All global options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.
XML excerpt to show location:
<ossec_config>
  <global>
    <!--
    Global options here
    -->
  </global>
</ossec_config>
global
email_notification
Enable or disable e-mail alerting.
Default: no
Allowed: yes/no
email_to
E-mail recipient of the alerts.
Allowed: Any valid e-mail address
Note
To use granular email configurations, a base configuration is necessary in the <global> section.
email_from
E-mail “source” of the alerts.
Allowed: Any valid e-mail address
email_reply_to
New in version 3.0.
E-mail “Reply-to” of the alerts.
Allowed: Any valid e-mail address
smtp_server
SMTP server.
Allowed: Any valid hostname or IP Address
Note
If the smtp_server entry contains a hostname, /etc/resolv.conf will probably have to be copied to OSSEC’s etc directory (/var/ossec/etc by default).
email_maxperhour
Specifies the maximum number of e-mails to be sent per hour. All emails in excess of this setting will be queued for later distribution.
Default: 12
Allowed: Any number from 1 to 9999
Note
At the end of the hour any queued emails will be sent together in one email. This is true whether the mail grouping is enabled or disabled.
email_idsname
If set, “X-IDS-OSSEC: ” will be added to the email headers with the specified value.
Allowed: Any name
Note
This was added in OSSEC 2.8.
custom_alert_output
Specifies the format of alerts written to the logfile.
Variables:
  "$TIMESTAMP" - The time the event was processed by OSSEC.
  "$FTELL" - Unknown
  "$RULEALERT" - Unknown
  "$HOSTNAME" - Hostname of the system generating the event.
  "$LOCATION" - The file the log message was saved to.
  "$RULEID" - The rule id of the alert.
  "$RULELEVEL" - The rule level of the alert.
  "$RULECOMMENT" - Unknown
  "$SRCIP" - The source IP specified in the log message.
  "$DSTUSER" - The destination user specified in the log message.
  "$FULLLOG" - The original log message.
  "$RULEGROUP" - The groups containing the rule.
stats
Alerting level for the events generated by the statistical analysis.
Default: 8
Allowed: Any level from 0 to 16
logall
Specifies whether all received events should be stored.
Default: no
Allowed: yes/no
memory_size
Sets the memory size for the event correlation.
Default: 1024
Allowed: Any size from 16 to 5096
white_list
List of IP addresses that should never be blocked by the active response (one per element). This option is only valid in server and local installs.
Multiples Allowed: yes
Allowed: Any IP address or netblock
host_information
Alerting level for the events generated by the host change monitor.
Default: 8
Allowed: Any level from 0 to 16
jsonout_output
New in version 2.9.0.
Enable or disable writing of JSON-formatted alerts to /var/ossec/logs/alerts/alerts.json.
Default: no
Allowed: yes/no
prelude_output
Enables or disables Prelude output.
Default: no
Allowed: yes/no
zeromq_output
Enable ZeroMQ Output
Warning
ZeroMQ is experimental and will likely change drastically from version to version.
Allowed: yes/no
zeromq_uri
This is the ZeroMQ URI that the publisher socket will bind to.
Warning
This URI format is defined by the ZeroMQ project.
<zeromq_uri>tcp://localhost:11111/</zeromq_uri>
This will listen for ZeroMQ subscribers on IP address 127.0.0.1, port 11111.
<zeromq_uri>tcp://eth0:21212/</zeromq_uri>
This will listen for ZeroMQ subscribers on the IP address assigned to eth0, port 21212.
<zeromq_uri>ipc:///alerts-zmq</zeromq_uri>
This will listen for ZeroMQ subscribers on the Unix domain socket /alerts-zmq.
geoip_db_path
The full path to the GeoIP IPv4 database file location.
Example:
<geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
geoip6_db_path
The full path to the GeoIP IPv6 database file location.
Example:
<geoip6_db_path>/etc/GeoLiteCity.dat</geoip6_db_path>
md5_whitelist
New in version 3.0.
Define an SQLite database of whitelisted MD5 hashes.
Example:
<global>
  <md5_whitelist>/rules/lists/md5whitelist.db</md5_whitelist>
</global>
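As an added example that is not part of the OSSEC documentation or code base: a small Python checker that enforces the ranges, yes/no values, white_list address syntax, custom_alert_output variable names and the e-mail base-configuration note listed above on the <global> section of an ossec.conf. The file contents are wrapped in a synthetic root element because a real ossec.conf may contain several <ossec_config> blocks, and the sample configuration at the bottom is constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
# Constraints taken from the <global> option reference above.
RANGES = {"email_maxperhour": (1, 9999), "stats": (0, 16),
          "host_information": (0, 16), "memory_size": (16, 5096)}
YES_NO = {"email_notification", "logall", "jsonout_output",
          "prelude_output", "zeromq_output"}
ALERT_VARS = {"TIMESTAMP", "FTELL", "RULEALERT", "HOSTNAME", "LOCATION", "RULEID",
              "RULELEVEL", "RULECOMMENT", "SRCIP", "DSTUSER", "FULLLOG", "RULEGROUP"}

def check_global(conf_text):
    """Return a list of problems found in every <global> section of an ossec.conf."""
    problems = []
    root = ET.fromstring("<root>" + conf_text + "</root>")  # file may hold several <ossec_config>
    for g in root.iter("global"):
        for opt in g:
            val = (opt.text or "").strip()
            if opt.tag in YES_NO and val not in ("yes", "no"):
                problems.append(f"{opt.tag}: expected yes/no, got {val!r}")
            elif opt.tag in RANGES:
                lo, hi = RANGES[opt.tag]
                if not val.isdigit() or not lo <= int(val) <= hi:
                    problems.append(f"{opt.tag}: expected {lo}-{hi}, got {val!r}")
            elif opt.tag == "white_list":
                try:  # accepts a single address or a CIDR netblock
                    ipaddress.ip_network(val, strict=False)
                except ValueError:
                    problems.append(f"white_list: not an IP address or netblock: {val!r}")
            elif opt.tag == "custom_alert_output":
                for var in re.findall(r"\$([A-Z]+)", val):
                    if var not in ALERT_VARS:
                        problems.append(f"custom_alert_output: unknown variable ${var}")
        if g.findtext("email_notification", "no").strip() == "yes":  # needs base e-mail config
            for required in ("email_to", "email_from", "smtp_server"):
                if not (g.findtext(required) or "").strip():
                    problems.append(f"email_notification=yes but {required} is missing")
    return problems

# Constructed sample with several deliberate mistakes.
SAMPLE = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_maxperhour>20000</email_maxperhour>
    <white_list>10.0.0.0/8</white_list>
    <white_list>not-an-ip</white_list>
    <custom_alert_output>$TIMESTAMP $RULEID $SRCIP $FOO</custom_alert_output>
    <jsonout_output>true</jsonout_output>
  </global>
</ossec_config>"""
```

Running `check_global(SAMPLE)` reports seven problems, including the out-of-range email_maxperhour, the unknown $FOO variable and the missing email_to, email_from and smtp_server entries.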