Hi Clayton,
How did you create your rule? Something like:
<rule id="100101" level="0">
  <if_group>syscheck</if_group>
  <match>/etc/amanda/</match>
  <description>Integrity checksum ignored for /etc/amanda.</description>
</rule>
Should work. If you didn't put your rule under the syscheck group (using if_group or if_sid), it probably never got evaluated. This document may help you understand the rules a bit:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, May 19, 2008 at 1:13 PM, Clayton Dillard
<[EMAIL PROTECTED]> wrote:
> I have an Amanda backup server onto which I've installed the OSSEC agent. I
> get regular alerts for files in /etc/amanda that have been deleted because
> of backup rotations and purging. I've tried creating a rule on the OSSEC
> server with a <match>/etc/amanda/</match> statement but still get the
> alerts.
>
> Can someone point where I'm wrong on this?
>
> Thanks,
> CTD
>
>
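An added example, not part of the original thread: the if_sid form mentioned in the reply, narrowed so that only file-deletion alerts under /etc/amanda/ are silenced while checksum changes and new files there still alert. It assumes the stock OSSEC ruleset, where rule 553 is the syscheck "File deleted" alert; the rule IDs 100102 and 100103 and the group name are placeholders.

```xml
<!-- local_rules.xml on the OSSEC server.
     Added example; rule IDs 100102/100103 are placeholders. -->
<group name="local,syscheck,">

  <!-- Ineffective form: no if_sid or if_group parent, so (per the reply
       above) it probably never gets evaluated for syscheck alerts.
       Kept commented out for comparison only. -->
  <!--
  <rule id="100102" level="0">
    <match>/etc/amanda/</match>
    <description>Ignore /etc/amanda (no parent rule).</description>
  </rule>
  -->

  <!-- Effective and narrow: child of rule 553 (assumed: stock syscheck
       "File deleted" rule). Level 0 suppresses the alert. Modifications
       to files in /etc/amanda/ are not matched here and still alert. -->
  <rule id="100103" level="0">
    <if_sid>553</if_sid>
    <match>/etc/amanda/</match>
    <description>File deletion ignored under /etc/amanda (backup rotation).</description>
  </rule>

</group>
```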