alerts to only enable specific rule levels


John Smith

Jun 23, 2025, 2:52:54 AM
to Wazuh | Mailing List
Hi all,
I wanted to ask if it is possible to configure Wazuh alerts to only enable specific rule levels, such as 3, 5, 9, and 10-15. I looked into the documentation, and it only explains how to set a minimum rule level using:

<alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
</alerts>
However, I couldn’t find any configuration option to specify exactly which rule levels we want to be alerted about.

Is this possible?

Md. Nazmur Sakib

Jun 23, 2025, 4:30:52 AM
to Wazuh | Mailing List

Hi John Smith,


The <email_alert_level> tag sets the minimum severity level for an alert to generate an email notification. The default value is 12. The allowed value is any integer from 1 to 16. So if you set the level to 8, you will get mail notifications for level 8 and above.

You can configure mail alerts based on other configurations like rule group, rule ID, event location, etc.

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/email-alerts.html

https://documentation.wazuh.com/current/user-manual/manager/alert-management.html#granular-email-options


If you have something more specific with the level, you can write a custom mail alert script and configure it with Wazuh integration.
https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html#custom-integration

This Medium document can be useful for making the custom script.
https://medium.com/@cedrickfoko12/custom-email-alerts-with-wazuh-b5103c6d8f8b

Let me know if you need any further assistance.

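A sketch of the custom-script approach suggested in the reply, filtering on exactly the levels from the question (3, 5, 9 and 10-15). This is an added example, not code from the thread or from Wazuh. It assumes the script is installed as a custom integration that receives the path of a JSON alert file as its first argument, and that a local SMTP relay and the placeholder addresses shown exist.

```python
#!/usr/bin/env python3
"""Added example: exact-level filter for a Wazuh custom integration script."""
import json
import smtplib
import sys
from email.message import EmailMessage

# Levels from the question: 3, 5, 9 and 10-15.
LEVEL_SPEC = "3,5,9,10-15"
# Assumptions: local SMTP relay and placeholder addresses.
SMTP_HOST, MAIL_FROM, MAIL_TO = "localhost", "wazuh@example.org", "soc@example.org"


def parse_levels(spec):
    """Expand '3,5,9,10-15' into a set of ints; reject values outside 1-16."""
    levels = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 16:
            raise ValueError(f"bad level range: {part!r}")
        levels.update(range(lo, hi + 1))
    return levels


def should_alert(alert, levels):
    """True only when the alert's rule.level is one of the wanted levels."""
    level = alert.get("rule", {}).get("level")
    return isinstance(level, int) and level in levels


def build_mail(alert):
    """Build the notification; the description is flattened to one header line."""
    rule = alert["rule"]
    desc = " ".join(str(rule.get("description", "")).split())
    msg = EmailMessage()
    msg["From"], msg["To"] = MAIL_FROM, MAIL_TO
    msg["Subject"] = f"Wazuh level {rule['level']}: {desc}"
    msg.set_content(json.dumps(alert, indent=2))
    return msg


if __name__ == "__main__":
    # First argument: path of the JSON alert file handed over by the integrator.
    with open(sys.argv[1], encoding="utf-8") as fh:
        alert = json.load(fh)
    if should_alert(alert, parse_levels(LEVEL_SPEC)):
        with smtplib.SMTP(SMTP_HOST) as smtp:
            smtp.send_message(build_mail(alert))
```

Alerts at any level outside the set (for example 4 or 6-8) are dropped silently, so the minimum level configured for the integration should be no higher than the lowest wanted level.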