Anyone have any insight on how to exclude files/directories with the proper regex?

On Nov 5, 7:11 am, Jeremy Lee <[email protected]> wrote:
> I've tried this and the "*" regex wildcard does not work with the <ignore>
> directive.
>
> On Wed, Nov 4, 2009 at 2:35 PM, John A. Sullivan III <[email protected]> wrote:
>
> > Hmmm . . . just a thought - haven't tried it - what if you
> > included /var/spool/mqueue and ignored /var/spool/mqueue/*? - John
> >
> > On Wed, 2009-11-04 at 09:53 -0800, Joshua Albright wrote:
> > > Hi Daniel,
> > >
> > > Thanks for your reply. Is it possible to monitor only the base
> > > directory without monitoring any of the files located in the
> > > directory?
> > >
> > > For example I want to make sure permissions don't change on
> > > /var/spool/mqueue, but don't care about any files inside that directory.
> > >
> > > Thanks,
> > >
> > > Josh
> > >
> > > On Sep 18, 9:46 am, Daniel Cid <[email protected]> wrote:
> > > > Hi Josh,
> > > >
> > > > If you know the file names you want to monitor inside the /var/spool
> > > > directory you can use regular expressions in there:
> > > >
> > > > <directories check_all="yes">/var/spool/*filesX</directories>
> > > >
> > > > Otherwise you would need to use rules for that, since our <ignore>
> > > > option is very simple. In the rule you can do:
> > > >
> > > > <rule id="abc" level="0">
> > > >   <if_group>syscheck</if_group>
> > > >   <regex>/var/spool/QF|/var/spool/df</regex>
> > > >   <description>Ignoring QF and DF files inside /var/spool</description>
> > > > </rule>
> > > >
> > > > Hope it helps.
> > > >
> > > > --
> > > > Daniel B. Cid
> > > > dcid ( at ) ossec.net
> > > >
> > > > On Thu, Sep 17, 2009 at 2:03 PM, Josh Albright <[email protected]> wrote:
> > > > > Hi,
> > > > >
> > > > > Is it possible to ignore files that match a regex pattern in specific
> > > > > directories while continuing to monitor in others? I'm trying to
> > > > > monitor the /var/spool/mqueue base directory and ignore all the mail
> > > > > related files within the directory as they change/move frequently.
> > > > >
> > > > > I put the following ignore type rule in place to ignore the mail
> > > > > related files:
> > > > >
> > > > > <directories check_all="yes">/var/spool</directories>
> > > > > <ignore type="sregex">^Qf|^df|^qf|^xf</ignore>
> > > > >
> > > > > I think this works ok for ignoring the mail related files, but the
> > > > > rule will also cause files in other directories to be ignored that
> > > > > I don't want such as /etc/dfs/dfstab.
> > > > >
> > > > > Is there a way to apply the ignore rule only to a specific directory?
> > > > > Thanks for your help!
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Josh
> > > > >
> > > > > This email and the information included in this transmission are
> > > > > privileged and confidential and intended only for the recipient
> > > > > listed above. If you are not the intended recipient, please advise
> > > > > the sender immediately by reply e-mail and delete this message and
> > > > > any attachments without retaining a copy. If you are not the
> > > > > intended recipient, you are hereby notified that any disclosure,
> > > > > copying or distribution of this message, or the taking of any action
> > > > > based upon it, is strictly prohibited. Although this email and any
> > > > > attachments are believed to be free of any virus or other defects
> > > > > which might affect any computer or IT system into which they are
> > > > > received, neither Escalate Retail nor any of its affiliates shall be
> > > > > liable for any loss or damage arising in any way from the receipt or
> > > > > use thereof.
> >
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > [email protected]
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society
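As an added illustration (not code from the thread and not OSSEC's own code), the following Python model contrasts the two approaches discussed above: a prefix-only ignore pattern like Josh's `^Qf|^df|^qf|^xf`, and a directory-scoped pattern in the style of Daniel's rule regex, where the directory path is part of the pattern. Python's `re` stands in for OSSEC's sregex/regex engines, the prefix-only pattern is tested against the file name alone (which reproduces the over-matching on /etc/dfs/dfstab that Josh describes), and the `scoped_pattern` helper, the function names and the sample paths are all constructed here for the example.

```python
import os
import re

# Constructed sample syscheck paths (illustrative, not events from the thread).
SAMPLE_PATHS = [
    "/var/spool/mqueue",                    # the base directory itself
    "/var/spool/mqueue/qfn9A1b2C3d4E5",     # mail queue control file
    "/var/spool/mqueue/dfn9A1b2C3d4E5",     # mail queue data file
    "/var/spool/mqueue/xfn9A1b2C3d4E5",     # mail queue transcript file
    "/var/spool/cron/root",
    "/etc/dfs/dfstab",                      # starts with "df" but must stay monitored
    "/etc/passwd",
]

# The file-name prefixes from the thread's <ignore type="sregex"> pattern.
MAIL_PREFIXES = ["Qf", "df", "qf", "xf"]

# Prefix-only ignore: ^Qf|^df|^qf|^xf, with Python's re standing in for sregex.
UNSCOPED_IGNORE = re.compile("|".join(f"^{re.escape(p)}" for p in MAIL_PREFIXES))


def unscoped_ignored(path: str) -> bool:
    """Model of the prefix-only ignore, tested against the file name alone.
    Because nothing ties the pattern to a directory, '^df' also matches
    the basename of /etc/dfs/dfstab."""
    return UNSCOPED_IGNORE.search(os.path.basename(path)) is not None


def scoped_pattern(directory: str, prefixes) -> "re.Pattern[str]":
    """Build a directory-scoped ignore regex in the spirit of Daniel's rule:
    the directory path is embedded in the pattern, so only files directly
    inside that directory can match. (Hypothetical helper for this example.)"""
    directory = directory.rstrip("/")
    alternatives = "|".join(re.escape(p) for p in prefixes)
    # Anchor at the start of the full path and require the separator after the
    # directory name, so the base directory itself stays monitored and a
    # sibling such as /var/spool/mqueueX cannot match.
    return re.compile(rf"^{re.escape(directory)}/(?:{alternatives})")


MQUEUE_IGNORE = scoped_pattern("/var/spool/mqueue", MAIL_PREFIXES)


def scoped_ignored(path: str) -> bool:
    """Directory-scoped ignore, tested against the full path."""
    return MQUEUE_IGNORE.search(path) is not None


def split_events(paths, is_ignored):
    """Partition syscheck paths into (kept, ignored) lists using a predicate."""
    kept, ignored = [], []
    for p in paths:
        (ignored if is_ignored(p) else kept).append(p)
    return kept, ignored


if __name__ == "__main__":
    for label, pred in (("unscoped", unscoped_ignored), ("scoped", scoped_ignored)):
        kept, ignored = split_events(SAMPLE_PATHS, pred)
        print(f"{label}: ignored {ignored}")
        print(f"{label}: kept    {kept}")
```

Running it shows the prefix-only model dropping /etc/dfs/dfstab along with the mqueue files, while the scoped pattern ignores only the three files under /var/spool/mqueue and keeps both the base directory and dfstab under monitoring.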
