%YAML 1.1
---
# Alertflex collector configuration file. The comments below describe each
# parameter; for full details see the project documentation - http://alertflex.org/doc/index.html
# Collector version 0.7
collector:
  # Identity of this collector as the controller sees it.
  node: "_node_id"
  sensor: "_sensor_id"

  # Remote management of this collector from the controller. Both values are
  # quoted strings on purpose (the consumer appears to expect the text
  # "true"/"false" rather than a YAML boolean — confirm before changing that).
  # NOTE(review): with these enabled, whoever controls the controller / broker
  # link (see the `controller:` section) can act on this host; presumably
  # remote_upload lets it write into the *_path rule directories under
  # `sources:` — confirm in the collector source. Keep both "false" unless
  # that link and its credentials are trusted.
  active_response: "true"
  remote_upload: "true"

  # Offset in hours between this collector's clock and the controller's.
  time_zone: 0

  # Local spool used when the controller is unreachable: events/logs are
  # written under /var/log/alertflex. Once a file grows past log_size (MB)
  # the collector rolls over to the next file.
  log_size: 100

  # Alert rate limit. When more than alerts_threshold alerts are pending, the
  # collector drops further alerts until the Redis list drains and raises one
  # summary alert about the burst instead. Redirection of alerts to local
  # logs is not interrupted.
  alerts_threshold: 100

  # TIMERS
  # Delay before the collector starts processing, in seconds (default 30).
  startup_timer: 30
  # Idle sleep between polling cycles, in milliseconds (default 1000).
  sleep_timer: 1000
  # Interval for netflow / IDS statistics reports, in seconds; 0 switches
  # the reports off (default 300).
  report_timer: 300
  # Rule update on the sensor side, followed by a sync with the central node.
  # NOTE(review): the unit of this value is not documented here — verify.
  update_timer: 1

  # MaxMind GeoIP database used for geo enrichment.
  geo_db: "/etc/alertflex/GeoLiteCity.dat"

  # Wazuh API: Altprobe polls OSSEC/Wazuh agent status every report_timer
  # seconds. The password is stored in clear text, so restrict this file to
  # the collector's service account (e.g. mode 0600), never commit real
  # values, and give the API user only the read-only rights this needs.
  wazuh_host: "127.0.0.1"
  wazuh_port: 55000
  wazuh_user: "_wazuh_user"
  wazuh_pwd: "_wazuh_pwd"

  # Redis: Altprobe consumes source events by popping from the lists named in
  # `sources:`. No Redis credentials are configured in this file, so keep
  # Redis bound to localhost (or otherwise unreachable from untrusted hosts):
  # anyone who can push to these lists can inject events.
  redis_host: "127.0.0.1"
  redis_port: 6379
sources:
  # Redis list for metrics from Elastic Stack Metricbeat.
  metric: "altprobe_metrics"
  # Redis list for events from Altprobe clients.
  misc: "altprobe_misc"
  # nginx/ModSecurity log file (e.g. /var/log/nginx/error.log);
  # "none" disables file-based reading.
  modsec_log: "none"
  # Redis list for events from the ModSecurity WAF.
  modsec_redis: "altprobe_waf"
  # Suricata log file (e.g. /var/log/suricata/eve.json);
  # "none" disables file-based reading.
  suri_log: "none"
  # Redis list for events from the Suricata IDS.
  suri_redis: "altprobe_nids"
  # Wazuh alerts log file; "none" disables file-based reading.
  wazuh_log: "/var/ossec/logs/alerts/alerts.json"
  # Redis list for events from Wazuh HIDS / OSSEC.
  wazuh_redis: "altprobe_hids"

  # Rule and IP-reputation locations per engine. The *_iprep and *_rules
  # values are relative and appear to be appended to the matching *_path
  # (compare the ModSecurity example); "none" disables rule handling for
  # that engine. NOTE(review): if remote_upload in `collector:` is enabled,
  # these directories are presumably what the controller writes to — confirm
  # in the collector source and keep their ownership/permissions tight.
  # modsec_path: "/etc/nginx/modsec/"
  # modsec_iprep: "owasp-modsecurity-crs-3.0.2/rules/"
  # modsec_rules: "owasp-modsecurity-crs-3.0.2/rules/"
  modsec_path: "none"
  modsec_iprep: "none"
  modsec_rules: "none"
  suri_path: "/etc/suricata/"
  suri_iprep: "iprep/"
  suri_rules: "rules/"
  # suri_path: "none"
  # suri_iprep: "none"
  # suri_rules: "none"
  wazuh_path: "/var/ossec/"
  wazuh_iprep: "etc/lists/"
  wazuh_rules: "ruleset/rules/"
  # wazuh_path: "none"
  # wazuh_iprep: "none"
  # wazuh_rules: "none"
controller:
  # Upstream link: alerts and statistics are sent to the controller's
  # ActiveMQ interface. The ssl:// scheme puts the session under TLS; keep it
  # that way, since the broker credentials below travel over this connection.
  amq: "ssl://_amq_host:61617"
  # Broker credentials. Placeholders here; fill them in at deploy time, keep
  # this file readable only by the collector's service account, and never
  # commit real values.
  user: "_amq_user"
  pwd: "_amq_pwd"
  # PEM file used for the TLS session with the broker — presumably the
  # broker's certificate or CA used to verify the peer; confirm against the
  # collector source. Install it from a trusted source, otherwise the peer
  # check means little.
  cert: "/etc/alertflex/Broker.pem"
  # Destination prefix on the broker.
  path: "jms/alertflex/"