That page, which I've been to before, is like the rest of the OSSEC
documentation, sparse and not very clear. ;)
Please help us out; documentation is an ongoing effort that needs help
from the community. In the case of the wiki it is world editable and
monitored for spam, but just waiting for the community to take advantage of
it ;)
It doesn't even say
anything about "sregex" or which one is used within the <ignore>
statement. I looked at the code and <ignore> seems to use the os_match
library though.
sregex is matched using OS_Match functions so the docs are correct, but not
as clear as could be. From the wiki page on regex at the very bottom is
the bullet point:
* ignore (inside syscheck ignore fields as type="sregex")
Note: this was just added by ddpbsd. Thank mang!
I will see what I can do about getting the more formal manual updated.
-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
Behalf Of dan (ddp) Sent: Tuesday, August 03, 2010 6:08 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] File integrity checking ignore syntax
The sregex syntax is VERY limited.
This explains the syntax: http://www.ossec.net/wiki/Know_How:Regex_Readme
On Tue, Aug 3, 2010 at 6:17 PM, Jefferson, Shawn
<shawn.jeffer...@bcferries.com> wrote:
Hi,
I'm monitoring a directory that contains application files and logs.
I'd like to ignore the logs. The filenames are in the format:
blahblah.log.1 or blahblah.log.22 (one or two digits indicating the
day of the month.)
I thought that this might do it, but doesn't seem to be working:
<ignore type="sregex">.log.\d+$</ignore>
What am I doing wrong here?
Thanks,
Shawn
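The sregex matching discussed in this thread, as an added example in Python that is not part of the original post or of OSSEC itself. It assumes the operator set the OSSEC regex wiki page documents for OS_Match (^ start anchor, $ end anchor, | for alternatives, a leading ! for negation) with every other character taken literally, and runs the question's pattern against constructed file names:

```python
# Added example: a minimal model of OSSEC's OS_Match ("sregex") semantics.
# This is NOT OSSEC's own code. Assumed operators (per the OSSEC regex
# wiki): '^' anchors to the start, '$' to the end, '|' separates
# alternatives, a leading '!' negates the whole pattern. Everything else,
# including '.', '\' and '+', is matched literally.

def sregex_match(pattern: str, text: str) -> bool:
    """Return True if `text` matches `pattern` under the sregex rules above."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        start = 1 if anchored_start else 0
        stop = len(alt) - 1 if anchored_end else len(alt)
        literal = alt[start:stop]
        if anchored_start and anchored_end:
            hit = text == literal
        elif anchored_start:
            hit = text.startswith(literal)
        elif anchored_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text  # plain substring match
        if hit:
            return not negate
    return negate


# Constructed file names shaped like the ones in the question.
FILES = ["blahblah.log.1", "blahblah.log.22", "blahblah.conf"]


def ignored(pattern: str) -> list:
    """Which of FILES an <ignore type="sregex"> with `pattern` would skip."""
    return [f for f in FILES if sregex_match(pattern, f)]


if __name__ == "__main__":
    # The question's pattern: '\d+' has no meaning in sregex, so the literal
    # text '.log.\d+' is looked for at the end of the name and nothing is ignored.
    print(ignored(r".log.\d+$"))  # []
    # A plain substring pattern skips both rotated logs and keeps the .conf.
    print(ignored(".log."))  # ['blahblah.log.1', 'blahblah.log.22']
```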