Update file.md

LaurenceJJones · web-flow · commit c8774157cd2f · 2024-11-18T10:33:14.000Z
diff --git a/crowdsec-docs/docs/notification_plugins/file.md b/crowdsec-docs/docs/notification_plugins/file.md
@@ -51,6 +51,10 @@ Some SIEM agents may not support some top level keys we define in the default nd
 
 ### SIEM Integration
 
+:::warning
+Please note if you change the format that is printed to the file you must also configure the collector on the SIEM side to also expect the same format
+:::
+
 #### Filebeat
 
 Filebeat has a set of reserved top level keys and should not be used in the ndjson format. The following format can be used to be compatible with Filebeat:
@@ -61,6 +65,16 @@ format: |
    { "time": "{{.StopAt}}", "source": "crowdsec", "alert": {{. | toJson }} }
   {{ end -}}
 ```
+#### Wazuh
+
+Wazuh has set of reserved top level keys and may cause logs not to be sent by the agent. The following format can be used to be compatible with Wazuh:
+
+```yaml
+format: |
+  {{range . -}}
+   { "crowdsec": { "time": "", "program": "crowdsec", "alert": {{. | toJson }} }}
+  {{ end -}}
+```
 
 ## Testing the plugin
 
