On Mon, Aug 9, 2010 at 6:53 AM, ItsMikeE <[email protected]> wrote:
> I have an NFS filesystem which might be mounted on one or more
> servers.
>
> 1) How can I ensure that ossec only runs the syscheck tests once?
>
> 2) How can I avoid getting loads of alerts if the NFS is unmounted?
> e.g. I want to monitor files under /NFSmount/directory
> If /NFSmount is unmounted I get alerts telling me that /NFSmount/directory/file no longer exists
>
> I have been trying to work out a way of doing this using local rules.
> In the documentation there are some examples of rule overrides using
> <program_name> and <srcip>.
> Is there a list of all the variables that can be used in this way?
> Can we test for a running process? e.g. If application X is running
> then run syscheck and application X's data files
I don't think syscheck has granular enough controls to do this. All it knows is that the files it has in its database are no longer there. So it (rightly) sends off an alert. There's a list here: http://www.ossec.net/main/manual/configuration-options/
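For the second question, the closest thing local rules can do is an override that silences the "file deleted" storm for paths under the share; this is an added example for local_rules.xml, not something from the thread. It assumes OSSEC's built-in syscheck rule 553 ("File deleted. Unable to retrieve checksum.") as the parent, the /NFSmount path from the question, and an unused local rule id of 100010.

```xml
<!-- Added example (not from the thread): suppress syscheck "file deleted"
     alerts for everything under /NFSmount, so an unmounted share does not
     generate one alert per file in the syscheck database. -->
<group name="local,syscheck,">
  <!-- 100010 is an assumed free id in the 100000+ range reserved for local rules -->
  <rule id="100010" level="0">
    <!-- 553 is OSSEC's stock syscheck rule for a deleted monitored file -->
    <if_sid>553</if_sid>
    <!-- the syscheck event text carries the full path of the missing file -->
    <match>/NFSmount/</match>
    <description>Ignore deleted-file alerts under /NFSmount (share may be unmounted)</description>
  </rule>
</group>
```

Level 0 drops the alert outright, so a genuine deletion under /NFSmount while the share is mounted is silenced as well; if that matters, use a low non-zero level and route it to a separate report instead.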
