OSSEC-GUI/ossec.conf.cli

<!-- OSSEC example config -->

<ossec_config>
  <client>
    <server-ip>192.168.0.10</server-ip>
  </client>
  <global>
      <email_notification>yes</email_notification>
      <email_to>root@localhost</email_to>
      <smtp_server>127.0.0.1</smtp_server>
      <email_from>ossecm@localhost</email_from>
  </global>
  <syscheck>
    <!-- Frequency that syscheck is executed (default every 2 hours) -->
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</ossec_config>
first commit 2023-04-14 12:05:35 +02:00			`<!-- OSSEC example config -->`

			`<ossec_config>`
			`<client>`
			`<server-ip>192.168.0.10</server-ip>`
			`</client>`
			`<global>`
			`<email_notification>yes</email_notification>`
			`<email_to>root@localhost</email_to>`
			`<smtp_server>127.0.0.1</smtp_server>`
			`<email_from>ossecm@localhost</email_from>`
			`</global>`
			`<syscheck>`
			`<!-- Frequency that syscheck is executed (default every 2 hours) -->`
			`<frequency>79200</frequency>`
			`<alert_new_files>yes</alert_new_files>`
			`<!-- Directories to check (perform all possible verifications) -->`
			`<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>`
			`<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot</directories>`

			`<!-- Files/directories to ignore -->`
			`<ignore>/etc/mtab</ignore>`
			`<ignore>/etc/hosts.deny</ignore>`
			`<ignore>/etc/mail/statistics</ignore>`
			`<ignore>/etc/random-seed</ignore>`
			`<ignore>/etc/random.seed</ignore>`
			`<ignore>/etc/adjtime</ignore>`
			`<ignore>/etc/httpd/logs</ignore>`

			`<!-- Check the file, but never compute the diff -->`
			`<nodiff>/etc/ssl/private.key</nodiff>`
			`</syscheck>`

			`<rootcheck>`
			`<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>`
			`<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>`
			`</rootcheck>`

			`<localfile>`
			`<log_format>syslog</log_format>`
			`<location>/var/log/messages</location>`
			`</localfile>`

			`<localfile>`
			`<log_format>syslog</log_format>`
			`<location>/var/log/authlog</location>`
			`</localfile>`

			`<localfile>`
			`<log_format>syslog</log_format>`
			`<location>/var/log/auth.log</location>`
			`</localfile>`

			`<localfile>`
			`<log_format>syslog</log_format>`
			`<location>/var/log/secure</location>`
			`</localfile>`

			`<localfile>`
			`<log_format>syslog</log_format>`
			`<location>/var/log/xferlog</location>`
			`</localfile>`

			`<localfile>`
			`<log_format>syslog</log_format>`
			`<location>/var/log/maillog</location>`
			`</localfile>`

			`</ossec_config>`