Thanks for the reply Th.G., but that's exactly my problem, the regex supported in ignore is "sregex" only, which is a simpler regex and it does not support "\.+" (which I presume you mean, not "\+"). I did mention that in my email.
The sregex is described at: http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html?highlight=sregex (the lower part of the page). The configuration examples you mentioned, for sregex in ignore, only show something simple like below, not full regex:

<ignore type="sregex">.log$|.tmp</ignore>
or
<ignore type="sregex">^/opt/application/log</ignore>

For the moment, since I guess there is no way to make this happen in the current OSSEC version, I have decided to try ignoring the whole /etc/SOMEDIR folder, and hope that the copies of the sensitive files don't get created in /var/ossec/queue/diff/local.

Thank you for your time.

On Tue, Mar 25, 2014 at 7:42 AM, Th. G. <[email protected]> wrote:
> You need to tell ossec that you are using regex in your ignore list like
> <ignore type="sregex">^/etc/SOMEDIR/\+.data$</ignore>
>
> Look here:
>
> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/index.html#configuration-examples
>
> Hope that helps.
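As an added illustration (not code from this thread or from OSSEC itself): a small Python model of the sregex matching described on the linked docs page, assuming only ^, $ and | are special and everything else, including "\" and "+", is a literal substring matched case-sensitively. It runs the pattern suggested in the quoted reply and the whole-directory workaround over a few constructed paths to show what each entry would actually ignore.

```python
# Added example: simplified model of OSSEC's "sregex" (simple pattern) syntax.
# Assumption (not OSSEC's own code): only ^ (start anchor), $ (end anchor) and
# | (alternation) are special; every other character is a literal substring and
# matching is case-sensitive. The "!" negation form is deliberately left out.


def sregex_match(pattern: str, path: str) -> bool:
    """True if any '|'-separated alternative of `pattern` matches `path`."""
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        end = alt.endswith("$") and len(alt) > 1
        literal = alt[1 if start else 0 : -1 if end else None]
        if start and end:
            hit = path == literal
        elif start:
            hit = path.startswith(literal)
        elif end:
            hit = path.endswith(literal)
        else:
            hit = literal in path  # plain substring: no wildcards, no "\." or "+"
        if hit:
            return True
    return False


def ignored_paths(pattern: str, paths) -> list:
    """Subset of `paths` that an <ignore type="sregex"> entry would skip."""
    return [p for p in paths if sregex_match(pattern, p)]


# Constructed sample of paths syscheck might see; not taken from the thread.
SAMPLE_PATHS = [
    "/etc/SOMEDIR/secret.data",
    "/etc/SOMEDIR/public.conf",
    "/etc/passwd",
    "/opt/application/log/app.log",
    "/var/tmp/cache.tmp",
]

if __name__ == "__main__":
    for pat in (r"^/etc/SOMEDIR/\+.data$",  # quoted suggestion: "\+" is literal, matches nothing
                "^/etc/SOMEDIR",            # poster's workaround: skips the whole directory
                ".data$"):                  # alternative: any .data file, in any monitored dir
        print(f"{pat!r:28} -> {ignored_paths(pat, SAMPLE_PATHS)}")
```

The second pattern shows the trade-off of the workaround: everything under /etc/SOMEDIR, not just the sensitive files, drops out of integrity monitoring.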
