So we've created an autoscaling group with an AMI of our own. That AMI has a server and an automated OSSEC service that reports to a Slack channel. The thing is that when a new instance is launched, OSSEC sends a lot of alerts because the file signatures are different, and that is OK because when a new instance is launched it recreates the AMI in new volumes.
Now, how can I have OSSEC installed in those AMIs, but when I launch a new instance not get all the alerts about changed files?
I tried restarting the OSSEC service when a new instance is launched, but it had the same behavior: OSSEC sends alerts that all the files were changed.
One way to solve this could be using a cron job or systemd to restart or start the hybrid OSSEC process.
In my case we decided to add the folders to the exceptions so that OSSEC doesn't scan those folders.
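
The exclusion approach from the answer above, as an added example that is not part of the original answer: a shell function for the AMI build step that idempotently adds `<ignore>` entries to the `<syscheck>` block of an OSSEC config. The sample config, the `/opt/app/...` paths and the function names are constructed placeholders, since the page does not say which folders were excluded.

```shell
#!/bin/sh
# Added example: add <ignore> entries to the first <syscheck> block of an
# OSSEC config file. Function names and sample paths are hypothetical.

add_syscheck_ignore() {
    conf=$1
    shift
    for dir in "$@"; do
        # Skip paths already excluded so repeated bakes do not duplicate entries.
        if grep -qF "<ignore>$dir</ignore>" "$conf"; then
            continue
        fi
        tmp=$(mktemp) || return 1
        # Insert the new entry just before the first closing </syscheck> tag.
        awk -v entry="    <ignore>$dir</ignore>" '
            /<\/syscheck>/ && !done { print entry; done = 1 }
            { print }
        ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
        # Fail without touching the config if it had no <syscheck> block.
        if ! grep -qF "<ignore>$dir</ignore>" "$tmp"; then
            rm -f "$tmp"
            return 1
        fi
        # Overwrite in place so the file keeps its owner and permissions.
        cat "$tmp" > "$conf" && rm -f "$tmp"
    done
}

# Constructed sample config, written to a temp file so the demo runs offline.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/opt/app</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
EOF
    echo "$f"
}

sample=$(make_sample_conf)
add_syscheck_ignore "$sample" /opt/app/cache /opt/app/tmp
cat "$sample"
rm -f "$sample"
```

Every ignored path is a path syscheck no longer watches, so keep the list to directories that are expected to change on each launch.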