Thanks Jesus Linares,

Yes, I noticed the typo, was using <ignore type="sregex">

I can't use '.jpg$' because I want to only exclude directory_one/directory_two/*.jpg

Therefore I tried config like this:

<ignore type="sregex">/home/leo/testing/\.+.jpg</ignore>
<ignore type="sregex">/home/leo/testing/\S+.jpg</ignore>

Unfortunately no luck with regular expression matching for me

On Friday, 12 February 2016 01:08:11 UTC+11, Jesus Linares wrote:
>
> Hi Leo,
>
> I'm glad you can solve your issue with the rules, but ignore should
> work.
>
> The symbol ^ in "<ignore type="^sregex">.jpg$</ignore>" is a typo. You
> could try with <ignore type="sregex">.jpg$</ignore>.
>
> Check the documentation out:
> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/
>
> Regards.
> Jesus Linares.
>
> On Wednesday, February 10, 2016 at 11:42:52 PM UTC+1, Leo G wrote:
>>
>> Thank you!!
>>
>> add match and regex in rules worked for me.
>>
>> no luck with ignore="sregex" :(
>>
>> On Wednesday, 10 February 2016 10:16:08 UTC+11, Leo G wrote:
>>>
>>>
>>> Hi,
>>>
>>> Can someone please help with the regex? I want to exclude all the .jpg
>>> files in xxx/xxx/,
>>>
>>> I have config in ossec.conf below:
>>>
>>> <alert_new_files>yes</alert_new_files>
>>> <directories check_all="yes">/home/xxx</directories>
>>> <ignore>/home/xxx/xxx/\S*\.jpg</ignore>
>>> </syscheck>
>>>
>>> However it seems it's still not ignoring all the jpg files, still
>>> getting alerts for all the new jpg files.
>>>
>>> Also used 'ossec-regex' for testing,
>>>
>>> > /var/ossec/bin/ossec-regex '/home/xxx/xxx/\S*\.jpg'
>>> > New file '/home/xxx/xxx/yyy.jpg' added to the file system.
>>>
>>> +OSRegex_Execute: New file '/home/xxx/xxx/yyy.jpg' added to the file
>>> system.
>>> +OS_Regex : New file '/home/xxx/xxx/yyy.jpg' added to the file
>>> system.
>>> ^C
>>>
>>> Seems to be matching.
>>>
>>
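Added example, not part of the thread and not OSSEC's own code: a simplified Python model of the sregex (OS_Match) syntax as the OSSEC documentation describes it, where only ^, $ and | are special, run over constructed paths to show how the patterns quoted in the thread behave. The function names, the sample paths and the case-insensitive comparison are assumptions of this model.

```python
# Simplified model of OSSEC's documented sregex (OS_Match) syntax, not OSSEC code.
# Only ^ (start), $ (end) and | (or) are special; \S, \., + and * are literal text.

def sregex_match(pattern, text):
    """Return True if any |-separated alternative of pattern matches text."""
    text = text.lower()  # assumption of this model: comparison ignores case
    for alt in pattern.lower().split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1:] if at_start else alt
        literal = literal[:-1] if at_end else literal
        if at_start and at_end:
            hit = text == literal            # ^literal$ : whole string
        elif at_start:
            hit = text.startswith(literal)   # ^literal  : prefix
        elif at_end:
            hit = text.endswith(literal)     # literal$  : suffix
        else:
            hit = literal in text            # literal   : substring
        if hit:
            return True
    return False


def ignored(pattern, paths):
    """Paths that a syscheck ignore entry with this sregex would suppress."""
    return [p for p in paths if sregex_match(pattern, p)]


# Constructed sample paths (not taken from the thread).
PATHS = [
    "/home/leo/testing/photo.jpg",
    "/home/leo/other/photo.jpg",
    "/home/leo/testing/notes.txt",
]

if __name__ == "__main__":
    patterns = (
        r"/home/leo/testing/\S+.jpg",   # pattern tried in the thread
        r"/home/leo/testing/\.+.jpg",   # pattern tried in the thread
        ".jpg$",                        # pattern suggested in the thread
        "^/home/leo/testing/",          # hypothetical prefix-only pattern
    )
    for pat in patterns:
        print(f"{pat!r:32} ignores {ignored(pat, PATHS)}")
```

In this model the `\S+` and `\.+` patterns are literal strings that never occur in a real path, `.jpg$` suppresses JPEG alerts in every monitored directory, and a `^` prefix suppresses everything beneath it.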
