On Mon, Dec 19, 2011 at 7:18 PM, helpmailinglist <[email protected]> wrote:
> A file integrity check is needed on archived files only. For
> instance, /var/log/httpd/*.gz. How is this possible? And can the
> rule(s) be set up on the ossec server rather than the clients?

I haven't tried putting files into syscheck, so I don't know if that would work. You could add directories entries for /var/log/httpd, and <ignore> the error_log/access_log/whatever_log files. Or you could monitor /var/log/httpd and create rules to first ignore everything, then another rule to alert on .gz files changing. Or you could use the restrict option in your directories definition.
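
The `restrict` and `<ignore>` suggestions from the reply above, written out as an `ossec.conf` syscheck fragment. This is an added example, not configuration from the original post: the `check_all` setting and the two patterns (`.gz$`, `_log$`) are assumptions chosen to fit the /var/log/httpd case in the question.

```xml
<!-- Added example. Two alternatives are shown; use one, not both. -->

<!-- Alternative 1: the restrict option.
     Only files under /var/log/httpd whose name matches the pattern are
     checked. The pattern is an assumption: ".gz$" is meant to select
     names ending in .gz, i.e. the compressed, rotated logs. -->
<syscheck>
  <directories check_all="yes" restrict=".gz$">/var/log/httpd</directories>
</syscheck>

<!-- Alternative 2: monitor the whole directory and ignore the live logs.
     The sregex "_log$" is an assumption covering error_log, access_log
     and similar names. Rotated but not yet compressed files such as
     access_log.1 do not end in _log, so they would still be checked
     and would alert once when they are compressed or removed. -->
<syscheck>
  <directories check_all="yes">/var/log/httpd</directories>
  <ignore type="sregex">_log$</ignore>
</syscheck>
```

With Alternative 1 the live logs never enter the syscheck database, so no alert is raised for the normal growth of access_log or error_log.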
