Bradley, these are coming from servername.example.com and were found in the monitored logfile /var/log/messages. I think you already figured that out :-)
Rule 1002 creates a level 2 alert when any of the following words are found in a message:

core_dumped|failure|error|attack|bad|illegal|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted

In your case it was error and failed that triggered the alert.

Cheers,
Wim

On Fri, Apr 23, 2010 at 2:06 PM, Bradley Radjoo <[email protected]> wrote:
> Hello All,
> Does anybody know where the below messages come from?
> And where they are generated from.....?
> I don't have an hda device.......?
>
> -----
>
> Regards,
>
> Bradley Radjoo
>
> Anyone who has never made a mistake has never tried anything new. — Albert Einstein.
>
> Begin forwarded message:
>
> Subject: OSSEC Notification - *servername.exmaple.com* - Alert level 2
>
> OSSEC HIDS Notification.
> 2010 Apr 23 13:23:30
>
> Received From:servername.example.com->/var/log/messages
>
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Apr 23 13:23:30 servername.example.com hda: packet command error: status=0x51 { DriveReady SeekComplete Error }
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2010 Apr 23 13:23:30
>
> Received From:servername.example.com->/var/log/messages
>
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Apr 23 13:23:30servername.example.com hda: packet command error: error=0x54 { AbortedCommand LastFailedSense=0x05 }
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2010 Apr 23 13:23:30
>
> Received From:servername.example.com->/var/log/messages
>
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Apr 23 13:23:30 servername.example.com ide: failed opcode was: unknown
>
> --END OF NOTIFICATION
>
> Please note: This email and its content are subject to the disclaimer as
> displayed at the following link
> http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm.
> Should you not have Web access, send an email to [email protected] and a
> copy will be sent to you.

--
Wim Remes
Security Afficionado

--
Subscription settings: http://groups.google.com/group/ossec-list/subscribe?hl=en
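To see which keyword fired for which log source when triaging a batch of rule 1002 alerts, the following is an added example and not part of the original thread or OSSEC's own code. It assumes plain case-insensitive substring matching as an approximation of the rule's matcher; the function names are hypothetical, and the sample lines are the three log portions from the notifications above, joined onto single lines.

```python
import re
from collections import defaultdict

# Keyword list exactly as quoted in the reply for rule 1002.
RULE_1002_WORDS = (
    "core_dumped|failure|error|attack|bad|illegal|denied|refused|"
    "unauthorized|fatal|failed|Segmentation Fault|Corrupted"
).split("|")

# Syslog header: "Mon DD HH:MM:SS host tag: message". The whitespace after
# the timestamp is optional because one quoted line lost it in transit.
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s*(?P<host>\S+)\s+(?P<tag>[^\s:]+):\s*(?P<msg>.*)$"
)

def matched_words(log_line):
    """Return the rule 1002 keywords found in the line, in list order.

    Assumption: case-insensitive substring search, so 'failed' also
    matches inside a token such as 'LastFailedSense'.
    """
    lowered = log_line.lower()
    return [w for w in RULE_1002_WORDS if w.lower() in lowered]

def summarize(log_lines):
    """Group the triggering keywords by syslog tag (e.g. 'hda', 'ide')."""
    by_tag = defaultdict(list)
    for line in log_lines:
        m = SYSLOG_RE.match(line.strip())
        tag = m.group("tag") if m else "unparsed"
        for word in matched_words(line):
            if word not in by_tag[tag]:
                by_tag[tag].append(word)
    return dict(by_tag)

# Log portions taken from the three notifications in this thread.
SAMPLE_LINES = [
    "Apr 23 13:23:30 servername.example.com hda: packet command error: "
    "status=0x51 { DriveReady SeekComplete Error }",
    "Apr 23 13:23:30servername.example.com hda: packet command error: "
    "error=0x54 { AbortedCommand LastFailedSense=0x05 }",
    "Apr 23 13:23:30 servername.example.com ide: failed opcode was: unknown",
]

if __name__ == "__main__":
    for tag, words in summarize(SAMPLE_LINES).items():
        print(f"{tag}: {', '.join(words)}")
```
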
