On Tue, Dec 17, 2013 at 10:13 AM, Georg Schönberger <[email protected]> wrote:
> Hi there,
>
> I want to exclude a specific filetype in a directory from the syscheck.
> As the ignore option in the syscheck only supports sregex, I don't know how
> to achieve this.
>
> If I use
> <ignore type="sregex">.log$</ignore>
> then all .log files are ignored.
>
> Is there a way to specify a pattern for one directory only?
>
Create a rule looking for syslog alerts, and for the directory you're
concerned with. Then create a second rule with an <if_sid> of the first
looking for the specific file type.

  <rule id="choochoo" level="X">
    <if_sid>551</if_sid> <!-- Probably wrong, can't remember for sure and too lazy to look up -->
    <match>/home/george/files/tuesdays</match>
    <description>Tuesday's files.</description>
  </rule>

  <rule id="choochoo2" level="0">
    <if_sid>choochoo</if_sid>
    <match>.log</match>
    <description>Ignore Tuesday's logfiles</description>
  </rule>

> Best regards, Georg
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
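Added example, not from the thread or from OSSEC itself: a small Python simulation of how the two chained rules above decide the final alert level, so you can see which syscheck alerts the level-0 child rule silences. It assumes that `<match>` is an unanchored substring test against the alert text, keeps the reply's placeholder directory, and stands in 7 for the parent's level="X".

```python
# Added example (not the thread's code, not OSSEC's engine): models the
# parent/child rule chain from the reply. Assumptions: <match> behaves as
# an unanchored substring test on the alert text, the directory is the
# reply's placeholder, and the parent level "X" is set to 7 here.

PARENT_LEVEL = 7                              # stands in for level="X"
WATCHED_DIR = "/home/george/files/tuesdays"   # the parent rule's <match>
IGNORED_TYPE = ".log"                         # the child rule's <match>


def syscheck_rule_fired(alert_text: str) -> bool:
    """Models the base syscheck rule the parent hooks via <if_sid>."""
    return alert_text.startswith("Integrity checksum changed for:")


def effective_level(alert_text: str):
    """Level the chain assigns to an alert, or None when no rule in the
    chain matches (the alert is then left to OSSEC's other rules)."""
    if not syscheck_rule_fired(alert_text):
        return None
    # Parent rule: <if_sid>base</if_sid> + <match>WATCHED_DIR</match>
    if WATCHED_DIR not in alert_text:
        return None
    # Child rule: <if_sid>parent</if_sid> + <match>.log</match>; level 0
    # means "matched, but do not alert", so it overrides the parent level.
    if IGNORED_TYPE in alert_text:
        return 0
    return PARENT_LEVEL


# Constructed sample alert texts in the shape syscheck messages take.
SAMPLE_ALERTS = [
    "Integrity checksum changed for: '/home/george/files/tuesdays/app.log'",
    "Integrity checksum changed for: '/home/george/files/tuesdays/notes.txt'",
    "Integrity checksum changed for: '/var/log/other/app.log'",
    "Integrity checksum changed for: '/home/george/files/tuesdays/app.log.bak'",
]

if __name__ == "__main__":
    for text in SAMPLE_ALERTS:
        print(effective_level(text), text)
```

The last sample is silenced too, because an unanchored `.log` also matches `app.log.bak`; anchor the pattern if that is not what you want.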
