On Tuesday, 17 December 2013 16:58:59 UTC+1, dan (ddpbsd) wrote:
>
> On Tue, Dec 17, 2013 at 10:13 AM, Georg Schönberger
> <[email protected]> wrote:
> > Hi there,
> >
> > I want to exclude a specific filetype in a directory from the syscheck.
> > As the ignore option in the syscheck only supports sregex, I don't know how
> > to achieve this.
> >
> > If I would use
> > <ignore type="sregex">.log$</ignore>
> > then all .log files are ignored.
> >
> > Is there a way to specify a pattern for one directory only?
> >
>
> Create a rule looking for syslog alerts, and for the directory you're
> concerned with. Then create a second rule with an <if_sid> of the
> first looking for the specific file type.
>
> <rule id="choochoo" level="X">
>   <if_sid>551</if_sid> <!-- Probably wrong, can't remember for sure and too lazy to lookup -->
>   <match>/home/george/files/tuesdays</match>
>   <description>Tuesday's files.</description>
> </rule>
>
> <rule id="choochoo2" level="0">
>   <if_sid>choochoo</if_sid>
>   <match>.log</match>
>   <description>Ignore Tuesday's logfiles</description>
> </rule>
>
> > Best regards, Georg
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
>
Hi Dan,

thanks for your answer. I have thought about implementing it over custom rules also, thanks for the example.
I was just interested, if the syscheck xml configuration in the ossec.conf can also ignore file patterns in a directory. But it seems it doesn't.

- Georg
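Added example, not part of the original thread and not OSSEC code: a simplified Python model of sregex matching that compares the single syscheck ignore pattern with the two-rule chain suggested above. It assumes matching against the bare file path rather than the full alert text, and BASE_LEVEL is a hypothetical alert level for both the stock syscheck rule and the parent rule.

```python
# Added illustration (not OSSEC source): simplified model of sregex matching.
WATCHED_DIR = "/home/george/files/tuesdays"  # directory from the thread
BASE_LEVEL = 7  # assumed level of the stock syscheck rule and of the parent rule


def sregex_match(pattern: str, text: str) -> bool:
    """Literal substrings only; '|' separates alternatives, '^'/'$' anchor them."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        literal = alt[1:] if at_start else alt
        literal = literal[:-1] if at_end else literal
        if not literal:
            continue
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def chained_rule_level(path: str) -> int:
    """Parent rule matches the directory; child rule (level 0) matches '.log'."""
    if not sregex_match(WATCHED_DIR, path):
        return BASE_LEVEL  # parent did not fire, stock rule applies
    if sregex_match(".log", path):
        return 0  # child rule silences the alert
    return BASE_LEVEL  # parent fired, child did not


if __name__ == "__main__":
    samples = [  # constructed paths
        "/var/log/auth.log",
        WATCHED_DIR + "/app.log",
        WATCHED_DIR + "/report.txt",
        WATCHED_DIR + "/app.login.conf",
    ]
    for p in samples:
        print(p, "| ignored by .log$:", sregex_match(".log$", p),
              "| chain level:", chained_rule_level(p))
```

The last sample shows that the unanchored `.log` match in the child rule also silences `app.login.conf` inside the watched directory, which is worth checking before relying on the chain.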
