ossec.conf: Remote Options

Overview

Supported types

Remote options are available in the following installation types:

  • server

Location

All remote options must be configured in /var/ossec/etc/ossec.conf, inside the <ossec_config> tag.

XML excerpt to show location:

<ossec_config>
    <remote>
        <!--
        remote options here
        -->
    </remote>
</ossec_config>

Options

remote

connection

Specifies the type of connection being enabled: secure or syslog.

Default: secure

Allowed: secure/syslog

port

Specifies the port to listen on for events.

Default:

  • 1514: if connection is set to secure
  • 514: if connection is set to syslog

Allowed: Any port number from 1 to 65535

protocol

Specifies the protocol to use for syslog events.

Default: udp

Allowed: udp or tcp

allowed-ips

List of IP addresses that are allowed to send syslog messages to the server (one per element).

Allowed: Any IP address or network

Note

It is necessary to allow at least one IP address when using the syslog connection type.

deny-ips

List of IP addresses that are not allowed to send syslog messages to the server (one per element).

Allowed: Any IP address or network

local_ip

Local IP address to listen on for connections.

Default: all interfaces

Allowed: Any internal IP address

ipv6

Local IPv6 address to listen on for connections.

Default: None

Allowed: Any IPv6 address.

Note

This is not well tested. For the time being I recommend using the full IPv6 address instead of one of the many shortcuts.
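
A lint check over the constraints listed above, as an added example that is not part of the OSSEC documentation or code base: it parses each <remote> block and reports values outside the allowed sets, a syslog listener with no allowed-ips, and an ipv6 value not written in full form. The function names, finding messages and SAMPLE configuration are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <protocol>tcp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>70000</port>
    <ipv6>2001:db8::1</ipv6>
  </remote>
</ossec_config>"""

def _valid(parse, value):
    try:
        return parse(value) is not None
    except ValueError:
        return False

def check_remote(conf_text):
    """Return (block_index, message) findings for every <remote> block."""
    findings = []
    # Synthetic root so a file with several <ossec_config> blocks still parses.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for i, r in enumerate(root.iter("remote")):
        get = lambda tag, default="": (r.findtext(tag) or default).strip()
        conn = get("connection", "secure")
        if conn not in ("secure", "syslog"):
            findings.append((i, "connection must be secure or syslog"))
        port = get("port", "514" if conn == "syslog" else "1514")
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            findings.append((i, "port must be 1-65535"))
        if get("protocol", "udp") not in ("udp", "tcp"):
            findings.append((i, "protocol must be udp or tcp"))
        if conn == "syslog" and r.find("allowed-ips") is None:
            findings.append((i, "syslog needs at least one allowed-ips"))
        for e in r.findall("allowed-ips") + r.findall("deny-ips"):
            ip = (e.text or "").strip()
            if not _valid(lambda v: ipaddress.ip_network(v, strict=False), ip):
                findings.append((i, "not an IP address or network"))
        v6 = get("ipv6")
        if v6 and not _valid(ipaddress.IPv6Address, v6):
            findings.append((i, "ipv6 is not an IPv6 address"))
        elif v6 and ipaddress.IPv6Address(v6).exploded != v6.lower():
            findings.append((i, "ipv6 is not written in full form"))
    return findings
```

Calling check_remote(SAMPLE) returns no findings for the first block and three for the second: the out-of-range port, the missing allowed-ips, and the shortened IPv6 address.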