On Mon 23.Jan'12 at 11:46:17 -0800, BP9906 wrote:
> Your ignore syntax for ossec.conf might be a bit off.
> 
> Try this:
> 
>    <ignore type="sregex">^/etc/something</ignore>
> 
> That will ignore anything that starts with /etc/something. Then
> restart the agent of course to take effect.

That will ignore the alerts, but not prevent syscheckd from browsing
that directory, which is the issue.

The ignore rule works fine: content of that directory does not generate
alerts. But my problem is with syscheckd scanning a 12TB NFS share.

- Julien
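
For the situation described in this message, an added example (not part of the original thread, and not OSSEC code) that lists which syscheck `<directories>` entries contain, or sit on, an NFS mount. The sample configuration and mount table are constructed; the script assumes Linux `/proc/mounts` format and an `ossec.conf` with a single root element.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample inputs (not taken from the thread).
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin</directories>
    <directories check_all="yes">/srv</directories>
    <ignore type="sregex">^/srv/archive</ignore>
  </syscheck>
</ossec_config>"""

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
filer:/vol/archive /srv/archive nfs rw,vers=3 0 0
filer:/vol/home /home nfs4 rw 0 0
"""

NFS_TYPES = {"nfs", "nfs4"}

def monitored_dirs(conf_xml):
    """Return every path listed in a <directories> element (comma-separated)."""
    root = ET.fromstring(conf_xml)
    dirs = []
    for el in root.iter("directories"):
        dirs += [p.strip() for p in (el.text or "").split(",") if p.strip()]
    return dirs

def nfs_mounts(mounts_text):
    """Return mount points whose filesystem type (third field) is NFS."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in NFS_TYPES:
            points.append(fields[1])
    return points

def nfs_under_monitored(conf_xml, mounts_text):
    """Pair each monitored directory with any NFS mount at, below or above it."""
    hits = []
    for d in monitored_dirs(conf_xml):
        dp = PurePosixPath(d)
        for m in nfs_mounts(mounts_text):
            mp = PurePosixPath(m)
            if mp == dp or dp in mp.parents or mp in dp.parents:
                hits.append((d, m))
    return hits

if __name__ == "__main__":
    for directory, mount in nfs_under_monitored(SAMPLE_CONF, SAMPLE_MOUNTS):
        print(f"{directory}: NFS mount at {mount}")
```

On a real agent, pass the contents of the agent's `ossec.conf` and `/proc/mounts` instead of the constructed samples.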
