# Wazuh Manager — Production ossec.conf
# Full distributed config with 2 managers, multi-org CloudTrail, n8n integration, TLS
# Replace: CLUSTER_KEY, INDEXER_HOSTS, N8N_URL, MANAGER_IPS

<ossec_config>
  <!-- ==================== CLUSTER ==================== -->
  <cluster>
    <name>wazuh-production</name>
    <node_name>manager-1</node_name>
    <node_ip>10.0.1.20</node_ip>
    <nodes>
      <node>10.0.1.20</node>  <!-- manager-1 -->
      <node>10.0.1.21</node>  <!-- manager-2 -->
    </nodes>
    <key>CHANGE_TO_32_CHAR_UNIQUE_CLUSTER_KEY</key>
  </cluster>

  <!-- ==================== GLOBAL ==================== -->
  <global>
    <jsonout_output>yes</jsonout_output>
    <email_notification>yes</email_notification>
    <email_to>security-alerts@company.com</email_to>
    <email_from>wazuh@wazuh.internal.yourdomain.com</email_from>
    <email_maxperhour>100</email_maxperhour>
    <log_level>1</log_level>
    <logall>yes</logall>
  </global>

  <!-- ==================== ALERTS ==================== -->
  <alerts>
    <alerts_log>yes</alerts_log>
    <log_alert_level>6</log_alert_level>
    <email_alerts>yes</email_alerts>
    <email_grouping>yes</email_grouping>
  </alerts>

  <!-- ==================== ACTIVE RESPONSE ==================== -->
  <active-response>
    <disabled>no</disabled>
    <commands>
      <command>
        <name>host-deny</name>
        <executable>host-deny.sh</executable>
        <expect>srcip</expect>
        <timeout_enabled>yes</timeout_enabled>
        <ar_level>10</ar_level>
      </command>
      <command>
        <name>firewall-drop</name>
        <executable>firewall-drop.sh</executable>
        <expect>srcip</expect>
        <timeout_enabled>yes</timeout_enabled>
        <ar_level>10</ar_level>
      </command>
    </commands>
  </active-response>

  <!-- ==================== LOGGING ==================== -->
  <logging>
    <log_level>info</log_level>
    <log_format>json</log_format>
  </logging>

  <!-- ==================== SYSCHECK (FIM) ==================== -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>300</frequency>  <!-- 5 min scan cycle -->
    <scan_on_start>yes</scan_on_start>
    <auto_ignore>yes</auto_ignore>
    <alert_new_files>yes</alert_new_files>

    <!-- Linux critical paths — real-time monitoring -->
    <directories check_all="yes" realtime="yes" report_changes="yes">
      /etc
      /usr/bin
      /usr/sbin
      /bin
      /sbin
    </directories>

    <directories check_all="yes" report_changes="yes">
      /var/log
      /home
      /opt
    </directories>

    <!-- Critical single files -->
    <files>/etc/passwd</files>
    <files>/etc/shadow</files>
    <files>/etc/group</files>
    <files>/etc/gshadow</files>
    <files>/etc/sudoers</files>
    <files>/etc/sudoers.d/</files>

    <!-- Ignore noisy system paths -->
    <ignore>/var/log/journal</ignore>
    <ignore>/var/log/sa</ignore>
    <ignore>/var/log/gdm</ignore>
    <ignore type="sregex">.log$</ignore>

    <!-- Windows critical paths -->
    <registry>HKEY_LOCAL_MACHINE\Software\Classes\*</registry>
    <registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services</registry>
    <registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</registry>
    <registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce</registry>

    <!-- Whodata (capture user+process on file modification) -->
    <whodata>yes</whodata>

    <!-- Windows only: registry real-time monitoring -->
    <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  </syscheck>

  <!-- ==================== ROOTCHECK ==================== -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <frequency>3600</frequency>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
  </rootcheck>

  <!-- ==================== OPENSCAP ==================== -->
  <open-scap>
    <disabled>yes</disabled>
    <content>/var/ossec/shared/cis-centos7-benchmark.xml</content>
    <interval>604800</interval>  <!-- Weekly -->
  </open-scap>

  <!-- ==================== SYSCOLLECTOR ==================== -->
  <!-- Hardware + OS inventory collection -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan-on-start>yes</scan-on-start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <!-- ==================== CSA (AWS CloudTrail Agentless) ==================== -->
  <!-- Multi-org: one entry per org's aggregated CloudTrail bucket -->
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>

    <!-- Org-Alpha -->
    <bucket type="cloudtrail">
      <name>cloudtrail-org-alpha-logs</name>
      <iam_role_arn>arn:aws:iam::111111111111:role/WazuhCrossAccountRead</iam_role_arn>
      <only_logs_after>2025-01-01T00:00:00Z</only_logs_after>
      <regions>us-east-1,eu-west-1</regions>
    </bucket>

    <!-- Org-Beta -->
    <bucket type="cloudtrail">
      <name>cloudtrail-org-beta-logs</name>
      <iam_role_arn>arn:aws:iam::222222222222:role/WazuhCrossAccountRead</iam_role_arn>
      <only_logs_after>2025-01-01T00:00:00Z</only_logs_after>
      <regions>us-east-1</regions>
    </bucket>

    <!-- Org-Gamma -->
    <bucket type="cloudtrail">
      <name>cloudtrail-org-gamma-logs</name>
      <iam_role_arn>arn:aws:iam::333333333333:role/WazuhCrossAccountRead</iam_role_arn>
      <only_logs_after>2025-01-01T00:00:00Z</only_logs_after>
      <regions>us-east-1,ap-southeast-1</regions>
    </bucket>

    <!-- GuardDuty findings (if used) -->
    <service type="guardduty">
      <iam_role_arn>arn:aws:iam::111111111111:role/WazuhCrossAccountRead</iam_role_arn>
      <only_logs_after>2025-01-01T00:00:00Z</only_logs_after>
      <regions>us-east-1,eu-west-1</regions>
    </service>
  </wodle>

  <!-- ==================== VULNERABILITY SCANNER ==================== -->
  <wodle name="vulnerability-detector">
    <disabled>yes</disabled>
    <interval>1h</interval>
    <run_on_start>yes</run_on_start>
    <provider name="alas">
      <os>amazon-linux</os>
      <path>ALAS</path>
      <version>ALAS-1</version>
      <update_umbral>1d</update_umbral>
    </provider>
  </wodle>

  <!-- ==================== AGENTLESS ==================== -->
  <agentless>
    <!-- Use for SSH-based log collection from network devices -->
  </agentless>

  <!-- ==================== INTEGRATIONS ==================== -->
  <!-- n8n webhook — primary IR automation -->
  <integration>
    <name>wazuh-n8n</name>
    <hook_url>https://n8n.internal.yourdomain.com/webhook/wazuh-alerts</hook_url>
    <level>6</level>
    <alert_format>json</alert_format>
    <timeout>30</timeout>
    <retry_attempts>3</retry_attempts>
  </integration>

  <!-- Slack direct (for urgent alerts — parallel to n8n) -->
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/XXX/YYY/ZZZ</hook_url>
    <level>12</level>
    <alert_format>json</alert_format>
  </integration>

  <!-- ==================== AUTHDaemon (Agent Enrollment) ==================== -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>yes</use_source_ip>
    <limit_maxconn>20000</limit_maxconn>
    <ciphers>HIGH:!ADH:!AECDH:!MD5:!RC4</ciphers>
    <SSL_ca>/var/ossec/etc/ssl cacert.pem</SSL_ca>
    <SSL_cert>/var/ossec/etc/ssl agentcert.pem</SSL_cert>
    <SSL_key>/var/ossec/etc/ssl agentkey.pem</SSL_key>
    <force_register>no</force_register>
    <purge>no</purge>
    <use_password>no</use_password>
    <force_time>0</force_time>
    <key_path>/var/ossec/etc/key</key_path>
    <auth_password>no</auth_password>
    <remote_enrollment>yes</remote_enrollment>
  </auth>

  <!-- ==================== REMOTE ==================== -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
    <reject_host_connections>no</reject_host_connections>
  </remote>

  <!-- ==================== COMMAND ==================== -->
  <!-- Custom commands for active response -->
  <command>
    <name>custom-block-ip</name>
    <executable>aws-security-group-block.py</executable>
    <expect>srcip</expect>
    <timeout>10</timeout>
  </command>

  <!-- ==================== LOCALFILE (additional log sources) ==================== -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>nginx</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/ossec/archives.json</location>
  </localfile>

</ossec_config>