I can't remember if 2.0 can do the wildcards or not. I'd look at the release notes for that version to see if it's mentioned.
On Fri, May 7, 2010 at 9:13 AM, Swartz, Patrick H <[email protected]> wrote: > Please forgive my noob question... globbing? Can version 2.0 support > directory wildcards? Could I use .. > \FUND\Clients\*\*\WebSvc\*\web.conf ? The file 'web.conf' is the only file > they want monitored and I'm trying to figure out if it can be done via the > Ossec.conf file locally or do I need to setup a rule to exclude every other > file but that one. > > Thanks for your help! > > Patrick Swartz > UNIX Planning & Engineering (DSUSSE) > First Data > 402-777-7337 desk > 402-871-8981 cell > > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On > Behalf Of dan (ddp) > Sent: Thursday, May 06, 2010 4:53 PM > To: [email protected] > Subject: Re: [ossec-list] excluded files rule > > Are they simple enough to be able to use globbing for those files? > > On Thu, May 6, 2010 at 9:25 AM, Swartz, Patrick H > <[email protected]> wrote: >> >> Hi All, >> >> >> >> Using Ossec 2.0 server/client model. >> >> I have been asked if there is a way we can create a rule to exclude files >> based on the following directory structure on a Windows machine... >> >> >> >> {WWWROOT}\FUND\Clients\<client name>\<project,sub-project >> names>\WebSvc\<version>\web.config >> >> >> >> Currently our Ossec.conf file is very large due to each {WWWROOT} entry is >> expanded to where ever ISS is setup, and each <client name> and >> <project,sub-project names>, and <version> has to be expanded. For some 500 >> servers, this equates to a very large number of lines in the config file. >> >> Or is there a better way to write our config file with those 'variables'? >> >> >> >> Any thoughts would be greatly appreciated. >> >> Thanks, >> >> >> >> Patrick Swartz >> UNIX Planning & Engineering (DSUSSE) >> >> First Data >> 402-777-7337 desk >> 402-871-8981 cell >> >> >> >> ________________________________ >> >> The information in this message may be proprietary and/or confidential, and >> protected from disclosure. If the reader of this message is not the intended >> recipient, or an employee or agent responsible for delivering this message >> to the intended recipient, you are hereby notified that any dissemination, >> distribution or copying of this communication is strictly prohibited. If you >> have received this communication in error, please notify First Data >> immediately by replying to this message and deleting it from your computer. > > ----------------------------------------- > The information in this message may be proprietary and/or > confidential, and protected from disclosure. If the reader of this > message is not the intended recipient, or an employee or agent > responsible for delivering this message to the intended recipient, > you are hereby notified that any dissemination, distribution or > copying of this communication is strictly prohibited. If you have > received this communication in error, please notify First Data > immediately by replying to this message and deleting it from your > computer. >
