Alert threshold

Each event collected by the Wazuh agent is transmitted to the Wazuh Manager. The Manager will assign the event a severity level depending on which rules it matches from the ruleset. By default, it will only log alerts with a severity level of 3 or higher.


The alert level threshold is configured in the ossec.conf file using the <alerts> XML tag. The available options are detailed in the Alerts reference.


The threshold sets the minimum severity level at which alerts are stored in the alerts.log and/or alerts.json files.
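Before raising the threshold, it helps to measure which alerts would stop being stored. The following is an added example, not part of the Wazuh documentation or code: it reads the log_alert_level option from the <alerts> section and counts, per rule, the alerts in an alerts.json sample that fall below it. Assumptions: the ossec.conf fragment, the alert lines and the rule IDs are constructed, the function names are hypothetical, and the last log_alert_level found is treated as the effective one.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter

DEFAULT_LOG_ALERT_LEVEL = 3  # default stated in the text above

# Constructed ossec.conf fragment (not taken from a real deployment).
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <alerts>
    <log_alert_level>6</log_alert_level>
  </alerts>
</ossec_config>
"""

# Constructed alerts.json lines: one JSON object per line, level in rule.level.
SAMPLE_ALERTS = """\
{"rule": {"level": 3, "id": "100001"}}
{"rule": {"level": 5, "id": "100002"}}
{"rule": {"level": 5, "id": "100002"}}
{"rule": {"level": 12, "id": "100003"}}
"""


def configured_threshold(conf_text):
    """Return log_alert_level from ossec.conf text, or the default if unset."""
    # ossec.conf may hold several <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    levels = [e.text.strip() for e in root.iter("log_alert_level") if e.text]
    # Assumption of this example: when several are present, use the last one.
    return int(levels[-1]) if levels else DEFAULT_LOG_ALERT_LEVEL


def dropped_by_threshold(alert_lines, threshold):
    """Count, per rule id, alerts whose level is below the threshold."""
    dropped = Counter()
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        rule = json.loads(line).get("rule", {})
        if int(rule.get("level", 0)) < threshold:
            dropped[rule.get("id", "unknown")] += 1
    return dropped


if __name__ == "__main__":
    level = configured_threshold(SAMPLE_OSSEC_CONF)
    for rule_id, count in dropped_by_threshold(SAMPLE_ALERTS, level).most_common():
        print(f"rule {rule_id}: {count} alert(s) below level {level}")
```

Run it against a copy of a real alerts.json before changing the threshold to see which rules would go silent.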

When any value is changed in the ossec.conf file, the service must be restarted before the changes will take effect.

# systemctl restart wazuh-manager