Wazuh agent class

`class wazuh::agent`

This contains variables that can be used to configure the Wazuh agent.

Active-Response variables

Parameter	Description	Default value	Data type
`$configure_active_response`	Enables Active Response on this host.	`true`	Boolean
`$active_response_disabled`	Toggles the active-response capability on and off.	`no`	String
`$active_response_ca_verification`	This option enables or disables the WPK validation using the root CA certificate. If this parameter is set to no, the agent will accept any WPK package from the manager.	`yes`	String
`$active_response_repeated_offenders`	Sets timeouts in minutes for repeat offenders. This list of increasing timeouts can contain a maximum of 5 entries.	`[]`	Integer

Agent enrollment variables

Parameter	Description	Default value	Data type
`$wazuh_enrollment_enabled`	Enables/disables agent enrollment. If this variable is not set to '`yes` ', the complete enrollment tag will not be added to `/var/ossec/etc/ossec.conf`.	`undef`	String
`$wazuh_enrollment_manager_address`	Hostname or IP address of the manager where the agent will be enrolled.	`undef`	String
`$wazuh_enrollment_port`	Specifies the port on which the manager will send enrollment requests. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_agent_name`	Specifies the agent name that will be used for enrollment. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_groups`	Group name to which the agent belongs. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_agent_address`	Force IP address from the agent. The manager will extract the source IP address from the enrollment message if this is not set. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_ssl_cipher`	Override SSL used ciphers. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_server_ca_path`	Used for manager verification. If no CA certificate is set, the server will not be verified. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_agent_cert_path`	Required when agent verification is enabled in the manager. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_agent_key_path`	Required when agent verification is enabled in the manager. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_auth_pass`	Enrollment password. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_auth_pass_path`	Required when enrollment is using password verification. Depends on `wazuh_enrollment_enabled`	`'/var/ossec/etc/authd.pass'`	String
`$wazuh_enrollment_auto_method`	Auto negotiates the most secure common SSL/TLS method with the manager, use "`yes` " for auto negotiate or "`no` " for TLS v1.2 only. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_delay_after_enrollment`	Specifies the time agents should wait after a successful registration. Related parameter `delay_after_enrollment` Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_use_source_ip`	Force the manager to compute the IP address from the agent message. Depends on `wazuh_enrollment_enabled`	`undef`	String

Client variables

Parameter	Description	Default value	Data type
`$wazuh_reporting_endpoint`	Specifies the IP address or the hostname of the Wazuh manager to report.	`undef`	String
`$wazuh_register_endpoint`	Specifies the IP address or the hostname of the Wazuh manager against which to register.	n/a	String
`$ossec_port`	Specifies the port to send events to the manager. This must match the associated listening port configured on the Wazuh manager.	`1514`	String
`$ossec_protocol`	Specifies the protocol to use when connecting to the manager.	`tcp`	String
`$wazuh_max_retries`	The number of connection retries.	`5`	String
`$wazuh_retry_interval`	Time interval between connection attempts (seconds).	`5`	String
`$ossec_notify_time`	Specifies the time in seconds between agent check-ins to the manager.	`10`	String
`$ossec_time_reconnect`	Specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the `notify_time` parameter.	`60`	String
`$ossec_auto_restart`	Toggles on and off the automatic restart of agents when a new valid configuration is received from the manager.	`yes`	String
`$ossec_crypto_method`	Choose the encryption of the messages that the agent sends to the manager.	`aes`	String
`$client_buffer_queue_size`	Sets the capacity of the agent buffer in number of events.	`5000`	Integer
`$client_buffer_events_per_second`	Specifies the number of events sent to the manager per second.	`500`	String

Localfile variables

Parameter	Description	Default value	Data type
`$ossec_local_files`	Files list for log analysis These files are listed in `params_agent.pp` in section `$default_local_files` . If a change is needed, it should be modified in the `params_agent.pp` .	Depends on the OS family.	List

Rootcheck variables

Parameter	Description	Default value	Data type
`$ossec_rootcheck_disabled`	Disable rootcheck on this host (Linux).	`no`	String
`$ossec_rootcheck_check_files`	Enable the rootcheck checkfiles option.	`yes`	String
`$ossec_rootcheck_check_trojans`	Enable rootcheck checktrojans option.	`yes`	String
`$ossec_rootcheck_check_dev`	Enable rootcheck checkdev option.	`yes`	String
`$ossec_rootcheck_check_sys`	Enable the rootcheck checksys option.	`yes`	String
`$ossec_rootcheck_check_pids`	Enable rootcheck checkpids option.	`yes`	String
`$ossec_rootcheck_check_ports`	Enable the rootcheck checkports option.	`yes`	String
`$ossec_rootcheck_check_if`	Enable rootcheck check_if option.	`yes`	String
`$ossec_rootcheck_frequency`	How often the rootcheck scan will run (in seconds).	`36000`	String
`$ossec_rootcheck_ignore_list`	List of files or directories to be ignored. These files and directories will be ignored during scans.	`[]`	List
`$ossec_rootcheck_rootkit_files`	Change the location of the rootkit files database.	`'/var/ossec/etc/shared/rootkit_files.txt'`	String
`$ossec_rootcheck_rootkit_trojans`	Change the location of the rootkit trojan's database.	`'etc/shared/rootkit_trojans.txt'`	String
`$ossec_rootcheck_skip_nfs`	Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, `skip_nfs` will exclude checking files on CIFS or NFS mounts.	`yes`	String
`$ossec_rootcheck_system_audit`	Specifies the path to an audit definition file for Unix-like systems.	`[]`	List
`$ossec_rootcheck_windows_disabled`	Disables rootcheck if the host has a Windows OS.	`no`	String
`$ossec_rootcheck_windows_windows_apps`	Specifies the path to a Windows application definition file.	`'./shared/win_applications_rcl.txt'`	String
`$ossec_rootcheck_windows_windows_malware`	Specifies the path to a Windows malware definitions file.	`'./shared/win_applications_rcl.txt'`	String

SCA variables

Parameter	Description	Default value	Data type
`$configure_sca`	Enables SCA section render on this host.	`true`	boolean
`$sca_amazon_enabled`	Enable SCA on this host (Amazon Linux 2). Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_amazon_scan_on_start`	The SCA module will perform the scan immediately when started (Amazon Linux 2). Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_amazon_interval`	The interval between module executions. Depends on `configure_sca` and `apply_template_os`	`12h`	String
`$sca_amazon_skip_nfs`	Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, `skip_nfs` will exclude checking files on CIFS or NFS mounts. Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_amazon_policies`	A list of policies to run assessments can be included in this section. Depends on `configure_sca` and `apply_template_os`	`[]`	List
`$sca_rhel_scan_on_start`	The SCA module will perform the scan immediately when started (RHEL). Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_rhel_interval`	The interval between module executions. Depends on `configure_sca` and `apply_template_os`	`12h`	String
`$sca_rhel_skip_nfs`	Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, `skip_nfs` excludes checking files on CIFS or NFS mounts. Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_rhel_policies`	A list of policies to run assessments can be included in this section. Depends on `configure_sca` and `apply_template_os`	`[]`	List
`$sca_else_scan_on_start`	The SCA module will perform the scan immediately when started (Linux). Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_else_interval`	The interval between module executions. Depends on `configure_sca` and `apply_template_os`	`12h`	String
`$sca_else_skip_nfs`	Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, `skip_nfs` excludes checking files on CIFS or NFS mounts. Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_else_policies`	A list of policies to run assessments can be included in this section. Depends on `configure_sca` and `apply_template_os`	`[]`	List

$sca_max_eps

Sets the maximum throughput for event reporting. Events are messages that generate alerts.

Default 50

Type String

Depends on configure_sca

$sca_synchronization_enabled

Enables periodic inventory synchronization.

Default yes

Type String

Depends on configure_sca

$sca_synchronization_interval

Specifies the initial time between inventory synchronizations.

Default 5m

Type String

Depends on configure_sca

$sca_synchronization_response_timeout

Waiting time in seconds between a sync message and the next synchronization.

Default 30

Type String

Depends on configure_sca

$sca_synchronization_max_eps

Sets the maximum throughput for synchronization messages.

Default 10

Type String

Depends on configure_sca

Syscheck variables

Parameter	Description	Default value	Data type
`$configure_syscheck`	Enables syscheck section rendering on this host. If this variable is not set to 'true', the complete `syscheck` tag will not be added to `/var/ossec/etc/ossec.conf`.	`true`	Boolean
`$ossec_syscheck_disabled`	Disables syscheck on this host.	`no`	String
`$ossec_syscheck_frequency`	Enables syscheck section rendering on this host.	`43200`	String
`$ossec_syscheck_scan_on_start`	Specifies if syscheck scans immediately when started.	`yes`	String
`$ossec_syscheck_auto_ignore`	Specifies whether or not syscheck will ignore files that change too many times (manager only).	`undef`	String
`$ossec_syscheck_directories_1`	List of directories to be monitored. The directories should be comma-separated.	`'/etc,/usr/bin,/usr/sbin'`	String
`$ossec_syscheck_realtime_directories_1`	This will enable real-time/continuous monitoring on directories listed on `ossec_syscheck_directories_1` . Real time only works with directories, not individual files.	`no`	String
`$ossec_syscheck_whodata_directories_1`	This will enable who-data monitoring on directories listed on `ossec_syscheck_directories_1` .	`no`	String
`$ossec_syscheck_directories_2`	List of directories to be monitored. The directories should be comma-separated.	`'/etc,/usr/bin,/usr/sbin'`	String
`$ossec_syscheck_realtime_directories_2`	This will enable real-time/continuous monitoring on directories listed on `ossec_syscheck_directories_2` . The real-time settings work with directories, not individual files.	`no`	String
`$ossec_syscheck_whodata_directories_2`	This will enable who-data monitoring on directories listed on `ossec_syscheck_directories_2` .	`no`	String
`$ossec_syscheck_report_changes_directories_2`	Report file changes. This is limited to text files at this time.	`no`	String
`$ossec_syscheck_ignore_list`	List of files or directories to be ignored. Ignored files and directories are still being scanned, but the results are not reported.	`['/etc/mtab','/etc/hosts.deny',` `'/etc/mail/statistics',` `'/etc/random-seed',` `'/etc/random.seed',` `'/etc/adjtime',` `'/etc/httpd/logs',` `'/etc/utmpx','/etc/wtmpx',` `'/etc/cups/certs',` `'/etc/dumpdates',` `'/etc/svc/volatile',` `'/sys/kernel/security',` `'/sys/kernel/debug',` `'/dev/core',]`	String
`$ossec_syscheck_ignore_type_1`	Simple regex pattern to filter out files.	`'^/proc'`	String
`$ossec_syscheck_ignore_type_2`	Another simple regex pattern to filter out files.	`'.log$\|.swp$'`	String
`$ossec_syscheck_process_priority`	Sets the nice value for the syscheck process.	`10`	String
`$ossec_syscheck_synchronization_enabled`	Specifies whether there will be periodic inventory synchronizations or not.	`yes`	String
`$ossec_syscheck_synchronization_interval`	Specifies the initial number of seconds between every inventory synchronization. If synchronization fails, the value will be duplicated until it reaches the value of `max_interval` .	`5m`	String
`$ossec_syscheck_synchronization_max_eps`	Sets the maximum synchronization message throughput.	`10`	String
`$ossec_syscheck_synchronization_max_interval`	Specifies the maximum number of seconds between every inventory synchronization.	`1h`	String
`$ossec_syscheck_skip_nfs`	Specifies if syscheck should scan network-mounted filesystems. This option works on Linux and FreeBSD systems. Currently, `skip_nfs` will exclude checking files on CIFS or NFS mounts.	`yes`	String

$ossec_syscheck_max_eps

Sets the maximum throughput for reporting events. Events are messages that trigger alerts.

Default 50

Type String

$ossec_syscheck_notify_first_scan

Specifies whether the first Syscheck (FIM) scan reports stateless events.

Default no

Type String

$ossec_syscheck_synchronization_response_timeout

Waiting time in seconds between a sync message and the next synchronization.

Default 30

Type String

Wodle Syscollector

Parameter	Description	Default value	Data type
`$wodle_syscollector_disabled`	Disable the Syscollector wodle.	`no`	String
`$wodle_syscollector_interval`	Time between system scans.	`1h`	String
`$wodle_syscollector_scan_on_start`	Run a system scan immediately when the service is started.	`yes`	String
`$wodle_syscollector_hardware`	Enables the hardware scan.	`yes`	String
`$wodle_syscollector_os`	Enables the scan of the OS.	`yes`	String
`$wodle_syscollector_network`	Enables the network scan.	`yes`	String
`$wodle_syscollector_packages`	Enables the scan of the packages.	`yes`	String
`$wodle_syscollector_ports`	Enables the scanning of the ports.	`yes`	String
`$wodle_syscollector_processes`	Enables the scan of the processes.	`yes`	String
`$wodle_syscollector_users`	Enables the scanning of user accounts.	`yes`	String
`$wodle_syscollector_groups`	Enables the scanning of user account groups.	`yes`	String
`$wodle_syscollector_services`	Enables the scanning of services.	`yes`	String
`$wodle_syscollector_browser_extensions`	Enables the scanning of browser extensions.	`yes`	String

$wodle_syscollector_max_eps

Sets the maximum throughput for reporting events. Events are messages that trigger alerts.

Default 50

Type String

$wodle_syscollector_notify_first_scan

Specifies whether the first scan reports stateless events.

Default no

Type String

$wodle_syscollector_synchronization_enabled

Specifies whether to perform periodic inventory synchronizations.

Default yes

Type String

$wodle_syscollector_synchronization_interval

Specifies the initial interval between inventory synchronizations.

Default 5m

Type String

$wodle_syscollector_synchronization_response_timeout

Waiting time in seconds between a sync message and the next synchronization.

Default 30

Type String

$wodle_syscollector_synchronization_max_eps

Sets the maximum throughput for synchronization messages.

Default 10

Type String

Misc Variables

Parameter	Description	Default value	Data type
`$agent_package_name`	Defines the package name using `params_agent.pp`	`wazuh-agent`	String
`$agent_package_version`	Defines package version	`5.0.0-1`	String
`$selinux`	Whether to install a SELinux policy to allow rotation of OSSEC logs.	`false`	Boolean
`$agent_name`	Configure agent name.	`undef`	String
`$manage_repo`	Install Wazuh through Wazuh repositories.	`true`	Boolean
`$manage_client_keys`	Manage client keys option.	`yes`	String
`$agent_auth_password`	Define a password for agent-auth	`undef`	String