
The Wazuh Manager’s primary configuration file lives at config/wazuh_cluster/wazuh_manager.conf in the repository. It is bind-mounted into the wazuh.manager container at /wazuh-config-mount/etc/ossec.conf. Any change to this file requires a container restart to take effect:
docker compose restart wazuh.manager
The file is composed of multiple <ossec_config> blocks, each grouping related settings. The sections below document every block in the order they appear in the file.
The docker-listener wodle is enabled on the Manager. This means the Manager itself monitors Docker daemon events directly — container start, stop, pause, and die events are forwarded to the indexer as Wazuh alerts without requiring a separate agent on the Docker host.

Configuration Sections

The <global> block controls alerting output formats, email notifications, and agent disconnection behaviour.

| Parameter | Value | Description |
|---|---|---|
| jsonout_output | yes | Write alerts to alerts.json in JSON format |
| alerts_log | yes | Write alerts to alerts.log in plain text |
| logall | yes | Archive all received events, not just those that match rules |
| logall_json | yes | Archive all events in JSON format |
| email_notification | no | Email alerting is disabled by default |
| smtp_server | smtp.example.wazuh.com | SMTP server (used when email is enabled) |
| email_from | wazuh@example.wazuh.com | Sender address for email alerts |
| email_to | recipient@example.wazuh.com | Recipient address for email alerts |
| email_maxperhour | 12 | Maximum emails sent per hour |
| email_log_source | alerts.log | Log file used as the email alert source |
| agents_disconnection_time | 10m | Time after which a silent agent is considered disconnected |
| agents_disconnection_alert_time | 0 | Delay before firing the disconnection alert (0 = immediate) |
A second <global> block later in the file defines the active-response IP whitelist:

| Parameter | Value | Description |
|---|---|---|
| white_list | 127.0.0.1 | Loopback address is never blocked by active response |
| white_list | ^localhost.localdomain$ | Localhost hostname is never blocked |
The <alerts> block sets threshold levels for log and email output.

| Parameter | Value | Description |
|---|---|---|
| log_alert_level | 3 | Minimum rule severity level written to alerts.log and alerts.json |
| email_alert_level | 12 | Minimum rule severity level that triggers an email notification |

Wazuh rule levels range from 0 (informational) to 15 (critical). Setting log_alert_level to 3 keeps low-noise informational events out of the alerts files. The email threshold of 12 means only high-severity events generate emails.
The <remote> block defines how the Manager accepts incoming connections from enrolled agents.

| Parameter | Value | Description |
|---|---|---|
| connection | secure | Encrypted, authenticated agent-to-manager communication |
| port | 1514 | TCP port the Manager listens on for agent traffic |
| protocol | tcp | Transport protocol |
| queue_size | 131072 | Internal event queue depth (number of events buffered before processing) |

Port 1514/TCP must be reachable from all agent hosts. In the Docker Compose stack this port is published on the host and agents connect to it directly.
The <logging> block controls the format of Wazuh's own internal log output written to /var/ossec/logs/ossec.log.

| Parameter | Value | Description |
|---|---|---|
| log_format | plain | Write internal logs in plain text format. Alternatives are json or plain,json |
Rootcheck performs host-based anomaly and policy checks — scanning for rootkits, suspicious files, hidden processes, and configuration issues.

| Parameter | Value | Description |
|---|---|---|
| disabled | no | Rootcheck is active |
| check_files | yes | Scan for suspicious files using the rootkit database |
| check_trojans | yes | Compare binaries against the known-trojan list |
| check_dev | yes | Scan /dev for unusual device files |
| check_sys | yes | Check system call entries and /proc |
| check_pids | yes | Detect hidden processes |
| check_ports | yes | Detect hidden network ports |
| check_if | yes | Check network interfaces for promiscuous mode |
| frequency | 43200 | Run every 12 hours |
| rootkit_files | etc/rootcheck/rootkit_files.txt | Rootkit file signatures database |
| rootkit_trojans | etc/rootcheck/rootkit_trojans.txt | Trojan signatures database |
| skip_nfs | yes | Skip NFS-mounted directories to avoid slow scans |
The docker-listener wodle subscribes to the Docker daemon event stream on the Manager host and forwards container lifecycle events directly to the Indexer as Wazuh alerts.

| Parameter | Value | Description |
|---|---|---|
| disabled | no | Docker event monitoring is active |

Container start, stop, die, pause, and unpause events from the host are captured without requiring a separate Wazuh agent on the Docker host.
The syscollector wodle periodically collects a hardware and software inventory of the Manager host and forwards it to the Indexer for storage and search.

| Parameter | Value | Description |
|---|---|---|
| disabled | no | Syscollector is active |
| interval | 1h | Full inventory scan every hour |
| scan_on_start | yes | Run an inventory scan immediately on Wazuh startup |
| hardware | yes | Collect CPU, memory, and board details |
| os | yes | Collect OS name, version, and kernel |
| network | yes | Collect network interfaces, addresses, and routes |
| packages | yes | Collect installed package list |
| ports (all=yes) | yes | Collect all open ports, including non-listening ones |
| processes | yes | Collect running process list |
| synchronization > max_eps | 10 | Maximum inventory events sent per second to avoid indexer overload |
SCA runs policy checks against configuration benchmarks and reports compliance failures as alerts.

| Parameter | Value | Description |
|---|---|---|
| enabled | yes | SCA is active |
| scan_on_start | yes | Run a full policy scan at startup |
| interval | 12h | Re-scan every 12 hours |
| skip_nfs | yes | Skip NFS-mounted paths during scanning |

The Manager uses the built-in policy files from ruleset/sca/. To add custom policies, place .yml files in etc/shared/ on the Manager and reference them from agent group configurations.
The vulnerability detection engine correlates the syscollector package inventory against CVE feeds to identify vulnerable software versions.

| Parameter | Value | Description |
|---|---|---|
| enabled | yes | Vulnerability detection is active |
| index-status | yes | Index vulnerability status records in the Wazuh Indexer |
| feed-update-interval | 60m | Refresh CVE feeds every 60 minutes |

The Manager connects to the Wazuh Indexer over https://wazuh.indexer:9200 using the certificates configured in the <indexer> block:

| TLS Setting | Path |
|---|---|
| CA certificate | /etc/ssl/root-ca.pem |
| Client certificate | /etc/ssl/filebeat.pem |
| Client key | /etc/ssl/filebeat.key |
Syscheck monitors files and directories for unexpected changes, generating alerts when content, permissions, or ownership are modified.

Scan Settings

| Parameter | Value | Description |
|---|---|---|
| frequency | 43200 | Full scan every 12 hours |
| scan_on_start | yes | Run an immediate scan on startup |
| alert_new_files | yes | Alert when a new file appears in a monitored directory |
| auto_ignore | no (frequency=10, timeframe=3600) | Never auto-ignore frequently changed files |
| process_priority | 10 | Nice value — run at lower CPU priority |
| max_eps | 100 | Maximum FIM events per second |
| skip_nfs | yes | Skip NFS mounts |
| skip_dev | yes | Skip /dev |
| skip_proc | yes | Skip /proc |
| skip_sys | yes | Skip /sys |

Monitored Directories

| Path | Notes |
|---|---|
| /etc, /usr/bin, /usr/sbin | System configuration and administrative binaries |
| /bin, /sbin, /boot | Core binaries and bootloader files |

Ignored Paths

The following paths are excluded from FIM to reduce alert noise from files that change legitimately:

| Ignored Path | Reason |
|---|---|
| /etc/mtab | Updated on every mount/unmount |
| /etc/hosts.deny | Modified by active-response rules |
| /etc/mail/statistics | Mail statistics updated frequently |
| /etc/random-seed | Updated on shutdown/boot |
| /etc/random.seed | Updated on shutdown/boot |
| /etc/adjtime | Updated by hardware clock synchronization |
| /etc/httpd/logs | Log directory (high-frequency writes) |
| /etc/utmpx | Login record file |
| /etc/wtmpx | Login record file |
| /etc/cups/certs | Printer certificates |
| /etc/dumpdates | Updated after each dump |
| /etc/svc/volatile | Volatile service state |
| *.log, *.swp (sregex) | Log and editor swap files |

Nodiff

/etc/ssl/private.key is monitored for changes but its content is never included in alerts — the diff is suppressed to prevent private key material from appearing in logs.

Synchronization

| Parameter | Value | Description |
|---|---|---|
| enabled | yes | Database synchronization is active |
| interval | 5m | Sync the FIM database every 5 minutes |
| max_interval | 1h | Maximum interval between forced syncs |
| max_eps | 10 | Maximum sync events per second |
These <command> blocks define the executables available for active response rules. Commands are referenced by name in <active-response> rule blocks.

| Command Name | Executable | Timeout Allowed | Description |
|---|---|---|---|
| disable-account | disable-account | yes | Lock a local user account |
| restart-wazuh | restart-wazuh | not set | Restart the Wazuh agent on the target host |
| firewall-drop | firewall-drop | yes | Block an IP via iptables/firewalld |
| host-deny | host-deny | yes | Add an IP to /etc/hosts.deny |
| route-null | route-null | yes | Null-route an IP (Linux) |
| win_route-null | route-null.exe | yes | Null-route an IP (Windows) |
| netsh | netsh.exe | yes | Block an IP with Windows netsh firewall |

The <active-response> trigger block is currently commented out in wazuh_manager.conf. To activate automated blocking, uncomment and configure it with the command name, location, level threshold, and optional timeout. See the Wazuh active response documentation for rule configuration examples.
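As an added illustration (this block is not part of the repository's wazuh_manager.conf), the following is what an uncommented trigger block could look like when wired to the firewall-drop command defined above. The level threshold, the timeout value and the choice of the built-in authentication_failed rule group are illustrative assumptions; substitute the rule ids or groups you actually want to react to.

```xml
<ossec_config>
  <!-- Added example: react to repeated authentication failures by dropping the
       source IP with the firewall-drop command declared in the <command> block.
       Values below are illustrative, not the repository's settings. -->
  <active-response>
    <disabled>no</disabled>
    <!-- Must match a <command><name> defined earlier in the file -->
    <command>firewall-drop</command>
    <!-- "local": run on the agent that produced the alert
         ("server" would run it on the Manager instead) -->
    <location>local</location>
    <!-- Only alerts at or above this rule level trigger the response -->
    <level>10</level>
    <!-- Narrow the trigger to a rule group; without this (or <rules_id>)
         every alert at or above <level> would fire the block -->
    <rules_group>authentication_failed</rules_group>
    <!-- Seconds until the block is lifted; only honoured because
         firewall-drop is declared with <timeout_allowed>yes</timeout_allowed> -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two caveats when enabling this: the 127.0.0.1 and ^localhost.localdomain$ entries in the second <global> block are the only addresses exempt from the drop, so any other management host that can trip the rule should be added to that whitelist first; and because /etc/hosts.deny is already in the FIM ignore list, switching the command to host-deny will not generate syscheck alerts for the entries it writes, whereas firewall-drop changes are visible in the active-responses.log collected by the last <localfile> block.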
Three <localfile> entries configure the Manager to periodically run system commands and treat their output as log events for analysis.

| Command | Format | Frequency | Description |
|---|---|---|---|
| df -P | command | 360s | Disk utilization per filesystem in POSIX format |
| netstat -tulpn \| sed ... | full_command | 360s | Listening TCP/UDP ports, aliased as netstat listening ports |
| last -n 20 | full_command | 360s | Last 20 login entries |

A separate <ossec_config> block appends the active responses log as a syslog source:

| Location | Format | Description |
|---|---|---|
| /var/ossec/logs/active-responses.log | syslog | Records every active response action taken by the Manager |
The <ruleset> block tells the Manager where to find decoder and rule files.

Decoders

| Path | Type |
|---|---|
| ruleset/decoders | Wazuh built-in decoders |
| etc/decoders | User-defined custom decoders |

Rules

| Path | Type |
|---|---|
| ruleset/rules | Wazuh built-in rules |
| etc/rules | User-defined custom rules |

Excluded Rule File

0215-policy_rules.xml is excluded from loading. This file contains legacy policy rules superseded by the SCA engine — excluding it prevents duplicate alerts.

CDB Lists

| List | Usage |
|---|---|
| etc/lists/audit-keys | Auditd key identifiers |
| etc/lists/amazon/aws-eventnames | AWS CloudTrail event names |
| etc/lists/security-eventchannel | Windows Security event channel IDs |
| etc/lists/malicious-ioc/malicious-ip | Known malicious IP addresses |
| etc/lists/malicious-ioc/malicious-domains | Known malicious domain names |
| etc/lists/malicious-ioc/malware-hashes | Malware file hashes |

Rule Tester

The <rule_test> block enables the interactive rule testing engine (used by ossec-logtest):

| Parameter | Value |
|---|---|
| enabled | yes |
| threads | 1 |
| max_sessions | 64 |
| session_timeout | 15m |
The <auth> block configures wazuh-authd, the agent registration daemon.

| Parameter | Value | Description |
|---|---|---|
| disabled | no | Authd is running |
| port | 1515 | TCP port agents connect to for enrollment |
| use_source_ip | no | Register agents by name, not source IP |
| purge | yes | Remove deleted agent keys from the keystore |
| use_password | no | No shared password required for enrollment |
| ciphers | HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH | OpenSSL cipher string — strong ciphers only |
| ssl_verify_host | no | Agent's hostname is not verified against its certificate CN |
| ssl_manager_cert | etc/sslmanager.cert | Manager's TLS certificate for authd |
| ssl_manager_key | etc/sslmanager.key | Manager's TLS private key for authd |
| ssl_auto_negotiate | no | Do not auto-negotiate SSL version |
The <cluster> block defines the Wazuh cluster identity for this node.

| Parameter | Value | Description |
|---|---|---|
| name | wazuh | Cluster name — must match on all nodes |
| node_name | node01 | Unique name for this node |
| node_type | master | This node is the cluster master |
| key | <cluster-key> | Shared secret key for inter-node authentication — must be identical on all cluster nodes |
| port | 1516 | TCP port for inter-node cluster communication |
| bind_addr | 0.0.0.0 | Listen on all interfaces |
| nodes > node | wazuh.manager | List of cluster node addresses |
| hidden | no | Node is visible in cluster status |
| disabled | yes | Clustering is disabled — single-node deployment |

This is a single-node deployment. To enable a multi-node cluster, set <disabled>no</disabled>, add worker node addresses to the <nodes> list, and ensure the same <key> is configured on all nodes. Worker nodes must have <node_type>worker</node_type> set in their own <cluster> blocks.
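As an added example (not taken from the repository), this is the <cluster> block a worker node would carry to join the cluster described above. The node name node02 is a hypothetical choice, the <cluster-key> placeholder is the same one the master block uses and must be replaced with the real shared secret, and the worker's <nodes> entry points at the master's address so the worker knows where to connect.

```xml
<ossec_config>
  <!-- Added example of a worker node's cluster block; node02 is a
       constructed name, <cluster-key> is a placeholder for the real secret. -->
  <cluster>
    <!-- Must be identical to the master's <name> -->
    <name>wazuh</name>
    <!-- Unique per node -->
    <node_name>node02</node_name>
    <!-- Workers declare themselves as such; only one node is master -->
    <node_type>worker</node_type>
    <!-- Same shared secret on every node, or the handshake is rejected -->
    <key><cluster-key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <!-- Address the worker uses to reach the master -->
      <node>wazuh.manager</node>
    </nodes>
    <hidden>no</hidden>
    <!-- Clustering must be switched on here as well as on the master -->
    <disabled>no</disabled>
  </cluster>
</ossec_config>
```

Because the master's bind_addr is 0.0.0.0, port 1516/TCP on the wazuh.manager container has to be reachable from each worker; restrict it at the network layer to the worker addresses, since the shared key is the only credential on that channel.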

Full Configuration File

The complete wazuh_manager.conf for reference:
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wazuh@example.wazuh.com</email_from>
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <wodle name="docker-listener">
    <disabled>no</disabled>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="yes">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://wazuh.indexer:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/ssl/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/ssl/filebeat.pem</certificate>
      <key>/etc/ssl/filebeat.key</key>
    </ssl>
  </indexer>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/malicious-ioc/malicious-ip</list>
    <list>etc/lists/malicious-ioc/malicious-domains</list>
    <list>etc/lists/malicious-ioc/malware-hashes</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key><cluster-key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>wazuh.manager</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

</ossec_config>
