<no title> — wazuh-api-kit 1.0.0 documentation

Provides the WazuhAgentLabelsConfiguration which allows to parse the localfile section of the Wazuh local configuration (ossec.conf).

class WazuhAgentLocalfileConfiguration(**kwargs)#

Bases: object

Object representation of an agent’s localfile configuration section.

Wazuh reference: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html

age: str | None#

Time span in which a file must not have been modified to be collected.

Examples: 1s, 2m 3h, 4d

alias: str | None#: Optional name which substitutes the command in the ossec logs.

command: str | None#: The command that is being executed to retrieve the events.

exclude: str | None#: Pattern of log source locations that will be excluded.

filter: str | None#: Collects journald logs selectively by filtering specific fields.

frequency: int | None#: Frequency in seconds in which the command is being executed.

ignore: list[WazuhAgentLocalfileRegexConfiguration]#: List of regular expressions which match log lines that will be ignored.

ignore_binaries: bool#: Indicates whether binary files will be ignored or not.

labels: dict[slice(<class 'str'>, <class 'str'>, None)] | None#: Dictionary of additional JSON fields that are appended to the events.

location: str | None#: Specifies the log source location. may be a path, the windows event channel, macOS ULS or journald.

log_format: str | None#

Specifies the read log format.

Possible values: [“apache”, “audit”, “command”, “djb-multilog”, “eventchannel”, “eventlog”, “full_command”, “generic”, “iis”, “journald”, “json”, “macos”, “multi-line”, “multi-line-regex”, “mysql_log”, “mssql_log”, “nmapg”, “ossecalert”, “postgresql_log”, “snort-fast”, “snort-full”, “squid”, “syslog”, “syslog-pipe”]

multiline_regex: str | None#: Regular expression for the interpretation of multiple log lines as one event.

only_future_events: bool = True#: Indicates wether only future events are being collected or not.

out_format: list[WazuhAgentLocalfileOutFormatConfiguration]#: List of output formats and their targets.

query: dict[slice(<class 'str'>, <built-in function any>, None)] | None#: Windows eventchannel or macOS ULS log query.

reconnect_time: str | None#

Time span after which the windows event channel will be queried again after encountering an error.

Examples: 1s, 2m 3h, 4d

restrict: list[WazuhAgentLocalfileRegexConfiguration]#: List of regular expressions which will redact specific parts of log messages.

target: list[str] | None#: List of sockets the events will be written to.

On this page