Hi Chris,

The workaround's the same as what you have done, just a few things to check:

a. Put the absolute path of the file in the ossec.conf in the ignore tab.
b. Restart OSSEC to let the changes come into place.
c. Create a rule in local_rules.xml using the match tag, being applied on this rule.

-- tanishk
Sent from BlackBerry® on Airtel

-----Original Message-----
From: sameer nanda <[email protected]>
Sender: [email protected]
Date: Fri, 22 Apr 2011 09:28:55
To: <[email protected]>
Reply-To: [email protected]
Subject: Re: [ossec-list] OSSEC rootcheck file/directory ignore

Hey Doug, why don't you increase the time of syscheck? That is, what I mean to say is, set it at a time gap of around 21600 seconds. I hope this will reduce CPU utilization.

On 22 April 2011 05:06, Christopher Laibinis <[email protected]> wrote:
> How can I ignore a file or directory in the rootcheck portion of OSSEC?
>
> For instance I am receiving the following:
>
> OSSEC HIDS Notification.
> 2011 Apr 22 02:48:35
>
> Received From: (nyctpdprd1) 10.186.196.132->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> File '/dev/oracleasm/.query_disk' present on /dev. Possible hidden
> file.
>
> I would like to ignore this file and have added the
>
> <ignore>/dev/oracleasm</ignore>
>
> directive in the ossec.conf file under the <rootcheck> portion, but it
> does not work.
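The three steps above and the syscheck frequency suggestion, written out as configuration. This is an added example, not text from any of the posters: the rootcheck `<ignore>` entry follows step (a) with the absolute path of the flagged file, the `<syscheck>` frequency of 21600 seconds follows the earlier reply, and the rule in local_rules.xml follows step (c). The rule id 100010 and the description text are chosen here for illustration (local rule ids are expected to fall in the 100000-109999 range reserved for user rules). Which OSSEC version honours `<ignore>` under `<rootcheck>` is not stated in the thread, so the local rule is the part assumed to suppress the alert regardless: it is a child of rule 510 via `<if_sid>`, `<match>` is a plain substring test against the event text, and level 0 means the event is never alerted on.

```xml
<!-- /var/ossec/etc/ossec.conf: merge into the existing <rootcheck> and
     <syscheck> sections rather than adding duplicate sections. -->
<ossec_config>
  <rootcheck>
    <!-- Step (a): absolute path of the file reported by rootcheck. -->
    <ignore>/dev/oracleasm/.query_disk</ignore>
  </rootcheck>

  <syscheck>
    <!-- Run the integrity scan every 6 hours (21600 s) to lower CPU load. -->
    <frequency>21600</frequency>
  </syscheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: step (c). Rule id 100010 and the
     description are chosen for this example. -->
<group name="local,">
  <rule id="100010" level="0">
    <!-- Only evaluated after rule 510 (rootcheck anomaly) has matched. -->
    <if_sid>510</if_sid>
    <!-- Substring match against the rootcheck message:
         "File '/dev/oracleasm/.query_disk' present on /dev. Possible hidden file." -->
    <match>/dev/oracleasm/</match>
    <description>Oracle ASM device files under /dev are expected; ignore.</description>
  </rule>
</group>
```

After editing both files, restart OSSEC (step b) so the new rule and configuration are loaded, then confirm on the next rootcheck run that no rule 510 alert for `/dev/oracleasm/` appears in `/var/ossec/logs/alerts/alerts.log`. The `<match>` uses a trailing slash so that only entries under the ASM directory are silenced; any other hidden file rootcheck finds in `/dev` still fires rule 510 at level 7.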
