I was referring to syscheck ignore entry, but if I can do it either ways
that will be nice.

Here is what I have: 

<ignore type="sregex"> logs|work|</ignore>

Does this entry correctly instruct syscheck to ignore the directories logs
and work?

Yes, I had rule 554 in ossec_rules.xml set to level "7".

<rule id="554" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

Do I need to do anything on the agent side? In the meantime I will be
testing this again.

Thank you
Abdellah



-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Friday, August 12, 2011 2:17 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec alert new files

On Fri, Aug 12, 2011 at 2:50 PM, Abdellah Tantan <adtan...@paydq.com> wrote:
> My ossec does not report new files when they are created even though I
> have this in the agent ossec.conf file
>
> <syscheck>
>    <!-- Frequency that syscheck is executed - default to every 22 hours -->
>    <frequency>79200</frequency>
>    <alert_new_files>yes</alert_new_files>
>

Did you bump the level of rule 554?

> Am I missing anything here? Also, how can I exclude a directory name using
> regular expressions from file change check?
>

Are you talking about a syscheck ignore entry, or as a rule?

<ignore type="sregex">^/path/to/directory</ignore>
Maybe (in a rule): <regex>\.*directory\.*</regex>

> Thank you,
> Abdellah
>
>
