Defining an alert level threshold
Each event collected by the Wazuh agent is transmitted to the Wazuh Manager. The Manager will assign the event a severity level depending of which rules it matches from the ruleset. By default it will only log alerts with a severity level of 3 or higher.
Configuration
The alert level threshold is configured in the ossec.conf
file using the <alerts>
XML tag. The available options for this are detailed in Alerts reference
<ossec_config>
<alerts>
<log_alert_level>6</log_alert_level>
</alerts>
</ossec_config>
This will set the minimum severity level that will trigger alerts that will be stored in the alerts.log
and/or the alerts.json
file(s).
When any value is changed in the ossec.conf
file, the service must be restarted before the changes will take effect.
For Systemd:
# systemctl restart wazuh-manager
For SysV Init:
# service wazuh-manager restart