I have an NFS filesystem which might be mounted on one or more servers.

1) How can I ensure that ossec only runs the syscheck tests once?
2) How can I avoid getting loads of alerts if the NFS is unmounted?

e.g. I want to monitor files under /NFSmount/directory
If /NFSmount is unmounted I get alerts telling me that /NFSmount/directory/file no longer exists.

I have been trying to work out a way of doing this using local rules. In the documentation there are some examples of rule overrides using <program_name> and <srcip>. Is there a list of all the variables that can be used in this way?

Can we test for a running process? e.g. If application X is running then run syscheck and application X's data files
