# Plugin settings

## Setup settings

The Setup plugin is configured through settings in opensearch.yml. All settings use the plugins.setup prefix.

| Setting | Data type | Default value | Description |
|---|---|---|---|
| plugins.setup.timeout | Integer | 30 | Timeout in seconds for index and search operations. |
| plugins.setup.backoff | Integer | 15 | Delay in seconds between retries of initialization tasks. |
## Content manager settings

The Content Manager plugin is configured through settings in opensearch.yml. All settings use the plugins.content_manager prefix.

| Setting | Data type | Default value | Description |
|---|---|---|---|
| plugins.content_manager.cti.api | String | https://api.pre.cloud.wazuh.com/api/v1 | Base URL for the Wazuh CTI API |
| plugins.content_manager.catalog.sync_interval | Integer | 60 | Sync interval in minutes. Valid range: 1–1440 |
| plugins.content_manager.max_items_per_bulk | Integer | 999 | Maximum documents per bulk indexing request. Valid range: 10–999 |
| plugins.content_manager.max_concurrent_bulks | Integer | 5 | Maximum concurrent bulk operations. Valid range: 1–5 |
| plugins.content_manager.client.timeout | Long | 10 | HTTP client timeout in seconds for CTI API requests. Valid range: 10–50 |
| plugins.content_manager.catalog.update_on_start | Boolean | true | Trigger content sync when the plugin starts |
| plugins.content_manager.catalog.update_on_schedule | Boolean | true | Enable the periodic sync job |
| plugins.content_manager.catalog.ruleset | String | "" | Full CTI consumer URL for ruleset content |
| plugins.content_manager.catalog.iocs | String | "" | Full CTI consumer URL for IoC content |
| plugins.content_manager.catalog.vulnerabilities | String | "" | Full CTI consumer URL for vulnerabilities content |
| plugins.content_manager.catalog.create_detectors | Boolean | true | Automatically create Security Analytics detectors from CTI content |
| plugins.content_manager.telemetry.enabled | Boolean | true | Enable or disable the daily update-check service ping. This setting is dynamic. |
| plugins.content_manager.catalog.update_on_demand | Boolean | true | When false, on-demand content updates (POST /update) return 403 Forbidden for every caller, regardless of role. |
| plugins.content_manager.catalog.policy_update.enabled | Boolean | true | When false, policy updates (PUT /policy/{space}) return 403 Forbidden for every caller, regardless of role. |
## Security Analytics settings

The Security Analytics plugin is configured through settings in opensearch.yml. All node-scope settings use the plugins.security_analytics prefix. Almost every setting is dynamic and can be changed at runtime via the Cluster Settings API; the exceptions are marked as static in the table.

| Setting | Data type | Default value | Description |
|---|---|---|---|
| plugins.security_analytics.alert_finding_enabled | Boolean | true | Enable rollover and retention management for the finding history indices |
| plugins.security_analytics.alert_finding_max_docs | Long | 1000 | Deprecated. Maximum document count for a finding history index before rollover. Minimum 0 |
| plugins.security_analytics.alert_finding_rollover_period | Time | 12h | How often the finding history rollover job runs |
| plugins.security_analytics.alert_history_enabled | Boolean | true | Enable rollover and retention management for the alert history indices |
| plugins.security_analytics.alert_history_max_age | Time | 30d | Maximum age of an alert history index before rollover |
| plugins.security_analytics.alert_history_max_docs | Long | 1000 | Maximum document count for an alert history index before rollover. Minimum 0 |
| plugins.security_analytics.alert_history_retention_period | Time | 60d | Retention period after which alert history indices are deleted |
| plugins.security_analytics.alert_history_rollover_period | Time | 12h | How often the alert history rollover job runs |
| plugins.security_analytics.auto_correlations_enabled | Boolean | false | Automatically generate correlation rules from new findings |
| plugins.security_analytics.correlation.detector_cache_ttl | Time | 5m | TTL for the in-memory monitor-ID-to-detector cache. Set to 0s to disable the cache |
| plugins.security_analytics.correlation.events_backpressure.enabled | Boolean | true | Write-block the events indices when the correlation backlog fills, so ingestion pauses and the backlog drains instead of the node running out of memory |
| plugins.security_analytics.correlation.events_backpressure.high_watermark_percent | Integer | 100 | Backlog level, as a percent of correlation.max_pending_findings, at or above which the events indices are write-blocked. Valid range: 1–100 |
| plugins.security_analytics.correlation.events_backpressure.low_watermark_percent | Integer | 60 | Backlog level, as a percent of correlation.max_pending_findings, at or below which the events-index write block is lifted. Valid range: 0–99 |
| plugins.security_analytics.correlation.max_in_flight_findings | Integer | 50 | Maximum number of correlation pipelines running concurrently. Valid range: 1–1000 |
| plugins.security_analytics.correlation.max_pending_findings | Integer | 10000 | Maximum findings waiting for a free correlation slot. When the backlog is full, new findings are shed (correlation and enrichment skipped) so the node does not run out of memory under overload. Valid range: 1–1000000 |
| plugins.security_analytics.correlation.metadata_cache_ttl | Time | 5m | TTL for the in-memory caches of the log-type list and of correlation rules by detector type. Set to 0s to disable both caches |
| plugins.security_analytics.correlation_history_max_age | Time | 30d | Maximum age of a correlation history index before rollover |
| plugins.security_analytics.correlation_history_max_docs | Long | 1000 | Maximum document count for a correlation history index before rollover. Minimum 0 |
| plugins.security_analytics.correlation_history_retention_period | Time | 60d | Retention period after which correlation history indices are deleted |
| plugins.security_analytics.correlation_history_rollover_period | Time | 12h | How often the correlation history rollover job runs |
| plugins.security_analytics.correlation_time_window | Time | 5m | Time window used to group findings into correlations |
| plugins.security_analytics.enable_detectors_with_dedicated_query_indices | Boolean | true | Create dedicated query indices for new detectors |
| plugins.security_analytics.enable_workflow_usage | Boolean | true | Use Alerting composite workflows when running detectors |
| plugins.security_analytics.enriched_findings_bulk_size | Integer | 100 | Number of enriched findings buffered before a bulk index request is fired. Valid range: 10–1000 |
| plugins.security_analytics.enriched_findings_enrich_batch_size | Integer | 100 | Findings drained per in-flight permit; their source events are fetched in one combined MultiGet instead of one request per finding. Valid range: 1–1000 |
| plugins.security_analytics.enriched_findings_flush_interval | Integer | 5 | Seconds between periodic flushes of any leftover buffered enriched findings. Valid range: 1–60 |
| plugins.security_analytics.enriched_findings_index_enabled | Boolean | true | Toggle the enriched findings pipeline (see Architecture) |
| plugins.security_analytics.enriched_findings_max_in_flight | Integer | 5 | Maximum concurrent enrichment chains, to bound peak load on the transport layer. Valid range: 1–10 |
| plugins.security_analytics.enriched_findings_rule_cache_max_size | Integer | 10000 | Maximum rule-metadata entries cached in memory by the enrichment service. Minimum 0. Static; requires a node restart to change |
| plugins.security_analytics.filter_by_backend_roles | Boolean | false | Restrict access to detectors, rules, and findings based on the requester's backend roles |
| plugins.security_analytics.finding_history_max_age | Time | 30d | Maximum age of a finding history index before rollover |
| plugins.security_analytics.finding_history_retention_period | Time | 60d | Retention period after which finding history indices are deleted |
| plugins.security_analytics.index_timeout | Time | 60s | Timeout for Security Analytics index operations |
| plugins.security_analytics.max_detectors | Integer | 10 | Maximum number of user-created detectors (Content Manager detectors do not count). Minimum 0 |