You should use ossec-logtest and see how this alert is decoded by OSSEC.
The rule 1002 is usually run because your error message contains one of the
keywords of the rule; I believe in this case it is caused by "error".
I tried against one of my test OSSEC servers and got a different result:
[fimtest100 ~]# /apps/ossec/bin/ossec-logtest
2012/01/09 21:39:47 ossec-testrule: INFO: Reading local decoder file.
2012/01/09 21:39:48 ossec-testrule: INFO: Started (pid: 20910).
ossec-testrule: Type one log per line.
Jan 9 12:00:03 mail01 named[16307]: error (network unreachable) resolving
'rfc-ignorant.org/DS/IN': 2001:500:48::1#53
**Phase 1: Completed pre-decoding.
full event: 'Jan 9 12:00:03 mail01 named[16307]: error (network
unreachable) resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53'
hostname: 'mail01'
program_name: 'named'
log: 'error (network unreachable) resolving 'rfc-ignorant.org/DS/IN':
2001:500:48::1#53'
**Phase 2: Completed decoding.
decoder: 'named'
**Phase 3: Completed filtering (rules).
Rule id: '12100'
Level: '0'
Description: 'Grouping of the named rules'
I have an OSSEC 2.6 version installed.
-Stephane
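To turn the advice above into a repeatable check, here is an added Python example (not from this thread or from the OSSEC project) that parses ossec-logtest output and verifies which rule matched; the embedded sample is the run quoted above, reflowed as the tool prints it, and the binary path /apps/ossec/bin/ossec-logtest is taken from that run.

```python
import re
import subprocess

# Constructed sample: the ossec-logtest run quoted in the thread, one field
# per line as the tool prints it (the e-mail client wrapped the long ones).
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: 'Jan 9 12:00:03 mail01 named[16307]: error (network unreachable) resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53'
       hostname: 'mail01'
       program_name: 'named'
       log: 'error (network unreachable) resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53'

**Phase 2: Completed decoding.
       decoder: 'named'

**Phase 3: Completed filtering (rules).
       Rule id: '12100'
       Level: '0'
       Description: 'Grouping of the named rules'
"""

# "name: 'value'" lines; the value itself may contain quotes and colons.
FIELD_RE = re.compile(r"^\s*([A-Za-z_ ]+?):\s*'(.*)'\s*$")


def parse_logtest(output):
    """Return the key/value pairs ossec-logtest prints, keyed by the
    lower-cased field name ('decoder', 'rule id', 'level', ...).
    No 'rule id' key means no rule matched (no Phase 3 output)."""
    fields = {}
    for line in output.splitlines():
        if line.startswith("**Phase") or not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def check_expectation(output, expected_rule, max_level=None):
    """True if the run matched expected_rule and, when max_level is given,
    the rule level does not exceed it (level 0 never raises an alert)."""
    f = parse_logtest(output)
    if f.get("rule id") != str(expected_rule):
        return False
    return max_level is None or int(f.get("level", "0")) <= max_level


def run_logtest(log_line, binary="/apps/ossec/bin/ossec-logtest"):
    """Feed one log line to a real ossec-logtest (assumed installed at the
    path from the thread) and return its parsed output."""
    proc = subprocess.run([binary], input=log_line + "\n",
                          capture_output=True, text=True)
    return parse_logtest(proc.stdout + proc.stderr)
```

With run_logtest() wired to a real install, the same assertions can guard a local rules change so that a named line silently landing on rule 1002 again is caught before deployment.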
From: Scott <[email protected]>
Reply-To: <[email protected]>
Date: Mon, 9 Jan 2012 12:05:48 -0500
To: <[email protected]>
Subject: [ossec-list] rule 1002 problem... did i completely miss something?
Jan 9 12:00:03 mail01 named[16307]: error (network unreachable) resolving
'rfc-ignorant.org/DS/IN': 2001:500:48::1#53