I was referring to the syscheck ignore entry, but if I can do it either way that will be nice.

Here is what I have:

<ignore type="sregex"> logs|work|</ignore>

Does this entry correctly instruct syscheck to ignore the directories logs and work?

Yes, I had rule 554 in ossec_rules.xml set to level "7".

<rule id="554" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

Do I need to do anything on the agent side? In the meantime I will be testing this again.

Thank you
Abdellah

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Friday, August 12, 2011 2:17 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec alert new files

On Fri, Aug 12, 2011 at 2:50 PM, Abdellah Tantan <adtan...@paydq.com> wrote:
> My ossec does not report new files when they are created even though I have
> this in the agent ossec.conf file
>
> <syscheck>
> <!-- Frequency that syscheck is executed - default to every 22 hours -->
> <frequency>79200</frequency>
> <alert_new_files>yes</alert_new_files>
>

Did you bump the level of rule 554?

> Am I missing anything here? Also, how can I exclude a directory name using
> regular expressions from file change check?
>

Are you talking about a syscheck ignore entry, or as a rule?

<ignore type="sregex">^/path/to/directory</ignore>

Maybe (in a rule):
<regex>\.*directory\.*</regex>

> Thank you,
> Abdellah
>
>
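An added example, not part of the thread or of OSSEC itself: a small Python model of how a syscheck <ignore type="sregex"> entry is evaluated against file paths, showing why the unanchored "logs|work" entry above also silences syscheck for unrelated paths that merely contain those substrings, and how anchoring the alternatives with ^ keeps the ignore list narrow. It assumes the documented sregex semantics (only ^, $ and | are special, everything else is a literal substring test); the sample paths are constructed, and the handling of an empty alternative left by a trailing '|' is this model's assumption, not verified against OSSEC's parser.

```python
"""Model of OSSEC sregex matching as used by syscheck <ignore type="sregex">."""


def sregex_match(pattern: str, path: str) -> bool:
    """Return True if path matches an OSSEC-style sregex pattern.

    Assumed semantics: '|' separates alternatives, '^' anchors an alternative
    to the start of the path, '$' anchors it to the end, and every other
    character is a literal.  There are no wildcards, so an unanchored
    alternative is a plain substring test anywhere in the path.
    """
    for alt in pattern.split("|"):
        if not alt:
            # Empty alternative (e.g. the trailing '|' in "logs|work|").
            # Skipped in this model; real parser behaviour is not verified here.
            continue
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        literal = alt[1 if anchored_start else 0 : -1 if anchored_end else None]
        if anchored_start and anchored_end:
            hit = path == literal
        elif anchored_start:
            hit = path.startswith(literal)
        elif anchored_end:
            hit = path.endswith(literal)
        else:
            hit = literal in path
        if hit:
            return True
    return False


def ignored_paths(pattern: str, paths: list) -> list:
    """Return the subset of paths that the ignore entry would exclude from FIM."""
    return [p for p in paths if sregex_match(pattern, p)]


# Constructed sample paths: the last three are NOT the logs/work directories.
SAMPLE_PATHS = [
    "/opt/app/logs/app.log",
    "/opt/app/work/tmp.dat",
    "/etc/networking/hosts",    # "networking" contains "work"
    "/home/user/catalogs.db",   # "catalogs" contains "logs"
    "/etc/passwd",
]

if __name__ == "__main__":
    # Unanchored: 4 of 5 paths ignored, including two unrelated ones.
    print(ignored_paths("logs|work", SAMPLE_PATHS))
    # Anchored to the real directories: only the intended 2 paths ignored.
    print(ignored_paths("^/opt/app/logs|^/opt/app/work", SAMPLE_PATHS))
```

Every path matched by the ignore entry is a file syscheck will never alert on, so an over-broad pattern is a silent blind spot in file integrity monitoring.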