Keeping tabs on network security can be overwhelming when the signal gets lost in the noise. Wazuh is an incredibly powerful open-source SIEM tool, but it sometimes shouts too loud—especially when it’s just doing its job.

Let’s talk about a real-world example: Docker and promiscuous mode alerts.


🧠 Context: My Self-Hosted Wazuh Setup

I host my own Wazuh server to monitor the security status of various devices across my network—from personal machines to Docker hosts. It's been rock solid for real-time monitoring, alerting, and log analysis. But as with any good watchdog... sometimes it barks a bit too much. 🐕


🐳 The Docker Dilemma: Promiscuous Mode Alerts

Some of my monitored devices are Docker hosts, which means they regularly create and destroy virtual network adapters.

Wazuh, being vigilant, doesn't miss a thing. It repeatedly logs alerts like:

⚠️ Network interface entered promiscuous mode

While this is technically useful, I was getting flooded with notifications—dozens per hour—just because Docker was doing its normal thing. Not a breach. Not suspicious. Just... Docker being Docker.


🔕 The Solution: Suppressing Specific Alerts

Rather than disable the module entirely (which could hide actual threats), I decided to suppress only those specific alert IDs using Wazuh’s built-in custom rules.

✍️ How to Suppress Wazuh Alerts

You can add suppression rules directly to:

/var/ossec/etc/rules/local_rules.xml

Here’s a sample configuration I added (rules in this file must sit inside a <group> element, or the manager won’t load them):

<group name="local,docker,">
  <rule id="100003" level="0">
    <if_sid>80710</if_sid>
    <description>Suppress Docker promiscuous mode alert</description>
  </rule>

  <rule id="100004" level="0">
    <if_sid>5104</if_sid>
    <description>Suppress Docker promiscuous mode alert</description>
  </rule>
</group>

🔹 80710 and 5104 are the IDs of the built-in Wazuh rules that fire when Docker interfaces enter promiscuous mode; the child rules above hook them through <if_sid>.

🔹 Setting the level to 0 means the event still matches but generates no alert. A child rule takes precedence over its parent, so the original alert is replaced rather than duplicated, and Wazuh silently ignores the event.
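A more targeted variant, added here as an example rather than taken from the configuration above: matching on <if_sid> alone silences promiscuous-mode alerts from every monitored host and every interface, including ones Docker never touches. Adding a <match> on the interface name keeps the suppression to Docker-created adapters and leaves the alert live for anything else. Assumptions in this block: Docker's default naming (docker0, veth*, br-*), the kernel wording "device X entered promiscuous mode" behind rule 5104, and an auditd record containing "dev=X" behind rule 80710; check the strings against what your own logs show before relying on them.

```xml
<!-- local_rules.xml: added example, not the post's original rules.
     Both rules stay at level 0 but only fire when the interface name
     looks like one Docker creates; other interfaces still raise the
     parent alert at its normal level. -->
<group name="local,docker,">

  <!-- Kernel message handled by rule 5104 (assumed wording):
       "device veth1a2b3c4 entered promiscuous mode" -->
  <rule id="100003" level="0">
    <if_sid>5104</if_sid>
    <match>device veth|device docker0|device br-</match>
    <description>Docker-managed interface entered promiscuous mode (expected, suppressed)</description>
  </rule>

  <!-- auditd ANOM_PROMISCUOUS record handled by rule 80710 (assumed format):
       "... dev=veth1a2b3c4 prom=256 old_prom=0 ..." -->
  <rule id="100004" level="0">
    <if_sid>80710</if_sid>
    <match>dev=veth|dev=docker0|dev=br-</match>
    <description>Docker-managed interface entered promiscuous mode (expected, suppressed)</description>
  </rule>

</group>
```

Before restarting the manager, paste a real log line into /var/ossec/bin/wazuh-logtest (Wazuh 4.x) and confirm the output ends on rule 100003 or 100004 at level 0; a line naming a non-Docker interface such as eth0 should still end on 5104 or 80710, which is the behaviour you want to preserve.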

✅ Don’t Forget:

After editing local_rules.xml, restart the Wazuh manager for changes to take effect:

sudo systemctl restart wazuh-manager

🎯 Final Thoughts

By selectively suppressing noisy—but benign—alerts, you can keep Wazuh focused on what really matters. It’s all about tuning the signal-to-noise ratio so that when a real threat appears, it doesn’t get lost in a sea of Docker chatter.

🔐 Pro tip: Regularly review your alert rules to avoid suppressing something that might later become relevant.

📚 Reference: Rules Syntax - Ruleset XML syntax · Wazuh documentation

📝 Like this post?
Read more real-world DevOps and self-hosting stories at:
👉 blog.opensourceitsolutions.co.uk

🏷️ Tags

Wazuh · SIEM · Alert Suppression · Docker Monitoring · Open Source Security · HomeLab