How to set OSSEC to ignore certain folders

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

How to set OSSEC to ignore certain folders

Unread post by gaia »

One of our backup solution's folders is being diff'ed by OSSEC and it is taking up a lot of space.

A) Should I edit ossec.conf and add <ignore>/path/to/folder/</ignore> or is there an ASL specific recommended way to do this?

B) Is it safe to delete the contents of this folder in /var/ossec/queue/diff/local/path/to/folder?

C) What is the default setting in ASL's conf of OSSEC for how many diffs are stored? How far back is the history kept?

thanks
CentOS 6.9
ASL 4.0.19-37
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: How to set OSSEC to ignore certain folders

Unread post by faris »

In the GUI, under the ASL tab, check out File Integrity. That's where you would normally add extra directories to ignore.

I would assume that as soon as you have added it to the ignore list, it would be safe to delete, but....

I'm not sure how long the diffs go back. They certainly take a huge amount of space in some cases.

So we'll wait for official word on these two questions.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: How to set OSSEC to ignore certain folders

Unread post by gaia »

Official word was:
A) Ignores are configured in ASL Web->File Integrity->Ignore Rules

B) You can, but it can increase disk IO: when it scans again it will add back the most recent copies. C is a better way to do it.

C) Retention is configured from ASL Web->Settings->ASL Configuration->Host Intrusion Detection System->Number of Days to retain File Diff data

The default is to retain revisions for 60 days.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: How to set OSSEC to ignore certain folders

Unread post by faris »

Brilliant, thanks.

I don't quite understand the answer to B though.

If the directory is ignored, why would it be scanned again?

Even if it was scanned again, I'm curious to know what exactly would be put back other than the most recent (single) diff (or diffs if there are a lot of files), which I'd have thought would result in the same or at least similar I/O as would normally happen? I guess it depends on the files and how much changes?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: How to set OSSEC to ignore certain folders

Unread post by scott »

I think he was asking if he deleted a whole diff tree that wasn't ignored. The next cycle (<frequency>XXXX) it would make copies of the files again.
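For readers who maintain ossec.conf by hand rather than through the ASL web interface, the following is an added example (not from this thread or from Atomicorp) of the syscheck block that the two earlier answers refer to: the <ignore> entries asked about in question A and the <frequency> value scott mentions. The paths and the 79200-second interval are constructed placeholders; the thread's own recommendation for ASL is to use ASL Web -> File Integrity -> Ignore Rules and the retention setting, so treat this as illustration of the underlying OSSEC settings, not the ASL procedure.

```xml
<ossec_config>
  <syscheck>
    <!-- Seconds between scans; scott's "<frequency>XXXX" is this value.
         79200 (22 hours) is a placeholder, not the ASL default. -->
    <frequency>79200</frequency>

    <!-- report_changes="yes" is what makes OSSEC keep file copies under
         /var/ossec/queue/diff/, which is the space the thread is about. -->
    <directories check_all="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Plain ignore: exact path prefix (hypothetical backup scratch folder). -->
    <ignore>/var/backups/tmp</ignore>

    <!-- Regex ignore: anything under the backup scratch folder, regardless of
         the short-lived temporary file names the backup job creates. -->
    <ignore type="sregex">^/var/backups/tmp/</ignore>
  </syscheck>
</ossec_config>
```

After editing, restart OSSEC so the new ignore list takes effect; the diff copies already stored for the ignored path are not removed by the ignore itself, which is why the thread separately discusses deleting them and the retention setting.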
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: How to set OSSEC to ignore certain folders

Unread post by gaia »

scott wrote:I think he was asking if he deleted a whole diff tree that wasn't ignored. The next cycle (<frequency>XXXX) it would make copies of the files again.
In my case it wouldn't. The diff scan and the backup run roughly at the same time, and I am changing that. But the temporary files created by the backup solution were getting picked up by the diff process. Since they are deleted once the backup completes, the next time the diff runs it won't have any files to watch over in that folder.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: How to set OSSEC to ignore certain folders

Unread post by faris »

Ah, yes, I understand.

Thanks to both of you.