I am monitoring my inetpub folder on a webserver and ignoring log 
files/folders within inetpub. For some reason ossec sends me email alerts 
for files/folders that I am ignoring. Can someone look at my config and 
help me understand what's wrong? (Dan, looking at you buddy :) :) :))

From OSSEC.conf on the agent:
 <syscheck>
   <alert_new_files>yes</alert_new_files>
   <directories realtime="yes" check_all="yes">C:\inetpub</directories>
   <ignore>C:\Inetpub\mailroot</ignore>
   <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
   <ignore>C:\Inetpub\wwwroot\app2\logs</ignore>
   <ignore>C:\Inetpub\wwwroot\app1\Imports</ignore>
   <ignore>C:\Inetpub\wwwroot\app2\Imports</ignore>
 </syscheck>
</ossec_config>

I keep getting email alerts like:

Rule: 550 fired (level 14) -> "Integrity checksum changed of monitored file."
Portion of the log(s):

Integrity checksum changed for: 
'C:\Inetpub/wwwroot/app1/Log/user.xxxxxxx-12-19-2012.txt'


OSSEC is correct that the file it is showing me has changed but I have marked 
that folder to be ignored. I know that ossec scans all files/folders but should 
choose to alert on files NOT being ignored. Is my config bad? Should I add my 
ignores to the manager and not the agent conf? 


Any help is greatly appreciated. Thanks in advance.
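
A diagnostic for the situation in this post, added here as an example (it is not part of the original message and is not OSSEC code): it compares each <ignore> entry with the path printed in the alert and reports where they diverge. It assumes syscheck treats an ignore entry as a case-insensitive literal prefix of the path exactly as the alert prints it; the function names are hypothetical.

```python
import re

# Constructed sample: the <syscheck> block and the alerted path quoted in the post.
SYSCHECK = r"""
<syscheck>
  <directories realtime="yes" check_all="yes">C:\inetpub</directories>
  <ignore>C:\Inetpub\mailroot</ignore>
  <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
  <ignore>C:\Inetpub\wwwroot\app2\logs</ignore>
  <ignore>C:\Inetpub\wwwroot\app1\Imports</ignore>
  <ignore>C:\Inetpub\wwwroot\app2\Imports</ignore>
</syscheck>
"""
ALERTED = r"C:\Inetpub/wwwroot/app1/Log/user.xxxxxxx-12-19-2012.txt"


def ignore_entries(xml_text):
    """Pull the text of every <ignore> element out of a syscheck block."""
    return [m.strip() for m in re.findall(r"<ignore>(.*?)</ignore>", xml_text)]


def segments(path):
    """Split on either separator and fold case, leaving only the folder names."""
    return [s.lower() for s in re.split(r"[\\/]+", path) if s]


def explain(entry, path):
    """Return (covers, reason) for one ignore entry against one reported path."""
    # Assumption: the agent does a case-insensitive literal prefix comparison.
    if path.lower().startswith(entry.lower()):
        return True, "literal prefix of the reported path"
    want, got = segments(entry), segments(path)
    if got[:len(want)] == want:
        return False, "same folders, but separators differ from the reported path"
    i = next(n for n, s in enumerate(want) if n >= len(got) or got[n] != s)
    seen = got[i] if i < len(got) else "<end of path>"
    return False, f"folder {i}: ignore has '{want[i]}', path has '{seen}'"


def diagnose(xml_text, path):
    """Map every ignore entry to its (covers, reason) verdict for the path."""
    return {e: explain(e, path) for e in ignore_entries(xml_text)}


if __name__ == "__main__":
    for entry, (covers, why) in diagnose(SYSCHECK, ALERTED).items():
        print(f"{'COVERS' if covers else 'MISS':6} {entry}  ->  {why}")
```

On the sample, every entry misses: the closest one names the folder "logs" while the alerted path contains "Log", and the alerted path uses forward slashes after C:\Inetpub where the entries use backslashes.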


