable_scan_manager=1
# Vulnerability detector - report queue size [0..2147483647]
# Unlimited = 0, Limited > 0
vulnerability-detection.report_queue_size=262144
# Debug options.
# Debug 0 -> no debug
# Debug 1 -> first level of debug
# Debug 2 -> full debugging
# Higher levels are for troubleshooting only: they increase log volume and
# may record message contents, so restrict access to the debug output and
# set the level back to 0 when finished.
# Windows debug (used by the Windows agent)
windows.debug=0
# Syscheck (local, server and Unix agent)
syscheck.debug=0
# Remoted (server debug)
remoted.debug=0
# Analysisd (server or local)
analysisd.debug=0
# Auth daemon debug (server)
authd.debug=0
# Exec daemon debug (server, local or Unix agent)
execd.debug=0
# Monitor daemon debug (server, local or Unix agent)
monitord.debug=0
# Log collector (server, local or Unix agent)
logcollector.debug=0
# Integrator daemon debug (server, local or Unix agent)
integrator.debug=0
# Unix agentd
agent.debug=0
# Wazuh DB debug level
wazuh_db.debug=0
wazuh_modules.debug=0
# Wazuh Cluster debug level
wazuh_clusterd.debug=0
# EOF