Hi Matthias,

If your upgrades run during a specific day or time, you can write a local rule to ignore any alert from syscheck during that period of time. Something like:

<rule id="100122" level="0">
  <if_group>syscheck</if_group>
  <time>1 am - 3:30 am</time>
  <weekday>sunday</weekday>
  <description>Ignore syscheck during that time</description>
</rule>

Or you can run syscheck_update before you run the checks to clear the syscheck queue and make sure the alerts are not sent.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Jun 11, 2008 at 5:00 AM, <[EMAIL PROTECTED]> wrote:
>
> Hi all
>
> I'm using ossec in a huge controlled environment with planned (and
> well tested) software upgrades. Every time such an update is done,
> ossec notifies all these (known) changes, sure. I'm wondering if there
> is any possibility to avoid this. Has anyone of you guys experience
> with that?
>
> Maybe we could simply update the entries in
> <ossec-dir>/queue/syscheck/syscheck to the "updated" values - before
> the next syscheck starts? Or is this file specially protected in any
> way? Is there a description of all the fields in this file? Or is
> there maybe a much easier way to do this?
>
> Thanks a lot!
>
> Wish you a nice day,
> Matthias
>
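
An added example, not part of the original thread and not OSSEC code: a small Python model of the rule's <time> and <weekday> match, for checking that syscheck events from a planned upgrade actually land inside the suppression window. It assumes the window is compared against the time the syscheck event is processed rather than the time the file changed; the parser, function names and sample events are constructed for illustration.

```python
import re
from datetime import datetime, time

# Values copied from the rule in the message above.
RULE_TIME = "1 am - 3:30 am"
RULE_WEEKDAY = "sunday"
DAYS = ["monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday"]
CLOCK = re.compile(r"\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)\s*", re.I)

def parse_clock(text):
    """Turn '1 am' or '3:30 am' into a datetime.time."""
    m = CLOCK.fullmatch(text)
    if not m:
        raise ValueError(f"unsupported clock value: {text!r}")
    hour, minute = int(m.group(1)), int(m.group(2) or 0)
    if not 1 <= hour <= 12 or minute > 59:
        raise ValueError(f"out of range: {text!r}")
    return time(hour % 12 + (12 if m.group(3).lower() == "pm" else 0), minute)

def in_window(ts, window=RULE_TIME, weekday=RULE_WEEKDAY):
    """True if an event processed at ts matches both <time> and <weekday>."""
    start, end = (parse_clock(part) for part in window.split("-"))
    if start > end:
        raise ValueError("windows that wrap past midnight are not modelled")
    # Inclusive bounds are an assumption of this example.
    return DAYS[ts.weekday()] == weekday.lower() and start <= ts.time() <= end

# Constructed sample: when each syscheck change event reaches the manager.
EVENTS = [
    (datetime(2008, 6, 15, 1, 10), "/usr/bin/app"),        # Sunday, in window
    (datetime(2008, 6, 15, 2, 45), "/etc/app.conf"),       # Sunday, in window
    (datetime(2008, 6, 15, 3, 45), "/usr/lib/libapp.so"),  # Sunday, scan ran late
    (datetime(2008, 6, 16, 2, 0), "/usr/share/app/data"),  # Monday rescan
]

def still_alerting(events):
    """Paths whose events fall outside the window and would still alert."""
    return [path for ts, path in events if not in_window(ts)]

if __name__ == "__main__":
    for path in still_alerting(EVENTS):
        print("not suppressed:", path)
```

Under that assumption, the window has to cover the syscheck scan that reports the changes, not only the upgrade itself.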
