From OSSEC Wiki

• Rule:

<varname="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation</var>

<rule id="1002" level="2"> <match>$BAD_WORDS</match> <options>alert_by_email</options> <description>Unknown problem somewhere in the system.</description> </rule>

• Inside file: syslog_rules
• Inside group(s): Errors Syslog
• Depends on:
• False positive:
• Comments:

This alert will fire when a string from $BAD_WORDS is seen

• Example of log: