Wouldn't it be easier, rather than modifying the rule, to simply add these to the ignores with

<ignore>/dev/oracleasm</ignore>

Just a thought.

Kat

On Tuesday, August 30, 2016 at 9:12:33 AM UTC-5, Stephen LuShing wrote:
> I have been getting this notification which I am trying to fix. This is a
> normal occurrence since this is an Oracle database using ASM disks. The
> notification is the same but the file changes. Here is what we received:
>
> OSSEC HIDS Notification.
> 2016 Aug 30 08:33:48
>
> Received From: (lxbanrdt2) 147.4.146.155->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> File '/dev/oracleasm/iid/00000000000019BE' present on /dev. Possible hidden file.
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2016 Aug 30 08:33:48
>
> I want to have this notification ignored so any ideas on how to do this.
>
> Stephen LuShing
> Hofstra University
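
The rule-based alternative mentioned in the reply, written as a local override instead of an edit to rule 510 itself. This is an added example, not part of the original thread; the rule id 100510 and the description text are arbitrary choices, and the file location assumes a standard OSSEC server layout.

```xml
<!-- Added example, not from the thread.
     Assumed location: rules/local_rules.xml on the OSSEC server. -->
<group name="local,rootcheck,">

  <!-- Rule id 100510 is an arbitrary pick from the user-defined range (100000+). -->
  <rule id="100510" level="0">
    <!-- Only evaluated as a child of the rootcheck anomaly rule from the alert. -->
    <if_sid>510</if_sid>

    <!-- Anchored to the start of the log line quoted in the notification, so only
         entries under /dev/oracleasm/iid/ are silenced. Any other unexpected
         file on /dev still fires rule 510 at level 7. -->
    <match>^File '/dev/oracleasm/iid/</match>

    <description>Expected Oracle ASM iid entries under /dev (not alerted).</description>
  </rule>

</group>
```

The OSSEC server has to be restarted before the new rule is loaded. Keeping the match on the `iid/` subdirectory rather than all of `/dev` leaves the rootcheck /dev anomaly check active for everything else on the host.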