We have an Amanda backup server where OSSEC is loaded. I've created a
local rule to ignore files in the /etc/amanda directory but still get
alerts.
My rule looks like this:
<rule id="100040" level="0">
<if_sid>553</if_sid>
<match>/etc/amanda</match>
<description>Ignore integrity checks for Amanda backup location</description>
</rule>
Here is one of the alerts:
Received From: (raven) 1.2.3.4->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):
File '/etc/amanda/DailySet1/index/sugardb1.rpstechnology.com/_usr_local_apache2_htdocs/20080429010001_1.gz' was deleted. Unable to retrieve checksum.
Thanks,
Clay
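An added configuration example, not part of Clay's message or the thread's own files: the two standard OSSEC ways to stop syscheck alerts for a path. The enclosing <group> element, the <rules>/<include> listing and the <ignore> entry under <syscheck> are assumed from OSSEC's documented configuration layout, not from this post.

```xml
<!-- Added example. Option 1: server-side suppression in local_rules.xml.
     Rules belong inside a <group>; the file itself must be listed under
     <rules> in ossec.conf, otherwise the rule is never loaded. The rule
     matches the path in the decoded syscheck message and drops the event
     to level 0, so the agent still reports the change but no alert is written. -->
<group name="local,syslog,">
  <rule id="100040" level="0">
    <if_sid>553</if_sid>
    <match>/etc/amanda</match>
    <description>Ignore integrity checks for Amanda backup location</description>
  </rule>
</group>

<!-- Option 2: stop monitoring the directory at the source. This goes in
     ossec.conf on the agent (or in the agent profile pushed by the server),
     inside <ossec_config>. The backup index is rewritten on every run, so
     excluding it from syscheck avoids a stream of expected "file deleted"
     and "file changed" events instead of masking them after the fact. -->
<ossec_config>
  <rules>
    <include>local_rules.xml</include>
  </rules>
  <syscheck>
    <ignore>/etc/amanda</ignore>
  </syscheck>
</ossec_config>
```

Restart OSSEC after editing either file, since rules and syscheck configuration are read only at startup.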