On Fri 27.Jan'12 at 17:45:23 -0500, dan (ddp) wrote: > On Wed, Jan 25, 2012 at 12:35 PM, BP9906 <[email protected]> wrote: > > No, that option does tell syscheckd to ignore that entire folder and > > subcontents. If you have windows, I believe its different. > > > > See http://www.ossec.net/main/manual/manual-syscheck#examples > > > > I think ossec-syscheckd will still go down into the directory, it just > won't forward the information. >
Correct. This is what I observe when following syscheckd with strace on a linux box. IMHO <ignore> should tell syscheckd to not even look at the directory. Should it be a feature/bug request ? - Julien
