Yes, this rule would be applied to all agents. Why would you want it to be different for some agents?
On Mon, Apr 25, 2011 at 1:50 PM, Christopher Laibinis <[email protected]> wrote:
> I think this will have a rule on the ossec server, I am looking to do
> this on an agent basis and have the same rule set for all the agents.
>
> On Apr 22, 4:15 pm, "dan (ddp)" <[email protected]> wrote:
>> Not what you're asking, but should provide very similar results.
>>
>> <rule id="ID_NUMBER" level="0">
>>   <if_sid>510</if_sid>
>>   <match>/dev/oracleasm/.query_disk</match>
>>   <description>Ignore alerts for this file.</description>
>> </rule>
>>
>> On Fri, Apr 22, 2011 at 8:06 AM, Christopher Laibinis
>> <[email protected]> wrote:
>> > How can I ignore a file or directory in the rootcheck portion of OSSEC?
>> >
>> > For instance I am receiving the following:
>> >
>> > OSSEC HIDS Notification.
>> > 2011 Apr 22 02:48:35
>> >
>> > Received From: (nyctpdprd1) 10.186.196.132->rootcheck
>> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event
>> > (rootcheck)."
>> > Portion of the log(s):
>> >
>> > File '/dev/oracleasm/.query_disk' present on /dev. Possible hidden
>> > file.
>> >
>> > I would like to ignore this file and have added the
>> >
>> > <ignore>/dev/oracleasm</ignore>
>> >
>> > directive in the ossec.conf file under the <rootcheck> portion, but it
>> > does not work.
