Please forgive my noob question... globbing? Can version 2.0 support directory wildcards? Could I use .. \FUND\Clients\*\*\WebSvc\*\web.conf ? The file 'web.conf' is the only file they want monitored and I'm trying to figure out if it can be done via the Ossec.conf file locally or do I need to setup a rule to exclude every other file but that one.
Thanks for your help! Patrick Swartz UNIX Planning & Engineering (DSUSSE) First Data 402-777-7337 desk 402-871-8981 cell -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp) Sent: Thursday, May 06, 2010 4:53 PM To: [email protected] Subject: Re: [ossec-list] excluded files rule Are they simple enough to be able to use globbing for those files? On Thu, May 6, 2010 at 9:25 AM, Swartz, Patrick H <[email protected]> wrote: > > Hi All, > > > > Using Ossec 2.0 server/client model. > > I have been asked if there is a way we can create a rule to exclude files > based on the following directory structure on a Windows machine... > > > > {WWWROOT}\FUND\Clients\<client name>\<project,sub-project > names>\WebSvc\<version>\web.config > > > > Currently our Ossec.conf file is very large due to each {WWWROOT} entry is > expanded to where ever ISS is setup, and each <client name> and > <project,sub-project names>, and <version> has to be expanded. For some 500 > servers, this equates to a very large number of lines in the config file. > > Or is there a better way to write our config file with those 'variables'? > > > > Any thoughts would be greatly appreciated. > > Thanks, > > > > Patrick Swartz > UNIX Planning & Engineering (DSUSSE) > > First Data > 402-777-7337 desk > 402-871-8981 cell > > > > ________________________________ > > The information in this message may be proprietary and/or confidential, and > protected from disclosure. If the reader of this message is not the intended > recipient, or an employee or agent responsible for delivering this message to > the intended recipient, you are hereby notified that any dissemination, > distribution or copying of this communication is strictly prohibited. If you > have received this communication in error, please notify First Data > immediately by replying to this message and deleting it from your computer. ----------------------------------------- The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify First Data immediately by replying to this message and deleting it from your computer.
