From 8c180548c4a709722cedf288e41737866e7656b8 Mon Sep 17 00:00:00 2001
From: Laurence Jones
Date: Thu, 26 Dec 2024 12:41:44 +0000
Subject: [PATCH] Update file.md (#672)

---
 .../docs/local_api/notification_plugins/file.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/crowdsec-docs/docs/local_api/notification_plugins/file.md b/crowdsec-docs/docs/local_api/notification_plugins/file.md
index d206bf35e..cf09d1bd5 100644
--- a/crowdsec-docs/docs/local_api/notification_plugins/file.md
+++ b/crowdsec-docs/docs/local_api/notification_plugins/file.md
@@ -51,6 +51,10 @@ Some SIEM agents may not support some top level keys we define in the default nd
 
 ### SIEM Integration
 
+:::warning
+Please note if you change the format that is printed to the file you must also configure the collector on the SIEM side to also expect the same format
+:::
+
 #### Filebeat
 
 Filebeat has a set of reserved top level keys and should not be used in the ndjson format. The following format can be used to be compatible with Filebeat:
@@ -61,6 +65,16 @@ format: |
 { "time": "{{.StopAt}}", "source": "crowdsec", "alert": {{. | toJson }} }
 {{ end -}}
 ```
+#### Wazuh
+
+Wazuh has set of reserved top level keys and may cause logs not to be sent by the agent. The following format can be used to be compatible with Wazuh:
+
+```yaml
+format: |
+ {{range . -}}
+ { "crowdsec": { "time": "", "program": "crowdsec", "alert": {{. | toJson }} }}
+ {{ end -}}
+```
 
 ## Testing the plugin
 