Graylog receives Wazuh logs fine (same as Wazuh Dashboard), but no Alerts/Events are triggered. Need them for SOCFortress CoPilot

Hi everyone!

I’m very close, but I’m stuck on alerting.

What works:

  • Wazuh shows alerts correctly in the Wazuh Dashboard.

  • Graylog definitely ingests the same events as logs — I can see them in Search, with fields similar to Wazuh (rule/id, level/severity, agent, etc.).

  • Queries like application_name:wazuh-alerts (or similar) reliably return messages.

Problem:
When I try to configure Graylog alerting (Events/Alerts via Event Definitions + Notifications), nothing triggers. No events/alerts show up at all.
My goal is to have these alerts/events visible in SOCFortress CoPilot.

Environment:

  • Graylog: [version]

  • Backend (OpenSearch/Elasticsearch): [version]

  • Wazuh: [version]

  • Log transport into Graylog: [Syslog TCP/UDP / Beats / other]

  • Index Set: [which one]

  • Timestamp/timezone in messages: [UTC/local]

What I tried:

  1. Created a Stream for Wazuh messages (rule: application_name:wazuh-alerts / program:wazuh / etc.).

  2. Created an Event Definition:

    • Filter by Stream (or by query)

    • Condition like count() > 0 in 1 minute / or severity >= N / or specific rule.id

    • Added a Notification (email/webhook)

  3. Used “Test”/preview — but it shows no events / nothing triggers.

  4. Rebuilt index ranges, checked permissions, confirmed messages are recent and routed into the Stream.

Expected:

  • Graylog should create Events/Alerts based on Wazuh alert logs (e.g. severity >= X, or specific rule.id).

  • Then I can consume them in SOCFortress CoPilot (as far as I understand it expects alerts/events, not just raw logs).

Questions:

  1. What are the most common reasons Event Definitions don’t trigger even when messages exist in Search? (stream routing, timestamps, field types, index ranges, permissions, pipeline parsing?)

  2. What is the recommended approach to turn Wazuh alerts into Graylog Events: Streams + Event Definitions, Pipeline rules, a content pack, something else?

  3. Which fields should I base conditions on (severity/level/rule.id), and do I need to cast field types (string → number) in a pipeline?

Sample message (sanitized):

  • timestamp: [example]

  • fields: [application_name / rule.id / level / agent.name / message]

Any guidance on where to look first would be greatly appreciated.

Hey @unanswered,

The event definition is disabled, the query is not satisfied, the aggregation isn’t satisfied, or messages arrive late to the stream due to a processing delay, and thus the search window of the event definition never aligns with the messages arriving.

Try extending the search window to 5 and 5.

You could also check the server logs to see if there is anything related to the event definition failing.
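The "messages arrive late" failure mode from the reply above, as an added example that is not part of the original thread and not Graylog's own code. It simulates a scheduled event definition under an assumed, simplified model (a run every `execute_every` searches the `timestamp` field over the preceding `search_within`, and only messages already indexed at run time are visible); the ten Wazuh alert messages, the 2-minute processing delay and the `level` values are all constructed. It also covers question 3 from the post: a `>= 7` condition evaluated on an uncast string `level` field compares lexicographically and misses level 10.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

UTC = timezone.utc
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=UTC)  # constructed start time of the simulation


@dataclass
class Message:
    msg_id: str
    timestamp: datetime   # the message's `timestamp` field (event time, as Search shows it)
    indexed_at: datetime  # when the message became searchable (event time + processing delay)
    fields: dict = field(default_factory=dict)


def constructed_wazuh_messages(ingest_delay: timedelta, count: int = 10) -> list[Message]:
    """Constructed sample: one Wazuh alert per minute starting at T0, each becoming
    searchable `ingest_delay` after its event time. `level` is kept as a string,
    which is how it arrives when nothing casts the field in a pipeline rule."""
    messages = []
    for i in range(count):
        event_time = T0 + timedelta(minutes=i)
        level = "10" if i % 3 == 0 else "7"  # constructed mix of two Wazuh rule levels
        messages.append(Message(
            msg_id=f"m{i}",
            timestamp=event_time,
            indexed_at=event_time + ingest_delay,
            fields={"application_name": "wazuh-alerts", "level": level},
        ))
    return messages


def matched_by_event_definition(
    messages: list[Message],
    search_within: timedelta,
    execute_every: timedelta,
    condition: Callable[[Message], bool],
    runs: int = 20,
) -> set[str]:
    """IDs of messages that at least one scheduled run would match.

    Assumed model (not Graylog's scheduler code): run number n happens at
    T0 + n * execute_every and searches messages whose `timestamp` lies in
    [run_time - search_within, run_time). A message is only visible to a run
    if it was indexed by the time the run executes."""
    matched: set[str] = set()
    for n in range(1, runs + 1):
        run_time = T0 + n * execute_every
        window_start = run_time - search_within
        for m in messages:
            visible = m.indexed_at <= run_time
            in_window = window_start <= m.timestamp < run_time
            if visible and in_window and condition(m):
                matched.add(m.msg_id)
    return matched


def level_string_ge_7(m: Message) -> bool:
    """What `level >= 7` effectively does on an uncast string field: a lexicographic
    comparison, under which "10" sorts before "7" and is not matched."""
    return m.fields["level"] >= "7"


def level_number_ge_7(m: Message) -> bool:
    """The intended condition, after the field has been cast to a number."""
    return int(m.fields["level"]) >= 7


def scenario_results(delay_minutes: int) -> dict[str, int]:
    """How many of the ten sample alerts each window/interval combination catches
    when every message is indexed `delay_minutes` after its event time."""
    msgs = constructed_wazuh_messages(timedelta(minutes=delay_minutes))
    one, five = timedelta(minutes=1), timedelta(minutes=5)
    return {
        "within_1m_every_1m": len(matched_by_event_definition(msgs, one, one, level_number_ge_7)),
        "within_5m_every_5m": len(matched_by_event_definition(msgs, five, five, level_number_ge_7)),
        "within_5m_every_1m": len(matched_by_event_definition(msgs, five, one, level_number_ge_7)),
        "within_5m_every_1m_string_compare": len(
            matched_by_event_definition(msgs, five, one, level_string_ge_7)),
    }


if __name__ == "__main__":
    for delay_minutes in (0, 2):
        print(f"processing delay of {delay_minutes} minute(s):")
        for name, count in scenario_results(delay_minutes).items():
            print(f"  {name}: {count}/10 alerts matched")
```

Under this model a 2-minute delay makes a 1-minute window run every minute match nothing at all, even though every message is present in Search; a 5-minute window run every 5 minutes catches 8 of the 10 but still misses the alerts that land just before a run; a 5-minute window run every minute catches all 10. The last scenario shows the same windows with the string comparison, which silently drops every level-10 alert, so casting `level` to a number before the condition is evaluated matters as much as the window size.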