Defining an alert level threshold

Every rule in the Wazuh ruleset carries a severity level from 0 to 16. When an event received from a Wazuh agent matches a rule whose level is at or above the configured threshold, the Wazuh manager generates an alert for it; matches below the threshold are analyzed but not alerted.

Configuration

The alert level threshold is configured in the ossec.conf file of the manager using the <alerts> XML tag. The available options are detailed in the Alerts reference.

<ossec_config>
  <alerts>
      <log_alert_level>6</log_alert_level>
  </alerts>
</ossec_config>

This sets the minimum rule level an event must match for its alert to be written to the alerts.log and/or alerts.json file(s). With the value above, only rules of level 6 and higher produce alerts; lowering the value increases alert volume, raising it drops lower-severity alerts before they reach the log files and anything fed from them. The threshold for e-mail notifications is a separate option (<email_alert_level>) in the same <alerts> block.

When any value is changed in the ossec.conf file, the wazuh-manager service must be restarted before the change takes effect.

  1. For Systemd:

# systemctl restart wazuh-manager

  2. For SysV Init:

# service wazuh-manager restart
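The whole procedure (change the value, verify it, restart the manager) as a small POSIX shell script. This is an added example, not part of the Wazuh documentation or the Wazuh project; it assumes the manager's configuration lives at /var/ossec/etc/ossec.conf and contains a single <log_alert_level> element, and the helper names set_log_alert_level, get_log_alert_level and restart_manager are this example's own. The demo at the end runs against a constructed copy of ossec.conf, not the live file.

```shell
#!/bin/sh
# Added example: edit <log_alert_level> in ossec.conf, check it, restart wazuh-manager.
# Assumed default path (override with OSSEC_CONF=... when calling the script).
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Print the current <log_alert_level> value (first occurrence) from a config file.
get_log_alert_level() {
    sed -n 's|.*<log_alert_level>\([0-9]*\)</log_alert_level>.*|\1|p' "$1" | head -n 1
}

# Rewrite <log_alert_level> in place; refuses values outside the rule level range 0-16.
# A .bak copy of the original file is kept next to it.
set_log_alert_level() {
    conf="$1"
    level="$2"
    case "$level" in
        ''|*[!0-9]*) echo "level must be an integer between 0 and 16" >&2; return 1 ;;
    esac
    if [ "$level" -gt 16 ]; then
        echo "level must be between 0 and 16" >&2
        return 1
    fi
    if [ -z "$(get_log_alert_level "$conf")" ]; then
        echo "no <log_alert_level> element found in $conf" >&2
        return 1
    fi
    sed -i.bak "s|<log_alert_level>[0-9]*</log_alert_level>|<log_alert_level>$level</log_alert_level>|" "$conf"
}

# Restart the manager with whichever init system is present (Systemd or SysV Init).
restart_manager() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart wazuh-manager
    else
        service wazuh-manager restart
    fi
}

# Demo on a constructed copy of ossec.conf; the live file is never touched here.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>
EOF
set_log_alert_level "$demo_conf" 6
echo "log_alert_level in demo copy is now $(get_log_alert_level "$demo_conf")"
rm -f "$demo_conf" "$demo_conf.bak"
```

To apply it for real, run set_log_alert_level "$OSSEC_CONF" 6 as root and then restart_manager; check the new value with get_log_alert_level before the restart so a typo in the level does not leave the manager alerting on everything or on nothing.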