Hi Daniel,

Thanks for your reply. Is it possible to monitor only the base directory without monitoring any of the files located in the directory? For example I want to make sure permissions don't change on /var/spool/mqueue, but don't care about any files inside that directory.

Thanks,
Josh

On Sep 18, 9:46 am, Daniel Cid <[email protected]> wrote:
> Hi Josh,
>
> If you know the file names you want to monitor inside the /var/spool
> directory you can use regular expressions in there:
>
> <directories check_all="yes">/var/spool/*filesX</directories>
>
> Otherwise you would need to use rules for that, since our <ignore>
> option is very simple.
> In the rule you can do:
>
> <rule id="abc" level="0">
>   <if_group>syscheck</if_group>
>   <regex>/var/spool/QF|/var/spool/df</regex>
>   <description>Ignoring QF and DF files inside /var/spool</description>
> </rule>
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Thu, Sep 17, 2009 at 2:03 PM, Josh Albright <[email protected]> wrote:
> > Hi,
> >
> > Is it possible to ignore files that match a regex pattern in specific
> > directories while continuing to monitor in others? I’m trying to monitor the
> > /var/spool/mqueue base directory and ignore all the mail related files
> > within the directory as they change/move frequently.
> >
> > I put the following ignore type rule in place to ignore the mail related
> > files:
> >
> > <directories check_all="yes">/var/spool</directories>
> >
> > <ignore type="sregex">^Qf|^df|^qf|^xf</ignore>
> >
> > I think this works ok for ignoring the mail related files, but the rule will
> > also cause files in other directories to be ignored that I don’t want such
> > as /etc/dfs/dfstab.
> >
> > Is there a way to apply the ignore rule only to a specific directory? Thanks
> > for your help!
> >
> > Thanks,
> >
> > Josh
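Added example, not part of the thread and not OSSEC code: the check asked about in the latest message (permissions on the directory itself, ignoring its contents) can be done outside syscheck by comparing the directory entry's own lstat metadata against a baseline. The temporary directory and the file names below are constructed stand-ins for /var/spool/mqueue and its queue files.

```python
import os
import stat
import tempfile

def dir_metadata(path):
    """Return mode bits, owner and group of the directory entry itself."""
    st = os.lstat(path)  # lstat: a symlink swapped in for the directory is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def diff_metadata(baseline, current):
    """List the fields whose value differs from the baseline."""
    return [
        f"{k}: {baseline[k]:o} -> {current[k]:o}" if k == "mode"
        else f"{k}: {baseline[k]} -> {current[k]}"
        for k in ("mode", "uid", "gid") if baseline[k] != current[k]
    ]

def demo():
    """Constructed stand-in for /var/spool/mqueue in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "mqueue")
        os.mkdir(spool)
        os.chmod(spool, 0o700)  # set explicitly so the umask does not matter
        baseline = dir_metadata(spool)

        # Queue churn: files appear and disappear inside the directory.
        for name in ("qfAAA111", "dfAAA111"):
            with open(os.path.join(spool, name), "w") as fh:
                fh.write("constructed sample\n")
        os.remove(os.path.join(spool, "dfAAA111"))
        after_churn = diff_metadata(baseline, dir_metadata(spool))

        # A permission change on the directory itself.
        os.chmod(spool, 0o755)
        after_chmod = diff_metadata(baseline, dir_metadata(spool))
        return after_churn, after_chmod

if __name__ == "__main__":
    churn, chmod = demo()
    print("after file churn:", churn or "no change")
    print("after chmod:", chmod)
```

Only mode, uid and gid are compared; the directory's mtime is left out on purpose because it changes whenever a queue file is created or removed.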
