I have a problem configuring OSSEC rootcheck. While rootcheck is scanning my data directories, which hold an enormous number of files, the application server suffers from high CPU overload and I/O wait.
Current settings from ./etc/ossec.conf:

    <rootcheck>
      <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
      <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    </rootcheck>

I have already modified the systemcheck settings to exclude my dirs.
The question is: how do I exclude particular dirs from scanning during rootcheck, not from the notification?