On Mon, Jan 30, 2012 at 5:02 AM, Macus <[email protected]> wrote:
> In the OSSEC Wiki, it states auto_ignore: Specifies if syscheck will
> ignore files that change too often (after the third change).
>
> I am using OSSEC 2.6 on CentOS 5.3 64-bit.
> What's the mechanism of the auto ignore for a file that changes too
> often? Does it ignore the file after the third change? How to check if
> a file is already ignored?

If you don't turn off auto ignore, changes after the third will not be tracked. The only way I know of to see how many times it's changed is to count the number of entries in the syscheck db:

`./syscheck_control -i 001 | grep ossec.conf | wc -l`

> I found a file was changed, but it was not reported by the OSSEC. I
> guess the file was ignored automatically.
