On Wed, Jan 25, 2012 at 12:35 PM, BP9906 <[email protected]> wrote: > No, that option does tell syscheckd to ignore that entire folder and > subcontents. If you have windows, I believe its different. > > See http://www.ossec.net/main/manual/manual-syscheck#examples >
I think ossec-syscheckd will still go down into the directory, it just won't forward the information. > On Jan 24, 11:03 am, Julien Vehent <[email protected]> wrote: >> On Mon 23.Jan'12 at 11:46:17 -0800, BP9906 wrote: >> >> > Your ignore syntax for ossec.conf might be a bit off. >> >> > Try this: >> >> > <ignore type="sregex">^/etc/something</ignore> >> >> > That will ignore anything that starts with /etc/something. Then >> > restart the agent of course to take effect. >> >> That will ignore the alerts, but not prevent syscheckd from browsing >> that directory, which is the issue. >> >> The ignore rule works fine: content of that directory does not generate >> alerts. But my problem is with syscheckd scanning a 12TB NFS share. >> >> - Julien
