All remote options must be configured in /var/ossec/etc/ossec.conf, inside the <ossec_config> tag.
XML excerpt to show location:
<ossec_config>
  <remote>
    <!--
    remote options here
    -->
  </remote>
</ossec_config>
remote
connection
Specifies the type of connection being enabled: secure or syslog.
Default: secure
Allowed: secure/syslog
port
Specifies the port to listen for events.
Default:
Allowed: Any port number from 1 to 65535
protocol
Specifies the protocol to use for syslog events.
Default: udp
Allowed: udp or tcp
allowed-ips
List of IP addresses that are allowed to send syslog messages to the server (one per element).
Allowed: Any IP address or network
Note
It is necessary to allow at least one IP address when using the syslog connection type.
deny-ips
List of IP addresses that are not allowed to send syslog messages to the server (one per element).
Allowed: Any IP address or network
local_ip
Local IP address to listen for connections.
Default: all interfaces
Allowed: Any internal IP address
ipv6
Local IPv6 address to listen for connections.
Default: None
Allowed: Any IPv6 address.
Note
This is not well tested. For the time being I recommend using the full IPv6 address instead of one of the many shortcuts.
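The constraints listed above (allowed values for connection, port and protocol, and the requirement that a syslog listener names at least one allowed-ips entry) can be checked before a configuration is deployed. The following is an added example, not part of OSSEC or of the original page; lint_remote and is_ip_or_net are hypothetical names, the sample configuration is constructed, and addresses are assumed to be written as a plain address or in address/mask form.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample: one valid secure listener, one syslog listener with mistakes.
SAMPLE = """
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>70000</port>
    <deny-ips>10.0.0.300</deny-ips>
  </remote>
</ossec_config>
"""

def is_ip_or_net(value):
    """True if value parses as an IP address or network (assumed notation)."""
    try:
        ipaddress.ip_network(value.strip(), strict=False)
        return True
    except ValueError:
        return False

def lint_remote(conf_text):
    """Return a list of (block_index, message) for each <remote> problem found."""
    # Synthetic root so text with several <ossec_config> blocks still parses.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    problems = []
    for i, remote in enumerate(root.iter("remote"), start=1):
        # Missing elements fall back to the defaults stated on the page.
        conn = (remote.findtext("connection") or "secure").strip()
        if conn not in ("secure", "syslog"):
            problems.append((i, "connection must be secure or syslog"))
        port = remote.findtext("port")
        if port is not None and not (port.strip().isdigit() and 1 <= int(port) <= 65535):
            problems.append((i, "port must be 1-65535"))
        proto = (remote.findtext("protocol") or "udp").strip()
        if proto not in ("udp", "tcp"):
            problems.append((i, "protocol must be udp or tcp"))
        for tag in ("allowed-ips", "deny-ips"):
            for el in remote.findall(tag):
                if not is_ip_or_net(el.text or ""):
                    problems.append((i, f"{tag}: not an IP address or network"))
        if conn == "syslog" and not remote.findall("allowed-ips"):
            problems.append((i, "syslog connection needs at least one allowed-ips"))
    return problems
```

Calling lint_remote(SAMPLE) reports three problems, all in the second remote block; pass it the contents of ossec.conf to check a real file.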