On 13 January 2012 06:22, Jens Simmoleit <[email protected]> wrote:
> Now I'm wondering, is this because the ossec user tries to get information > from the crontab and can't succeed? Or is this a message Ossec grabbed from > the system? > > Is this a problem with ossec, or not? > > > Received From: adm-emt1->/var/log/messages > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." > Portion of the log(s): Jan 13 12:02:01 adm-emt1 /usr/sbin/cron[1028]: > Permission denied I'd check the corresponding log entry. All that can be gathered from the above is that OSSEC saw the "permission denied" entry in /var/log/messages and was reporting it; something DID try to access cron, but without the specific log entry you won't know what that was. kmw
