Hi Clayton,

As Jason said, you can ignore it directly in the ossec.conf. However, your rule seems fine and should have ignored it too. Which version of OSSEC are you using? We fixed a bug related to the match tag not working with syscheck on version 1.4.

*if that's not it, check if you restarted ossec after changing the rule.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Jun 3, 2008 at 6:31 PM, Jason Fischer <[EMAIL PROTECTED]> wrote:
> You can specify directories to ignore on integrity checking in the
> ossec.conf file, I believe.
>
> On Tue, Jun 3, 2008 at 3:28 PM, Clayton Dillard <[EMAIL PROTECTED]>
> wrote:
>>
>> We have an Amanda backup server where OSSEC is loaded. I've created a
>> local rule to ignore files in the /etc/amanda directory but still get
>> alerts.
>>
>> My rule looks like this:
>> <rule id="100040" level="0">
>>   <if_sid>553</if_sid>
>>   <match>/etc/amanda</match>
>>   <description>Ignore integrity checks for Amanda backup location</description>
>> </rule>
>>
>> Here is one of the alerts:
>> Received From: (raven) 1.2.3.4->syscheck
>> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>> Portion of the log(s):
>>
>> File
>> '/etc/amanda/DailySet1/index/sugardb1.rpstechnology.com/_usr_local_apache2_htdocs/20080429010001_1.gz'
>> was deleted. Unable to retrieve checksum.
>>
>> Thanks,
>> Clay
>
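
The ossec.conf approach suggested in this thread, as an added example that is not part of the original messages: a syscheck `<ignore>` entry for the directory in the alert. The `<directories>` line is a constructed sample, and the restart path in the comment assumes a default install under /var/ossec.

```xml
<!-- ossec.conf on the host that runs syscheck for these files
     (the alert above was received from "raven"). -->
<ossec_config>
  <syscheck>
    <!-- Constructed sample of monitored paths; keep your existing entries. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Skip the Amanda index tree during integrity checking. Unlike the
         level 0 rule, which only silences alerts during analysis, this
         stops syscheck from scanning the path at all. -->
    <ignore>/etc/amanda</ignore>
  </syscheck>
</ossec_config>

<!-- Restart OSSEC so the change is loaded, for example:
     /var/ossec/bin/ossec-control restart
     (path assumes the default install location) -->
```

Ignoring the whole directory also removes integrity coverage for the Amanda configuration files stored there, so a narrower path such as the index subdirectory may be the better choice if those files matter.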
