All remote options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.
XML excerpt to show location:
OSSEC<ossec_config>
<remote>
<!--
remote options here
-->
</remote>
</ossec_config>
remote
connection
Specify the type of connection being enabled: secure or using syslog.
Default: secure
Allowed: secure/syslog
port
Specifies the port to listen for events.
Default:
- 1514: if connection is set to secure
- 514: if connection is set to syslog
Allowed: Any port number from 1 to 65535
protocol
Specifies the protocol to use for syslog events.
Default: udp
Allowed: udp or tcp
allowed-ips
List of IP addresses that are allowed to send syslog messages to the server (one per element).
Allowed: Any IP address or network
Note
It is necessary to allow at least one IP address when using the syslog connection type.
deny-ips
List of IP addresses that are not allowed to send syslog messages to the server(one per element).
Allowed: Any IP address or network
local_ip
Local ip address to listen for connections.
Default: all interfaces
Allowed: Any internal ip address
ipv6
Local ipv6 address to listen for connections.
Default: None
Allowed: Any IPv6 address.
Note
This is not well tested. For the time being I recommend using the full IPv6 address instead of one of the many shortcuts.