Re: [ossec-list] ossec-syscheckd - how to exclude directory


Stephane Rossan

Nov 7, 2012, 6:23:30 PM
to ossec...@googlegroups.com
I believe you have to use ignore for the file/directory you want to exclude:
 <ignore>/var/lib/backuppc</ignore>

On Wed, Nov 7, 2012 at 3:01 PM, SupuS <kop...@zserver.cz> wrote:
Hello,

I would like to exclude the directory /var/lib/backuppc from ossec-syscheckd completely. The OSSEC server is installed on the same host and every day it scans this directory. It takes many hours and a lot of CPU and I really don't want to scan this directory. Is there a way to do it?

In /var/ossec/etc/ossec.conf I have:

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

so the /var directory should not be scanned at all, right? But it is scanned every time ossec-syscheckd runs.

Thanks for any suggestions.

Jan Kopecký

Sep 24, 2013, 4:26:59 PM
to ossec...@googlegroups.com
Hi srossan,

thank you for the reply and sorry for the slightly late response ;)

I set the following in /var/ossec/etc/ossec.conf:

<ignore>/var/lib/backuppc</ignore>

but it doesn't work. The ossec-syscheckd daemon still checks this directory. I found another recommendation at http://www.ossec.net/doc/manual/syscheck/ so I added the following:

<ignore type="sregex">^/var/lib/backuppc</ignore>

but it doesn't help either. A separate filesystem is mounted on the directory /var/lib/backuppc and it now contains a lot of files. It takes a few days for ossec-syscheckd to finish scanning and it has a really negative influence on backup performance.

On Thursday, November 8, 2012, 0:23:30 UTC+1, srossan wrote:

dan (ddp)

Sep 26, 2013, 9:52:24 AM
to ossec...@googlegroups.com
On Wed, Nov 7, 2012 at 6:01 PM, SupuS <kop...@zserver.cz> wrote:
> Hello,
>
> I would like to exclude the directory /var/lib/backuppc from ossec-syscheckd
> completely. The OSSEC server is installed on the same host and every day it scans
> this directory. It takes many hours and a lot of CPU and I really don't want
> to scan this directory. Is there a way to do it?
>
> In /var/ossec/etc/ossec.conf I have:
>
>> <!-- Directories to check (perform all possible verifications) -->
>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> <directories check_all="yes">/bin,/sbin</directories>
>
>
> so the /var directory should not be scanned at all, right? But it is scanned
> every time ossec-syscheckd runs.
>
> Thanks for any suggestion

What version of OSSEC?
Are there any symlinks pointing to /var from the other places?
Is this an agent, local, or server install? Possible agent.conf issue?

Jan Kopecký

Oct 2, 2013, 6:51:42 AM
to ossec...@googlegroups.com
> What version of OSSEC?

2.7 (upgraded from previous versions)

> Are there any symlinks pointing to /var from the other places?

no

> Is this an agent, local, or server install?

it is a server install

> Possible agent.conf issue?

what should I search for?

On Thursday, September 26, 2013, 15:52:24 UTC+2, dan (ddpbsd) wrote:

Franz Nemeth

Oct 2, 2013, 8:22:45 AM
to ossec...@googlegroups.com
Did you try: <ignore type="sregex">/var/lib/backuppc/\.*</ignore> ?

This seems to solve the issue for me!

Regards
Franz Nemeth

dan (ddp)

Oct 2, 2013, 8:47:05 AM
to ossec...@googlegroups.com
On Wed, Oct 2, 2013 at 6:51 AM, Jan Kopecký <kop...@zserver.cz> wrote:
>> What version of OSSEC?
>
> 2.7 (upgraded from previous versions)
>
>
>> Are there any symlinks pointing to /var from the other places?
>
> no
>
>
>> Is this an agent, local, or server install?
>
> it is a server install
>
>> Possible agent.conf issue?
>
> what should I search for?
>

Syscheck entries that apply to that system.


Jan Kopecký

Oct 16, 2013, 3:58:00 PM
to ossec...@googlegroups.com
I put this line into ossec.conf but it doesn't help. OSSEC is scanning the content of /var/lib/backuppc/ right now. This is a line from strace:

lstat("/var/lib/backuppc/pc/www.server.com/215/f%2f/fvar/fwww/fclients/fclient/fweb/fweb/fwp-admin/fimages/image.gif", {st_mode=S_IFREG|0640, st_size=243, ...}) = 0

On Wednesday, October 2, 2013, 14:22:45 UTC+2, Franz Nemeth wrote:

Jan Kopecký

Oct 16, 2013, 3:59:56 PM
to ossec...@googlegroups.com
Here is my syscheck config in ossec.conf:

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    <scan_on_start>no</scan_on_start>


    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/var/lib/backuppc</ignore>

    <ignore type="sregex">^/var/lib/backuppc</ignore>
    <ignore type="sregex">/var/lib/backuppc/\.*</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

nothing special I guess.

On Wednesday, October 2, 2013, 14:47:05 UTC+2, dan (ddpbsd) wrote:

Paul Raines

Oct 18, 2013, 3:36:03 PM
to ossec...@googlegroups.com
I think ossec-syscheckd also handles the rootcheck scans, which will scan your whole filesystem for rootkit issues.

So you would need to put your <ignore> line in the <rootcheck> section.
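As an added example (my code, not OSSEC's and not from the thread), this script parses the syscheck block posted above and reports what syscheck would do with the file from the strace line: it lies under none of the configured <directories>, so the syscheck ignore entries never apply and the walk must come from elsewhere, which fits the rootcheck explanation. Assumptions: plain <ignore> entries are treated as path-prefix matches, and the sregex matcher is a simplified approximation supporting only ^, $ and | rather than OSSEC's exact implementation.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the Unix entries from the syscheck block posted above.
SYSCHECK_XML = """<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <ignore>/etc/mtab</ignore>
  <ignore>/var/lib/backuppc</ignore>
  <ignore type="sregex">^/var/lib/backuppc</ignore>
</syscheck>"""
TRACED_PATH = (  # the file seen in the strace output posted in the thread
    "/var/lib/backuppc/pc/www.server.com/215/f%2f/fvar/fwww/"
    "fclients/fclient/fweb/fweb/fwp-admin/fimages/image.gif")

def parse_syscheck(xml_text):
    """Return configured directories and (type, pattern) ignore entries."""
    root = ET.fromstring(xml_text)
    dirs = [d.strip() for e in root.findall("directories") for d in e.text.split(",")]
    ignores = [(e.get("type", "plain"), e.text.strip()) for e in root.findall("ignore")]
    return dirs, ignores

def under_dir(path, directory):
    """A <directories> entry covers itself and everything below it."""
    directory = directory.rstrip("/")
    return path == directory or path.startswith(directory + "/")

def sregex_match(pattern, path):
    """Assumed approximation of OSSEC sregex: '|' alternatives, '^'/'$' anchors, else substring."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        body = alt[int(start):len(alt) - int(end)]
        if start and end:
            hit = path == body
        elif start:
            hit = path.startswith(body)
        elif end:
            hit = path.endswith(body)
        else:
            hit = body in path
        if hit:
            return True
    return False

def syscheck_verdict(xml_text, path):
    """'not_configured', 'ignored' or 'scanned': what syscheck would do with path."""
    dirs, ignores = parse_syscheck(xml_text)
    if not any(under_dir(path, d) for d in dirs):
        return "not_configured"  # never walked by syscheck, so its ignores cannot matter
    for kind, pat in ignores:  # plain ignores are prefix matches on the path
        hit = sregex_match(pat, path) if kind == "sregex" else path.startswith(pat)
        if hit:
            return "ignored"
    return "scanned"
```

Running `syscheck_verdict(SYSCHECK_XML, TRACED_PATH)` returns "not_configured", while "/etc/mtab" comes back "ignored" and "/etc/passwd" "scanned".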