This is the documentation for Wazuh 3.12. Check out the docs for the latest version of Wazuh!

Defining an alert level threshold

Each event collected by the Wazuh agent is transmitted to the Wazuh Manager. The Manager assigns the event a severity level depending on which rules it matches from the ruleset. By default it will only log alerts with a severity level of 3 or higher.

Configuration

The alert level threshold is configured in the ossec.conf file using the <alerts> XML tag. The available options are detailed in the Alerts reference.

<ossec_config>
  <alerts>
      <log_alert_level>6</log_alert_level>
  </alerts>
</ossec_config>

This sets the minimum severity level an event must reach to be written as an alert to the alerts.log and/or alerts.json file(s); matches below that level are not stored.
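As an added example (not part of the Wazuh documentation or code base), the following script reads log_alert_level from an ossec.conf fragment, falls back to the default of 3 when the tag is absent, rejects out-of-range or duplicated values, and shows which of a constructed set of rule matches would reach alerts.log at that threshold. The 0-16 bound and the sample rule ids/levels are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragments (not taken from a real deployment).
CONF_WITH_THRESHOLD = """
<ossec_config>
  <alerts>
      <log_alert_level>6</log_alert_level>
  </alerts>
</ossec_config>
"""
CONF_WITHOUT_THRESHOLD = "<ossec_config><global/></ossec_config>"

DEFAULT_LOG_ALERT_LEVEL = 3   # manager default when the tag is absent
MIN_LEVEL, MAX_LEVEL = 0, 16  # assumed bounds: Wazuh rule levels run 0-16


def read_log_alert_level(conf_text: str) -> int:
    """Return the configured log_alert_level, or the default if unset."""
    # ossec.conf may contain several <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap the text in a single root first.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    values = [n.text.strip() for n in root.iter("log_alert_level") if n.text]
    if not values:
        return DEFAULT_LOG_ALERT_LEVEL
    if len(values) > 1:
        raise ValueError(f"log_alert_level set {len(values)} times; keep one tag")
    level = int(values[0])  # raises ValueError on non-numeric text
    if not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(f"log_alert_level {level} outside {MIN_LEVEL}-{MAX_LEVEL}")
    return level


def alerts_that_get_logged(events, threshold: int):
    """Keep the rule matches whose level meets the threshold (those that would
    be written to alerts.log / alerts.json); lower-level matches are dropped."""
    return [e for e in events if e["level"] >= threshold]


# Constructed sample of rule matches; ids, levels and texts are illustrative.
SAMPLE_EVENTS = [
    {"rule_id": "5501", "level": 3, "description": "PAM: Login session opened."},
    {"rule_id": "5710", "level": 5, "description": "sshd: login with non-existent user"},
    {"rule_id": "5712", "level": 10, "description": "sshd: brute force attempt"},
    {"rule_id": "5402", "level": 3, "description": "Successful sudo to ROOT executed"},
]

if __name__ == "__main__":
    for conf in (CONF_WITH_THRESHOLD, CONF_WITHOUT_THRESHOLD):
        threshold = read_log_alert_level(conf)
        kept = alerts_that_get_logged(SAMPLE_EVENTS, threshold)
        print(f"log_alert_level={threshold}: {[e['rule_id'] for e in kept]}")
```

Raising the threshold to 6 silences the level-3 and level-5 matches above, which is the trade-off to weigh before changing the default.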

When any value is changed in the ossec.conf file, the service must be restarted before the changes take effect.

  1. For Systemd:
# systemctl restart wazuh-manager
  2. For SysV Init:
# service wazuh-manager restart