Creating Patterns in Inclusion/Exclusion Filters
By using Inclusion/Exclusion filters, you can achieve the following:
- Monitor only what is required instead of inundating the platform with false positives. Anything that is not required is dropped at the agent level itself and never reaches the platform, reducing the load on both the agent and the platform.
For example, if you want to monitor modifications only on database files under C:\ProgramData, then a File type Inclusion filter can be used and ‘*.db’ should be entered as the relative path. Any event that is not for a ‘.db’ file is dropped and does not go on to the platform.
- Reduce unnecessary processing by the Qualys Cloud Agent.
- CPU usage is kept to a minimum, which is a strength of the Qualys Cloud Agent.
Supported Patterns
The files/directories patterns entered in Advanced Options to include or exclude files/directories for monitoring are validated against these rules.
Supported Pattern Types for Windows Directory
- Do not use these special characters / " < > | in directory paths.
- Can contain a maximum of 260 characters including spaces, slashes and [ ] { } ( ) * ? ' (? is a single character wildcard, and * is a multi-character wildcard).
Supported Pattern Types for Windows File
- Do not use these special characters / " < > | in file names. Special characters allowed are [ ] { } ( ) * ? ' (? is a single character wildcard, and * is a multi-character wildcard).
- Can contain a maximum of 260 characters including spaces, slashes.
Supported Pattern Type for Linux Directory
- Do not use these special characters \ " < > : | in directory paths.
- Can contain a maximum of 4096 characters including spaces, slashes and [ ] { } ( ) * ? ' (? is a single character wildcard, and * is a multi-character wildcard).
Supported Pattern Type for Linux File
- Do not use these special characters \ " < > : | in file names. Special characters allowed are [ ] { } ( ) * ? ' (? is a single character wildcard, and * is a multi-character wildcard).
- Can contain a maximum of 255 characters including spaces, slashes.
Wildcard Support while Writing Patterns in Inclusion/Exclusion Filters
- ‘?’ is a single character wildcard.
- ‘*’ is a multi-character wildcard.
- ‘*’ can only be used at the beginning or end of a string literal or in lieu of a string literal.
- ‘*’ should never be used on both sides of a string literal.
- *.* is supported.
Note: ‘*’ should never be used on both sides of a string literal. Example: "*file*" is not supported.
Some examples showing the usage of the above rules:
Valid usage of wildcards | Invalid usage of wildcards
*.* | *microsoft*
Text?.txt |
*.log |
Win?ow?.log |
*host.dat |
qualys* |
?icro?oft |
Sample Scenarios for Inclusion and Exclusion filter
Here are a few sample scenarios for Inclusion and Exclusion filters. The inclusion and exclusion filters may change based on your environment and use case.
- Scenario 1: You want to monitor events for any kind of modification on configuration [*.conf] files and want to block events for [*.sh] files.
- Scenario 2: You want to monitor events for changes only in *.conf type of files and exclude the rest.
- Scenario 3: You want to monitor events for modifications in any type of file (with an extension) excluding the ones with the ‘.sh’ extension.
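The pattern rules and the three scenarios above, worked through in code. This is an added example and not Qualys code: it validates patterns against the documented character, length and wildcard rules, then applies inclusion/exclusion lists to sample file events. It assumes that an exclusion match always drops the event, that file patterns are compared against the file name only (as in the ‘*.db’ example), and that [ ] { } ( ) are literals; the function names are my own.

```python
import re

# Constructed example encoding the rules documented on this page; not Qualys code.
# How the agent actually parses patterns may differ in details not stated here.
FORBIDDEN = {"windows": set('/"<>|'), "linux": set('\\"<>:|')}
MAX_LEN = {("windows", "dir"): 260, ("windows", "file"): 260,
           ("linux", "dir"): 4096, ("linux", "file"): 255}

def validate_pattern(pattern, platform="linux", kind="file"):
    """Return None if the pattern obeys the documented rules, else the reason it fails."""
    if len(pattern) > MAX_LEN[(platform, kind)]:
        return "exceeds %d characters" % MAX_LEN[(platform, kind)]
    bad = FORBIDDEN[platform] & set(pattern)
    if bad:
        return "contains forbidden characters " + "".join(sorted(bad))
    if pattern == "*.*" or pattern.strip("*") == "":
        return None  # '*.*' is explicitly supported; a bare '*' stands in for a literal
    if pattern.startswith("*") and pattern.endswith("*"):
        return "'*' on both sides of a string literal is not supported"
    if "*" in pattern.strip("*"):
        return "'*' may only appear at the beginning or end of a string literal"
    return None

def to_regex(pattern):
    """'?' matches exactly one character, '*' zero or more; everything else is literal."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts))

def event_reaches_platform(path, include=(), exclude=()):
    """Agent-side drop decision (assumed semantics: an exclusion match always wins;
    when inclusion patterns are set, the file must also match one of them).
    File patterns are compared against the file name only."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    for p in list(include) + list(exclude):
        reason = validate_pattern(p)
        if reason:
            raise ValueError("%r: %s" % (p, reason))
    if any(to_regex(p).fullmatch(name) for p in exclude):
        return False
    return not include or any(to_regex(p).fullmatch(name) for p in include)

if __name__ == "__main__":
    for p in ["*.*", "Text?.txt", "qualys*", "*microsoft*", "a*b"]:
        print(p, "->", validate_pattern(p) or "valid")
    # Scenario 3: any file with an extension, except '.sh' scripts
    print(event_reaches_platform("/etc/app.conf", include=["*.*"], exclude=["*.sh"]))
```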