ossec.conf: Remote Options
Overview
Supported types
Remote options are available in the following installation types:
server
Location
All remote options must be configured in /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.
XML excerpt to show location:
<ossec_config>
  <remote>
    <!--
    remote options here
    -->
  </remote>
</ossec_config>
Options
remote
connection
Specify the type of connection being enabled: secure or using syslog.
Default: secure
Allowed: secure/syslog
port
Specifies the port on which to listen for events.
Default:
1514: if connection is set to secure
514: if connection is set to syslog
Allowed: Any port number from 1 to 65535
protocol
Specifies the protocol to use for syslog events.
Default: udp
Allowed: udp or tcp
allowed-ips
List of IP addresses that are allowed to send syslog messages to the server (one per element).
Allowed: Any IP address or network
Note
It is necessary to allow at least one IP address when using the syslog connection type.
deny-ips
List of IP addresses that are not allowed to send syslog messages to the server (one per element).
Allowed: Any IP address or network
local_ip
Local IP address to listen on for connections.
Default: all interfaces
Allowed: Any internal IP address
ipv6
Local IPv6 address to listen on for connections.
Default: None
Allowed: Any IPv6 address.
Note
This is not well tested. For the time being I recommend using the full IPv6 address instead of one of the many shortcuts.
crypto_accept
Specifies the encryption methods accepted by the manager.
Default: any
Allowed: aes, blowfish, any
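
The following is an added example, not part of the OSSEC documentation or code base: a small Python check that applies the defaults and allowed values listed above to each <remote> block and reports violations, including a syslog listener with no allowed-ips entry. The sample configuration is constructed, and the check assumes a single well-formed <ossec_config> root element.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <crypto_accept>aes</crypto_accept>
  </remote>
  <remote>
    <connection>syslog</connection>
    <protocol>tcp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
    <deny-ips>192.0.2.66</deny-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>70000</port>
  </remote>
</ossec_config>"""

# Defaults and allowed values as listed on this page.
DEFAULTS = {"connection": "secure", "protocol": "udp", "crypto_accept": "any"}
ALLOWED = {"connection": ("secure", "syslog"), "protocol": ("udp", "tcp"),
           "crypto_accept": ("aes", "blowfish", "any")}
DEFAULT_PORT = {"secure": "1514", "syslog": "514"}

def check_remote(remote):
    """Return (effective settings, problems) for one <remote> element."""
    cfg = {k: (remote.findtext(k) or d).strip() for k, d in DEFAULTS.items()}
    problems = [f"{k} {cfg[k]!r}: allowed values are {', '.join(v)}"
                for k, v in ALLOWED.items() if cfg[k] not in v]
    port = remote.findtext("port") or DEFAULT_PORT.get(cfg["connection"], "1514")
    cfg["port"] = port.strip()
    if not (cfg["port"].isdecimal() and 1 <= int(cfg["port"]) <= 65535):
        problems.append(f"port {cfg['port']!r}: must be 1 to 65535")
    for tag in ("allowed-ips", "deny-ips"):
        for value in ((e.text or "").strip() for e in remote.findall(tag)):
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(f"{tag} {value!r}: not an IP address or network")
    # The page's note: syslog listeners need at least one allowed sender.
    if cfg["connection"] == "syslog" and remote.find("allowed-ips") is None:
        problems.append("syslog connection: at least one allowed-ips entry required")
    return cfg, problems

def lint(conf_text):
    return [check_remote(r) for r in ET.fromstring(conf_text).findall("remote")]
```

Calling lint(SAMPLE_CONF) returns one (settings, problems) pair per <remote> block; the third block in the sample is reported for its out-of-range port and its missing allowed-ips entry.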