Still the same issue. I upgraded my manager to 2.7, not my agents. I am monitoring c:\inetpub but ignoring regex ^C:\inetpub\mailroot

I continue to get alerts like:

Integrity checksum changed for: 'C:\Inetpub/mailroot/Badmail/348972394723894723894.BDR'

Here is a snippet of my config:

<syscheck>
  <alert_new_files>yes</alert_new_files>
  <directories realtime="yes" check_all="yes">C:\Inetpub</directories>
  <ignore type="sregex">^C:\Inetpub\mailroot</ignore>
</syscheck>

Any ideas what I am doing wrong? Thanks!!!

On Thursday, December 20, 2012 9:21:20 AM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Dec 20, 2012 at 9:13 AM, Lsilverman <[email protected]> wrote:
> > Forgive me, I was removing identifying information and mistyped.
> >
> > This is from my agent:
> > <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
> >
> > and this is the alert I get:
> > Integrity checksum changed for:
> > 'C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt'
> >
>
> Did you restart the OSSEC processes? I don't know if the case matters
> or not. I guess you could also try an sregex:
> <ignore type="sregex">^C:\Inetpub/wwwroot/app1/Logs</ignore>
>
> > Do I add any ignores to the manager or is it strictly agent based?
> >
>
> IIRC, if you add them to the manager they will be ignored from all
> agents. If you add them to the agents they will only be ignored on
> those agents.
>
> > Thank you so so so much. To show my appreciation, I am trying to help you
> > out answering questions in the group :)
> >
> > Thanks
> >
> > On Thursday, December 20, 2012 8:27:33 AM UTC-5, dan (ddpbsd) wrote:
> >>
> >> On Wed, Dec 19, 2012 at 5:15 PM, Lsilverman <[email protected]> wrote:
> >> > I am monitoring my inetpub folder on a webserver and ignoring log
> >> > files/folders within inetpub. For some reason ossec sends me email alerts
> >> > for files/folders that I am ignoring. Can someone look at my config and help
> >> > me understand what's wrong? (Dan, looking at you buddy :) :) :))
> >> >
> >> > From OSSEC.conf on the agent:
> >> > <syscheck>
> >> > <alert_new_files>yes</alert_new_files>
> >> > <directories realtime="yes" check_all="yes">C:\inetpub</directories>
> >> > <ignore>C:\Inetpub\mailroot</ignore>
> >> > <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
> >> > <ignore>C:\Inetpub\wwwroot\app2\logs</ignore>
> >> > <ignore>C:\Inetpub\wwwroot\app1\Imports</ignore>
> >> > <ignore>C:\Inetpub\wwwroot\app2\Imports</ignore>
> >> > </syscheck>
> >> > </ossec_config>
> >> >
> >> > I keep getting email alerts like:
> >> >
> >> > Rule: 550 fired (level 14) -> "Integrity checksum changed of monitored file."
> >> > Portion of the log(s):
> >> >
> >> > Integrity checksum changed for:
> >> > 'C:\Inetpub/wwwroot/app1/Log/user.xxxxxxx-12-19-2012.txt'
> >> >
> >>
> >> You don't have this path defined above. You have
> >> "<ignore>C:\Inetpub\wwwroot\app1\logs</ignore>" instead.
> >>
> >> >
> >> > OSSEC is correct that the file it is showing me has changed but I have
> >> > marked that folder to be ignored. I know that ossec scans all files/folders
> >> > but should choose to alert on files NOT being ignored. Is my config bad?
> >> > Should I add my ignores to the manager and not the agent conf?
> >> >
> >> > Any help is greatly appreciated. Thanks in advance.
> >> >
> >>
> >> Make sure you restart the agent processes after adding the correct
> >> ignores.
>
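The alerts quoted in this thread all report the path in the form `C:\Inetpub/mailroot/...` (one backslash after the drive, forward slashes below it), while the `<ignore>` entries are written with backslashes throughout. The following is an added example, not code from the thread or from OSSEC itself: a small emulation that compares the posters' ignore patterns against the two alert paths quoted above, so the separator and case mismatch can be seen directly. It assumes that in OSSEC's sregex a leading `^` anchors the pattern at the start of the path and an un-anchored pattern matches as a substring, that the comparison is case-sensitive (the thread does not settle case handling), and that the "alert form" of a path keeps the first backslash and uses `/` for the rest, which is the shape visible in the quoted alerts. The helper names (`sregex_matches`, `matching_ignores`, `to_alert_form`, `check_config`) are this example's own.

```python
# Added example, not code from the thread or from OSSEC: emulate how a syscheck
# <ignore> entry is compared with the path that appears in an alert, using the
# two alert paths quoted in the thread.
#
# Labelled assumptions:
#  - In sregex a leading '^' anchors at the start of the path; an un-anchored
#    pattern may match anywhere (substring).
#  - Comparison is case-sensitive here; the thread does not settle whether the
#    real engine ignores case on Windows.
#  - The alert form of a path keeps the first backslash (after the drive) and
#    uses '/' below it, which is the shape visible in the quoted alerts.

from typing import Dict, Iterable, List

# Constructed from the alerts quoted in the thread.
ALERT_PATHS = [
    r"C:\Inetpub/mailroot/Badmail/348972394723894723894.BDR",
    r"C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt",
]


def sregex_matches(pattern: str, path: str) -> bool:
    """Minimal sregex emulation: '^' = start anchor, otherwise substring match."""
    if pattern.startswith("^"):
        return path.startswith(pattern[1:])
    return pattern in path


def matching_ignores(path: str, ignores: Iterable[str]) -> List[str]:
    """Return the <ignore> patterns that would suppress an alert for `path`."""
    return [p for p in ignores if sregex_matches(p, path)]


def to_alert_form(ignore: str) -> str:
    r"""Rewrite a backslash ignore pattern into the separator form the alerts use.

    r"^C:\Inetpub\mailroot" -> r"^C:\Inetpub/mailroot"  (first backslash kept)
    """
    anchor = "^" if ignore.startswith("^") else ""
    body = ignore[len(anchor):]
    first = body.find("\\")
    if first == -1:
        return ignore
    head, tail = body[: first + 1], body[first + 1:]
    return anchor + head + tail.replace("\\", "/")


def check_config(ignores: Iterable[str],
                 paths: Iterable[str] = ALERT_PATHS) -> Dict[str, Dict[str, List[str]]]:
    """For each alert path, list which ignores match as written and after rewriting."""
    ignores = list(ignores)
    rewritten_ignores = [to_alert_form(p) for p in ignores]
    report: Dict[str, Dict[str, List[str]]] = {}
    for path in paths:
        report[path] = {
            "as_written": matching_ignores(path, ignores),
            "rewritten": matching_ignores(path, rewritten_ignores),
        }
    return report


if __name__ == "__main__":
    # The three patterns discussed in the thread.
    ignores = [
        r"^C:\Inetpub\mailroot",            # poster's sregex, backslashes throughout
        r"C:\Inetpub\wwwroot\app1\logs",    # poster's plain ignore, lower-case 'logs'
        r"^C:\Inetpub/wwwroot/app1/Logs",   # Dan's suggested sregex, slashes and 'Logs'
    ]
    for path, result in check_config(ignores).items():
        print(path)
        print("  matched as written:          ", result["as_written"] or "none")
        print("  matched after '\\' -> '/':   ", result["rewritten"] or "none")
```

Running it shows that the backslash sregex `^C:\Inetpub\mailroot` matches neither alert as written, but does match the Badmail path once its inner backslashes become slashes, and that the lower-case `logs` pattern still misses the `Logs` alert under case-sensitive comparison, which is the `Log`/`logs` mismatch Dan pointed out. Whatever the real engine's case rules, an ignore pattern written in the exact separator form the alert reports is the one that can be verified against the alert text.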
