Is the file /nsr/logs changing, or are files under that directory changing? Have you tried <ignore type="sregex">^/nsr/logs</ignore>?
On Thu, Jul 7, 2011 at 5:03 PM, reg <regoma...@gmail.com> wrote:
> Hello All,
>
> Taking some advice on this list, I converted all my agents to a
> minimal ossec.conf (just the server IP). Inside the agent.conf
> file on the server, I have my entire configuration. This is working
> quite nicely now, but I have one nagging issue. I keep getting
> alerts regarding file changes that should be ignored. I have checked
> and double-checked the ignore rules for syntax errors
> in the file name, and still the alerts come in.
>
> Example:
>
> <agent_config name="myhost1|myhost2">
>   <syscheck>
>     <frequency>86400</frequency>
>     <directories check_all="yes">/mnt,/nsr,/usr,/bin,/sbin,/lib,/etc,/root,/boot</directories>
>     <ignore>/nsr/logs</ignore>
>   </syscheck>
> </agent_config>
>
> I do not have this issue on new agents. Checksum of agent.conf has
> been verified with agent_control. Manual deletion of
> file entries from /var/ossec/queue/syscheck/(hostname file) and
> client/server restarts but still the ignored entries get added back to
> the file.
>
> -Reggie