I think this will have a rule on the ossec server; I am looking to do this on an agent basis and have the same rule set for all the agents.

On Apr 22, 4:15 pm, "dan (ddp)" <[email protected]> wrote:
> Not what you're asking, but should provide very similar results.
>
> <rule id="ID_NUMBER" level="0">
>   <if_sid>510</if_sid>
>   <match>/dev/oracleasm/.query_disk</match>
>   <description>Ignore alerts for this file.</description>
> </rule>
>
> On Fri, Apr 22, 2011 at 8:06 AM, Christopher Laibinis
> <[email protected]> wrote:
> > How can I ignore a file or directory in the rootcheck portion of OSSEC?
> >
> > For instance I am receiving the following:
> >
> > OSSEC HIDS Notification.
> > 2011 Apr 22 02:48:35
> >
> > Received From: (nyctpdprd1) 10.186.196.132->rootcheck
> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> > (rootcheck)."
> > Portion of the log(s):
> >
> > File '/dev/oracleasm/.query_disk' present on /dev. Possible hidden
> > file.
> >
> > I would like to ignore this file and have added the
> >
> > <ignore>/dev/oracleasm</ignore>
> >
> > directive in the ossec.conf file under the <rootcheck> portion, but it
> > does not work.
