On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison
<leroy.tenni...@gmail.com> wrote:
> I'm having trouble getting an ignore expression to actually ignore a change
> and suspect it's due to not understanding how OSSEC regular expressions
> work.  When I searched for examples I found very little so I'm hoping
> someone can reply with examples or explanations.  What I tried was:
>
> <ignore type="regex">/var/lib/postgresql/9.5/main/base/\d+/\d+$</ignore>
> <ignore>/var/lib/postgresql/9.5/main/pg_xlog/\d+$</ignore>
> <ignore
> type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
> <ignore
> type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>
>

According to the documentation,
(https://ossec.github.io/docs/syntax/head_ossec_config.syscheck.html)
sregex is what's available here. This is a VERY limited regex subset
as documented here:
https://ossec.github.io/docs/syntax/regex.html#os-match-sregex-syntax
Also, I'm not sure ignores can be used in agent.conf. It's possible
I'm mis-remembering this though.

>
> I'm still getting alerts such as the following:
>
> Integrity checksum changed for:
> '/var/lib/postgresql/9.5/main/base/16387/1259'
> Integrity checksum changed for:
> '/var/lib/postgresql/9.5/main/pg_xlog/000000010000000000000026'
> New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file
> system. (I configured new file alerting and am glad to see it's working but
> just not this directory).
>
> Thanks for the help.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
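
Added example, not part of the thread and not OSSEC's own code: a small Python model of the sregex syntax linked in the reply, run against the patterns and alert paths quoted above. It assumes that only `^`, `$` and `|` are special and that everything else, including `\d`, `\w` and `+`, is compared as literal text; the prefix patterns and the `PG_VERSION` path are constructed for illustration.

```python
# Simplified model of the documented os_match/sregex syntax.
# Assumption: only ^, $ and | are special; \d, \w and + are literal text.

def sregex_match(pattern: str, text: str) -> bool:
    """Return True if any |-separated alternative matches text."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1:] if at_start else alt
        literal = literal[:-1] if at_end else literal
        if at_start and at_end:
            ok = text == literal
        elif at_start:
            ok = text.startswith(literal)
        elif at_end:
            ok = text.endswith(literal)
        else:
            ok = literal in text
        if ok:
            return True
    return False

# Paths taken from the alerts quoted in the thread.
ALERTED = [
    "/var/lib/postgresql/9.5/main/base/16387/1259",
    "/var/lib/postgresql/9.5/main/pg_xlog/000000010000000000000026",
    "/var/lib/postgresql/9.5/main/pg_subtrans/0019",
]
# Patterns exactly as posted in the question.
ORIGINAL = [
    r"/var/lib/postgresql/9.5/main/base/\d+/\d+$",
    r"/var/lib/postgresql/9.5/main/pg_xlog/\d+$",
    r"/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$",
    r"/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$",
]
# Constructed alternative: anchored directory prefixes, no character classes.
PREFIXES = [
    "^/var/lib/postgresql/9.5/main/base/",
    "^/var/lib/postgresql/9.5/main/pg_xlog/",
    "^/var/lib/postgresql/9.5/main/pg_subtrans/",
]

def still_alerting(patterns, paths):
    """Paths that no ignore pattern covers, i.e. that would still alert."""
    return [p for p in paths if not any(sregex_match(x, p) for x in patterns)]

if __name__ == "__main__":
    print("original patterns miss:", still_alerting(ORIGINAL, ALERTED))
    print("prefix patterns miss:  ", still_alerting(PREFIXES, ALERTED))
```

Under this model the posted patterns cover none of the alerted paths, while the anchored prefixes cover all three and leave the rest of the data directory monitored.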
