The error does not appear in /var/log/messages on the agent being monitored, but does appear in the ossec.log on the master. There is a very long message in /var/log/messages on the agent at around the same time.
Is there a maximum size for messages? All agents are running on RHEL 5.

On Sep 11, 4:04 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> On Sat, Sep 11, 2010 at 7:53 AM, ItsMikeE <mernst...@gmail.com> wrote:
> > OSSEC is giving me an alert
> >
> > "OSSEC HIDS Notification.
> > 2010 Sep 11 12:43:23
> >
> > Received From: (server) 101.102.103.104->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> >
> > Sep 11 12:43:15 server error getting update info: tuple index out of range
> >
> > --END OF NOTIFICATION"
> >
> > Could this be caused by OSSEC trying to decode a message in /var/log/messages which is too long?
>
> Can you find that message in /var/log/messages?