On Mon, Feb 6, 2012 at 12:48 PM, Julien Vehent <[email protected]> wrote:
> I'm using report_changes on a lot of directories, and to avoid having
> large diff queues, I ignore a bunch of files I don't care about.
> I'm having issues with the regex on an ignore rule. The files are in
> /tmp as follows:
> /tmp/FILENAME1-New_Customer.swx
> /tmp/FILENAME2-New_Customer.swx
> /tmp/FILENAME3-New_Customer.swx
> /tmp/FILENAME4-New_Customer.swx
>
> So I wrote the following rule:
> <ignore>^/tmp/\S+New_Customer.swx$</ignore>
>
> But it doesn't get applied. Regardless of the ignore rule, syscheck
> creates a diff in the queue directory:
>
> root@machine:/var/ossec/queue/diff/local/tmp# ls -al |grep New_Customer.swx
> drwxr-x--- 2 root root 4096 2012-02-06 12:42 SYSCHECK123-New_Customer.swx
> drwxr-x--- 2 root root 4096 2012-02-06 12:42 TESTSYSCHECK-New_Customer.swx
>
> And I get an alert for the creation of the new file...
>
> What do I need to change to make this ignore regex work as expected?
>
>
> Thanks,
> Julien
>
Ignore does not support regex. You can use the sregex type instead: <ignore type="sregex">New_Customer.swx$</ignore>
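An added illustration of why the original pattern never matched and why the sregex form does (example code written for this page, not OSSEC's own; it assumes the plain-ignore and sregex semantics stated in the docstring and does not model case handling):

```python
"""Approximation of how OSSEC syscheck evaluates <ignore> entries.

Assumptions (not taken from the thread, stated here as such):
  * a plain <ignore> is a literal prefix comparison against the full path;
  * <ignore type="sregex"> is OSSEC's "simple regex": only ^ (start),
    $ (end), | (alternation) and a leading ! (negation) are special,
    everything else is literal, so \\S+ is four literal characters.
"""
import re

def ignore_plain(pattern: str, path: str) -> bool:
    """Plain <ignore>: true if the path starts with the literal pattern."""
    return path.startswith(pattern)

def ignore_sregex(pattern: str, path: str) -> bool:
    """Emulate sregex by translating each alternative to an anchored literal."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    alternatives = []
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if start else 0 : len(alt) - (1 if end else 0)]
        alternatives.append(("^" if start else "") + re.escape(body) + ("$" if end else ""))
    matched = any(re.search(rx, path) for rx in alternatives)
    return not matched if negate else matched

# Constructed sample paths, taken from the shape shown in the question
PATHS = ["/tmp/FILENAME1-New_Customer.swx", "/tmp/FILENAME2-New_Customer.swx"]

def evaluate(pattern: str, sregex: bool = False) -> dict:
    """Return {path: ignored?} for every sample path under the chosen matcher."""
    check = ignore_sregex if sregex else ignore_plain
    return {p: check(pattern, p) for p in PATHS}

if __name__ == "__main__":
    print(evaluate(r"^/tmp/\S+New_Customer.swx$"))          # plain: nothing ignored
    print(evaluate(r"^/tmp/\S+New_Customer.swx$", True))    # sregex, \S literal: nothing
    print(evaluate("New_Customer.swx$", True))               # sregex suffix: all ignored
```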
