bookmark_borderProcess monitoring with OSSEC

OSSEC v2.3 was just released and one feature that really interested me was the Process monitoring. That’s what the OSSEC team says about it:

“We love logs. Inside OSSEC we treat everything as if it was a log and parse it appropriately with our rules. However, some information is not available in log files but we still want to monitor them. To solve that gap, we added the ability to monitor the output of commands via OSSEC and treat those just like they were log files.”

Basically, it allows you to monitor the output of any command and generate alerts/active responses from them.

Cool, let’s try it out. First, let’s monitor the output of “httpd status” to receive alerts if Apache ever goes down. I added the following command to my ossec.conf and the following rule to my local_rules:

/etc/init.d/httpd status

ossec: output: ‘/etc/init.d/httpd status’:
is stopped

Now, if I manually stop Apache to try it out, I get in a few seconds via email:

2009 Dec 08 10:45:04 (sucuri) xx->/etc/init.d/httpd status
Rule: 100200 (level 10) -> ‘Apache STOPPED.’
Src IP: (none)
User: (none)
ossec: output: ‘/etc/init.d/httpd status’: httpd is stopped

Perfect! Now I can have all my monitoring in just one tool… Next step is to create an active response to restart the service on failure.

bookmark_borderOSSEC v2.3 released

Directly from

What is new?

  1. Log analysis rules for the Nginx web server
  2. Log analysis rules for Suhosin (Hardened PHP)
  3. Support for real time file integrity monitoring on Windows systems
  4. Support for monitoring the output of commands (process monitoring)
  5. And a lot more…

Check out our v2.3 changelog of the complete list of new features and bugs fixed.

Download the new version from

*Special thanks to our contributors Jeremy Rossi, Fabio Paracchini and Michael Starks and our beta testers Dan Parriott, Michael Starks, Timo Vehvilainen and Jeremy Rossi.