Samhain - POLICY NODIRECTORY explained
This was a tricky one. I kept getting alerts for:
-----BEGIN MESSAGE----- [2012-07-09T23:40:37+1000] server8.somedomain.com CRIT : [2012-07-09T23:40:34+1000] msg=<POLICY NODIRECTORY>, path=</var/log> -----BEGIN SIGNATURE----- EA6AB852FD5E03118A95B8507E514F264CCFE3CC35E3330F 000154 1340761939::server8.somedomain.com -----END MESSAGE-----
And for the life of me I wasn't sure why, but after reading the source code the cause became clear:
{ MSG_FI_NODIR, N_("File found where directory was expected"), IDMEF_IMPACT_TYPE_FILE },
And you know what, it was correct! /var/log was a softlink to /data/logs! A symlink is not itself a directory, so a policy entry that expects a directory at that path trips this check.
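To catch this before the alert fires, here is an added example (not from the original post and not part of Samhain) that classifies each path from a constructed, plain list of directory entries the way a non-symlink-following check sees it, and flags anything that is not a real directory; the list format is a simplified stand-in for the actual samhainrc syntax.

```shell
#!/bin/sh
# Added example, not part of the original post or of Samhain itself.
# classify_path PATH -> prints one of:
#   directory, symlink-to-directory, symlink-to-file, dangling-symlink, file, missing
# The -L test looks at the entry itself (lstat view), so a symlink pointing at a
# directory is reported as a symlink, not as a directory.
classify_path() {
    p=$1
    if [ -L "$p" ]; then
        if [ -d "$p" ]; then
            echo "symlink-to-directory"
        elif [ -e "$p" ]; then
            echo "symlink-to-file"
        else
            echo "dangling-symlink"
        fi
    elif [ -d "$p" ]; then
        echo "directory"
    elif [ -e "$p" ]; then
        echo "file"
    else
        echo "missing"
    fi
}

# check_dir_entries FILE: FILE holds one path per line (a constructed,
# simplified list of the paths you would put under dir= in samhainrc).
# Prints every entry that is not a plain directory and returns 1 if any
# was found, 0 if all entries are real directories.
check_dir_entries() {
    rc=0
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        kind=$(classify_path "$entry")
        if [ "$kind" != "directory" ]; then
            echo "$entry: $kind (not a plain directory; check this policy entry)"
            rc=1
        fi
    done < "$1"
    return $rc
}
```

Run `check_dir_entries /path/to/list` on the host being monitored; a `symlink-to-directory` result is exactly the /var/log -> /data/logs situation described above.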