All global options are configured in /var/ossec/etc/ossec.conf, inside the <global> section of the <ossec_config> tag.
XML excerpt to show the location:

    <ossec_config>
      <global>
        <!--
        Global options here
        -->
      </global>
    </ossec_config>
Enable or disable e-mail alerting.
Default: no
Allowed: yes/no
E-mail recipient of the alerts.
Allowed: Any valid e-mail address
Note: To use granular e-mail configurations, a base e-mail configuration is still required in the <global> section.
E-mail “source” of the alerts.
Allowed: Any valid e-mail address
New in version 3.0.
E-mail “Reply-to” of the alerts.
Allowed: Any valid e-mail address
SMTP server.
Allowed: Any valid hostname or IP Address
Note: If the smtp_server entry contains a hostname, /etc/resolv.conf will probably have to be copied to OSSEC's etc directory (/var/ossec/etc by default) so that name resolution works inside the chroot.
Specifies the maximum number of e-mails to be sent per hour. All emails in excess of this setting will be queued for later distribution.
Default: 12
Allowed: Any number from 1 to 9999
Note: At the end of the hour, any queued e-mails are sent together in one e-mail. This is true whether mail grouping is enabled or disabled.
If set, an "X-IDS-OSSEC:" header carrying the specified value is added to the e-mail headers.
Allowed: Any name
Note: This option was added in OSSEC 2.8.
Specifies the format of alerts written to the logfile.
Variables:
"$TIMESTAMP" - The time the event was processed by OSSEC.
"$FTELL" - Unknown
"$RULEALERT" - Unknown
"$HOSTNAME" - Hostname of the system generating the event.
"$LOCATION" - The file the log message was read from.
"$RULEID" - The rule id of the alert.
"$RULELEVEL" - The rule level of the alert.
"$RULECOMMENT" - Unknown
"$SRCIP" - The source IP specified in the log message.
"$DSTUSER" - The destination user specified in the log message.
"$FULLLOG" - The original log message.
"$RULEGROUP" - The groups containing the rule.
Alerting level for the events generated by the statistical analysis.
Default: 8
Allowed: Any level from 0 to 16
Whether all received events should be stored, not only those that trigger an alert.
Default: no
Allowed: yes/no
Sets the memory size for the event correlation.
Default: 1024
Allowed: Any size from 16 to 5096
List of IP addresses that should never be blocked by the active response (one per element). This option is only valid in server and local installs.
Multiple allowed: yes
Allowed: Any IP address or netblock
Alerting level for the events generated by the host change monitor.
Default: 8
Allowed: Any level from 0 to 16
New in version 2.9.0.
Enable or disable writing of JSON-formatted alerts to /var/ossec/logs/alerts/alerts.json.
Default: no
Allowed: yes/no
Enable or disable Prelude output.
Default: no
Allowed: yes/no
Enable or disable ZeroMQ output.
Warning: ZeroMQ output is experimental and will likely change drastically from version to version.
Allowed: yes/no
The ZeroMQ URI that the publisher socket will bind to.
Warning: The URI format is defined by the ZeroMQ project, not by OSSEC.
Examples:
    <zeromq_uri>tcp://localhost:11111/</zeromq_uri>
This listens for ZeroMQ subscribers on IP address 127.0.0.1, port 11111.
    <zeromq_uri>tcp://eth0:21212/</zeromq_uri>
This listens for ZeroMQ subscribers on the IP address assigned to eth0, port 21212.
    <zeromq_uri>ipc:///alerts-zmq</zeromq_uri>
This listens for ZeroMQ subscribers on the Unix domain socket /alerts-zmq.
The full path to the GeoIP IPv4 database file.
Example:
    <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
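Because a mistyped <global> value (an out-of-range e-mail rate limit, a bogus white_list entry, a missing SMTP server while alerting is enabled) silently weakens alerting, it pays to lint the section before restarting OSSEC. The checker below is an added example, not OSSEC's own code: it uses OSSEC's real option names (email_notification, email_to, smtp_server, email_maxperhour, stats, memory_size, white_list, host_information, logall, jsonout_output, prelude_output, zeromq_output) and the ranges documented above; the sample configuration is constructed and assumes a single <ossec_config> root element.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Documented numeric ranges, inclusive (option names are OSSEC's own).
RANGES = {
    "email_maxperhour": (1, 9999),  # excess mail is queued, not dropped
    "stats": (0, 16),               # alert level for statistical analysis
    "memory_size": (16, 5096),      # event correlation memory
    "host_information": (0, 16),    # alert level for host change monitor
}
YES_NO = {"email_notification", "logall", "jsonout_output", "prelude_output", "zeromq_output"}
# Constructed sample config with several deliberate mistakes.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_maxperhour>0</email_maxperhour>
    <stats>8</stats>
    <memory_size>8192</memory_size>
    <white_list>127.0.0.1</white_list>
    <white_list>10.0.0.0/8</white_list>
    <white_list>not-an-ip</white_list>
    <logall>maybe</logall>
  </global>
</ossec_config>"""

def lint_global(conf_xml: str) -> list[str]:
    """Return the problems found in every <global> block; empty means clean.
    Assumes one <ossec_config> root (real files may contain several)."""
    problems = []
    for g in ET.fromstring(conf_xml).findall("global"):
        for opt in g:
            text = (opt.text or "").strip()
            if opt.tag in RANGES:
                lo, hi = RANGES[opt.tag]
                if not text.isdigit() or not lo <= int(text) <= hi:
                    problems.append(f"{opt.tag}={text!r}: expected {lo}..{hi}")
            elif opt.tag in YES_NO and text not in ("yes", "no"):
                problems.append(f"{opt.tag}={text!r}: expected yes/no")
            elif opt.tag == "white_list":
                try:  # accept a single address or a CIDR netblock
                    ipaddress.ip_network(text, strict=False)
                except ValueError:
                    problems.append(f"white_list={text!r}: not an IP or netblock")
        # Mail alerting needs the base settings from this section to work.
        if (g.findtext("email_notification") or "").strip() == "yes":
            for needed in ("email_to", "smtp_server"):
                if g.find(needed) is None:
                    problems.append(f"email_notification=yes but <{needed}> missing")
    return problems

if __name__ == "__main__":
    print("\n".join(lint_global(SAMPLE_CONF)) or "no problems found")
```

Note that OSSEC also accepts trailing-dot prefix netblocks (for example 10.0.0.) which this checker would flag; extend the white_list branch if your configuration relies on that form.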