ossec.conf

The configuration for OSSEC is mostly held in ossec.conf. It is written in loose XML, and consists of a number of sections.

global

The <global> section is valid on Server and Local installations only.

email_notification

enable or disable email alerting.

Default: no

Allowed: yes/no

Enable email_notification

<email_notification>yes</email_notification>

Disable email_notification

<email_notification>no</email_notification>

email_to

Email address alerts are sent to.

Allowed: Any valid email address.

Set an email address

<email_to>security@example.com</email_to>

email_from

Email address the alert emails will come from.

Allowed: Any valid email address.

Set an email address

<email_from>ossec@example.com</email_from>

reply_to

New in version 3.0.

Email “Reply-to” for alert emails.

Allowed: Any valid email address.

Set an email address

<reply_to>team@example.com</reply_to>

smtp_server

Hostname or IP address alert emails will be sent to.

Allowed: IP address or hostname of an smtp server.

Set the SMTP server to an IP address

<smtp_server>10.0.0.25</smtp_server>

Set the SMTP server to a hostname

<smtp_server>mail.example.com</smtp_server>

email_maxperhour

The maximum number of emails that can be sent per hour. Emails in excess of this will be queued for later distribution.

Default: 12

Allowed: 1-9999

Note

At the end of the hour any queued emails will be sent together. This is true whether email grouping is enabled or disabled.

Set the maximum numer of emails per hour

<email_maxperhour>700</email_maxperhour>

custom_alert_output

Specifies a custom format for alerts written to the alerts.log file.

Variables:
"$TIMESTAMP"    -       The time the event was processed by OSSEC.
"$FTELL"        -       Unknown
"$RULEALERT"    -       Unknown
"$HOSTNAME"     -       Hostname of the system generating the event.
"$LOCATION"     -       The file the log messages was saved to.
"$RULEID"       -       The rule id of the alert.
"$RULELEVEL"    -       The rule level of the alert.
"$RULECOMMENT"  -       Unknown
"$SRCIP"        -       The source IP specified in the log message.
"$DSTUSER"      -       The destination user specified in the log message.
"$FULLLOG"      -       The original log message.
"$RULEGROUP"    -       The groups containing the rule.

Note

Some OSSEC daemons rely on the standard alerts log format to function properly. Using a custom log format may prevent ossec-maild or others from working.

stats

Alerting level for the events generated by the statistical analysis.

Default: 8

Allowed: Any level from 0-16

Note

XXX I actually have no idea what this does, and the description makes no sense.

logall

If enabled, ossec-analysisd will log all messages it receives to the archives.log file. The log messages will be prefixed with OSSEC meta-data before being written.

Default: no

Allowed: yes/no

Turn on the logall option

<logall>yes</logall>

memory_size

Sets the memory size for event correlation.

Default: 1024

Allowed: Any size from 16 to 5096

Note

XXX Here is another one I don’t understand.

allow_list

List of IP addresses that should never be blocked by active response. One host should be specified per instance of allow_list. Multiple allow_list options can be specified.

Allowed: Any IP address or netblock

Valid on: Server and Local

Allow an IP address

<allow_list>192.168.1.100</allow_list>

Allow an IP block

<allow_list>10.0.0.0/24</allow_list>

host_information

Alerting level for events generated by the host change monitor.

Default: 8

Allowed: Any level from 0-16

jsonout_output

New in version 2.9.0.

Enable or disable alert logging in a json format. Alerts will be saved to alerts.json.

Default: no

Allowed: yes/no

Valid on: Server and Local

prelude_output

Deprecated since version 3.4.

Enables or disables output to Prelude-IDS.

Default: no

Allowed: yes/no

Warning

Support for this is rarely tested, and may not work. Consider it deprecated.

zeromq_output

Enable ZeroMQ output of alerts.

Default: no

Allowed: yes/no

Valid on: Server and Local

zeromq_url

The URI for the ZeroMQ publisher socket.

Allowed: URI as specified by the format used by the ZeroMQ project.

Note

The format of this URI is specified by the ZeroMQ project. XXX Find the specification and link to it.

Examples:

Listen on localhost, tcp port 11111:

<zeromq_uri>tcp://localhost:11111/</zeromq_uri>

Listen on tcp port 21212 on all IP addresses assigned to eth0:

<zeromq_uri>tcp://eth0:21212/</zeromq_uri>

Listen on the Unix Domain Socket /alerts-zmq:

<zeromq_uri>ipc:///alerts-zmq</zeromq_uri>

geoip_db_path

The full path to the GeoIP IPv4 database file.

Example:

<geoip_db_path>/etc/GeoListeCity.dat</geoip_db_path>

geoip6_db_path

The full path to the GeoIP IPv6 database file.

Example:

<geoip6_db_path>/etc/GeoListeCity.dat</geoip6_db_path>

md5_whitelist

New in version 3.0.

Defines an SQLite database for white listed MD5 hashes. The path should begin at the root of the OSSEC installation (/var/ossec by default).

Example:

<md5_whitelist>/rules/lists/md5whitelist.db</md5_whitelist>

client

Settings defining how an OSSEC agent interacts with the OSSEC management server. The <client> section is valid on Agents only.

server-ip

Specifies the IP address of the OSSEC management server.

Allowed: Any valid IP address

server-hostname

Specifies the hostname of the OSSEC management server.

Allowed: Any valid hostname

port

Specifies the port used by the OSSEC management server.

Default: 1514/udp

Allowed: Any port number

config-profile

Specifies the profile to be used by the agent. The profiles are defined in the agent.conf on the OSSEC management server. Multiple profiles can be specified, separated by a comma and a space.

Allowed: Valid profile name

notify_time

Specifies the time in seconds between messages sent to the OSSEC management server.

Note

XXX More details needed.

time-reconnect

Time in seconds until a reconnection attempt is made. This should be set to a number greater than notify_time.

Note

XXX More details needed.

remote

Settings defining the configuration of ossec-remoted on the OSSEC management server.

connection

Specifies the type of connection ossec-remoted will accept. Two types of connections are accepted:

  • secure: Messages from agents are encrypted and authenticated. Uses UDP.
  • syslog: Messages from devices are not encrypted or authenticated. Can use UDP or TCP.

Default: secure

Allowed: secure or syslog

port

The port utilized by ossec-remoted.

Default: 1514 for secure, 514 for syslog

Allowed: Any port number

protocol

The protocol used by ossec-remoted for syslog messages.

Default: udp

Allowed: udp or tcp

allowed-ips

A list of IP addresses that are permitted to send syslog messages to ossec-remoted. Each instance of allowed-ips can specify one IP address. Multiple instances are permitted.

Allowed: Any IP address or network

Note

If using the syslog connection type, at least one IP address must be specified.

deny-ips

A list of IP addresses that are not permitted to send syslog messages to ossec-remoted. Each instance of deny-ips can specify one IP address. Multiple instances are permitted.

Allowed: Any IP address or network

local_ip

The local IP address ossec-remoted will listen on.

Default: All interfaces

Allowed: Any local IP address

ipv6

The local IPv6 address ossec-remoted will listen on.

Default: None

Allowed: Any local IPv6 address

syscheck

Settings controlling the file integrity monitoring features in OSSEC. Most settings should be configured on the system they apply to, but settings that are only valid on the management server or local installs have been marked as such.

directories

The <directories> option specifies which directories ossec-syscheckd will monitor. Multiple directories can be specified per instance, separated with a comma. Windows drive letters without a directory are not valid; at a minimum a . should be included (D:.). These settings are local to the system they are configured on.

Default: /etc,/usr/bin,/usr/sbin,/bin,/sbin

Attributes:

  • check_all:

    The directories are monitored for changes in file hash, size, owner, group, and permissions. This can be overridden by setting each specific option to no. The current specific checks are: check_md5sum, check_sha1sum, check_size, check_owner, check_group, and check_perm.

    Value: yes/no

  • check_sum:

    Check the md5 and sha1 hashes of the monitored files.

    Value: yes

  • check_sha1sum:

    Check the sha1 hash.

    Value: yes

  • check_md5sum:

    Check the md5 hash.

    Value: yes

  • check_size:

    Check the size.

    Value: yes

  • check_owner:

    Check the owner.

    Value: yes

  • check_group:

    Check the group.

    Value: yes

  • check_perm:

    Check the permissions.

    Value: yes

  • realtime:

    Enable realtime monitoring of files on Linux and Windows systems.

    Value: yes

  • report_changes:

    Report changes to a file with diffs of the changes made. The diffs could include sensitive information. This option is limited to text files only.

    Value: yes

  • restrict:

    A string that will limit the checks to files containing the specified string in the file name.

    Value: Any directory or file name (but not a path)

  • no_recurse:

    New in version 3.2.

    Do not recurse into the defined directory. yes unintuitively disables recursion.

    Value: yes

ignore

List of files or directories to be ignored. One entry per instance of ignore. Multiple instances can be defined.

Attributes:

  • type:

    This is a simple regex pattern to filter out files.

    Value: sregex

    Allowed: Any directory or file name.

frequency

The frequency at which full system scans will be performed (in seconds). Frequency should be no lower than 300 seconds, and larger for larger groups of files.

Default: 21600

Allowed: Time in seconds between scans.

nodiff

New in version 3.0.

List of files where track changes will be disabled. This option can be used to not send diffs for sensitive files.

Attributes:

  • type:

    This is a simple regex pattern to filter out files from the diff function.

    Value: sregex

scantime

Time to run the scans (can be in the formats of 21pm, 8:30, 12am, etc).

Allowed: Time to run the scan

Note

This may delay the initialization of realtime scans.

scan_day

Day of the week to run the scans.

Allowed: Day of the week

auto_ignore

After 3 changes to a file, further changes to that file will be ignored. Setting auto_ignore to no will disable this.

Default: yes

Allowed: yes/no

Valid on: Server and Local installations

alert_new_files

By default syscheck will not trigger an alert on file creation. Setting alert_new_files to yes will make it do so.

Default: no

Allowed: yes/no

Valid on: Server and Local installations

Note

New files will only be detected on a full scan, this option does not affect realtime operations.

scan_on_start

Controls whether ossec-syscheckd will perform a full scan when it is started.

Default: yes

Allowed: yes/no
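An added example, not part of the original documentation, showing how the directories attributes, ignore, nodiff, frequency and scan_on_start fit together in one syscheck block. The web server and private key paths, the ".conf" restrict string and the key file name are assumed sample values.

```xml
<syscheck>
  <!-- Full scan every 6 hours (21600 s), plus a scan when the daemon starts. -->
  <frequency>21600</frequency>
  <scan_on_start>yes</scan_on_start>

  <!-- Baseline directories: check_all covers md5/sha1, size, owner, group and permissions. -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>

  <!-- Assumed web server config directory: realtime detection and a diff of each
       change, limited to files whose name contains ".conf". -->
  <directories check_all="yes" realtime="yes" report_changes="yes" restrict=".conf">/etc/nginx</directories>

  <!-- Assumed private key directory: changes are tracked, but nodiff keeps the
       key material out of the alert even though report_changes is on. -->
  <directories check_all="yes" report_changes="yes">/etc/ssl/private</directories>
  <nodiff>/etc/ssl/private/server.key</nodiff>

  <!-- Noise: an exact-path ignore, and an sregex ignore for editor swap files. -->
  <ignore>/etc/mtab</ignore>
  <ignore type="sregex">.swp$</ignore>
</syscheck>
```

Because report_changes ships file contents in the alert, pair it with nodiff for any directory that may hold secrets rather than relying on the restrict string alone.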

windows_registry

Specifies entries to be monitored in the Windows registry. One entry per instance of this option. Multiple instances can be used.

Allowed: Any registry path

Note

New entries will not trigger alerts, only changes to existing entries.

registry_ignore

List of registry entries to be ignored. One entry per instance of this option. Multiple instances can be specified.

Allowed: Any registry path

prefilter_cmd

Command to run to prevent prelinking from creating false positives.

Example:

<prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>

Note

This option can negatively impact performance. The configured command will be run for each file checked.

skip_nfs

New in version 2.9.0.

This option will prevent ossec-syscheckd from scanning network mounted filesystems. This option is only valid on Linux, FreeBSD, and OpenBSD (added in v3.3) systems. Currently skip_nfs will abort checks running on files stored on CIFS and NFS mount points.

Default: no

Allowed: yes/no

rootcheck

Settings controlling the rootcheck functionality in OSSEC.

base_directory

The base path prepended to a number of options. Usually the installation path for OSSEC. It will modify the following options:

  • rootkit_files
  • rootkit_trojans
  • windows_malware
  • windows_audit
  • windows_apps
  • systems_audit

Allowed: Directory path

Default: /var/ossec

rootkit_files

Specifies the location of the rootkit files database.

Default: /etc/shared/rootkit_files.txt

Allowed: A file with the rootkit files signatures

rootkit_trojans

Specifies the location of the rootkit trojans database.

Default: /etc/shared/rootkit_trojans.txt

Allowed: A file with the trojans signatures

windows_audit

Specifies the location of the Windows audit database.

Default: ./shared/win_audit_rcl.txt

Allowed: A file with the Windows audit signatures

system_audit

Specifies the location of the system audit database. One entry per instance of this option. This option can be specified multiple times.

Default: /etc/shared/system_audit_rcl.txt, /etc/shared/cis_debian_linux_rcl.txt, /etc/shared/cis_rhel_linux_rcl.txt, /etc/shared/cis_rhel5_linux_rcl.txt

Allowed: A file with system audit signatures

windows_apps

Specifies the location of the Windows application audit database.

Default: ./shared/win_applications_rcl.txt

Allowed: A file with Windows application signatures

windows_malware

Specifies the location of the Windows malware database.

Default: ./shared/win_malware_rcl.txt

Allowed: A file with Windows malware audit database.

scanall

Can force rootcheck to scan the entire system. This may trigger false positives.

Default: no

Allowed: yes/no

Note

XXX More information needed.

frequency

Frequency (in seconds) between rootcheck scans.

Default: 36000

Allowed: Time in seconds

disabled

Disable the rootcheck functionality.

Default: no

Allowed: yes/no

check_dev

Enable or disable checking for files in /dev.

Default: yes

Allowed: yes/no

check_files

Enable or disable checks based on the rootkit files.

Default: yes

Allowed: yes/no

Note

XXX Need to research.

check_if

Enable or disable checking the network interfaces.

Default: yes

Allowed: yes/no

check_pids

Enable or disable checking process IDs.

Default: yes

Allowed: yes/no

check_ports

Enable or disable checking network ports.

Default: yes

Allowed: yes/no

check_sys

Enable or disable checking the filesystem.

Default: yes

Allowed: yes/no

Note

XXX More info needed

check_trojans

Enable or disable checking for trojans.

Default: yes

Allowed: yes/no

check_unixaudit

Enable or disable checking for unix issues.

Default: yes

Allowed: yes/no

check_winapps

Enable or disable checking Windows applications.

Default: yes

Allowed: yes/no

check_winaudit

Enable or disable checking Windows audit.

Default: yes

Allowed: yes/no

check_winmalware

Enable or disable checking Windows malware.

Default: yes

Allowed: yes/no

skip_nfs

New in version 2.9.0.

If enabled, this option prevents rootcheck from scanning network filesystems. Currently works on Linux, FreeBSD, and OpenBSD (support added in v3.3). If enabled, it will abort checks running on CIFS and NFS mounts.

Default: no

Allowed: yes/no

localfile

Settings specifying the location and format of logs for ingestion.

location

Specifies the location of a log file for ingestion.

Default: Multiple

Allowed: Path to a log file

log_format

Specifies the format of the log file. OSSEC assumes the logs are in the default format and have not been customized.

Allowed:

  • syslog

    syslog is used for plain text files with one log message per line. The log messages do not have to be in a syslog format.

  • snort-full

    Snort’s full text output format.

  • snort-fast

    Snort’s fast text output format.

  • squid

    Squid’s default log format.

  • iis

    Microsoft IIS log format.

  • eventlog

    Microsoft Windows eventlog format.

  • eventchannel

    New in version 2.8.

    Microsoft Windows eventlog format, using the EventApi. This should allow OSSEC to monitor both “Windows” eventlogs and the more recent “Applications and Services” logs.

  • mysql_log

    MySQL’s log format.

  • postgresql_log

    Postgresql’s log format.

  • nmapg

    Nmap’s grepable log format.

  • apache

    Apache’s default log format.

  • command

    This log format will run a command (as root). Each line of the output will be treated as a separate log.

    Warning

    Cannot be specified in the agent.conf

  • full_command

    This log format will run a command as root, and treat the entire output as a single log message.

    Warning

    Cannot be specified in the agent.conf

  • djb-multilog

    Daniel J. Bernstein’s multilog output.

  • multi-line

    This format type is for log messages consisting of multiple lines. The number of lines used per message should be the same, and the number of lines should be specified in the format:

    <log_format>multi-line: 3</log_format>
    
  • multi-line_indented

    This log format accepts logs spanning multiple lines with subsequent lines beginning with either a space or tab.

    <log_format>multi-line_indented</log_format>
    

command

The command to be run when using the command or full_command log_format.

Allowed: Any command with arguments

command_alias

An alias for a command to help with identification. This alias will replace the command in the log output.

Example:

The following alias:

<alias>usb-check</alias>

would change the output from:

ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR':

to:

ossec: output: 'usb-check':

Allowed: Any string

check_diff

Store the output of an event in an internal database, and compare new output to the previous. If the output has changed an alert will be triggered.
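An added example, not part of the original documentation, tying together the full_command log format, the alias and check_diff. The listening-socket snapshot is an assumed sample command; it is run as root by ossec-logcollector, and since command formats cannot be set in agent.conf it belongs in the host's own ossec.conf.

```xml
<localfile>
  <!-- full_command: the whole output is one log message, so the comparison
       covers the complete socket table rather than individual lines. -->
  <log_format>full_command</log_format>
  <command>netstat -tulpn | sort</command>
  <!-- The alias replaces the command text in the "ossec: output: '...'" line. -->
  <alias>listening-ports</alias>
  <!-- Only produce a log message when the output differs from the stored copy,
       so a newly listening service surfaces as a change. -->
  <check_diff />
</localfile>
```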

only-future-events

Only read log messages starting from the time the log is opened. By default ossec-logcollector will read events from the beginning of the log or from the message it last read.

Allowed: yes

Note

This only applies to eventchannel log sources.

query

Specifies an XPATH query following the event schema in order to filter the events OSSEC will process. See Microsoft’s documentation for more details.

Example:

The following configuration will only process events with an ID of 7040:

<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=7040]</query>
</localfile>

Note

This only applies to eventchannel log sources.

rules

Settings specifying rule locations. These settings are only valid on a Server or Local installation.

include

Load a single rule file. The rule files are stored in rules/, relative to the install location of OSSEC.

Allowed: File name of a rule file.

rule

Load a single rule file.

Note

This is an alias for include.

rule_dir

Specifies a directory containing rule files. The rule files will be loaded alphabetically.

Attributes:

  • pattern: is a regex match string used to filter the files in the directory.

    Default: Regex _rules.xml$ is used if no other pattern is specified.

Allowed: Path to a directory of rule files, relative to the OSSEC installation location.

decoder

Specifies the path to a decoder file to be used by ossec-analysisd. If no decoders are specified in the ossec.conf the default etc/decoder.xml and etc/local_decoder.xml are used. If a decoder is specified with decoder or decoder_dir the default decoder.xml and local_decoder.xml will not be used.

Allowed: Path to a decoder file relative to OSSEC’s install location.

decoder_dir

Specifies the path to a directory containing decoder files. Files will be loaded in alphabetical order.

Attributes:

  • pattern: is a regex match string used to filter the files in the directory.

    Default: Regex .xml$ is used if no other pattern is specified.

Allowed: Path to a directory of decoder files, relative to the OSSEC installation location.

list

Specifies a single cdb reference for inclusion by other rules. File extensions should not be included.

Example:

For a cdb list named blocked_hosts.txt use:

<list>rules/lists/blocked_hosts</list>

command

Definitions for commands available to the active response system.

name

Specifies the name of the command.

executable

Specifies the executable to be run. The executable must be a file (with exec permissions) inside active-response/bin relative to the OSSEC install location.

expect

Specifies the information gathered from a log via decoding to send to the command. Common options are srcip and username.

timeout_allowed

Specifies if the command supports a timeout. After the timeout period the command will attempt to reverse changes it has made (delete firewall rules or entries in hosts.deny).

active-response

disabled

Disables active response if set to yes. Active response defaults to enabled on Unix-like systems and disabled on Windows. Setting disabled to yes on an OSSEC management server will disable all active response. Disabling it on an agent will only disable it for that agent.

command

Specifies the command to be run when the active response is triggered.

location

Specifies where the active response will be run.

Available options:

  • local: the agent that generated the event
  • server: the OSSEC management server
  • defined-agent: on a specific agent
  • all: all agents

agent_id

Specifies the agent ID to run the active response on when using defined-agent as the location.

level

The active response will be executed on any event of the specified level or higher.

rules_group

The active response will be executed on any alert with the specified group. Multiple groups can be defined, separated with the pipe (|) character.

rules_id

The active response will be executed on any alert with the specified rule ID. Multiple IDs can be specified separated by a comma.

timeout

Specifies the amount of time, in seconds, before an active response will attempt to reverse its actions. For example IPs can be unblocked or entries removed from the hosts.deny file.

repeated_offenders

A comma separated list of increasing timeouts (in minutes) for repeat offenders. There can be a maximum of 5 entries.

Valid on: Agent and Local
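An added example, not part of the original documentation, pairing a command definition with the active-response that uses it, written for a Local installation so that every element (including repeated_offenders) is valid on the same host. firewall-drop.sh is assumed to be present in active-response/bin; the level, timeout and repeated_offenders values are sample choices.

```xml
<command>
  <name>firewall-drop</name>
  <!-- Relative to active-response/bin; the file must be executable. -->
  <executable>firewall-drop.sh</executable>
  <!-- The decoded source IP is the only argument the script needs. -->
  <expect>srcip</expect>
  <!-- Required for the timeout below to reverse the block later. -->
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <!-- Run on the host that generated the event. -->
  <location>local</location>
  <!-- Fire on any alert of level 10 or higher. -->
  <level>10</level>
  <!-- Remove the block after 600 seconds (10 minutes). -->
  <timeout>600</timeout>
  <!-- A source seen again is blocked for 30, then 60, then 120 minutes. -->
  <repeated_offenders>30,60,120</repeated_offenders>
</active-response>
```

Without timeout_allowed set to yes on the command, the timeout element has nothing to reverse and the block becomes permanent.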

alerts

Settings related to alert logging and notifications.

The <alerts> section is valid on Server and Local installations only.

email_alert_level

Minimum alert level for email notification.

Default: 7

Allowed: Any level from 1-16

Note

This is the minimum level for an alert to trigger an email. This will override granular email alert levels. Individual rules can override this with the alert_by_email option.

log_alert_level

Minimum alert level to record an alert in alerts.log.

Default: 1

Allowed: Any level from 1-16

use_geoip

Enable or disable GeoIP lookups.

Default: no

Allowed: yes/no

email_alerts

Settings for which alerts should trigger emails.

email_to

The recipient address of alert emails.

Allowed: A valid email address

level

The minimum alert level for an email.

Allowed: Any alert level 0-16

Note

level should be set to or above the email_alert_level in the alerts section of the configuration.

group

Specifies a group that an alert must match for an email to be sent. Multiple groups can be specified with a pipe (|) character.

Allowed: One or more groups

event_location

An alert must match this event_location for an email to be sent. Only one event_location may be specified; the last entry will be used.

Allowed: Any single agent name, hostname, ip address, or log file

format

Specifies the format of the email.

Options:

  • full: normal emails

rule_id

Option to send granular emails based on the rule id.

Allowed: One or more rule IDs, separated by a comma and a space.

do_not_delay

Option to send the email immediately.

Example:

<do_not_delay />

do_not_group

Option to not group alerts in an email.

Example:

<do_not_group />

syslog_output

OSSEC is able to forward alerts via syslog in a number of formats. These options are for use on a Server or Local installation.

server

Specifies the IP address of the syslog server.

port

Specifies the port of the syslog server.

level

Specifies the minimum alert level for alerts to be forwarded.

group

Alerts belonging to the configured group will be forwarded. Multiple groups can be specified, separated with the pipe (|) character.

rule_id

Alerts matching the configured rule ID will be forwarded.

location

Alerts from this location will be forwarded.

use_fqdn

By default OSSEC truncates the hostname at the first period (.) when generating syslog messages. Setting this option to yes will force it to use the full hostname of the server.

Default: no

Allowed: yes/no

format

ossec-csyslogd can send alerts in multiple formats. The default format is a standard syslog message.

Available options:

  • default: Default syslog messages
  • CEF: ArcSight Common Event Format
  • json: JSON
  • splunk: A format for use with Splunk

database_output

OSSEC can store alerts in MySQL or PostgreSQL databases. These options are for use on a Server or Local installation.

Note

OSSEC must be compiled with database support for ossec-dbd to function.

hostname

IP address of the database server.

username

The username for accessing the database.

password

The password for the user connecting to the database.

database

The database where alerts will be stored.

type

The type of database: MySQL or PostgreSQL.

agentless

Configures scripts to be run against systems where an agent cannot be installed.

type

The type of check to be run on the agentless system.

Available options:

  • ssh_integrity_check_bsd: Perform a file integrity check via ssh on BSD
  • ssh_integrity_check_linux: Perform a file integrity check via ssh on Linux
  • ssh_generic_diff: Run a command and compare the output to previous command runs
  • ssh_pixconfig_diff: Compare the current running Cisco PIX configuration to previous invocations

frequency

Specifies the time in seconds between each check.

host

Specifies the username and host to be checked.

Example:

<host>root@linux.server.example.com</host>

state

Specifies whether the checks are periodic or periodic_diff.

Available options:

  • periodic: The output from the script is processed by the OSSEC management server
  • periodic_diff: The output of the script is compared to previous invocations

arguments

Specifies the arguments passed to the script.

reports

Configuration for automated daily reports. This is only valid on Server and Local installations.

group

Filter by group or category.

categories

Filter by group or category. This is the same as the group option above.

rule

Filter on a specific Rule ID.

level

Filter by minimum rule level.

location

Filter by the log location or agent name.

srcip

Filter by the source ip recorded in an alert.

user

Filter by the user name in an alert. This will match both srcuser and dstuser.

title

Specify the title of the report. This is a required option.

email_to

The email address the completed report is sent to. This is a required option.

showlogs

If showlogs is set to yes the relevant logs will be included in the report. This is set to no by default.