rotation alerts


WiFi

to Wazuh | Mailing List
I need to configure log rotation so that when the alerts.json and alerts.log files reach a size of 20GB, they are immediately archived. I have configured some values, and the files are being moved, but they are not being compressed.
OSSEC.CONF
 <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <rotate_interval>1h</rotate_interval>
    <max_output_size>20G</max_output_size>
     <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>......</smtp_server>
    <email_from> ......  </email_from>
    <email_to> ......  </email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>


# internal_options.conf, Daniel B. Cid (dcid @ ossec.net).
#
# DO NOT TOUCH THIS FILE. The default configuration
# is at ossec.conf. More information at:
# https://documentation.wazuh.com
#
# This file should be handled with care. It contains
# runtime modifications that can affect the operation
# of ossec. Only change it if you know what you
# are doing. Again, look first at ossec.conf
# for most of the things you want to change.


# Analysisd default rule timeframe.
analysisd.default_timeframe=360
# Analysisd stats maximum diff.
analysisd.stats_maxdiff=999000
# Analysisd stats minimum diff.
analysisd.stats_mindiff=1250
# Analysisd stats percentage (how much to differ from average)
analysisd.stats_percent_diff=150
# Analysisd FTS list size.
analysisd.fts_list_size=32
# Analysisd FTS minimum string size.
analysisd.fts_min_size_for_str=14
# Analysisd Enable the firewall log (at logs/firewall/firewall.log)
# 1 to enable, 0 to disable.
analysisd.log_fw=1
# Maximum number of fields in a decoder (order tag) [32..1024]
analysisd.decoder_order_size=256
# Output GeoIP data at JSON alerts
analysisd.geoip_jsonout=0
# Maximum label cache age (margin seconds with no reloading) [0..60]
analysisd.label_cache_maxage=10
# Show hidden labels on alerts
analysisd.show_hidden_labels=0
# Maximum number of file descriptors that Analysisd can open [1024..1048576]
analysisd.rlimit_nofile=458752
# Minimum output rotate interval. This limits rotation by time and size. [10..86400]
analysisd.min_rotate_interval=10
# Number of event decoder threads
analysisd.event_threads=0
# Number of syscheck decoder threads
analysisd.syscheck_threads=0
# Number of syscollector decoder threads
analysisd.syscollector_threads=0
# Number of rootcheck decoder threads
analysisd.rootcheck_threads=0
# Number of security configuration assessment decoder threads
analysisd.sca_threads=0
# Number of hostinfo decoder threads
analysisd.hostinfo_threads=0
# Number of Windows event decoder threads
analysisd.winevt_threads=0
# Number of rule matching threads
analysisd.rule_matching_threads=0
# Number of database synchronization dispatcher threads [0..32]
analysisd.dbsync_threads=0
# Decoder event queue size
analysisd.decode_event_queue_size=16384
# Decode syscheck queue size
analysisd.decode_syscheck_queue_size=16384
# Decode syscollector queue size
analysisd.decode_syscollector_queue_size=16384
# Decode rootcheck queue size
analysisd.decode_rootcheck_queue_size=16384
# Decode security configuration assessment queue size
analysisd.decode_sca_queue_size=16384
# Decode hostinfo queue size
analysisd.decode_hostinfo_queue_size=16384
# Decode winevt queue size
analysisd.decode_winevt_queue_size=16384
# Decode Output queue
analysisd.decode_output_queue_size=16384
# Archives log queue size
analysisd.archives_queue_size=16384
# Statistical log queue size
analysisd.statistical_queue_size=16384
# Alerts log queue size
analysisd.alerts_queue_size=16384
# Firewall log queue size
analysisd.firewall_queue_size=16384
# FTS log queue size
analysisd.fts_queue_size=16384
# Database synchronization message queue size [0..2000000]
analysisd.dbsync_queue_size=16384
# Upgrade message queue size
analysisd.upgrade_queue_size=16384
# Interval for analysisd status file updating (seconds) [0..86400]
# 0 means disabled
analysisd.state_interval=5


# Logcollector file loop timeout (check every 2 seconds for file changes)
logcollector.loop_timeout=2

# Logcollector number of attempts to open a log file [2..998] (0=infinite)
logcollector.open_attempts=0

# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=0

# Logcollector - File checking interval (seconds) [0..1024]
logcollector.vcheck_files=64

# Logcollector - Maximum number of lines to read from the same file [100..1000000]
# 0. Disable line burst limitation
logcollector.max_lines=10000

# Logcollector - Maximum number of files to be monitored [1..100000]
logcollector.max_files=1000

# Time to reattempt a socket connection after a failure [1..3600]
logcollector.sock_fail_time=300

# Logcollector - Number of input threads for reading files
logcollector.input_threads=4

# Logcollector - Output queue size [128..220000]
logcollector.queue_size=1024

# Sample log length limit for errors about large message [1..4096]
logcollector.sample_log_length=64

# Maximum number of file descriptors that Logcollector can open [1024..1048576]
# This value must be higher than logcollector.max_files
logcollector.rlimit_nofile=1100

# Force file handler reloading: close and reopen monitored files
# 0: Disabled
# 1: Enabled
logcollector.force_reload=0

# File reloading interval, in seconds, if force_reload=1 [1..86400]
# This interval must be greater than or equal to vcheck_files.
logcollector.reload_interval=64

# File reloading delay (between close and open), in milliseconds [0..30000]
logcollector.reload_delay=1000

# Excluded files refresh interval, in seconds [1..172800]
logcollector.exclude_files_interval=86400

# State generation updating interval, in seconds [0..3600]
# 0 means state file creation and updating is disabled
logcollector.state_interval=60

# Logbuilder IP update interval [0..3600]
logcollector.ip_update_interval=60

# Remoted counter io flush.
remoted.recv_counter_flush=128

# Remoted compression averages printout.
remoted.comp_average_printout=19999

# Verify msg id (set to 0 to disable it)
remoted.verify_msg_id=0

# Don't exit when client.keys empty
remoted.pass_empty_keyfile=1

# Number of shared file sender threads
remoted.sender_pool=8

# Limit of parallel request dispatchers [1..4096]
remoted.request_pool=1024

# Timeout to reject a new request (seconds) [1..600]
remoted.request_timeout=10

# Timeout for request responses (seconds) [1..3600]
remoted.response_timeout=60

# Retransmission timeout seconds [0..60]
remoted.request_rto_sec=1

# Retransmission timeout milliseconds [0..999]
remoted.request_rto_msec=0

# Max. number of sending attempts [1..16]
remoted.max_attempts=4

# Shared files reloading interval (sec) [1..18000]
remoted.shared_reload=10

# Maximum number of file descriptors that Remoted can open [1024..1048576]
remoted.rlimit_nofile=458752

# Maximum time waiting for a client response in TCP (seconds) [1..60]
remoted.recv_timeout=1

# Merge shared configuration to be broadcasted to agents
# 0. Disable
# 1. Enable (default)
remoted.merge_shared=1

# Store the temporary shared configuration file on disk
# 0. No, store in memory (default)
# 1. Yes, store on disk
remoted.disk_storage=0

# Keys file reloading latency (seconds) [1..3600]
remoted.keyupdate_interval=10

# Number of parallel worker threads [1..16]
remoted.worker_pool=4

# Interval for remoted status file updating (seconds) [0..86400]
# 0 means disabled
remoted.state_interval=5

# Guess the group to which the agent belongs
# 0. No, do not guess (default)
# 1. Yes, do guess
remoted.guess_agent_group=0

# Receiving chunk size for TCP. We suggest using powers of two. [1024..16384]
remoted.receive_chunk=4096

# Sending chunk size for TCP. We suggest using powers of two. [512..16384]
remoted.send_chunk=4096

# Send buffer size for queue messages to send. We suggest using powers of two. [65536..1048576]
remoted.send_buffer_size=131072

# Sleep time to retry delivery to a client in TCP (seconds) [1..60]
remoted.send_timeout_to_retry=1

# Deallocate network buffers after usage.
# 0. Do not deallocate memory.
# 1. Shrink memory to the reception chunk.
# 2. Full memory deallocation.
remoted.buffer_relax=1

# Keepalive options
# Time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes [1..7200]
remoted.tcp_keepidle=30
# The time (in seconds) between individual keepalive probes [1..100]
remoted.tcp_keepintvl=10
# Maximum number of keepalive probes TCP should send before dropping the connection [1..50]
remoted.tcp_keepcnt=3

# Timeout to execute remote requests [1..3600]
execd.request_timeout=60

# Max timeout to lock the restart [0..3600]
execd.max_restart_lock=600

# Maild strict checking (0=disabled, 1=enabled)
maild.strict_checking=1

# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.grouping=1

# Maild full subject (0=disabled, 1=enabled)
maild.full_subject=0

# Maild display GeoIP data (0=disabled, 1=enabled)
maild.geoip=1


# Monitord day_wait. Number of seconds to wait before rotating/compressing/signing
# the files [0..600].
monitord.day_wait=10

# Monitord compress. (0=do not compress, 1=compress)
monitord.compress=1

# Monitord sign. (0=do not sign, 1=sign)
monitord.sign=1

# Monitord monitor_agents. (0=do not monitor, 1=monitor)
monitord.monitor_agents=1

# Rotate plain and JSON logs daily. (0=no, 1=yes)
monitord.rotate_log=1

# Days to keep old ossec.log files [0..500]
monitord.keep_log_days=31

# Size of internal log files to rotate them (Megabytes) [0..4096]
monitord.size_rotate=1

# Maximum number of rotations per day for internal logs [1..256]
monitord.daily_rotations=256

# Number of minutes for deleting a disconnected agent [0..9600]. (0=disabled)
monitord.delete_old_agents=0

# Syscheck perform a delay when dispatching real-time notifications so it avoids
# triggering on some temporary files like vim edits. (ms) [0..1000]
syscheck.rt_delay=5

# Maximum number of directories monitored for realtime on windows [1..1024]
syscheck.max_fd_win_rt=256

# Maximum number of directories monitored for who-data on Linux [1..4096]
syscheck.max_audit_entries=256

# Maximum recursion depth allowed [1..320]
syscheck.default_max_depth=256

# Check interval of the symbolic links configured in the directories section [1..2592000]
syscheck.symlink_scan_interval=600

# Maximum file size for calculating integrity hashes, in MBytes [0..4095]
# A value of 0 MB disables this filter
syscheck.file_max_size=1024

# Rootcheck checking/usage speed. The default is to sleep 50 milliseconds
# for each PID or suspicious port.
rootcheck.sleep=50

# Time since the agent buffer is full to consider events flooding
agent.tolerance=15
# Level of occupied capacity in Agent buffer to trigger a warning message
agent.warn_level=90
# Level of occupied capacity in Agent buffer to come back to normal state
agent.normal_level=70
# Minimum events per second, configurable at XML settings [1..1000]
agent.min_eps=50
# Interval for agent status file updating (seconds) [0..86400]
# 0 means disabled
agent.state_interval=5

# Maximum time waiting for a server response in TCP (seconds) [1..600]
agent.recv_timeout=60

# Apply remote configuration
# 0. Disabled
# 1. Enabled
agent.remote_conf=1

# Database - maximum number of reconnect attempts
dbd.reconnect_attempts=10

# Wazuh modules - nice value for tasks. Lower value means higher priority
wazuh_modules.task_nice=10

# Wazuh modules - maximum number of events per second sent by each module [1..1000]
wazuh_modules.max_eps=100

# Wazuh modules - time for a process to quit before killing it [0..3600]
# 0: Kill immediately
wazuh_modules.kill_timeout=10

# Wazuh database module settings

# Synchronize agent database with client.keys
wazuh_database.sync_agents=1

# Sync data in real time (supported on Linux only)
# 0. Disabled
# 1. Enabled (default)
wazuh_database.real_time=1

# Time interval between cycles (used only if real time disabled)
# Default: 60 seconds (1 minute). Max: 86400 seconds (1 day)
wazuh_database.interval=60

# Maximum queued events (for inotify)
# 0. Use system default
wazuh_database.max_queued_events=0

# Enable download module
# 0. Disabled
# 1. Enabled (default)
wazuh_download.enabled=1

# Number of worker threads (1..32)
wazuh_db.worker_pool_size=8

# Minimum time margin before committing (1..3600)
wazuh_db.commit_time_min=10

# Maximum time margin before committing (1..3600)
wazuh_db.commit_time_max=60

# Number of allowed open databases before closing (1..4096)
wazuh_db.open_db_limit=64

# Maximum number of file descriptors that WazuhDB can open [1024..1048576]
wazuh_db.rlimit_nofile=458752

# Indicates the max fragmentation allowed.
# [0..100]
wazuh_db.max_fragmentation=90

# Indicates the allowed fragmentation threshold.
# [0..100]
wazuh_db.fragmentation_threshold=75

# Indicates the allowed fragmentation difference between the last time the vacuum was performed and the current measurement.
# [0..100]
wazuh_db.fragmentation_delta=5

# Indicates the minimum percentage of free pages present in a database that can trigger a vacuum. [0..99]
wazuh_db.free_pages_percentage=0

# Interval for database fragmentation check, in seconds [1..30758400]
wazuh_db.check_fragmentation_interval=7200

# Wazuh Command Module - If it should accept remote commands from the manager
wazuh_command.remote_commands=0

# Wazuh default stack size for child threads in KiB (2048..65536)
wazuh.thread_stack_size=8192

# Security Configuration Assessment DB request interval in minutes [0..60]
# This option sets the maximum waiting time to resend a scan when the DB integrity check fails
sca.request_db_interval=5

# Enable it to accept execute commands from SCA policies pushed from the manager in the shared configuration
# Local policies ignore this option
sca.remote_commands=0

# Default timeout for executed commands during a SCA scan in seconds [1..300]
sca.commands_timeout=30

# Network timeout for Authd clients
auth.timeout_seconds=1
auth.timeout_microseconds=0

# Vulnerability detector LRUs size
vulnerability-detection.translation_lru_size=2048
vulnerability-detection.osdata_lru_size=1000
vulnerability-detection.remediation_lru_size=2048

# Vulnerability detector - Enable or disable the scan manager
# 0. Enabled
# 1. Disabled
vulnerability-detection.disable_scan_manager=1

# Debug options.
# Debug 0 -> no debug
# Debug 1 -> first level of debug
# Debug 2 -> full debugging

# Windows debug (used by the Windows agent)
windows.debug=0

# Syscheck (local, server and Unix agent)
syscheck.debug=0

# Remoted (server debug)
remoted.debug=0

# Analysisd (server or local)
analysisd.debug=0

# Auth daemon debug (server)
authd.debug=0

# Exec daemon debug (server, local or Unix agent)
execd.debug=0

# Monitor daemon debug (server, local or Unix agent)
monitord.debug=0

# Log collector (server, local or Unix agent)
logcollector.debug=0

# Integrator daemon debug (server, local or Unix agent)
integrator.debug=0

# Unix agentd
agent.debug=0

# Wazuh DB debug level
wazuh_db.debug=0

wazuh_modules.debug=0

# Wazuh Cluster debug level
wazuh_clusterd.debug=0

# EOF



