Plugin settings

Setup settings

The Setup plugin is configured through settings in opensearch.yml. All settings use the plugins.setup prefix.

| Setting | Data type | Default value | Description |
|---|---|---|---|
| plugins.setup.timeout | Integer | 30 | Timeout in seconds for index and search operations. |
| plugins.setup.backoff | Integer | 15 | Delay in seconds between retries of initialization tasks. |

Content manager settings

The Content Manager plugin is configured through settings in opensearch.yml. All settings use the plugins.content_manager prefix.

| Setting | Data type | Default value | Description |
|---|---|---|---|
| plugins.content_manager.cti.api | String | https://api.pre.cloud.wazuh.com/api/v1 | Base URL for the Wazuh CTI API |
| plugins.content_manager.catalog.sync_interval | Integer | 60 | Sync interval in minutes. Valid range: 1–1440 |
| plugins.content_manager.max_items_per_bulk | Integer | 999 | Maximum documents per bulk indexing request. Valid range: 10–999 |
| plugins.content_manager.max_concurrent_bulks | Integer | 5 | Maximum concurrent bulk operations. Valid range: 1–5 |
| plugins.content_manager.client.timeout | Long | 10 | HTTP client timeout in seconds for CTI API requests. Valid range: 10–50 |
| plugins.content_manager.catalog.update_on_start | Boolean | true | Trigger a content sync when the plugin starts |
| plugins.content_manager.catalog.update_on_schedule | Boolean | true | Enable the periodic sync job |
| plugins.content_manager.catalog.ruleset | String | "" | Full CTI consumer URL for ruleset content |
| plugins.content_manager.catalog.iocs | String | "" | Full CTI consumer URL for IoC content |
| plugins.content_manager.catalog.vulnerabilities | String | "" | Full CTI consumer URL for vulnerabilities content |
| plugins.content_manager.catalog.create_detectors | Boolean | true | Automatically create Security Analytics detectors from CTI content |
| plugins.content_manager.telemetry.enabled | Boolean | true | Enable or disable the daily Update check service ping. This setting is dynamic and can be changed at runtime |
| plugins.content_manager.catalog.update_on_demand | Boolean | true | When false, on-demand content updates (POST /update) return 403 Forbidden for every caller, regardless of role |
| plugins.content_manager.catalog.policy_update.enabled | Boolean | true | When false, policy updates (PUT /policy/{space}) return 403 Forbidden for every caller, regardless of role |

Security Analytics settings

The Security Analytics plugin is configured through settings in opensearch.yml. All node-scope settings use the plugins.security_analytics prefix. Almost every setting is dynamic and can be changed at runtime via the Cluster Settings API; the exceptions are marked as static in the table and require a node restart.

| Setting | Data type | Default value | Description |
|---|---|---|---|
| plugins.security_analytics.alert_finding_enabled | Boolean | true | Enable rollover and retention management for the finding history indices |
| plugins.security_analytics.alert_finding_max_docs | Long | 1000 | Deprecated. Maximum document count for a finding history index before rollover. Minimum 0 |
| plugins.security_analytics.alert_finding_rollover_period | Time | 12h | How often the finding history rollover job runs |
| plugins.security_analytics.alert_history_enabled | Boolean | true | Enable rollover and retention management for the alert history indices |
| plugins.security_analytics.alert_history_max_age | Time | 30d | Maximum age of an alert history index before rollover |
| plugins.security_analytics.alert_history_max_docs | Long | 1000 | Maximum document count for an alert history index before rollover. Minimum 0 |
| plugins.security_analytics.alert_history_retention_period | Time | 60d | Retention period after which alert history indices are deleted |
| plugins.security_analytics.alert_history_rollover_period | Time | 12h | How often the alert history rollover job runs |
| plugins.security_analytics.auto_correlations_enabled | Boolean | false | Automatically generate correlation rules from new findings |
| plugins.security_analytics.correlation.detector_cache_ttl | Time | 5m | TTL for the in-memory monitor-id to detector cache. Set to 0s to disable the cache |
| plugins.security_analytics.correlation.events_backpressure.enabled | Boolean | true | Write-block the events indices when the correlation backlog fills, so ingestion pauses and the backlog drains instead of the node running out of memory |
| plugins.security_analytics.correlation.events_backpressure.high_watermark_percent | Integer | 100 | Backlog level, as a percent of correlation.max_pending_findings, at or above which the events indices are write-blocked. Valid range: 1–100 |
| plugins.security_analytics.correlation.events_backpressure.low_watermark_percent | Integer | 60 | Backlog level, as a percent of correlation.max_pending_findings, at or below which the events-index write block is lifted. Valid range: 0–99 |
| plugins.security_analytics.correlation.max_in_flight_findings | Integer | 50 | Maximum number of correlation pipelines running concurrently. Valid range: 1–1000 |
| plugins.security_analytics.correlation.max_pending_findings | Integer | 10000 | Maximum findings waiting for a free correlation slot. When the backlog is full, new findings are shed (correlation and enrichment skipped) so the node does not run out of memory under overload. Valid range: 1–1000000 |
| plugins.security_analytics.correlation.metadata_cache_ttl | Time | 5m | TTL for the in-memory caches of the log-type list and of correlation rules by detector type. Set to 0s to disable both caches |
| plugins.security_analytics.correlation_history_max_age | Time | 30d | Maximum age of a correlation history index before rollover |
| plugins.security_analytics.correlation_history_max_docs | Long | 1000 | Maximum document count for a correlation history index before rollover. Minimum 0 |
| plugins.security_analytics.correlation_history_retention_period | Time | 60d | Retention period after which correlation history indices are deleted |
| plugins.security_analytics.correlation_history_rollover_period | Time | 12h | How often the correlation history rollover job runs |
| plugins.security_analytics.correlation_time_window | Time | 5m | Time window used to group findings into correlations |
| plugins.security_analytics.enable_detectors_with_dedicated_query_indices | Boolean | true | Create dedicated query indices for new detectors |
| plugins.security_analytics.enable_workflow_usage | Boolean | true | Use Alerting composite workflows when running detectors |
| plugins.security_analytics.enriched_findings_bulk_size | Integer | 100 | Number of enriched findings buffered before a bulk index request is fired. Valid range: 10–1000 |
| plugins.security_analytics.enriched_findings_enrich_batch_size | Integer | 100 | Findings drained per in-flight permit; their source events are fetched in one combined MultiGet instead of one request per finding. Valid range: 1–1000 |
| plugins.security_analytics.enriched_findings_flush_interval | Integer | 5 | Seconds between periodic flushes of any leftover buffered enriched findings. Valid range: 1–60 |
| plugins.security_analytics.enriched_findings_index_enabled | Boolean | true | Toggle the enriched findings pipeline (see Architecture) |
| plugins.security_analytics.enriched_findings_max_in_flight | Integer | 5 | Maximum concurrent enrichment chains, to bound peak load on the transport layer. Valid range: 1–10 |
| plugins.security_analytics.enriched_findings_rule_cache_max_size | Integer | 10000 | Maximum rule-metadata entries cached in memory by the enrichment service. Minimum 0. Static; requires a node restart to change |
| plugins.security_analytics.filter_by_backend_roles | Boolean | false | Restrict access to detectors, rules, and findings based on the requester's backend roles |
| plugins.security_analytics.finding_history_max_age | Time | 30d | Maximum age of a finding history index before rollover |
| plugins.security_analytics.finding_history_retention_period | Time | 60d | Retention period after which finding history indices are deleted |
| plugins.security_analytics.index_timeout | Time | 60s | Timeout for Security Analytics index operations |
| plugins.security_analytics.max_detectors | Integer | 10 | Maximum number of user-created detectors (Content Manager detectors do not count). Minimum 0 |
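The Content Manager and Security Analytics tables above give each setting a type, a valid range and, for Security Analytics, a dynamic/static classification, but the plugins only report a violation once the value reaches the cluster. The script below is an added example, not code from the Wazuh indexer or its plugins. It encodes a subset of the documented ranges, validates a proposed configuration, adds one cross-setting check the page does not state as a plugin rule (the backpressure low watermark must sit below the high watermark, or the write block is lifted as soon as it is applied), and splits the accepted settings into a `PUT _cluster/settings` body for the dynamic ones and opensearch.yml lines for the static ones. Treating every Content Manager setting except telemetry.enabled as static is this example's assumption, taken from the page saying only that one is dynamic; the HARDENED values are constructed.

```python
"""Check Wazuh indexer plugin settings against the ranges documented above.
Added example, not Wazuh code. Content Manager settings other than
telemetry.enabled are treated as static here (assumption)."""
import json
import re
from dataclasses import dataclass
from typing import Optional

CM = "plugins.content_manager."
SA = "plugins.security_analytics."
HIGH_WM = SA + "correlation.events_backpressure.high_watermark_percent"
LOW_WM = SA + "correlation.events_backpressure.low_watermark_percent"

# OpenSearch time values: an integer followed by d, h, m, s or ms.
_TIME_RE = re.compile(r"^(\d+)(ms|d|h|m|s)$")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1, "ms": 0.001}

def parse_time(value: str) -> float:
    """Convert a time value such as "30d" or "60s" to seconds."""
    m = _TIME_RE.match(value)
    if not m:
        raise ValueError(f"bad time value {value!r} (expected e.g. 30d, 12h, 5m, 60s)")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]

@dataclass(frozen=True)
class Spec:
    kind: str                 # "int", "bool" or "time"
    dynamic: bool             # True: Cluster Settings API; False: opensearch.yml only
    lo: Optional[int] = None  # inclusive minimum (integers only)
    hi: Optional[int] = None  # inclusive maximum (integers only)

# Subset of the settings documented above; add more rows with the same pattern.
SPECS = {
    CM + "catalog.sync_interval": Spec("int", False, 1, 1440),
    CM + "max_items_per_bulk": Spec("int", False, 10, 999),
    CM + "client.timeout": Spec("int", False, 10, 50),
    CM + "catalog.update_on_demand": Spec("bool", False),
    CM + "telemetry.enabled": Spec("bool", True),
    SA + "filter_by_backend_roles": Spec("bool", True),
    HIGH_WM: Spec("int", True, 1, 100),
    LOW_WM: Spec("int", True, 0, 99),
    SA + "enriched_findings_max_in_flight": Spec("int", True, 1, 10),
    SA + "enriched_findings_rule_cache_max_size": Spec("int", False, 0),
    SA + "max_detectors": Spec("int", True, 0),
    SA + "alert_history_max_age": Spec("time", True),
    SA + "alert_history_retention_period": Spec("time", True),
}

def validate(settings: dict) -> list:
    """Return human-readable problems; an empty list means the settings are acceptable."""
    problems = []
    for key, value in settings.items():
        spec = SPECS.get(key)
        if spec is None:
            problems.append(f"{key}: not in this example's spec table")
        elif spec.kind == "bool":
            if not isinstance(value, bool):
                problems.append(f"{key}: expected true/false, got {value!r}")
        elif spec.kind == "time":
            try:
                parse_time(value)
            except (TypeError, ValueError) as exc:
                problems.append(f"{key}: {exc}")
        elif isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{key}: expected an integer, got {value!r}")
        elif spec.lo is not None and value < spec.lo:
            problems.append(f"{key}: {value} is below the minimum {spec.lo}")
        elif spec.hi is not None and value > spec.hi:
            problems.append(f"{key}: {value} is above the maximum {spec.hi}")
    # Cross-setting check added by this example; the page does not state it as a plugin rule.
    lo, hi = settings.get(LOW_WM, 60), settings.get(HIGH_WM, 100)  # page defaults
    if isinstance(lo, int) and isinstance(hi, int) and lo >= hi:
        problems.append("events_backpressure: low watermark must be below the high watermark, "
                        "otherwise the write block is lifted as soon as it is applied")
    return problems

def render(settings: dict) -> tuple:
    """Split validated settings into a PUT _cluster/settings body and opensearch.yml lines."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"persistent": {k: v for k, v in settings.items() if SPECS[k].dynamic}}
    yml = [f"{k}: {json.dumps(v)}" for k, v in settings.items() if not SPECS[k].dynamic]
    return body, yml

# Constructed hardened configuration with non-default values a practitioner might choose.
HARDENED = {
    SA + "filter_by_backend_roles": True,    # page default is false: no backend-role filtering
    CM + "telemetry.enabled": False,         # stop the daily update-check ping
    CM + "catalog.update_on_demand": False,  # POST /update answers 403 for every caller
    LOW_WM: 60,
    HIGH_WM: 100,
    SA + "enriched_findings_rule_cache_max_size": 20000,  # static: needs a node restart
    SA + "alert_history_max_age": "30d",
    SA + "alert_history_retention_period": "60d",
}

if __name__ == "__main__":
    body, yml = render(HARDENED)
    print("PUT _cluster/settings\n" + json.dumps(body, indent=2))
    print("\n# opensearch.yml\n" + "\n".join(yml))
```

Running the script prints the `persistent` block to send with `PUT _cluster/settings` and the two lines that have to go into opensearch.yml followed by a node restart. The out-of-range and type errors are reported per setting, so a file with several mistakes is corrected in one pass rather than one rejected request at a time.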