I'm using report_changes on a lot of directories, and to avoid having large diff queues, I ignore a bunch of files I don't care about. I'm having issues with the regex on an ignore rule. The files are in /tmp as follows:

/tmp/FILENAME1-New_Customer.swx
/tmp/FILENAME2-New_Customer.swx
/tmp/FILENAME3-New_Customer.swx
/tmp/FILENAME4-New_Customer.swx

So I wrote the following rule:

<ignore>^/tmp/\S+New_Customer.swx$</ignore>

But it doesn't get applied. Regardless of the ignore rule, syscheck creates a diff in the queue directory:

root@machine:/var/ossec/queue/diff/local/tmp# ls -al | grep New_Customer.swx
drwxr-x--- 2 root root 4096 2012-02-06 12:42 SYSCHECK123-New_Customer.swx
drwxr-x--- 2 root root 4096 2012-02-06 12:42 TESTSYSCHECK-New_Customer.swx

And I get an alert for the creation of the new file... What do I need to change to make this ignore regex work as expected?

Thanks,
Julien
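For reference, here is an added example of the syscheck configuration in question (not part of the original post, and not from the OSSEC project): a plain <ignore> entry is compared against the path as a literal string, so regex metacharacters in it are never interpreted; the same pattern only works as a regex when the entry carries type="sregex". The /tmp directory entry is assumed for illustration.

```xml
<ossec_config>
  <syscheck>
    <!-- Assumed: the monitored directory from the post, with diffs enabled -->
    <directories check_all="yes" report_changes="yes">/tmp</directories>

    <!-- Literal match: this entry is compared as a plain string, so ^, \S, +
         and $ are taken literally and /tmp/FILENAME1-New_Customer.swx is
         still reported -->
    <ignore>^/tmp/\S+New_Customer.swx$</ignore>

    <!-- Regex match: with type="sregex" the entry is evaluated by OSSEC's own
         regex engine, where \S+ covers the FILENAMEn- prefix -->
    <ignore type="sregex">^/tmp/\S+New_Customer.swx$</ignore>
  </syscheck>
</ossec_config>
```

Only the sregex form is needed in practice; the literal entry is kept here to show the two side by side.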
