Your ignore syntax for ossec.conf might be a bit off. Try this:
    <ignore type="sregex">^/etc/something</ignore>

That will ignore anything that starts with /etc/something. Then restart the agent, of course, for it to take effect.

On Jan 21, 7:16 am, Julien Vehent <[email protected]> wrote:
> On Fri 20.Jan'12 at 22:12:00 -0800, SuilAmhain wrote:
>
> > Add an ignore rule to ossec.conf. Restart ossec after adding it.
>
> Had you read my email, you would have noticed that this has been done
> already, before following syscheckd's activity with strace.
>
> - Julien
