On Tue, Feb 28, 2012 at 8:47 AM, jjj092353 <[email protected]> wrote: > I have ossec running on abour 20 linux boxes and only one of the boxes > (they're all Centos 5.4 or higher) throws this error. > > I sometimes get this error every 10 minutes. How do I change the > parameter to stop the errors or solve the root problem? > > thanks in advance - Jeff > > OSSEC HIDS Notification. > 2012 Feb 27 21:15:21 > > Received From: (dot210) 65.36.241.210->/var/log/messages > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the > system." > Portion of the log(s): > > Feb 27 23:10:19 mysite ntpd[2148]: frequency error -512 PPM exceeds > tolerance 500 PPM >
The 1002 alert is triggering on the word "error" in this message. You can easily write a rule to ignore it. > > > --END OF NOTIFICATION
