About the double backslashes, I saw this here: http://www.ossec.net/wiki/Know_How:Regex_Readme

But you are right, it doesn't work. I changed them like this (local_rules.xml):

<group name="local,syslog,">

  <!-- Note that rule id 5711 is defined at the ssh_rules file
     - as a ssh failed login. This is just an example
     - since ip 1.1.1.1 shouldn't be used anywhere.
     - Level 0 means ignore.
  -->

  <rule id="100001" level="0">
    <if_group>syscheck,</if_group>
    <hostname>***|***</hostname>
    <regex>'\S+/.svn</regex>
    <description>Directories to exclude</description>
  </rule>

  <rule id="100002" level="0">
    <if_group>syscheck,</if_group>
    <hostname>***|***</hostname>
    <regex>'/etc/logrotate\S+</regex>
    <description>Directories to exclude</description>
  </rule>

  <rule id="100003" level="0">
    <if_group>syscheck,</if_group>
    <hostname>***|***</hostname>
    <regex>'/etc/tinydns-dns\d+/log</regex>
    <description>Directories to exclude</description>
  </rule>

</group>

But it doesn't work either :/ !

About the first rule, I want to ignore all the ".svn" subdirectories. About the second, I want to ignore /etc/logrotate_syslog.d~/mail and /etc/logrotate_syslog.d~/local2 for example. And for the last, I want to ignore /etc/tinydns-dns1/* and /etc/tinydns-dns2/* for example.

I think I need help! Thanks a lot!

- /etc/logrotate_syslog.d~/uucp
  File: /etc/logrotate_syslog.d~/uucp
  Agent: Yui
  Modification time: 2010 Jul 16 15:55:42

----- Original Message -----
From: dan (ddp)
Sent: 19.07.10 18:57
To: [email protected]
Subject: Re: Re : Re: [ossec-list] Rule for syscheck

On Fri, Jul 16, 2010 at 5:22 AM, Bob Sauvage <[email protected]> wrote:
> Ok, thanks for these tips ;) !
>
> I changed it like this:
>
> <rule id="100001" level="0">
>   <if_group>syscheck,</if_group>
>   <hostname>**|**</hostname>
>   <regex>'\\S+/.svn</regex>
>   <description>Directories to exclude</description>
> </rule>
>
> <rule id="100002" level="0">
>   <if_group>syscheck,</if_group>
>   <hostname>**|**</hostname>
>   <regex>'/etc/logrotate\\S+</regex>
>   <description>Directories to exclude</description>
> </rule>
>
> <rule id="100003" level="0">
>   <if_group>syscheck,</if_group>
>   <hostname>**|**</hostname>
>   <regex>'/etc/tinydns-dns\\d+/log</regex>
>   <description>Directories to exclude</description>
> </rule>
>
> What do you think of this?
>
I'm not so sure of the double backslashes (\\). I think that may not be quite what you want.
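Since the thread turns on how OSSEC's own regex dialect reads backslashes, here is an added helper (not from the thread, and not part of OSSEC) that translates the escape classes from the Regex_Readme linked above into Python `re` syntax and tries the posted patterns against constructed syscheck alert lines. It assumes the class table from that readme (`\S` non-space, `\d` digit, `\.` any character, a bare `.` literal) and treats any other escaped character, `\\` included, as a literal; Python's backtracking matcher is not a full emulation of OSSEC's, so treat the result as a first sanity check rather than proof a rule will fire.

```python
import re

# OSSEC escape class -> Python re fragment, per the OSSEC Regex_Readme.
# In OSSEC a bare '.' is a literal dot and '\.' is the "anything" wildcard,
# the reverse of Python/PCRE, so '.' is escaped below and '\.' becomes '.'.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9]", "d": r"[0-9]", "s": r" ", "t": r"\t",
    "W": r"[^A-Za-z0-9]", "D": r"[^0-9]", "S": r"[^ ]", ".": r".",
}

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            esc = pattern[i + 1]
            # Any other escaped character, '\\' included, is taken literally
            # (assumption about how OSSEC reads the poster's '\\S').
            out.append(OSSEC_CLASSES.get(esc, re.escape(esc)))
            i += 2
            continue
        # Anchors, repetition, alternation and grouping mean the same in both.
        out.append(ch if ch in "^$+*|()" else re.escape(ch))
        i += 1
    return "".join(out)

def ossec_regex_matches(pattern: str, text: str) -> bool:
    """An OSSEC <regex> is an unanchored search unless ^ or $ is used."""
    return re.search(ossec_to_python(pattern), text) is not None

def check_patterns(patterns, alerts):
    """Map each candidate pattern to the alert lines it would match."""
    return {p: [a for a in alerts if ossec_regex_matches(p, a)] for p in patterns}

# Constructed alert lines in the shape of an OSSEC 2.x syscheck event.
SAMPLE_ALERTS = [
    "Integrity checksum changed for: '/etc/logrotate_syslog.d~/uucp'",
    "Integrity checksum changed for: '/etc/tinydns-dns1/log/main/current'",
    "Integrity checksum changed for: '/var/www/site/.svn/entries'",
    "Integrity checksum changed for: '/etc/passwd'",
]

if __name__ == "__main__":
    # The thread's single-backslash patterns beside the double-backslash version.
    for p in (r"'\S+/.svn", r"'\\S+/.svn", r"'/etc/logrotate\S+", r"'/etc/tinydns-dns\d+/log"):
        print(f"{p:28} -> {check_patterns([p], SAMPLE_ALERTS)[p]}")
```

The double-backslash form asks for a literal backslash followed by `S`, which is why it matches nothing, while the single-backslash patterns each pick out exactly the alert they were written for.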
