The Wazuh Manager’s primary configuration file lives at config/wazuh_cluster/wazuh_manager.conf in the repository. It is bind-mounted into the wazuh.manager container at /wazuh-config-mount/etc/ossec.conf. Any change to this file requires a container restart to take effect:

The file is made up of multiple <ossec_config> blocks, each grouping related settings. The sections below document every block in the order they appear in the file.

The docker-listener wodle is enabled on the Manager. This means the Manager itself monitors Docker daemon events directly: container start, stop, pause, and die events are forwarded to the indexer as Wazuh alerts without requiring a separate agent on the Docker host.

Configuration Sections
Global Settings (<global>)

The <global> block controls alerting output formats, email notifications, and agent disconnection behaviour.

| Parameter | Value | Description |
|---|---|---|
| jsonout_output | yes | Write alerts to alerts.json in JSON format |
| alerts_log | yes | Write alerts to alerts.log in plain text |
| logall | yes | Archive all received events, not just those that match rules |
| logall_json | yes | Archive all events in JSON format |
| email_notification | no | Email alerting is disabled by default |
| smtp_server | smtp.example.wazuh.com | SMTP server (used when email is enabled) |
| email_from | wazuh@example.wazuh.com | Sender address for email alerts |
| email_to | recipient@example.wazuh.com | Recipient address for email alerts |
| email_maxperhour | 12 | Maximum emails sent per hour |
| email_log_source | alerts.log | Log file used as the email alert source |
| agents_disconnection_time | 10m | Time after which a silent agent is considered disconnected |
| agents_disconnection_alert_time | 0 | Delay before firing the disconnection alert (0 = immediate) |

A second <global> block later in the file defines the active-response IP whitelist:

| Parameter | Value | Description |
|---|---|---|
| white_list | 127.0.0.1 | Loopback address is never blocked by active response |
| white_list | ^localhost.localdomain$ | Localhost hostname is never blocked |
Alerts

The <alerts> block sets threshold levels for log and email output.

| Parameter | Value | Description |
|---|---|---|
| log_alert_level | 3 | Minimum rule severity level written to alerts.log and alerts.json |
| email_alert_level | 12 | Minimum rule severity level that triggers an email notification |

Wazuh rule levels range from 0 (informational) to 15 (critical). Setting log_alert_level: 3 keeps low-noise informational events out of the alerts files. The email threshold of 12 means only high-severity events generate emails.
Agent Communication (<remote>)
The <remote> block defines how the Manager accepts incoming connections from enrolled agents.

| Parameter | Value | Description |
|---|---|---|
| connection | secure | Encrypted, authenticated agent-to-manager communication |
| port | 1514 | TCP port the Manager listens on for agent traffic |
| protocol | tcp | Transport protocol |
| queue_size | 131072 | Internal event queue depth (number of events buffered before processing) |

Port 1514/TCP must be reachable from all agent hosts. In the Docker Compose stack this port is published on the host and agents connect to it directly.
Internal Logging (<logging>)

The <logging> block controls the format of Wazuh’s own internal log output written to /var/ossec/logs/ossec.log.

| Parameter | Value | Description |
|---|---|---|
| log_format | plain | Write internal logs in plain text format. Alternatives are json or plain,json |
Rootcheck (Policy Monitoring)

Rootcheck performs host-based anomaly and policy checks: scanning for rootkits, suspicious files, hidden processes, and configuration issues.

| Parameter | Value | Description |
|---|---|---|
| disabled | no | Rootcheck is active |
| check_files | yes | Scan for suspicious files using the rootkit database |
| check_trojans | yes | Compare binaries against the known-trojan list |
| check_dev | yes | Scan /dev for unusual device files |
| check_sys | yes | Check system call entries and /proc |
| check_pids | yes | Detect hidden processes |
| check_ports | yes | Detect hidden network ports |
| check_if | yes | Check network interfaces for promiscuous mode |
| frequency | 43200 | Run every 12 hours |
| rootkit_files | etc/rootcheck/rootkit_files.txt | Rootkit file signatures database |
| rootkit_trojans | etc/rootcheck/rootkit_trojans.txt | Trojan signatures database |
| skip_nfs | yes | Skip NFS-mounted directories to avoid slow scans |
Docker Listener Wodle

The docker-listener wodle subscribes to the Docker daemon event stream on the Manager host and forwards container lifecycle events directly to the Indexer as Wazuh alerts.

| Parameter | Value | Description |
|---|---|---|
| disabled | no | Docker event monitoring is active |

Container start, stop, die, pause, and unpause events from the host are captured without requiring a separate Wazuh agent on the Docker host.
System Inventory (syscollector wodle)
The syscollector wodle periodically collects a hardware and software inventory of the Manager host and forwards it to the Indexer for storage and search.

| Parameter | Value | Description |
|---|---|---|
| disabled | no | Syscollector is active |
| interval | 1h | Full inventory scan every hour |
| scan_on_start | yes | Run an inventory scan immediately on Wazuh startup |
| hardware | yes | Collect CPU, memory, and board details |
| os | yes | Collect OS name, version, and kernel |
| network | yes | Collect network interfaces, addresses, and routes |
| packages | yes | Collect installed package list |
| ports (all=yes) | yes | Collect all open ports, including non-listening ones |
| processes | yes | Collect running process list |
| max_eps | 10 | Maximum inventory events sent per second to avoid indexer overload |
Security Configuration Assessment (SCA)

SCA runs policy checks against configuration benchmarks and reports compliance failures as alerts.

| Parameter | Value | Description |
|---|---|---|
| enabled | yes | SCA is active |
| scan_on_start | yes | Run a full policy scan at startup |
| interval | 12h | Re-scan every 12 hours |
| skip_nfs | yes | Skip NFS-mounted paths during scanning |

The Manager uses the built-in policy files from ruleset/sca/. To add custom policies, place .yml files in etc/shared/ on the Manager and reference them from agent group configurations.
Vulnerability Detection
The vulnerability detection engine correlates the syscollector package inventory against CVE feeds to identify vulnerable software versions.

| Parameter | Value | Description |
|---|---|---|
| enabled | yes | Vulnerability detection is active |
| index-status | yes | Index vulnerability status records in the Wazuh Indexer |
| feed-update-interval | 60m | Refresh CVE feeds every 60 minutes |

The Manager connects to the Wazuh Indexer over https://wazuh.indexer:9200 using the certificates configured in the <indexer> block:

| TLS Setting | Path |
|---|---|
| CA certificate | /etc/ssl/root-ca.pem |
| Client certificate | /etc/ssl/filebeat.pem |
| Client key | /etc/ssl/filebeat.key |
File Integrity Monitoring (syscheck)

Syscheck monitors files and directories for unexpected changes, generating alerts when content, permissions, or ownership are modified.

Scan Settings

| Parameter | Value | Description |
|---|---|---|
| frequency | 43200 | Full scan every 12 hours |
| scan_on_start | yes | Run an immediate scan on startup |
| alert_new_files | yes | Alert when a new file appears in a monitored directory |
| auto_ignore | no (freq=10, timeframe=3600) | Never auto-ignore frequently changed files |
| process_priority | 10 | Nice value: run at lower CPU priority |
| max_eps | 100 | Maximum FIM events per second |
| skip_nfs | yes | Skip NFS mounts |
| skip_dev | yes | Skip /dev |
| skip_proc | yes | Skip /proc |
| skip_sys | yes | Skip /sys |

Monitored Directories

| Path | Notes |
|---|---|
| /etc, /usr/bin, /usr/sbin | System configuration and administrative binaries |
| /bin, /sbin, /boot | Core binaries and bootloader files |

Ignored Paths

The following paths are excluded from FIM to reduce alert noise from files that change legitimately:

| Ignored Path | Reason |
|---|---|
| /etc/mtab | Updated on every mount/unmount |
| /etc/hosts.deny | Modified by active-response rules |
| /etc/mail/statistics | Mail statistics updated frequently |
| /etc/random-seed | Updated on shutdown/boot |
| /etc/random.seed | Updated on shutdown/boot |
| /etc/adjtime | Updated by hardware clock synchronization |
| /etc/httpd/logs | Log directory (high-frequency writes) |
| /etc/utmpx | Login record file |
| /etc/wtmpx | Login record file |
| /etc/cups/certs | Printer certificates |
| /etc/dumpdates | Updated after each dump |
| /etc/svc/volatile | Volatile service state |
| *.log, *.swp (regex) | Log and editor swap files |

Nodiff

/etc/ssl/private.key is monitored for changes but its content is never included in alerts: the diff is suppressed to prevent private key material from appearing in logs.

Synchronization

| Parameter | Value | Description |
|---|---|---|
| enabled | yes | Database synchronization is active |
| interval | 5m | Sync the FIM database every 5 minutes |
| max_interval | 1h | Maximum interval between forced syncs |
| max_eps | 10 | Maximum sync events per second |
Active Response Commands

These <command> blocks define the executables available for active response rules. Commands are referenced by name in <active-response> rule blocks.

| Command Name | Executable | Timeout Allowed | Description |
|---|---|---|---|
| disable-account | disable-account | yes | Lock a local user account |
| restart-wazuh | restart-wazuh | n/a | Restart the Wazuh agent on the target host |
| firewall-drop | firewall-drop | yes | Block an IP via iptables/firewalld |
| host-deny | host-deny | yes | Add an IP to /etc/hosts.deny |
| route-null | route-null | yes | Null-route an IP (Linux) |
| win_route-null | route-null.exe | yes | Null-route an IP (Windows) |
| netsh | netsh.exe | yes | Block an IP with Windows netsh firewall |

The <active-response> trigger block is currently commented out in wazuh_manager.conf. To activate automated blocking, uncomment and configure it with the command name, location, level threshold, and optional timeout. See the Wazuh active response documentation for rule configuration examples.
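As an added check (example code, not part of this repository or of Wazuh itself), the following Python audit parses a configuration laid out as the multiple <ossec_config> blocks described at the top of this page and flags the settings this page calls out: an agent transport that is not secure, passwordless enrollment without host verification, a missing nodiff for the private key, and <command> definitions with no <active-response> trigger to fire them. The sample configuration, the function names parse_ossec_conf/texts/audit, and the level-10, 600-second trigger values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample mirroring settings documented on this page, not the repository's
# file. Like the real file it has several top-level <ossec_config> elements.
SAMPLE_CONF = """<ossec_config>
  <remote><connection>secure</connection><port>1514</port><protocol>tcp</protocol></remote>
  <syscheck><nodiff>/etc/ssl/private.key</nodiff></syscheck>
  <auth><use_password>no</use_password><ssl_verify_host>no</ssl_verify_host></auth>
</ossec_config>
<ossec_config>
  <global><white_list>127.0.0.1</white_list></global>
  <command><name>firewall-drop</name><executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed></command>
</ossec_config>
"""

# The trigger block the page says is commented out. Hypothetical values: level 10
# threshold, 600 second timeout, running the firewall-drop command defined above.
TRIGGER = """<ossec_config>
  <active-response><command>firewall-drop</command><location>local</location>
    <level>10</level><timeout>600</timeout></active-response>
</ossec_config>
"""

def parse_ossec_conf(text):
    """The file is not one well-formed XML document, so wrap it in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>").findall("ossec_config")

def texts(blocks, path):
    """Stripped text of every element matching `path` across all <ossec_config> blocks."""
    return [(el.text or "").strip() for b in blocks for el in b.findall(path)]

def audit(text):
    """Return (setting, finding) pairs for the security-relevant settings on this page."""
    blocks = parse_ossec_conf(text)
    findings = []
    if "secure" not in texts(blocks, "remote/connection"):
        findings.append(("remote/connection", "agent traffic is not encrypted"))
    if "no" in texts(blocks, "auth/use_password"):
        findings.append(("auth/use_password", "enrollment requires no shared password"))
    if "no" in texts(blocks, "auth/ssl_verify_host"):
        findings.append(("auth/ssl_verify_host", "agent certificate CN is not checked"))
    if "/etc/ssl/private.key" not in texts(blocks, "syscheck/nodiff"):
        findings.append(("syscheck/nodiff", "private key diffs would appear in alerts"))
    commands = set(texts(blocks, "command/name"))
    triggers = set(texts(blocks, "active-response/command"))
    if commands and not triggers:
        findings.append(("active-response", "commands defined but no trigger block fires them"))
    for name in triggers - commands:
        findings.append(("active-response", f"trigger references undefined command {name}"))
    return findings
```

Running audit(SAMPLE_CONF) reports the two authd settings and the missing trigger; appending TRIGGER clears the active-response finding, while a trigger naming a command that has no <command> block is reported as undefined.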
Log Analysis (localfile)
Three <localfile> entries configure the Manager to periodically run system commands and treat their output as log events for analysis.

| Command | Format | Frequency | Description |
|---|---|---|---|
| df -P | command | 360s | Disk utilization per filesystem in POSIX format |
| netstat -tulpn \| sed ... | full_command | 360s | Listening TCP/UDP ports, aliased as netstat listening ports |
| last -n 20 | full_command | 360s | Last 20 login entries |

A separate <ossec_config> block appends the active responses log as a syslog source:

| Location | Format | Description |
|---|---|---|
| /var/ossec/logs/active-responses.log | syslog | Records every active response action taken by the Manager |
Ruleset

The <ruleset> block tells the Manager where to find decoder and rule files.

Decoders

| Path | Type |
|---|---|
| ruleset/decoders | Wazuh built-in decoders |
| etc/decoders | User-defined custom decoders |

Rules

| Path | Type |
|---|---|
| ruleset/rules | Wazuh built-in rules |
| etc/rules | User-defined custom rules |

Excluded Rule File

0215-policy_rules.xml is excluded from loading. This file contains legacy policy rules superseded by the SCA engine; excluding it prevents duplicate alerts.

CDB Lists

| List | Usage |
|---|---|
| etc/lists/audit-keys | Auditd key identifiers |
| etc/lists/amazon/aws-eventnames | AWS CloudTrail event names |
| etc/lists/security-eventchannel | Windows Security event channel IDs |
| etc/lists/malicious-ioc/malicious-ip | Known malicious IP addresses |
| etc/lists/malicious-ioc/malicious-domains | Known malicious domain names |
| etc/lists/malicious-ioc/malware-hashes | Malware file hashes |

Rule Tester

The <rule_test> block enables the interactive rule testing engine (used by ossec-logtest):

| Parameter | Value |
|---|---|
| enabled | yes |
| threads | 1 |
| max_sessions | 64 |
| session_timeout | 15m |
Agent Authentication (<auth>)

The <auth> block configures wazuh-authd, the agent registration daemon.

| Parameter | Value | Description |
|---|---|---|
| disabled | no | Authd is running |
| port | 1515 | TCP port agents connect to for enrollment |
| use_source_ip | no | Register agents by name, not source IP |
| purge | yes | Remove deleted agent keys from the keystore |
| use_password | no | No shared password required for enrollment |
| ciphers | HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH | OpenSSL cipher string, strong ciphers only |
| ssl_verify_host | no | Agent’s hostname is not verified against its certificate CN |
| ssl_manager_cert | etc/sslmanager.cert | Manager’s TLS certificate for authd |
| ssl_manager_key | etc/sslmanager.key | Manager’s TLS private key for authd |
| ssl_auto_negotiate | no | Do not auto-negotiate SSL version |
Cluster Configuration

The <cluster> block defines the Wazuh cluster identity for this node.

| Parameter | Value | Description |
|---|---|---|
| name | wazuh | Cluster name; must match on all nodes |
| node_name | node01 | Unique name for this node |
| node_type | master | This node is the cluster master |
| key | <cluster-key> | Shared secret key for inter-node authentication; must be identical on all cluster nodes |
| port | 1516 | TCP port for inter-node cluster communication |
| bind_addr | 0.0.0.0 | Listen on all interfaces |
| nodes > node | wazuh.manager | List of cluster node addresses |
| hidden | no | Node is visible in cluster status |
| disabled | yes | Clustering is disabled; single-node deployment |
Full Configuration File

The complete wazuh_manager.conf for reference: