Hi, I keep receiving an email with the following content:
> OSSEC HIDS Notification.
> 2015 Jan 02 12:00:01
>
> Received From: trinity->/var/log/maillog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jan 2 12:00:00 trinity smtpd[1161]: smtp-out: Error on session 07918989899b62f0: Connection failed: No route to host
>
> --END OF NOTIFICATION

I read that if OSSEC receives a log that it doesn't know how to decode, it will generate event 1002, "Unknown problem somewhere in the system". The solution is to configure a minimal decoder to identify a unique field within the log so that OSSEC no longer considers the log unknown.

Could someone please help me to understand how to apply this solution? I'd appreciate a simple example to get me on track.

Thank you
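Added example of the decoder-plus-rule approach for the smtpd line quoted above; it is not from the original post or from OSSEC's shipped ruleset. It assumes OSSEC 2.8 or later, where ossec.conf loads etc/local_decoder.xml and rules/local_rules.xml; the decoder and rule names, the rule ids 100100/100101 in the local range, and the level 5 chosen for the delivery failure are assumptions.

```xml
<!-- etc/local_decoder.xml (added example; file location assumed for OSSEC 2.8+) -->

<!-- Parent decoder: claims every syslog line whose program name is smtpd -->
<decoder name="smtpd">
  <program_name>^smtpd</program_name>
</decoder>

<!-- Child decoder: extracts the session id and the error text from the
     "smtp-out: Error on session <id>: <reason>" form quoted in the alert -->
<decoder name="smtpd-session-error">
  <parent>smtpd</parent>
  <prematch>^smtp-out: Error on session </prematch>
  <!-- OSSEC regex syntax: \S+ = run of non-spaces, \.+ = any characters -->
  <regex offset="after_prematch">^(\S+): (\.+)$</regex>
  <order>id, extra_data</order>
</decoder>

<!-- rules/local_rules.xml (added example; rule ids 100100+ assumed unused) -->
<group name="local,smtpd,">
  <!-- Level 0 rules are evaluated before all others, so this grouping rule
       claims every decoded smtpd line and nothing falls through to 1002 -->
  <rule id="100100" level="0">
    <decoded_as>smtpd</decoded_as>
    <description>smtpd messages grouped.</description>
  </rule>

  <!-- Child rule: keeps visibility of the failed delivery at a level you
       choose (5 is an assumption) instead of the generic level-2 catch-all -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>Connection failed: No route to host</match>
    <description>smtpd outbound session failed: remote host unreachable.</description>
  </rule>
</group>
```

Before restarting OSSEC, paste the original log line into /var/ossec/bin/ossec-logtest and confirm that the id and extra_data fields are decoded and that rule 100101, not 1002, is the one that fires.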