All,

It's a bit embarrassing that I can't figure out how to stop this particular alert, but I don't know how. Here's the situation:

I have Sophos anti-virus installed on some of my Linux boxes. I keep getting OSSEC alerts like the following:

2011 Oct 19 11:21:59 Rule Id: 1002 level: 2
Location: (plymouth) 192.168.1.2->/var/log/messages
Unknown problem somewhere in the system.

Oct 19 11:21:59 plymouth savd: savscan.log: On-demand scan details: master boot records scanned: 0, boot records scanned: 0, files scanned: 3, scan errors: 0, viruses detected: 0, infected files detected: 0

Obviously, I don't want this event to alert. What do I have to do in OSSEC to prevent this specific alert?

Many thanks.

Dimitri