{"id":408,"date":"2009-12-08T18:23:53","date_gmt":"2009-12-08T18:23:53","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=408"},"modified":"2020-07-03T18:25:23","modified_gmt":"2020-07-03T18:25:23","slug":"process-monitoring-with-ossec-2","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2009\/12\/process-monitoring-with-ossec-2\/","title":{"rendered":"Process monitoring with OSSEC"},"content":{"rendered":"\n<p>OSSEC v2.3&nbsp;<a href=\"http:\/\/www.ossec.net\/main\/ossec-v23-released\">was just released<\/a>&nbsp;and one feature that really interested me was the&nbsp;<a href=\"http:\/\/www.ossec.net\/main\/manual\/manual-process-monitoring\/\">Process monitoring<\/a>. That\u2019s what the OSSEC team says about it:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u201cWe love logs. Inside OSSEC we treat everything as if it was a log and parse it appropriately with our rules. However, some information is not available in log files but we still want to monitor them. To solve that gap, we added the ability to monitor the output of commands via OSSEC and treat those just like they were log files.\u201d<\/p><\/blockquote>\n\n\n\n<p>Basically, it allows you to monitor the output of any command and generate alerts\/active responses from them.<\/p>\n\n\n\n<p>Cool, let\u2019s try it out. First, let\u2019s monitor the output of \u201chttpd status\u201d to receive alerts if Apache ever goes down. I added the following command to my ossec.conf and the following rule to my local_rules:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><br>command<br>\/etc\/init.d\/httpd status<\/p><p><br>530<br>ossec: output: \u2018\/etc\/init.d\/httpd status\u2019:<br>is stopped<br>Apache STOPPED.<\/p><\/blockquote>\n\n\n\n<p>Now, if I manually stop Apache to try it out, I get in a few seconds via email:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>2009 Dec 08 10:45:04 (sucuri) xx-&gt;\/etc\/init.d\/httpd status<br>Rule: 100200 (level 10) -&gt; \u2018Apache STOPPED.\u2019<br>Src IP: (none)<br>User: (none)<br>ossec: output: \u2018\/etc\/init.d\/httpd status\u2019: httpd is stopped<\/p><\/blockquote>\n\n\n\n<p>Perfect! Now I can have all my monitoring in just one tool\u2026 Next step is to create an active response to restart the service on failure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OSSEC v2.3&nbsp;was just released&nbsp;and one feature that really interested me was the&nbsp;Process monitoring. That\u2019s what the OSSEC team says about it: \u201cWe love logs. Inside OSSEC we treat everything as if it was a log and parse it appropriately with our rules. However, some information is not available in log files but we still want [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[18],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/408"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=408"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/408\/revisions"}],"predecessor-version":[{"id":409,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/408\/revisions\/409"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}