AFAIK, the ignore option has always worked fine, meaning that those files are not scanned/monitored. Joseph, I would say the problem is caused because you are using realtime and report_changes together (pretty sure this could fill up your hard disk space quickly).

Here are a couple of issues to keep in mind with the realtime option:

- It doesn't monitor files when rootcheck is running (meaning that it can actually take a while to report the file change, could be several minutes).
- It doesn't monitor new files until the next iteration of syscheck (a while loop), when file descriptors are reset for the directory monitored in realtime. This can take SYSTEM_WAIT (300 seconds, hardcoded) + time to run the syscheck + time to run the rootcheck.

Hope that helps

On Thu, Mar 3, 2016 at 10:35 AM, dan (ddp) <[email protected]> wrote:
> On Thu, Mar 3, 2016 at 1:27 PM, Santiago Bassett <[email protected]> wrote:
> > Weird, are you sure the ignored directories are getting scanned? Maybe have
> > a duplicated directory given to the Syscheck both in ossec.conf and
> > agent.conf?
>
> Unless something has changed, that's been the way it's worked for years now.
>
> > On Thu, Mar 3, 2016 at 7:00 AM, Joseph cosgrove <[email protected]> wrote:
> >>
> >> I have a large number of applications that I need to monitor and I was
> >> wondering if there is a syscheck configuration option that I can use that
> >> will not scan certain directories and/or files (similar to the way the
> >> skip_nfs aborts syschecks). I have my agent_conf set to ignore the
> >> directories that I want to ignore, however syscheck still scans on the
> >> agents and creates entries in /var, potentially filling up disk space. Given
> >> the large number of apps that we have, writing custom rules to remedy this
> >> is tedious.
> >>
> >> I have my agent configuration scanning in real time like this:
> >>
> >> <directories check_all="yes" realtime="yes" report_changes="yes">path/to/dir</directories><ignore>path/to/logs</ignore>
> >>
> >> This is what is listed in the Documentation, is there a config option
> >> anyone can think of that will help with my issue?
> >>
> >> ignore
> >>
> >> List of files or directories to be ignored (one entry per element). The
> >> files and directories are still checked, but the results are ignored.
> >>
> >> Default: /etc/mtab
> >>
> >> Attributes:
> >>
> >> type: Value=sregex
> >>
> >> This is a simple regex pattern to filter out files so alerts are not
> >> generated.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
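As an added illustration of Santiago's point (not part of the thread, and not an official OSSEC example): Joseph's fragment with realtime and report_changes combined, beside a version that drops report_changes and uses the sregex form of ignore from the documentation quoted above. The paths are placeholders, and the surrounding agent_config/syscheck wrapper is assumed from the mention of agent.conf.

```xml
<!-- Before (the fragment posted in the thread): realtime together with
     report_changes on a tree that also holds log files. report_changes keeps
     copies of changed files under /var (the entries Joseph mentions), so
     frequently written logs fill the disk. -->
<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">/path/to/dir</directories>
    <ignore>/path/to/logs</ignore>
  </syscheck>
</agent_config>

<!-- After: keep realtime for change detection but drop report_changes, and
     ignore the log tree with an sregex pattern (^ anchors the path start) so
     every file beneath it is filtered. Per the documentation, ignore only
     suppresses the alerts; the files are still checked by syscheck. Remember
     also that realtime does not pick up new files until the next syscheck
     iteration, as described in the reply above. -->
<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">/path/to/dir</directories>
    <ignore type="sregex">^/path/to/logs/</ignore>
  </syscheck>
</agent_config>
```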