ossec.conf: Global options

Overview

Supported types

Global options are available in the following installation types:

  • server
  • local

Location

All global options must be configured in /var/ossec/etc/ossec.conf, within the <ossec_config> tag.

XML excerpt to show location:

<ossec_config>
    <global>
        <!--
        Global options here
        -->
    </global>
</ossec_config>

Options

global
email_notification

Enable or disable e-mail alerting.

Default: no

Allowed: yes/no

email_to

E-mail recipient of the alerts.

Allowed: Any valid e-mail address

email_from

E-mail “source” of the alerts.

Allowed: Any valid e-mail address

smtp_server

SMTP server.

Allowed: Any valid hostname or IP Address

email_maxperhour

Specifies the maximum number of e-mails to be sent per hour. All emails in excess of this setting will be queued for later distribution.

Default: 12

Allowed: Any number from 1 to 9999

stats

Alerting level for the events generated by the statistical analysis.

Default: 8

Allowed: Any level from 0 to 16

logall

Specifies whether all received events should be stored.

Default: no

Allowed: yes/no

memory_size

Sets the memory size for the event correlation.

Default: 1024

Allowed: Any size from 16 to 5096

white_list

List of IP addresses that should never be blocked by the active response (one per element).

Multiples Allowed: yes

Allowed: Any IP address or netblock

host_information

Alerting level for the events generated by the host change monitor.

Default: 8

Allowed: Any level from 0 to 16

prelude_output

Enables or disables prelude output.

Default: no

Allowed: yes/no

picviz_output

Enable picviz output.

Warning

PicViz is experimental.

Allowed: yes

picviz_socket

The full path of the socket that ossec will write alerts/events to. This will then be read by picviz for processing.

Allowed: File and path that ossec will create and feed events to.
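
The allowed values listed above can be checked before a changed ossec.conf is deployed. The following Python script is an added example, not part of OSSEC or its documentation; it assumes the file parses as a single <ossec_config> element, and the function name check_global and the sample configuration are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Allowed values, transcribed from the option list on this page.
CHOICES = {
    "email_notification": ("yes", "no"),
    "logall": ("yes", "no"),
    "prelude_output": ("yes", "no"),
    "picviz_output": ("yes",),
}
RANGES = {
    "email_maxperhour": (1, 9999),
    "stats": (0, 16),
    "host_information": (0, 16),
    "memory_size": (16, 5096),
}

def check_global(conf_xml):
    """Return a list of problems found in the <global> block of conf_xml."""
    block = ET.fromstring(conf_xml).find("global")
    if block is None:
        return ["no <global> block inside <ossec_config>"]
    problems = []
    for opt in block:  # XML comments are dropped by the parser
        value = (opt.text or "").strip()
        if opt.tag in CHOICES and value not in CHOICES[opt.tag]:
            problems.append(f"{opt.tag}: {value!r} not in {CHOICES[opt.tag]}")
        elif opt.tag in RANGES:
            lo, hi = RANGES[opt.tag]
            if not (value.isascii() and value.isdigit() and lo <= int(value) <= hi):
                problems.append(f"{opt.tag}: {value!r} outside {lo}-{hi}")
        elif opt.tag == "white_list":
            try:
                ipaddress.ip_network(value, strict=False)  # single IP or netblock
            except ValueError:
                problems.append(f"white_list: {value!r} is not an IP or netblock")
    return problems

# Constructed sample input, not taken from a real deployment.
SAMPLE = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_maxperhour>20000</email_maxperhour>
    <memory_size>2048</memory_size>
    <white_list>10.0.0.0/8</white_list>
    <white_list>192.168.1.300</white_list>
  </global>
</ossec_config>"""

if __name__ == "__main__":
    for problem in check_global(SAMPLE):
        print(problem)
```

A mistyped white_list entry is worth catching here, because an address that fails to parse gives no protection against active response blocking the host it was meant to exempt.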