We talk about ignoring file extension here: https://groups.google.com/forum/?hl=en#!searchin/ossec-list/jesus/ossec-list/hFbTx5uxLmU/HTTNtrrbCgAJ
You could use:

<ignore type="^sregex">.jpg$</ignore>

Also, you can create a specific rule with "<if_group>syscheck</if_group>".

Regards.
Jesus Linares.

On Wednesday, February 10, 2016 at 12:21:41 AM UTC+1, dan (ddpbsd) wrote:
>
> On Feb 9, 2016 6:16 PM, "Leo G" <[email protected]> wrote:
> >
> > Hi,
> >
> > Can someone please help with the regex? I want to exclude all the .jpg files in xxx/xxx/,
> >
> > I have config in ossec.conf below:
> >
> > <alert_new_files>yes</alert_new_files>
> > <directories check_all="yes">/home/xxx</directories>
> > <ignore>/home/xxx/xxx/\S*\.jpg</ignore>
>
> I don't think ignore accepts regex.
>
> > </syscheck>
> >
> > However it seems it's still not ignoring all the jpg files, still getting alerts for all the new jpg files.
> >
> > Also used 'ossec-regex' for testing,
> >
> > > /var/ossec/bin/ossec-regex '/home/xxx/xxx/\S*\.jpg'
> > > New file '/home/xxx/xxx/yyy.jpg' added to the file system.
> >
> > +OSRegex_Execute: New file '/home/xxx/xxx/yyy.jpg' added to the file system.
> > +OS_Regex       : New file '/home/xxx/xxx/yyy.jpg' added to the file system.
> > ^C
> >
> > Seems to be matching.
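
One way to write the rule-based alternative mentioned in the reply, as an added example that is not from the thread: a local rule at level 0 that silences new-file alerts for .jpg files under the path in the question. The rule id 100100, the group name and the description are assumptions; the regex is the one the question tested with ossec-regex.

```xml
<!-- local_rules.xml on the OSSEC manager (added example, not from the thread) -->
<group name="local,syscheck,">
  <!-- id 100100 is an assumed, unused id in the local rule range -->
  <rule id="100100" level="0">
    <!-- only evaluated for events already classified into the syscheck group -->
    <if_group>syscheck</if_group>
    <!-- OS_Regex pattern from the question, matched against the alert text
         "New file '/home/xxx/xxx/yyy.jpg' added to the file system." -->
    <regex>/home/xxx/xxx/\S*\.jpg</regex>
    <description>Ignore syscheck events for .jpg files under /home/xxx/xxx (constructed)</description>
  </rule>
</group>
```

A level 0 rule only suppresses the alert; syscheck still scans the files, whereas an `<ignore>` entry skips them at scan time.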
