Unless stated otherwise, every option here corresponds to certain configuration block which would be placed in one of the configuration files in "ossec.conf.d" directory. Disabled options will do the same, but for "ossec.conf.d/disabled" directory. All "*.conf" files from the "ossec.conf.d" directory will be merged into "ossec.conf" in alphabetic order. If you are not satisfied with the generated configuration, you can disable the corresponding option and use files from "ossec.conf.d/disabled" directory as samples. The "pushed" sections (*_P options) relate to configuration pushed to agents using "agent.conf". The generated configuration blocks will be placed in "agent.conf.d" and "agent.conf.d/disabled" directories. Note that the agent needs to enable proper profile to benefit from "agent.conf" configuration pushed by the server. This also means that profiles not enabled on the agent are ignored. This is why all "pushed" options are enabled by default. The port currently contains configuration templates for the following agent systems: - FreeBSD - Debian Linux Consider contributing to the port by contacting the maintainer and providing configuration templates for other operating systems runnig OSSEC agents. Files generated by the port will be overwritten during port upgrades so any additional configuration should be put in separate files. File Integrity Checking: NOAUTO_SC: OSSEC by default will ignore files that change too often (after the third change). This option disables this feature. Files that change too often as a result of correct system operation should better be added to ignore list manually. Command Output Monitoring: Adds additional commands, the output of which can be monitored. To actually send alerts about the changing output, the proper rules need to be configured as well (see CMDOUT_R option). These commands can be tweaked in "command.conf". Active Response Firewall: Creates "firewall-drop.sh" hardlink to one of the scripts shipped with OSSEC. This option is only meaningful if this OSSEC instance will be the target of "firewall-drop" active response.