Hi all,

Does the auto_ignore value really default to yes? I think so.

So on the OSSEC SERVER I changed the file ossec.conf and added under syscheck:

<auto_ignore>no</auto_ignore>

Do I need to zero the auto-ignore counter (syscheck_control -z -f?), or will this work just fine from now on?

Don't you think that the default value should be "no", since people may think their files are monitored whereas they won't be alerted after 3 changes? I have to say it can be quite normal to have config files changed more than 3 times, but you still need to be alerted from a change control perspective.

Thanks,
David Robert
http://blog.ombrepixel.com/
