On Tue, Jul 20, 2010 at 3:06 AM, Bob Sauvage <[email protected]> wrote:
> About the double backslashes, I saw this here :
> http://www.ossec.net/wiki/Know_How:Regex_Readme
>
> But you are right, it doesn't work. I changed those like this
> (local_rules.xml) :
>
> <group name="local,syslog,">
>
>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>     - as a ssh failed login. This is just an example
>     - since ip 1.1.1.1 shouldn't be used anywhere.
>     - Level 0 means ignore.
>   -->
>   <rule id="100001" level="0">
>     <if_group>syscheck,</if_group>
>     <hostname>***|***</hostname>
>     <regex>'\S+/.svn</regex>
>     <description>Directories to exclude</description>
>   </rule>
>
>   <rule id="100002" level="0">
>     <if_group>syscheck,</if_group>
>     <hostname>***|***</hostname>
>     <regex>'/etc/logrotate\S+</regex>
>     <description>Directories to exclude</description>
>   </rule>
>
>   <rule id="100003" level="0">
>     <if_group>syscheck,</if_group>
>     <hostname>***|***</hostname>
>     <regex>'/etc/tinydns-dns\d+/log</regex>
>     <description>Directories to exclude</description>
>   </rule>
>
> But it doesn't work either :/ !
>
> About the first rule, I want to ignore all the ".svn" subdirectories.
>
> About the second, I want to ignore /etc/logrotate_syslog.d~/mail and
> /etc/logrotate_syslog.d~/local2 for example.
>
> And for the last, I want to ignore /etc/tinydns-dns1/* and
> /etc/tinydns-dns2/* for example.
>
> I think I need help !
>
> Thanks a lot !
>
> -/etc/logrotate_syslog.d~/uucp
> File: /etc/logrotate_syslog.d~/uucp
> Agent: Yui
> Modification time: 2010 Jul 16 15:55:42
>
I don't see anything obviously wrong with the rules, but I haven't tried any real syscheck rules. Did you restart the ossec server processes after creating the rules?
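A quick way to check whether rules like the three above would match before restarting the server is to translate OSSEC's own regex dialect into Python and run the patterns over sample syscheck events. The script below is an added example, not code from the thread or from the OSSEC project; it follows OSSEC's documented regex syntax (a bare `.` is a literal dot, `\.` is the wildcard, `\S` means "not a space", `\d` a digit, and `+`/`*` apply only to the single preceding item, since there is no grouping). The event lines are constructed, and the `Integrity checksum changed for: '<path>'` format they use is assumed, which is also why the patterns start with a quote character.

```python
import re

# OSSEC regex escapes, per the OSSEC regex syntax documentation.
# Anything else after a backslash is treated as a literal character.
_OSSEC_CLASSES = {
    "w": "[A-Za-z0-9]",
    "W": "[^A-Za-z0-9]",
    "d": "[0-9]",
    "D": "[^0-9]",
    "s": " ",            # OSSEC \s is the space character
    "S": "[^ ]",
    "t": "\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",   # OSSEC punctuation class
    ".": ".",            # OSSEC "\." means "any character"
}

# Metacharacters that keep their meaning in OSSEC regex.
_PASSTHROUGH = set("^$+*|")


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into an equivalent Python re pattern.

    The traps for people used to PCRE: a bare '.' is a literal dot,
    '\\.' is the wildcard, and there are no groups, so '+' and '*'
    only ever repeat the single preceding class or character.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        elif ch in _PASSTHROUGH:
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))   # '.', '-', '~' etc. become literals
            i += 1
    return "".join(out)


def ossec_match(pattern: str, text: str) -> bool:
    """OSSEC <regex> is a partial (unanchored) match unless ^ or $ is used."""
    return re.search(ossec_regex_to_python(pattern), text) is not None


# The three exclusion patterns from the thread, keyed by rule id.
RULES = {
    100001: r"'\S+/.svn",
    100002: r"'/etc/logrotate\S+",
    100003: r"'/etc/tinydns-dns\d+/log",
}

# Constructed sample syscheck events (assumed OSSEC log format).
SAMPLE_EVENTS = [
    "Integrity checksum changed for: '/var/www/site/.svn/entries'",
    "Integrity checksum changed for: '/etc/logrotate_syslog.d~/uucp'",
    "Integrity checksum changed for: '/etc/tinydns-dns1/log/current'",
    "Integrity checksum changed for: '/etc/passwd'",
]


def matching_rules(event: str) -> list:
    """Return the ids of the exclusion rules whose <regex> matches the event."""
    return [rid for rid, pat in RULES.items() if ossec_match(pat, event)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = matching_rules(ev)
        verdict = f"ignored by {hits}" if hits else "ALERT (no exclusion matched)"
        print(f"{ev}\n    -> {verdict}")
```

Running it shows the first three events each matched by exactly one of the level-0 rules and `/etc/passwd` matched by none, so the patterns themselves are sound for the paths Bob listed; if the real server still alerts, the cause is outside the regex (the rules not being loaded, the `<hostname>` condition, or the event text differing from the assumed format). A useful side check is `ossec_match(r"a.b", "aXb")`, which is false because the bare dot is literal in OSSEC, while `ossec_match(r"a\.b", "aXb")` is true.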
