This is the documentation for Wazuh 3.9. Check out the docs for the latest version of Wazuh!

Defining an alert level threshold

Each event on the Wazuh agent is set to a certain severity level with 1 as the default. All events from this level up will trigger an alert in the Wazuh manager.

Configuration

The alert level threshold is configured in the ossec.conf file using the <alerts> XML tag. The available options for this are detailed in Alerts reference

<ossec_config>
  <alerts>
      <log_alert_level>6</log_alert_level>
  </alerts>
</ossec_config>

This will set the minimum severity level that will trigger alerts that will be stored in the alerts.log and/or the alerts.json file(s).

When any value is changed in the ossec.conf file, the service must be restarted before the changes will take effect.

  1. For Systemd:
# systemctl restart wazuh-manager
  1. For SysV Init:
# service wazuh-manager restart