regex help/clarification - specify all files with a given extension


Leroy Tennison

Mar 19, 2020, 4:58:56 PM
to ossec-list
Running v3.3.0 on the server and v3.2.0 on the client, trying to exclude *.bz2 in a given directory, I tried:

<agent_config profile="bfr">
  <syscheck>
    <ignore type="sregex">/path/to/.bz2$</ignore>
  </syscheck>
</agent_config>

based on another post.  I obviously don't understand how to do it because it's not working.  /var/ossec/etc/shared/agent.conf shows the above and ossec.conf on the client has:

<ossec_config>
  <client>
    <server-ip>10.22.14.11</server-ip>
    <config-profile>bfr, cfg, ubuntu</config-profile>
  </client>

I've also tried the above with the qcow2 extension and get the same result.

In general, how do I write an OSSEC specification to exclude all files with a given extension?  Thanks for your help.

dan (ddp)

Mar 27, 2020, 1:30:47 PM
to ossec...@googlegroups.com
On Thu, Mar 19, 2020 at 4:59 PM Leroy Tennison <leroy.t...@gmail.com> wrote:
>
> Running v3.3.0 on the server and v3.2.0 on the client, trying to exclude *.bz2 in a given directory, I tried:
>
> <agent_config profile="bfr">
> <syscheck>
> <ignore type="sregex">/path/to/.bz2$</ignore>

I think this will ignore '/path/to/.bz2' and only that file.

> </syscheck>
> </agent_config>
>
> based on another post. I obviously don't understand how to do it because it's not working. /var/ossec/etc/shared/agent.conf shows the above and ossec.conf on the client has:
>
> <ossec_config>
> <client>
> <server-ip>10.22.14.11</server-ip>
> <config-profile>bfr, cfg, ubuntu</config-profile>
> </client>
>
> I've also tried the above with the qcow2 extension and get the same result.
>
> In general, how do I write an OSSEC specification to exclude all files with a given extension? Thanks for your help.
>
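Added example, not part of either poster's message and not OSSEC's own code: a simplified Python model of `sregex` matching, run over constructed paths with the pattern from the thread and with an extension-only pattern. It assumes that only `^`, `$` and `|` are special and that every other character, including `.`, is literal; case handling is not modelled, and the function names are hypothetical.

```python
# Simplified model of OSSEC "sregex" matching (assumption: only ^, $ and |
# are special; every other character, including '.', is a literal).

def sregex_match(pattern: str, path: str) -> bool:
    """Return True if any '|' alternative of pattern matches path."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        literal = alt[1:] if anchored_start else alt
        literal = literal[:-1] if anchored_end else literal
        if not literal:
            continue  # an alternative with no literal text matches nothing here
        if anchored_start and anchored_end:
            ok = path == literal
        elif anchored_start:
            ok = path.startswith(literal)
        elif anchored_end:
            ok = path.endswith(literal)
        else:
            ok = literal in path  # unanchored: plain substring match
        if ok:
            return True
    return False


def ignored(patterns, paths):
    """Paths that at least one ignore pattern would exclude from monitoring."""
    return [p for p in paths if any(sregex_match(pat, p) for pat in patterns)]


# Constructed sample paths (not from the thread).
SAMPLE_PATHS = [
    "/path/to/.bz2",
    "/path/to/backup.bz2",
    "/path/to/sub/archive.bz2",
    "/path/to/disk.qcow2",
    "/etc/passwd.bz2",
    "/path/to/notes.bz2.txt",
]

if __name__ == "__main__":
    for pats in (["/path/to/.bz2$"], [".bz2$"], [".bz2$|.qcow2$"]):
        print(pats, "->", ignored(pats, SAMPLE_PATHS))
```

Under this model the extension-only pattern is not tied to any directory, so it also drops `/etc/passwd.bz2` from integrity monitoring; review which paths an ignore rule covers before deploying it.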