Defining an alert level threshold¶
Each event on the Wazuh agent is set to a certain severity level with 1 as the default. All events from this level up will trigger an alert in the Wazuh manager.
The alert level threshold is configured in the
ossec.conf file using the
<alerts> XML tag. The available options for this are detailed in Alerts reference
<ossec_config> <alerts> <log_alert_level>6</log_alert_level> </alerts> </ossec_config>
This will set the minimum severity level that will trigger alerts that will be stored in the
alerts.log and/or the
When any value is changed in the
ossec.conf file, the service must be restarted before the changes will take effect.
- For Systemd:
# systemctl restart wazuh-manager
- For SysV Init:
# service wazuh-manager restart