Event severity scale


Nicola Ornaghi

Jun 25, 2018, 5:44:35 AM
to wa...@googlegroups.com
Hello everyone,
Is there an explanation table somewhere illustrating the "intended" severity of the events? I am keen on keeping that as "stock" as possible, to prevent possible issues during updates and minimize maintenance, but I'd like to have an understanding of how severity is assigned.

E.g. a level 5 event, is it a disaster? What about 10? Up to what level can we consider events as "info"?

I know the "one size fits all" here won't apply, but I'd like to have a better understanding of the philosophy behind the default classification before starting to fiddle with it.

Thank you in advance!

Nicola

rafael...@wazuh.com

Jun 25, 2018, 6:37:10 AM
to Wazuh mailing list

Hi Nicola,

Wazuh has an alert level range between [1,16]. The minimum level for an alert to be stored on the alerts.log is level 3.

That said, it's up to the user to give the alert level a meaning. For example, an SSH brute force attack is a level 10 alert by default.

If you have any further questions, please don't hesitate to ask.

Best regards.
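
As an added example (not part of the original post and not Wazuh's own code), the sketch below shows one way to attach your own meaning to the stock levels without editing any rule: it counts alerts per operator-defined band. It assumes JSON alert output with one object per line and a `rule.level` field; the band cut-offs and the sample lines are constructed for illustration.

```python
import json
from collections import Counter

LOG_THRESHOLD = 3  # from the thread: minimum level stored in alerts.log
# Operator-chosen bands (assumption): the thread leaves the meaning of each
# level to the user, so these cut-offs are illustrative only.
BANDS = ((LOG_THRESHOLD, 6, "low"), (7, 11, "medium"), (12, 16, "high"))

def band_for(level):
    """Map a numeric alert level to a band name."""
    if level < LOG_THRESHOLD:
        return "not-logged"
    for low, high, name in BANDS:
        if low <= level <= high:
            return name
    return "out-of-range"  # above the top of the scale

def summarize(lines):
    """Count alerts per band; malformed or level-less lines are 'unparsed'."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            level = json.loads(line)["rule"]["level"]
        except (ValueError, KeyError, TypeError):
            counts["unparsed"] += 1
            continue
        if isinstance(level, bool) or not isinstance(level, int):
            counts["unparsed"] += 1
            continue
        counts[band_for(level)] += 1
    return dict(counts)

# Constructed sample input, not real alert data.
SAMPLE = [
    '{"rule": {"level": 3, "description": "constructed: session opened"}}',
    '{"rule": {"level": 5, "description": "constructed: failed login"}}',
    '{"rule": {"level": 10, "description": "constructed: ssh brute force"}}',
    '{"rule": {"level": 12, "description": "constructed: important event"}}',
    '{"rule": {"level": 2}}',
    'not json',
    '{"agent": {"name": "web01"}}',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running this over a day of alerts before changing any threshold shows how much volume each band would carry.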

rafael...@wazuh.com

Jun 25, 2018, 9:14:30 AM
to Wazuh mailing list
Maybe this image can help you.



Screenshot from 2018-06-25 15-13-11.png

Nicola Ornaghi

Jun 26, 2018, 5:05:39 AM
to rafael...@wazuh.com, wa...@googlegroups.com
Thank you Rafael, this is exactly what I was looking for!
