Hi,
Is it possible to ignore files that match a regex pattern in specific directories while continuing to monitor in others? I’m trying to monitor the /var/spool/mqueue base directory and ignore all the mail related files within the directory as they change/move frequently.
I put the following ignore type rule in place to ignore the mail related files:
<directories check_all="yes">/var/spool</directories>
<ignore type="sregex">^Qf|^df|^qf|^xf</ignore>
I think this works ok for ignoring the mail related files, but the rule will also cause files in other directories to be ignored that I don’t want such as /etc/dfs/dfstab.
Is there a way to apply the ignore rule only to a specific directory? Thanks for your help!
Thanks,
Josh
If you know the file names you want to monitor inside the /var/spool directory you can use regular expressions in there:
<directories check_all="yes">/var/spool/*filesX</directories>
Otherwise you would need to use rules for that, since our <ignore> option is very simple.
In the rule you can do:
<group name="local,syscheck,">
  <!-- rule ids must be integers; 100100 is in the range reserved for local rules -->
  <rule id="100100" level="0">
    <if_group>syscheck</if_group>
    <regex>/var/spool/QF|/var/spool/df</regex>
    <description>Ignoring QF and DF files inside /var/spool</description>
  </rule>
</group>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
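A way to scope the ignore itself to one directory, as an added example that is not from either poster: syscheck tests each ignore pattern against the full path of the file, and the sregex type supports the `^` anchor and `|` alternation, so anchoring every alternative to `/var/spool/mqueue/` keeps the mail queue files out of the alerts while `/etc/dfs/dfstab` is still monitored. The directory list and the exact prefix set are assumptions for the illustration.

```xml
<!-- ossec.conf fragment (added example, not from the thread).
     Monitor /var/spool and /etc; ignore only the mail queue files. -->
<syscheck>
  <directories check_all="yes">/var/spool,/etc</directories>

  <!-- sregex is matched against the full path, so each alternative is
       pinned with ^ to /var/spool/mqueue/. An unanchored ^df would not
       be limited to that directory; this form cannot match /etc/dfs/dfstab. -->
  <ignore type="sregex">^/var/spool/mqueue/Qf|^/var/spool/mqueue/df|^/var/spool/mqueue/qf|^/var/spool/mqueue/xf</ignore>
</syscheck>
```

After restarting OSSEC, a quick check is to touch a file under /var/spool/mqueue with one of the prefixes and another one under /etc, then confirm that only the /etc change appears in the syscheck alerts. If the same filtering is done with a level 0 rule instead, the `<regex>` in the rule should contain the full `/var/spool/mqueue/` prefix, since the rule matches against the alert text rather than a bare file name.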