Defining an alert level threshold
Every possible event on the Wazuh Agent is assigned a level, which by default is 1. All events from this level will trigger an alert on the Wazuh Manager.
All configuration of Remote Service is done via the <alerts> XML tag; all the available options are detailed in the Alerts reference.
<ossec_config>
  <alerts>
    <log_alert_level>6</log_alert_level>
  </alerts>
</ossec_config>
This sets 6 as the minimum severity level for alerts to be stored in alerts.log and/or alerts.json.
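To see what raising the threshold would stop recording, the following added example (not part of the Wazuh documentation or code) reads log_alert_level from a configuration fragment and counts, per rule id, which alerts.json entries would be kept or dropped. The function names, rule ids and sample lines are constructed for illustration; it assumes each alerts.json line is a JSON object carrying its severity in rule.level.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed ossec.conf fragment, same shape as the one on this page.
OSSEC_CONF = """
<ossec_config>
  <alerts>
    <log_alert_level>6</log_alert_level>
  </alerts>
</ossec_config>
"""

# Constructed alerts.json lines (one JSON object per line); ids are sample values.
SAMPLE_ALERTS = """\
{"rule": {"level": 3, "id": "100001", "description": "Login success"}}
{"rule": {"level": 5, "id": "100002", "description": "Login failed"}}
{"rule": {"level": 5, "id": "100002", "description": "Login failed"}}
{"rule": {"level": 6, "id": "100003", "description": "Config changed"}}
{"rule": {"level": 10, "id": "100004", "description": "Repeated login failures"}}
not-json-truncated-line
"""


def read_threshold(conf_text):
    """Return log_alert_level from an <alerts> block as an int."""
    root = ET.fromstring(conf_text.strip())
    node = root.find("./alerts/log_alert_level")
    if node is None or not (node.text or "").strip().isdigit():
        raise ValueError("log_alert_level missing or not a whole number")
    return int(node.text.strip())


def impact(alert_lines, threshold):
    """Count alerts per rule id that a threshold would keep or drop."""
    kept, dropped, skipped = Counter(), Counter(), 0
    for line in alert_lines.splitlines():
        try:
            rule = json.loads(line)["rule"]
            level, rule_id = int(rule["level"]), str(rule["id"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed or partial line, e.g. cut off mid-write
            continue
        (kept if level >= threshold else dropped)[rule_id] += 1
    return kept, dropped, skipped


if __name__ == "__main__":
    print(impact(SAMPLE_ALERTS, read_threshold(OSSEC_CONF)))
```

Rule ids that appear only in the dropped counter are the ones that would no longer be written to alerts.log or alerts.json at the new threshold, so review them before restarting the manager.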
When you change any value in the ossec.conf file, you need to restart the service for the changes to take effect.
For Systemd:
systemctl restart wazuh-manager
For SysV Init:
service wazuh-manager restart