ospatrol.conf: Global options
Overview
Location
All global options must be configured in /var/ospatrol/etc/ospatrol.conf, inside a <global> section nested within the <ospatrol_config> tag.
XML excerpt showing the location:
<ospatrol_config>
  <global>
    <!--
    Global options here
    -->
  </global>
</ospatrol_config>
Options
- global
- email_notification
Enable or disable e-mail alerting.
Default: no
Allowed: yes/no
- email_to
E-mail recipient of the alerts.
Allowed: Any valid e-mail address
Note
To use granular email configurations, a base configuration is necessary in the <global> section.
- email_from
E-mail address used as the sender ("From") of the alerts.
Allowed: Any valid e-mail address
- smtp_server
SMTP server.
Allowed: Any valid hostname or IP Address
- email_maxperhour
Specifies the maximum number of e-mails to be sent per hour. All emails in excess of this setting will be queued for later distribution.
Default: 12
Allowed: Any number from 1 to 9999
Note
At the end of the hour any queued emails will be sent together in one email. This is true whether the mail grouping is enabled or disabled.
- custom_alert_output
Specifies the format of alerts written to the logfile.
Variables:
  $TIMESTAMP - The time the event was processed by OSPatrol.
  $FTELL - Unknown
  $RULEALERT - Unknown
  $HOSTNAME - Hostname of the system generating the event.
  $LOCATION - The file the log message was saved to.
  $RULEID - The rule id of the alert.
  $RULELEVEL - The rule level of the alert.
  $RULECOMMENT - Unknown
  $SRCIP - The source IP specified in the log message.
  $DSTUSER - The destination user specified in the log message.
  $FULLLOG - The original log message.
  $RULEGROUP - The groups containing the rule.
- stats
Alerting level for the events generated by the statistical analysis.
Default: 8
Allowed: Any level from 0 to 16
- logall
Whether all events received should be stored, rather than only those that trigger alerts.
Default: no
Allowed: yes/no
- memory_size
Sets the memory size for the event correlation.
Default: 1024
Allowed: Any size from 16 to 5096
- white_list
List of IP addresses that should never be blocked by the active response (one address or netblock per element). This option is only valid in server and local installs.
Multiple entries allowed: yes
Allowed: Any IP address or netblock
- host_infomation
Alerting level for the events generated by the host change monitor.
Default: 8
Allowed: Any level from 0 to 16
- prelude_output
Enables or disables prelude output.
Default: no
Allowed: yes/no
- picviz_output
Enable picviz output.
Warning
PicViz is experimental.
Allowed: yes
- picviz_socket
The full path of the socket that ospatrol will write alerts/events to. This will then be read by picviz for processing.
Allowed: Path to a file that ospatrol will create and feed events to.
- geoip_db_path
The full path to the GeoIP IPv4 database file.
Example:
  <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
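The following is an added example of a complete <global> section that ties the options above together; it is not taken from the OSPatrol documentation, and the mail addresses, SMTP host and IP ranges are constructed placeholders.

```xml
<!-- Added example of a full <global> section (not from the OSPatrol docs).
     Addresses, hostnames and IP ranges below are constructed placeholders. -->
<ospatrol_config>
  <global>
    <!-- E-mail alerting to a monitoring mailbox -->
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <email_from>ospatrol@example.com</email_from>
    <smtp_server>smtp.example.com</smtp_server>
    <!-- Cap mail volume: anything above 12 per hour is queued and
         delivered together at the end of the hour -->
    <email_maxperhour>12</email_maxperhour>

    <!-- Alert log format. $FULLLOG carries text influenced by whoever wrote
         the original log line, so it goes last to keep the fixed fields
         easy to parse downstream -->
    <custom_alert_output>$TIMESTAMP $HOSTNAME rule=$RULEID level=$RULELEVEL group=$RULEGROUP src=$SRCIP user=$DSTUSER location=$LOCATION msg=$FULLLOG</custom_alert_output>

    <!-- Keep every received event, not only alerts, for later investigation -->
    <logall>yes</logall>
    <!-- Alert level for statistical-analysis events; 8 is the default -->
    <stats>8</stats>
    <!-- Event correlation memory; 1024 is the default -->
    <memory_size>1024</memory_size>

    <!-- Addresses active response must never block (server/local installs only).
         One address or netblock per element. -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.0/24</white_list>

    <!-- GeoIP IPv4 database used to enrich source addresses -->
    <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
  </global>
</ospatrol_config>
```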