
My server is sending the error message below to my email every five minutes:

OSSEC HIDS Notification.
2011 Jun 17 16:30:03

Received From: ubuntu->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jun 18 08:30:01 ubuntu CRON[16935]: (www-data) CMD (php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log)

Any ideas on what it means?

aarru

1 Answer


I believe, looking at this rule (below), basically, if I'm not wrong, this is where OSSEC falls through the cracks and ends up hitting this rule. This rule will always fire when new, unknown syslogs appear, and in your case it was the Cacti polling log, which it doesn't know about.

<rule id="1002" level="2">
  <match>$BAD_WORDS</match>
  <options>alert_by_email</options>
  <description>Unknown problem somewhere in the system.</description>
</rule>

You will need to add rules to match syslogs that are good and write rules to alarm on the bad.

OSSEC's site explains this here: http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7

George Vieira
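Applying the answer above to this specific alert: the cron line only trips rule 1002 because the default $BAD_WORDS list contains "error" and the stderr redirect target is named poller-error.log. The following local_rules.xml entry is an added example, not part of the original answer; the rule id 100100 (the 100000-119999 range is reserved for local rules) and the match string are my choices.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; rule id and match string are my choices) -->
<group name="local,syslog,">

  <!-- Child of 1002: only evaluated after 1002 has matched, so it cannot
       widen what 1002 catches. The Cacti poller cron line hit $BAD_WORDS
       solely because its log file is called poller-error.log. Level 0 drops
       the e-mail for this exact command line; any other $BAD_WORDS hit in
       /var/log/syslog still reaches 1002 and alerts as before.
       <match> is a plain substring test, so no regex escaping is needed. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <match>CMD (php /usr/share/cacti/site/poller.php</match>
    <description>Cacti poller cron job (known good, suppressed).</description>
  </rule>

</group>
```

Check the result with `/var/ossec/bin/ossec-logtest` by pasting the cron line (it should now report rule 100100 at level 0), then restart with `/var/ossec/bin/ossec-control restart`. Keep the match this narrow: a broad `<match>CRON</match>` would also silence genuine cron failures.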