Hi TheSoc
I hope you are doing fine!
Yes, the idea is to filter alerts by level. If the alert level is not specified in the integration configuration, it will send all the alerts that trigger the other conditions.
This filters alerts by rule level so that only alerts with the specified level or above are pushed.
Here is the level configuration section for the integration.
An example:
<!-- Integration with Slack -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url>
  <level>10</level> <!-- level filter -->
  <group>multiple_drops,authentication_failures</group>
  <alert_format>json</alert_format>
</integration>
Also, there is an alert generation condition in the ossec.conf file on the manager: any rule with a level equal to or higher than this value will generate an alert. If the level is lower than this number, no alert is generated, and therefore the integration will not receive events of that type. I understand that this is not your case, but it is good to know.
<alerts>
  <log_alert_level>3</log_alert_level> <!-- this is the filter to generate an alert -->
  <email_alert_level>12</email_alert_level>
</alerts>
Do you have a level 12 or higher alert in your environment? Or do you have any custom event or alert to test it?
Let me know if this information helps.
Regards.
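
Added example, not part of the original reply and not Wazuh's own code: a small Python model of the two filters described above, useful for working out why an expected event never reaches the integration. The function names, the sample events and the rule that one listed group is enough to match are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment using the values quoted in the reply.
CONF = """<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
  </alerts>
  <integration>
    <name>slack</name>
    <level>10</level>
    <group>multiple_drops,authentication_failures</group>
  </integration>
</ossec_config>"""


def load_filters(conf_xml, name):
    """Return (log_alert_level, integration level, integration groups)."""
    root = ET.fromstring(conf_xml)
    log_level = int(root.findtext("alerts/log_alert_level"))
    for integ in root.iter("integration"):
        if integ.findtext("name") == name:
            # A missing <level> or <group> means that filter is not applied.
            level = int(integ.findtext("level", default="0"))
            raw = integ.findtext("group", default="")
            return log_level, level, {g.strip() for g in raw.split(",") if g.strip()}
    raise KeyError(f"no <integration> named {name!r}")


def decide(rule_level, rule_groups, filters):
    """Say where an event with this rule level and groups stops."""
    log_level, level, groups = filters
    if rule_level < log_level:
        return "no alert: below log_alert_level"
    if rule_level < level:
        return "alert dropped: below integration <level>"
    # Assumption: one listed group among the rule's groups is enough.
    if groups and not groups & set(rule_groups):
        return "alert dropped: no matching <group>"
    return "forwarded"


if __name__ == "__main__":
    filters = load_filters(CONF, "slack")
    # Constructed sample events: (rule level, rule groups).
    for lvl, grps in [(2, ["syslog"]), (5, ["authentication_failures"]),
                      (12, ["web"]), (10, ["sshd", "authentication_failures"])]:
        print(lvl, grps, "->", decide(lvl, grps, filters))
```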