Forgive me, I was removing identifying information and mistyped. This is from my agent:

<ignore>C:\Inetpub\wwwroot\app1\logs</ignore>

and this is the alert I get:

Integrity checksum changed for:
'C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt'

Do I add any ignores to the manager or is it strictly agent based?

Thank you so so so much. To show my appreciation, I am trying to help you out answering questions in the group :)

Thanks

On Thursday, December 20, 2012 8:27:33 AM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Dec 19, 2012 at 5:15 PM, Lsilverman <[email protected]> wrote:
> > I am monitoring my inetpub folder on a webserver and ignoring log
> > files/folders within inetpub. For some reason ossec sends me email alerts
> > for files/folders that I am ignoring. Can someone look at my config and help
> > me understand what's wrong? (Dan, looking at you buddy :) :) :))
> >
> > From OSSEC.conf on the agent:
> > <syscheck>
> > <alert_new_files>yes</alert_new_files>
> > <directories realtime="yes" check_all="yes">C:\inetpub</directories>
> > <ignore>C:\Inetpub\mailroot</ignore>
> > <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
> > <ignore>C:\Inetpub\wwwroot\app2\logs</ignore>
> > <ignore>C:\Inetpub\wwwroot\app1\Imports</ignore>
> > <ignore>C:\Inetpub\wwwroot\app2\Imports</ignore>
> > </syscheck>
> > </ossec_config>
> >
> > I keep getting email alerts like:
> >
> > Rule: 550 fired (level 14) -> "Integrity checksum changed of monitored file."
> > Portion of the log(s):
> >
> > Integrity checksum changed for:
> > 'C:\Inetpub/wwwroot/app1/Log/user.xxxxxxx-12-19-2012.txt'
> >
>
> You don't have this path defined above. You have
> "<ignore>C:\Inetpub\wwwroot\app1\logs</ignore>" instead.
>
> > OSSEC is correct that the file it is showing me has changed but I have
> > marked that folder to be ignored. I know that ossec scans all files/folders
> > but should choose to alert on files NOT being ignored. Is my config bad?
> > Should I add my ignores to the manager and not the agent conf?
> >
> > Any help is greatly appreciated. Thanks in advance.
> >
>
> Make sure you restart the agent processes after adding the correct ignores.
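An added example, not part of the thread and not OSSEC's own code: a small Python helper that compares each `<ignore>` entry from the posted config with the path shown in the alert and reports whether they differ in path separator, letter case, or both. It makes no claim about how OSSEC itself matches ignore entries; the function names are made up for illustration.

```python
# Added diagnostic example; paths are copied from the thread above.
IGNORES = [
    r"C:\Inetpub\mailroot",
    r"C:\Inetpub\wwwroot\app1\logs",
    r"C:\Inetpub\wwwroot\app2\logs",
    r"C:\Inetpub\wwwroot\app1\Imports",
    r"C:\Inetpub\wwwroot\app2\Imports",
]
ALERT_PATH = r"C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt"


def _is_under(prefix, path):
    """True if path equals prefix or lies below it on a component boundary."""
    if not path.startswith(prefix):
        return False
    rest = path[len(prefix):]
    return rest == "" or rest[0] in "\\/" or prefix[-1] in "\\/"


def _norm_sep(s):
    """Rewrite forward slashes as backslashes."""
    return s.replace("/", "\\")


def diagnose(ignore, path):
    """Name the smallest normalisation under which `ignore` covers `path`.

    Returns "exact", "separator", "case", "separator+case" or "none".
    """
    if _is_under(ignore, path):
        return "exact"
    if _is_under(_norm_sep(ignore), _norm_sep(path)):
        return "separator"
    if _is_under(ignore.lower(), path.lower()):
        return "case"
    if _is_under(_norm_sep(ignore).lower(), _norm_sep(path).lower()):
        return "separator+case"
    return "none"


def matching_ignores(ignores, path):
    """Map each ignore entry that could cover `path` to its diagnosis."""
    results = {entry: diagnose(entry, path) for entry in ignores}
    return {entry: how for entry, how in results.items() if how != "none"}


if __name__ == "__main__":
    for entry, how in matching_ignores(IGNORES, ALERT_PATH).items():
        print(f"{entry!r} covers the alerted path only after: {how}")
```

A result other than "exact" means the entry and the alerted path are not literally the same string prefix, which is the first thing to rule out when an ignored directory still alerts.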
