You can specify directories to ignore on integrity checking in the ossec.conf file, I believe.
On Tue, Jun 3, 2008 at 3:28 PM, Clayton Dillard <[EMAIL PROTECTED]> wrote:
> We have an Amanda backup server where OSSEC is loaded. I've created a
> local rule to ignore files in the /etc/amanda directory but still get
> alerts.
>
> *My rule looks like this:*
> <rule id="100040" level="0">
> <if_sid>553</if_sid>
> <match>/etc/amanda</match>
> <description>Ignore integrity checks for Amanda backup
> location</description>
> </rule>
>
> *Here is one of the alerts:*
> Received From: (raven) 1.2.3.4->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
> Portion of the log(s):
>
> File '/etc/amanda/DailySet1/index/
> sugardb1.rpstechnology.com/_usr_local_apache2_htdocs/20080429010001_1.gz'
> was deleted. Unable to retrieve checksum.
>
> Thanks,
> Clay
>
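
The ossec.conf setting the reply refers to, as an added example that is not part of the original thread: a `<syscheck>` fragment for the host running the integrity check (the agent `raven` in the alert). The `<directories>` line is an assumed typical setup, and the ignore path is taken from the alert above; it excludes only the churning Amanda index tree so that changes to the Amanda configuration files themselves still raise alerts.

```xml
<!-- Added example: fragment of ossec.conf on the monitored host.
     The <directories> list is an assumption; keep whatever the host already has. -->
<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

  <!-- Narrow option: skip only the backup index tree seen in the alert.
       Files elsewhere under /etc/amanda (for example the DailySet1
       configuration) are still checked. -->
  <ignore>/etc/amanda/DailySet1/index</ignore>

  <!-- Broad option, matching the intent of local rule 100040. This also
       hides tampering with the Amanda configuration, so prefer the narrow
       entry above unless the whole directory really is noise.
  <ignore>/etc/amanda</ignore>
  -->
</syscheck>
```

Restart OSSEC on that host after editing so syscheck picks up the new ignore list.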
