repos/soc-automation-lab/config/wazuh/manager/ossec.conf
1
<!--
  Wazuh manager configuration (ossec.conf) for the SOC automation lab.
  Sections: global logging, alert threshold, agent connection (remote),
  agent enrollment (auth), ruleset/CDB lists, an outbound integration,
  one active-response command and trigger, and vulnerability detection.
  Note: keep this file free of a DOCTYPE; the manager parses it as plain XML.
-->
<ossec_config>
  <global>
    <!-- Write alerts as JSON (alerts.json) in addition to the plain alerts.log. -->
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <!-- Full event archive disabled: only events that raise an alert are kept.
         Keep 'no' unless disk capacity for archives.log/archives.json is planned. -->
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
  </global>

  <alerts>
    <!-- Minimum rule level that is written to the alert logs. -->
    <log_alert_level>3</log_alert_level>
  </alerts>

  <remote>
    <!-- Agent-to-manager channel: encrypted agent protocol on 1514/tcp. -->
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <auth>
    <!-- Agent enrollment service (authd) on 1515/tcp. -->
    <disabled>no</disabled>
    <port>1515</port>
    <!-- Agents are registered with source "any" rather than bound to the
         enrolling IP, so an agent can reconnect from a different address. -->
    <use_source_ip>no</use_source_ip>
    <!-- Re-enrollment of an existing agent name replaces its key, but only
         once the previous registration is older than 1h. -->
    <force>
      <enabled>yes</enabled>
      <after_registration_time>1h</after_registration_time>
    </force>
    <purge>yes</purge>
    <!-- NOTE(review): enrollment runs without a shared password, so any host
         that can reach 1515/tcp can register an agent. Acceptable for an
         isolated lab; outside one, set use_password to yes (authd.pass) and/or
         restrict 1515/tcp at the firewall to expected agent networks. -->
    <use_password>no</use_password>
  </auth>

  <ruleset>
    <!-- Load order matters: the shipped ruleset first, then local overrides
         under etc/, so custom decoders/rules can override or extend defaults. -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
    <!-- CDB lists consumed by the threat-intel matching rules in etc/rules.
         The .cdb files must be compiled from these sources before use. -->
    <list>etc/lists/cti-malicious-ip</list>
    <list>etc/lists/cti-malicious-domain</list>
    <list>etc/lists/cti-malware-hash</list>
  </ruleset>

  <integration>
    <!-- Custom integration: presumably expects an executable named
         custom-thehive in the manager's integrations directory — confirm. -->
    <name>custom-thehive</name>
    <!-- Placeholder only; substitute the real webhook URL at deploy time from
         the environment and never commit the actual value to this repository.
         NOTE(review): the variable name suggests a Shuffle webhook in front of
         TheHive rather than TheHive directly — confirm against the script. -->
    <hook_url>SET_FROM_ENV_SHUFFLE_WEBHOOK_URL</hook_url>
    <!-- Only alerts of level 10 or higher are forwarded. -->
    <level>10</level>
    <alert_format>json</alert_format>
  </integration>

  <command>
    <!-- Active-response command wrapping the stock firewall-drop script
         (active-response/bin). timeout_allowed lets the block be reverted
         after the <timeout> set in the active-response block below. -->
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <!-- Trigger: custom rule 100210 (expected in etc/rules) runs firewall-drop
         on the agent that produced the alert; the block is lifted after 600 s.
         A rule that matches too broadly would block legitimate sources, so
         keep 100210 narrowly scoped. -->
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100210</rules_id>
    <timeout>600</timeout>
  </active-response>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <!-- NOTE(review): index-status presumably requires a reachable indexer
         configured for this manager — confirm the indexer settings are
         provided elsewhere in the deployment. -->
    <index-status>yes</index-status>
  </vulnerability-detection>
</ossec_config>