Actually think this might be what I'm looking for (even though it's not what I said). The network shares are mounted under a single dir, so it should be easy. I'll give it a try and see whether it works. Appreciate the fast response!
Cheers,
Juraj

On Wednesday, August 31, 2016 at 6:26:11 PM UTC+2, q wrote:
>
> Hello Juraj!
>
> You can try the <ignore> option in the rootcheck section in your
> ossec-agent-shared.conf
>
> for example:
>
> <agent_config profile="my_profile">
>   <syscheck>
>   </syscheck>
>   <rootcheck>
>     <ignore>/var/www/ptb/</ignore>
>   </rootcheck>
> </agent_config>
>
> On 31.08.2016 15:08, B2RN wrote:
>
> Hey all,
>
> I'm trying to figure out whether there's a way to disable any sort of FS
> crawls performed by OSSEC. We have a few SAN clients that have 2.3PB of
> mounted network shares and I'd like to avoid OSSEC going through them for
> obvious reasons.
>
> http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/ mentions
> "skip_nfs", but this isn't actually NFS. It's a magical proprietary thing.
>
> And like I said, I'd just want to disable FS crawls entirely and have the
> agent(s) set up with log parsing and maybe active-response. Depends on how
> well I can write up the decoders/rules.
>
> By the way, asking before I start messing around with this because the
> machines are live.
>
> Cheers,
> Juraj
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
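A pre-deployment check for the approach discussed in this thread, added here as an example and not taken from the thread or from OSSEC itself: it parses an agent.conf and reports whether a mount root is still reachable by the syscheck or rootcheck sections it contains. The `/mnt/san` path, the sample config and the function names are constructed, and `<ignore>` is assumed to exclude everything beneath the listed path.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample agent.conf; /mnt/san is an assumed mount root.
SAMPLE_CONF = """
<agent_config profile="san_clients">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin</directories>
    <directories>/mnt/san/projects</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <rootcheck>
    <ignore>/mnt/san/</ignore>
  </rootcheck>
</agent_config>
"""

def _within(path, root):
    """True if path equals root or lies beneath it (component-wise)."""
    path, root = posixpath.normpath(path.strip()), posixpath.normpath(root.strip())
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit(conf_text, mount_root):
    """List the sections present in conf_text that could still crawl mount_root."""
    # agent.conf may contain several top-level <agent_config> blocks,
    # which is not well-formed XML on its own, so wrap them in one root.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for name in ("syscheck", "rootcheck"):
        for sec in root.iter(name):
            if (sec.findtext("disabled") or "").strip().lower() == "yes":
                continue
            ignores = [i.text for i in sec.findall("ignore")
                       if i.text and i.get("type") is None]  # skip sregex entries
            if any(_within(mount_root, ig) for ig in ignores):
                continue
            if name == "rootcheck":
                # Assumption: rootcheck may walk any path that is not ignored.
                findings.append(f"rootcheck: {mount_root} not ignored")
                continue
            for entry in sec.findall("directories"):
                for d in (entry.text or "").split(","):
                    d = d.strip()
                    # A monitored dir under the mount, or an ancestor of it.
                    if d and (_within(d, mount_root) or _within(mount_root, d)):
                        findings.append(f"syscheck: {d} monitored, {mount_root} not ignored")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF, "/mnt/san"):
        print(line)
```

Sections missing from the file are not reported, since the agent's local ossec.conf then decides what is scanned.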
