Wazuh Configuration Management

Managing the Wazuh Configuration File

The Wazuh manager configuration file in the LME setup is located at:

/opt/lme/config/wazuh_cluster/wazuh_manager.conf

This file is mounted into the Wazuh Manager container when running in Podman.

Editing the Configuration File

  • Open the file with your preferred text editor (you may need sudo privileges) by running:

    sudo nano /opt/lme/config/wazuh_cluster/wazuh_manager.conf

  • Update the relevant sections. Common configuration areas include:

    • <global>: Set global settings for Wazuh
    • <ruleset>: Define rules and decoders
    • <syscheck>: File integrity monitoring settings
    • <rootcheck>: Rootkit detection settings
    • <wodle>: Wazuh modules configuration
  • Save the changes and exit the editor.

Applying Configuration Changes

After editing the configuration file, restart the Wazuh Manager service for the changes to take effect.

  • Restart the Wazuh Manager service container by running:

    podman restart lme-wazuh-manager

    Or with systemctl by running:

    sudo systemctl restart lme-wazuh-manager.service

  • Verify that the Wazuh Manager service started successfully by reviewing its logs:

    podman logs lme-wazuh-manager

The log output shows whether the manager started cleanly; any configuration errors Wazuh reports while parsing the file at startup appear there.

Best Practices

  • Always back up the configuration file before making changes by running:

    sudo cp /opt/lme/config/wazuh_cluster/wazuh_manager.conf /opt/lme/config/wazuh_cluster/wazuh_manager.conf.bak

  • Provide comments within the configuration file to document your changes and explain customizations.

  • Test configuration changes in a non-production environment before applying them to your production setup.

  • Regularly review and update your Wazuh configuration to ensure it aligns with your current security needs and policies.
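The procedure above (back up, sanity-check, restart, read the startup log) as one script. This is an added example, not part of LME or the Wazuh project; the WAZUH_CONF, WAZUH_CONTAINER and WAZUH_APPLY environment variables and the sample log line in the comments are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of LME or Wazuh: back up the manager config,
# sanity-check it, restart the container and review the startup log.
# Assumed environment variables: WAZUH_CONF, WAZUH_CONTAINER, WAZUH_APPLY.
set -eu

CONF="${WAZUH_CONF:-/opt/lme/config/wazuh_cluster/wazuh_manager.conf}"
CONTAINER="${WAZUH_CONTAINER:-lme-wazuh-manager}"

# Copy the config to a timestamped .bak beside it and print the backup path.
backup_config() {
  bak="$1.$(date +%Y%m%d%H%M%S).bak"
  cp -p -- "$1" "$bak"
  printf '%s\n' "$bak"
}

# The file holds several top-level <ossec_config> blocks, so generic XML tools
# reject it; instead check that every block opened is also closed. This catches
# a common copy/paste mistake before the manager is restarted.
check_balanced() {
  opens=$(grep -c '<ossec_config>' "$1" || true)
  closes=$(grep -c '</ossec_config>' "$1" || true)
  [ "$opens" -gt 0 ] && [ "$opens" -eq "$closes" ]
}

# Read log lines from stdin; print any at ERROR or CRITICAL level.
# Returns 0 when none are found, 1 otherwise. Wazuh log lines look like
# "2025/07/03 10:00:01 wazuh-analysisd: ERROR: ..." (constructed sample).
log_errors() {
  grep -E ': (ERROR|CRITICAL): ' || return 0
  return 1
}

main() {
  bak=$(backup_config "$CONF")
  echo "backup written to $bak"
  check_balanced "$CONF" || { echo "unbalanced <ossec_config> blocks, not restarting"; exit 1; }
  podman restart "$CONTAINER"
  sleep 5                                   # give the daemons time to parse the config
  if podman logs --tail 200 "$CONTAINER" 2>&1 | log_errors; then
    echo "manager restarted without configuration errors"
  else
    echo "errors in startup log; restore with: cp $bak $CONF"
    exit 1
  fi
}

# Only act when explicitly asked, so the functions can be sourced safely.
if [ "${WAZUH_APPLY:-0}" = "1" ]; then main; fi
```

The tag-balance check is only a cheap pre-flight; the authoritative validation is the manager's own startup, which is why the script still reads the container log afterwards.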

Note: Reference the official Wazuh documentation for detailed information on all available configuration options.

Last modified July 3, 2025: Update troubleshooting.md (cddb826)