On Fri, Jan 2, 2015 at 8:49 AM, Fred974 <[email protected]> wrote:
> Hi,
>
> I keep receiving an email with the following content:
>
>> OSSEC HIDS Notification.
>> 2015 Jan 02 12:00:01
>>
>> Received From: trinity->/var/log/maillog
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Jan 2 12:00:00 trinity smtpd[1161]: smtp-out: Error on session
>> 07918989899b62f0: Connection failed: No route to host
>>
>>
>>
>> --END OF NOTIFICATION
>
>
> I read that if OSSEC receives a log that it doesn't know how to decode it
> will generate an event 1002 - "Unknown problem somewhere in the system"

This is incorrect. Rules that contain a word in the $BAD_WORDS variable in syslog_rules.xml trigger alert 1002.

> The solution is to configure a minimal decoder to identify a unique field
> within the log so that OSSEC no longer considers the log unknown.
>
> Could someone please help me to understand how to apply this solution?
> I'll appreciate a simple example to get me on track.

You need to create a rule to handle this log message, not a decoder.

> Thank you
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
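A child rule of the kind the reply describes, added here as an illustration and not code from the thread or from the OSSEC project; it goes in local_rules.xml, and the rule ids 100100/100101, the levels, the frequency window and the descriptions are assumptions:

```xml
<!-- Added example (not from the thread): local_rules.xml rules for the smtpd
     "No route to host" log that currently trips the generic $BAD_WORDS rule 1002. -->
<group name="local,syslog,smtpd,">

  <!-- Rule ids are assumptions; 100000-119999 is the range OSSEC reserves for
       local rules. if_sid makes this a child of 1002: it is evaluated only after
       1002 matched, and when it matches it replaces the parent's alert, so the
       event gets a meaningful description instead of "Unknown problem". -->
  <rule id="100100" level="4">
    <if_sid>1002</if_sid>
    <program_name>smtpd</program_name>
    <match>smtp-out: Error on session</match>
    <regex>Connection failed: No route to host</regex>
    <description>smtpd: outbound delivery failed, no route to remote host.</description>
  </rule>

  <!-- A single failed delivery is noise; a burst of them usually means an
       outage (routing, firewall, DNS) and is worth an e-mail. frequency/timeframe
       values are assumptions to tune for your mail volume. -->
  <rule id="100101" level="8" frequency="10" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <options>alert_by_email</options>
    <description>smtpd: repeated outbound delivery failures (possible network outage).</description>
  </rule>

</group>
```

With the default email_alert_level of 7 in ossec.conf, the level-4 rule is logged but not mailed, while the level-8 burst rule is; setting 100100 to level 0 would silence the event entirely, which is the usual choice when the message is pure noise.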
