Here is my syscheck config in ossec.conf:
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<scan_on_start>no</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/var/lib/backuppc</ignore>
<ignore type="sregex">^/var/lib/backuppc</ignore>
<ignore type="sregex">/var/lib/backuppc/\.*</ignore>
<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
Nothing special, I guess.
On Wednesday, 2 October 2013 14:47:05 UTC+2 dan (ddpbsd) wrote:
>
> On Wed, Oct 2, 2013 at 6:51 AM, Jan Kopecký <[email protected]> wrote:
> >> What version of OSSEC?
> >
> > 2.7 (upgraded from previous versions)
> >
> >
> >> Are there any symlinks pointing to /var from the other places?
> >
> > no
> >
> >
> >> Is this an agent, local,or server install?
> >
> > it is server install
> >
> >> Possible agent.conf issue?
> >
> > what should I search for?
> >
>
> Syscheck entries that apply to that system.
>
> > On Thursday, 26 September 2013 15:52:24 UTC+2 dan (ddpbsd) wrote:
> >>
> >> On Wed, Nov 7, 2012 at 6:01 PM, SupuS <[email protected]> wrote:
> >> > Hello,
> >> >
> >> > I would like to exclude the directory /var/lib/backuppc from ossec-syscheckd
> >> > completely. The OSSEC server is installed on the same host and every day it
> >> > scans this directory. It takes many hours and a lot of CPU and I really don't
> >> > want to scan this directory. Is there a way to do it?
> >> >
> >> > In /var/ossec/etc/ossec.conf I have:
> >> >
> >> >> <!-- Directories to check (perform all possible verifications) -->
> >> >> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >> >> <directories check_all="yes">/bin,/sbin</directories>
> >> >
> >> >
> >> > so the /var directory should not be scanned at all... right? But it is
> >> > scanned every time ossec-syscheckd runs.
> >> >
> >> > Thanks for any suggestion
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
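As an added example (not from this thread and not OSSEC's own code), a small Python audit that reads a syscheck block like the one posted above, classifies a path as monitored, ignored or unmonitored from the config alone, and then lists symlinks below the monitored directories that resolve into /var/lib/backuppc, which is the case dan's symlink question points at. It assumes a plain <ignore> is compared as a path prefix, and it runs against a constructed temporary tree rather than the live host.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
# Constructed sample: a trimmed copy of the syscheck block posted above.
SYSCHECK_XML = """<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <ignore>/etc/mtab</ignore>
  <ignore>/var/lib/backuppc</ignore>
</syscheck>"""

def parse_syscheck(xml_text):
    """Return (monitored_dirs, ignore_prefixes) from a <syscheck> element."""
    root = ET.fromstring(xml_text)
    dirs = [d.strip() for el in root.findall("directories")
            for d in el.text.split(",") if d.strip()]
    # Assumption: an <ignore> without a type attribute is compared as a path prefix.
    ignores = [i.text.strip() for i in root.findall("ignore")
               if i.get("type") is None]
    return dirs, ignores

def _under(path, top):
    return path == top or path.startswith(top + "/")

def coverage(path, dirs, ignores):
    """Classify a path as unmonitored, ignored or monitored from the config alone."""
    if not any(_under(path, d) for d in dirs):
        return "unmonitored"
    return "ignored" if any(_under(path, i) for i in ignores) else "monitored"

def symlinks_into(dirs, target, root=""):
    """Symlinks below monitored dirs resolving inside `target`; `root` prefixes paths."""
    real_target = os.path.realpath(root + target)
    hits = []
    for d in dirs:
        for cur, subdirs, files in os.walk(root + d):  # os.walk does not follow links
            for name in subdirs + files:
                p = os.path.join(cur, name)
                if os.path.islink(p) and _under(os.path.realpath(p), real_target):
                    hits.append(p[len(root):])
    return sorted(hits)

def demo():
    dirs, ignores = parse_syscheck(SYSCHECK_XML)
    tmp = tempfile.mkdtemp()  # constructed tree: /etc/backup -> /var/lib/backuppc
    for d in dirs + ["/var/lib/backuppc/pc"]:
        os.makedirs(tmp + d, exist_ok=True)
    os.symlink(tmp + "/var/lib/backuppc", tmp + "/etc/backup")
    return coverage("/var/lib/backuppc/pc", dirs, ignores), symlinks_into(dirs, "/var/lib/backuppc", tmp)
```

Run `demo()` to see that the config itself never covers /var/lib/backuppc, while the constructed symlink under /etc is reported as a way the tree could still be reached from a monitored directory.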