Your regex is wrong. http://www.ossec.net/wiki/Know_How:Regex_Readme

You could also look at the syscheck ignore options:
http://www.ossec.net/main/manual/manual-syscheck/#examples

On Thu, Jul 15, 2010 at 6:54 AM, Bob Sauvage <[email protected]> wrote:
> Hello people!
>
> I want to make a rule to ignore some directories for the syscheck.
> I need a regex because I have a lot of directories...
>
> I made this:
>
> 
>
> <group name="local,syslog,">
>
>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>     -  as a ssh failed login. This is just an example
>     -  since ip 1.1.1.1 shouldn't be used anywhere.
>     -  Level 0 means ignore.
>     -->
>   <rule id="100001" level="0">
>     <if_group>syscheck</if_group>
>     <hostname>***|***</hostname>
>     <regex>*/.svn*|/etc/logrotate*|/etc/tinydns-dns*/log/*</regex>
>     <description>Directories to exclude</description>
>   </rule>
>
> But I always get alerts for the logfile of tinydns...
>
> Thanks a lot!
>
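The reply's point is that OSSEC's `<regex>` dialect is not PCRE: a bare `.` is a literal dot, `\.` is the "any character" token, and `*` only repeats the single character before it, so `tinydns-dns*` means "tinydns-dn followed by zero or more s", not "tinydns-dns followed by anything". The Python below is an added illustration, not part of the thread or of OSSEC itself: it translates the documented subset of OSSEC regex syntax into Python `re` syntax (an assumption that this table is complete for the patterns involved) and then compares the quoted rule's pattern, minus its invalid leading `*`, with a corrected one against a constructed syscheck alert line.

```python
import re

# Character classes of the OSSEC regex dialect, per the Regex_Readme linked
# in the reply. Assumption: only these constructs are handled; any other
# character is taken literally.
OSSEC_CLASSES = {
    "w": "[A-Za-z0-9_@-]",   # \w  letters, digits, '_', '@', '-'
    "d": "[0-9]",            # \d  digits
    "s": "[ ]",              # \s  a space
    "t": "[\t]",             # \t  a tab
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",  # \p  punctuation
    ".": ".",                # \.  ANY character (the OSSEC quirk)
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into Python re syntax."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            i += 2
            if nxt in OSSEC_CLASSES:
                out.append(OSSEC_CLASSES[nxt])
            elif nxt in "WDS":                       # negated classes \W \D \S
                out.append(OSSEC_CLASSES[nxt.lower()].replace("[", "[^", 1))
            else:
                out.append(re.escape(nxt))           # e.g. \$ is a literal '$'
            continue
        if c in "*+^$|()":
            out.append(c)                            # same meaning in both dialects
        else:
            out.append(re.escape(c))                 # a bare '.' is a LITERAL dot in OSSEC
        i += 1
    return "".join(out)


def ossec_match(pattern: str, text: str) -> bool:
    """Unanchored search, like OSSEC: the pattern may match anywhere in text."""
    try:
        return re.search(ossec_regex_to_python(pattern), text) is not None
    except re.error as exc:
        # A quantifier with nothing before it (a pattern starting with '*') is
        # invalid in Python; OSSEC's handling of it is not documented here, so
        # treat it as a configuration error rather than guess.
        raise ValueError(f"invalid OSSEC-style pattern {pattern!r}: {exc}") from exc


# Constructed sample alert text, in the shape syscheck produces for a changed file.
ALERT = "Integrity checksum changed for: '/etc/tinydns-dns1/log/main/current'"

# The quoted rule's pattern with its leading '*' dropped. 's*' is "zero or more
# s" and '/*' is "zero or more /", so only another 's' may sit between
# 'tinydns-dns' and '/log/'; a directory such as tinydns-dns1 is not covered.
ORIGINAL = r"/.svn*|/etc/logrotate*|/etc/tinydns-dns*/log/*"
# Corrected: '\.*' is OSSEC's "any run of characters". Trailing wildcards are
# unnecessary because the search is unanchored.
CORRECTED = r"/.svn|/etc/logrotate|/etc/tinydns-dns\.*/log/"


def compare(alert: str = ALERT) -> dict:
    """Show whether each pattern would silence the given alert."""
    return {
        "original": ossec_match(ORIGINAL, alert),
        "corrected": ossec_match(CORRECTED, alert),
    }


if __name__ == "__main__":
    print("python form:", ossec_regex_to_python(CORRECTED))
    print(compare())
```

Two things worth keeping in mind when using this: `\.` matches any character, so a pattern like `\.svn` would also match a path containing `xsvn`; write the literal dot as `.` when you mean a dot. And for the case in the thread, the syscheck-level `<ignore>` option from the manual link is usually the simpler tool, since with `type="sregex"` the pattern is only a list of `|`-separated prefixes or suffixes (e.g. `<ignore type="sregex">/etc/tinydns-dns|/etc/logrotate|/.svn</ignore>`) and no `\.*` is needed.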
