Thanks a stack Wim ;-)
On 23 Apr 2010, at 3:38 PM, Wim Remes wrote:

> Bradley,
>
> these are coming from servername.example.com and were found in the
> monitored logfile /var/log/messages. I think you already figured that
> out :-)
>
> rule 1002 creates a level 2 alert when any of the following words are
> found in a message:
> core_dumped|failure|error|attack|bad|illegal|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
>
> in your case it was error and failed that triggered the alert.
>
> Cheers,
>
> Wim
>
>
> On Fri, Apr 23, 2010 at 2:06 PM, Bradley Radjoo <[email protected]>
> wrote:
>> Hello All,
>> Does anybody know where the below messages come from?
>> And where are they generated from...?
>> I don't have an hda device...?
>>
>> -----
>>
>> Regards,
>>
>> Bradley Radjoo
>>
>> Anyone who has never made a mistake has never tried anything new. — Albert
>> Einstein.
>>
>> Begin forwarded message:
>>
>> Subject: OSSEC Notification - *servername.example.com* - Alert level 2
>>
>> OSSEC HIDS Notification.
>> 2010 Apr 23 13:23:30
>>
>> Received From: servername.example.com->/var/log/messages
>>
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Apr 23 13:23:30 servername.example.com hda: packet command error:
>> status=0x51 { DriveReady SeekComplete Error }
>>
>> --END OF NOTIFICATION
>>
>>
>> OSSEC HIDS Notification.
>> 2010 Apr 23 13:23:30
>>
>> Received From: servername.example.com->/var/log/messages
>>
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Apr 23 13:23:30 servername.example.com hda: packet command error: error=0x54
>> { AbortedCommand LastFailedSense=0x05 }
>>
>> --END OF NOTIFICATION
>>
>>
>> OSSEC HIDS Notification.
>> 2010 Apr 23 13:23:30
>>
>> Received From: servername.example.com->/var/log/messages
>>
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Apr 23 13:23:30 servername.example.com ide: failed opcode was: unknown
>>
>> --END OF NOTIFICATION
>>
>>
>> Please note: This email and its content are subject to the disclaimer as
>> displayed at the following link
>> http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm.
>> Should you not have Web access, send an email to [email protected] and a
>> copy will be sent to you.
>
>
> --
> Wim Remes
> Security Aficionado
>
>
> --
> Subscription settings:
> http://groups.google.com/group/ossec-list/subscribe?hl=en
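For anyone landing on this thread later: the keyword check Wim describes, run over the three log lines from the notifications. This is an added illustration, not OSSEC's own matching code and not something posted in the thread. It assumes the rule behaves as case-insensitive substring matching of the quoted BAD_WORDS list (no word boundaries), and the last two sample lines (a cron entry and an sshd entry) are constructed for the demonstration; the sshd line shows why a bare substring like "bad" can fire on an ordinary username.

```python
import re

# Keyword list for OSSEC rule 1002, exactly as quoted by Wim in the thread.
BAD_WORDS = ("core_dumped|failure|error|attack|bad|illegal|denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted")

# Assumption: the rule is a case-insensitive substring match with no word
# boundaries. Each keyword is escaped so that it is matched literally.
_BAD_RE = re.compile("|".join(re.escape(w) for w in BAD_WORDS.split("|")),
                     re.IGNORECASE)

# Sample input. The first three lines are the ones quoted in the notifications;
# the last two are constructed for this example and did not appear in the thread.
SAMPLE_LOGS = [
    "Apr 23 13:23:30 servername.example.com hda: packet command error: "
    "status=0x51 { DriveReady SeekComplete Error }",
    "Apr 23 13:23:30 servername.example.com hda: packet command error: "
    "error=0x54 { AbortedCommand LastFailedSense=0x05 }",
    "Apr 23 13:23:30 servername.example.com ide: failed opcode was: unknown",
    "Apr 23 13:25:01 servername.example.com CRON[1234]: (root) CMD "
    "(run-parts /etc/cron.hourly)",                                  # constructed
    "Apr 23 13:26:10 servername.example.com sshd[2345]: Accepted publickey "
    "for badger from 10.0.0.5 port 51234 ssh2",                       # constructed
]


def matched_keywords(line):
    """Return the BAD_WORDS entries found in `line`, lower-cased, in order of
    first appearance and without duplicates. Empty list means no match."""
    found = []
    for m in _BAD_RE.finditer(line):
        kw = m.group(0).lower()
        if kw not in found:
            found.append(kw)
    return found


def rule_1002_fires(line):
    """True when the generic 'Unknown problem somewhere in the system' rule
    would fire on this line under the substring-match assumption above."""
    return bool(matched_keywords(line))


def triage(lines):
    """Pair every alerting line with the keyword(s) that caused the alert, so the
    reader can see what actually triggered rule 1002 rather than guessing."""
    return [(line, matched_keywords(line)) for line in lines if rule_1002_fires(line)]


if __name__ == "__main__":
    for line, keywords in triage(SAMPLE_LOGS):
        print(f"{', '.join(keywords):>14} <- {line}")
```

Running it shows the first two hda lines firing on "error" (the second also on "failed", found inside "LastFailedSense"), the ide line firing on "failed", the cron line staying silent, and the sshd line firing on "bad" purely because "badger" contains it. That last case is the practical caveat with a catch-all word list: the match is on substrings of arbitrary log text, so expect some level 2 noise from benign messages.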
