The intrusion detection system logs and processes a huge number of system events and classifies them according to how important they are in terms of system integrity. There are multiple levels of importance with 15 being the most important events, e.g. server compromise, and 1 being the least important and merely system notifications with no security relevance.

The table below lists the intrusion detection levels available and the type of items monitored at each level.

Alert Level | Definition
--- | ---
Level 1 | Alert for intrusion events of any level. Please note that this level can be very noisy.
Level 2 | System low priority notification - System notification or status messages. They have no security relevance.
Level 3 | Successful/Authorized events - They include successful login attempts, firewall allow events, etc.
Level 4 | System low priority error - Errors related to bad configurations or unused devices/applications. They have no security relevance and are usually caused by default installations or software testing.
Level 5 | User generated error - They include missed passwords, denied actions, etc. By themselves they have no security relevance.
Level 6 | Low relevance attack - They indicate a worm or a virus that has no effect on the system (like Code Red against Apache servers, etc). They also include frequent IDS events and frequent errors.
Level 7 | "Bad word" matching - They include words like "bad", "error", etc. These events are most of the time unclassified and may have some security relevance.
Level 8 | First time seen - Include first-time-seen events: the first time an IDS event is fired or the first time a user logs in. If you have just started using OSSEC HIDS these messages will probably be frequent; after a while they should go away. It also includes security-relevant actions (like the starting of a sniffer or something like that).
Level 9 | Error from invalid source - Include attempts to log in as an unknown user or from an invalid source. May have security relevance (especially if repeated). They also include errors regarding the "admin" (root) account.
Level 10 | Multiple user generated errors - They include multiple bad passwords, multiple failed logins, etc. They may indicate an attack or may just mean that a user forgot their credentials. (Memset default and recommended level)
Level 11 | Integrity checking warning - They include messages regarding the modification of binaries or the presence of rootkits (by rootcheck). If you have just modified your system configuration you should be fine regarding the "syscheck" messages. They may indicate a successful attack. Also included are IDS events that will be ignored (high number of repetitions).
Level 12 | High importance event - They include error or warning messages from the system, kernel, etc. They may indicate an attack against a specific application.
Level 13 | Unusual error (high importance) - Most of the time it matches a common attack pattern.
Level 14 | High importance security event - Most of the time produced by correlation, and it indicates an attack.
Level 15 | Severe attack - No chance of false positives. Immediate attention is necessary.

It is important to note that any selected level will include alerts for that level and also every level above it, i.e. every level more important than it. For example, if the suggested level 10 is selected then alerts will be sent that match the criteria for level 10 and also levels 11, 12, 13, 14 and 15.

Some consideration should be given to selecting a level that matches both your technical requirements and the time you have to read all the reports. The lower, less important levels will send hundreds if not thousands of messages a day for a busy server, making an important alert easy to overlook among so many messages. The desired alert level can be selected via the "Intrusion Detection Alert Settings" page for the server.
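To make the "selected level and every level above it" rule concrete, here is an added example (not Memset's or OSSEC's own code) that parses a constructed alerts.log-style sample and filters it by a chosen level; the rule ids in the 100000+ local range and the alert text are placeholders, not real OSSEC rules.

```python
import re
from typing import Dict, List

# Constructed sample in the style of an OSSEC alerts.log. Rule ids in the
# 100000+ range are placeholders (OSSEC reserves that range for local rules).
SAMPLE_ALERTS_LOG = """\
** Alert 1521465600.100: - syslog,authentication_failed,
2018 Mar 19 12:00:00 web01->/var/log/auth.log
Rule: 100005 (level 5) -> 'User generated error: failed password.'
Src IP: 192.0.2.10
Mar 19 12:00:00 web01 sshd[1234]: Failed password for alice from 192.0.2.10 port 51234 ssh2

** Alert 1521465660.200: - syslog,authentication_failures,
2018 Mar 19 12:01:00 web01->/var/log/auth.log
Rule: 100010 (level 10) -> 'Multiple failed logins from the same source.'
Src IP: 192.0.2.10
Mar 19 12:01:00 web01 sshd[1240]: Failed password for alice from 192.0.2.10 port 51240 ssh2

** Alert 1521465720.300: - ossec,syscheck,
2018 Mar 19 12:02:00 web01->syscheck
Rule: 100011 (level 11) -> 'Integrity checking warning: binary modified.'
Integrity checksum changed for: '/usr/bin/ssh'
"""

# Each alert block carries one "Rule:" line with the rule id, the level and the description.
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.MULTILINE)


def parse_alerts(log_text: str) -> List[Dict[str, object]]:
    """Split the log into blank-line separated blocks and extract rule id, level and description."""
    alerts = []
    for block in log_text.strip().split("\n\n"):
        match = RULE_LINE.search(block)
        if match is None:  # a block without a Rule: line is not a complete alert
            continue
        alerts.append({"rule": int(match.group(1)),
                       "level": int(match.group(2)),
                       "description": match.group(3)})
    return alerts


def alerts_to_send(alerts: List[Dict[str, object]], selected_level: int) -> List[Dict[str, object]]:
    """Apply the page's rule: a selected level N reports level N and every level above it."""
    if not 1 <= selected_level <= 15:
        raise ValueError("alert level must be between 1 and 15")
    return [a for a in alerts if a["level"] >= selected_level]


if __name__ == "__main__":
    for alert in alerts_to_send(parse_alerts(SAMPLE_ALERTS_LOG), 10):  # Memset's recommended level
        print(f"level {alert['level']:2d} rule {alert['rule']}: {alert['description']}")
```

With the sample above, level 10 reports only the level 10 and level 11 alerts, while level 1 reports all three.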

Further Information on Alert Levels can be found on the OSSEC Website.