I don't know why that isn't working, but try adding the ignore to the manager's ossec.conf. That should ignore it for all agents and the manager.
I don't think <auto_ignore>no</auto_ignore> does anything on the agents. It should be a manager-side option. Make sure the agent.conf on the agents is getting updated, and make sure the agent is using the correct sections. An easy way to do this is to add a <localfile> into each section. Even if the file does not exist on the agent, it should be mentioned in the ossec.log.

On Tue, Apr 19, 2011 at 10:02 AM, satish patel <[email protected]> wrote:
> Hey Guys!
>
> This is again I am posting an issue about ignoring a file and directory.
> Following is my agent.conf file; please let me know why it's not
> working. I did a thousand restarts and reboots of the machine on both client
> and server but still I am getting the alert :(
>
> Getting alert : Integrity checksum changed for: '/etc/prelink.cache'
>
> Following is my agent.conf file.
>
> root@vmg035:~# cat /var/ossec/etc/shared/agent.conf
> <agent_config>
>   <syscheck>
>
>     <!-- Frequency that syscheck is executed - default to every 2 hours -->
>     <frequency>7200</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- No scan at start service time -->
>     <scan_on_start>no</scan_on_start>
>
>     <!-- Disable frequently changes files -->
>     <auto_ignore>no</auto_ignore>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>     <ignore>/etc/motd</ignore>
>     <ignore>/etc/printcap</ignore>
>     <ignore>/etc/prelink.cache</ignore>
>     <ignore>/etc/lvm/backup</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>   </rootcheck>
> </agent_config>
>
> <!-- Redhat Linux Logfiles monitor for PROD boxes fiona and shrek -->
> <agent_config name="fiona|shrek">
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/vsftpd.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
> </agent_config>
>
>
> <!-- Redhat Linux Logfiles monitor for TEST and DEV-->
> <agent_config name="dev01|dev02|dragon|donkey">
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/vsftpd.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
> </agent_config>
>
> <!-- sebfwint1 extra logfiles for ubuntu OS -->
> <agent_config name="sebfw01">
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/auth.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/syslog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/mail.info</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/dpkg.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/apache2/error.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/apache2/access.log</location>
>   </localfile>
> </agent_config>
>
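As an added example (not code from this thread or from OSSEC), the check suggested above can be done offline: parse a shared agent.conf, work out which <agent_config> sections reach a given agent name, and list the <ignore> paths and <localfile> locations that agent should end up with. It runs on a constructed sample modelled on the quoted file, and assumes that `|` in the name attribute separates alternative agent names (as the posted file uses it) and that a non-regex <ignore> entry matches by path prefix.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on the agent.conf quoted above (not the poster's full file).
SAMPLE_AGENT_CONF = """<agent_config>
  <syscheck>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/prelink.cache</ignore>
  </syscheck>
</agent_config>
<agent_config name="fiona|shrek">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</agent_config>
<agent_config name="sebfw01">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</agent_config>"""

def parse_agent_conf(text):
    # agent.conf holds several top-level <agent_config> elements, so it is not a
    # single-rooted XML document; wrap it in a synthetic root before parsing.
    return ET.fromstring("<root>" + text + "</root>").findall("agent_config")

def section_applies(section, agent_name):
    # No name attribute: the section applies to every agent. Otherwise the name is
    # treated as '|'-separated alternatives (assumption, following name="fiona|shrek").
    names = section.get("name")
    return names is None or agent_name in names.split("|")

def sections_for_agent(text, agent_name):
    return [s for s in parse_agent_conf(text) if section_applies(s, agent_name)]

def syscheck_ignores(text, agent_name):
    """All <syscheck><ignore> paths that reach the named agent."""
    return [i.text.strip() for s in sections_for_agent(text, agent_name)
            for i in s.findall("syscheck/ignore") if i.text]

def monitored_logs(text, agent_name):
    """All <localfile><location> entries the named agent should pick up."""
    return [l.text.strip() for s in sections_for_agent(text, agent_name)
            for l in s.findall("localfile/location") if l.text]

def is_ignored(text, agent_name, path):
    # Assumes non-regex ignore entries match by prefix, so a directory covers its files.
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in syscheck_ignores(text, agent_name))
```

If an expected <location> does not show up for an agent here, the section's name attribute does not match that agent; if it does show up but never appears in the agent's ossec.log, the shared file is not reaching the agent at all.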
