Defining an alert level threshold
Each event on the Wazuh agent is assigned a severity level, with 1 as the default. All events at this level and above trigger an alert on the Wazuh manager.
Configuration
The alert level threshold is configured in the ossec.conf file using the <alerts> XML tag. The available options are detailed in the Alerts reference.
<ossec_config>
  <alerts>
    <log_alert_level>6</log_alert_level>
  </alerts>
</ossec_config>
This sets the minimum severity level an alert must reach before it is written to the alerts.log and/or alerts.json file(s).
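To see what this threshold does in practice, the following added example (not Wazuh's own code) reads log_alert_level out of an ossec.conf fragment and filters a few constructed alert records, shaped like alerts.json lines, down to those the manager would store. The record contents and descriptions are made up for illustration; only the rule.level field drives the filter.

```python
import json
import xml.etree.ElementTree as ET

# Constructed ossec.conf content matching the fragment shown on this page.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>6</log_alert_level>
  </alerts>
</ossec_config>"""

# Constructed records shaped like alerts.json lines (one JSON object per line,
# only the fields used here).
SAMPLE_ALERTS = [
    {"rule": {"level": 3, "description": "constructed: login session opened"}},
    {"rule": {"level": 5, "description": "constructed: failed login attempt"}},
    {"rule": {"level": 6, "description": "constructed: file checksum changed"}},
    {"rule": {"level": 10, "description": "constructed: repeated auth failures"}},
]
ALERTS_JSON = "\n".join(json.dumps(a) for a in SAMPLE_ALERTS)


def read_alert_threshold(conf_text, default):
    """Return <alerts><log_alert_level> from ossec.conf text, or `default` if absent.

    The text is wrapped in a synthetic root because one ossec.conf may contain
    several top-level <ossec_config> blocks, which is not well-formed XML by itself.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    node = root.find("./ossec_config/alerts/log_alert_level")
    if node is None or node.text is None:
        return default
    level = int(node.text.strip())
    if not 1 <= level <= 16:  # Wazuh rule levels run 0 to 16; 1 to 16 is accepted here
        raise ValueError("log_alert_level out of range: %d" % level)
    return level


def stored_alerts(alerts_json, threshold):
    """Keep only alerts whose rule level is at or above the configured threshold."""
    kept = []
    for line in alerts_json.splitlines():
        if line.strip():
            alert = json.loads(line)
            if alert["rule"]["level"] >= threshold:
                kept.append(alert)
    return kept


if __name__ == "__main__":
    threshold = read_alert_threshold(OSSEC_CONF, default=1)
    for alert in stored_alerts(ALERTS_JSON, threshold):
        print(alert["rule"]["level"], alert["rule"]["description"])
```

With the level set to 6, the level 3 and level 5 records are dropped while the level 6 and level 10 records are kept; lowering the value to 1 keeps all four.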
When any value in the ossec.conf file is changed, the service must be restarted before the change takes effect.
For Systemd:
# systemctl restart wazuh-manager
For SysV Init:
# service wazuh-manager restart