Generating Alerts for specifics agents

Isaac S.

unread,

Jun 9, 2026, 2:36:04 PM (3 days ago) Jun 9

to Wazuh | Mailing List

Hello Wazuh Team

I have been checking the wazuh documentation but, unfortunately i haven't found a way for generate alerts for a specific agents. I was expecting find like a "<agent_id>" tag in rules syntax .

Is there a way to generate alerts for some agents ids ?

Thank you

Isaac S.

Pablo Ariel Gonzalez

unread,

Jun 9, 2026, 3:04:58 PM (3 days ago) Jun 9

to Wazuh | Mailing List

Hi Isaac:

There isn't a specific `<agent_id>` tag in the rules syntax.

However, you can create rules that match events from specific agents by filtering on agent-related fields, for example:

<field name="agent.id">001</field>

or

<field name="agent.name">server01</field>

Could you share a bit more about your use case? Depending on what you're trying to achieve, there may be a more suitable approach.

Pablo Ariel Gonzalez

unread,

Jun 10, 2026, 7:45:57 AM (3 days ago) Jun 10

to Wazuh | Mailing List

Hi Isaac,

Correction: There is no <agent_id> tag in the Wazuh rules syntax, and agent.id cannot be used directly in a rule because it is added as metadata after rule evaluation. If you need to target specific agents, the usual approach is to match on fields available during decoding, such as hostname (when present) or location.

Could you share your use case? There may be a more suitable approach depending on what you're trying to achieve.

Isaac S.

unread,

Jun 10, 2026, 2:28:19 PM (2 days ago) Jun 10

to Wazuh | Mailing List

Hello Pablo

Thank you for your response, let me create a use case for sharing with you.

Your response helped me and clarify that there is no a tag for filter by agent.

Isaac S.

Reply all

Reply to author

Forward