Hi Leo,

I'm glad you can solve your issue with the rules, but ignore should work.

The symbol ^ in "<ignore type="^sregex">.jpg$</ignore>" is a typo. You could try with <ignore type="sregex">.jpg$</ignore>.

Check the documentation out: http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/

Regards.
Jesus Linares.

On Wednesday, February 10, 2016 at 11:42:52 PM UTC+1, Leo G wrote:
>
> Thank you!!
>
> add match and regex in rules worked for me.
>
> no luck with ignore="sregex" :(
>
> On Wednesday, 10 February 2016 10:16:08 UTC+11, Leo G wrote:
>>
>> Hi,
>>
>> Can someone please help with the regex? I want to exclude all the .jpg
>> files in xxx/xxx/,
>>
>> I have config in ossec.conf below:
>>
>> <alert_new_files>yes</alert_new_files>
>> <directories check_all="yes">/home/xxx</directories>
>> <ignore>/home/xxx/xxx/\S*\.jpg</ignore>
>> </syscheck>
>>
>> However it seems it's still not ignoring all the jpg files, still getting
>> alerts for all the new jpg files.
>>
>> Also used 'ossec-regex' for testing,
>>
>> > /var/ossec/bin/ossec-regex '/home/xxx/xxx/\S*\.jpg'
>> > New file '/home/xxx/xxx/yyy.jpg' added to the file system.
>>
>> +OSRegex_Execute: New file '/home/xxx/xxx/yyy.jpg' added to the file
>> system.
>> +OS_Regex : New file '/home/xxx/xxx/yyy.jpg' added to the file
>> system.
>> ^C
>>
>> Seems to be matching.
>>
