I'm having trouble getting an ignore expression to actually ignore a change and suspect it's due to not understanding how OSSEC regular expressions work. When I searched for examples I found very little so I'm hoping someone can reply with examples or explanations. What I tried was:
<ignore type="regex">/var/lib/postgresql/9.5/main/base/\d+/\d+$</ignore>
<ignore>/var/lib/postgresql/9.5/main/pg_xlog/\d+$</ignore>
<ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
<ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>

I'm still getting alerts such as the following:

Integrity checksum changed for: '/var/lib/postgresql/9.5/main/base/16387/1259'
Integrity checksum changed for: '/var/lib/postgresql/9.5/main/pg_xlog/000000010000000000000026'
New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file system.

(I configured new file alerting and am glad to see it's working, but just not for this directory.)

Thanks for the help.
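Editor's note, as an added example that is not part of the original post: of the four entries quoted above, the one for pg_xlog is the only one written as a plain <ignore> with no type="regex" attribute. Without that attribute OSSEC syscheck compares the ignore value as a literal string, so the \d+$ in it is never interpreted as a pattern and a path such as .../pg_xlog/000000010000000000000026 does not match. The block below is the poster's own four patterns with type="regex" on every entry; the paths and patterns are unchanged, only the missing attribute is added, and the syscheck wrapper is assumed (it is where these entries live in ossec.conf).

```xml
<syscheck>
  <!-- Same four patterns as in the post; every entry now carries type="regex"
       so that \d, \w, + and $ are treated as OSSEC regex operators rather than
       as literal characters of the path. -->
  <ignore type="regex">/var/lib/postgresql/9.5/main/base/\d+/\d+$</ignore>
  <!-- This entry was the one missing type="regex" in the original config. -->
  <ignore type="regex">/var/lib/postgresql/9.5/main/pg_xlog/\d+$</ignore>
  <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
  <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>
</syscheck>
```

Two practical checks after making this change: syscheck only reads its configuration at startup, so the OSSEC daemon that runs syscheck has to be restarted for new ignore entries to take effect; and if the PostgreSQL host is an agent rather than the manager, the <ignore> entries must reach the agent's own configuration (its local ossec.conf, or the agent.conf pushed from the manager), since a manager-side ossec.conf does not change what the agent scans.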
