Hello all, I'm trying to use Ossec in a very rudimentary process monitoring capacity (similar to Nagios or Big Brother). However, everything I've read so far only applies to process monitoring on Windows systems; nothing in the manual or wiki references Linux/Unix process monitoring at all, even though the system_audit_rcl.txt file clearly lists "p" as one of the types available. Is it possible to use Ossec (1.5) on the client side to monitor for a particular process running?
If so, is the check basically done via "ps -ef | grep <process> | grep -v grep"... where Ossec will just look for any returned lines and accept those as a positive check? What I'm trying to do is send an alert when a process does not exist (i.e., isn't running). Is there any example out there for Linux systems that I could look at? I'm quite surprised that the wiki and manual (and even the book, which we've purchased) make no mention of such a monitoring scenario. Specifically, we need stunnel running on our logging server, and need to be notified when the process is no longer running. Thanks in advance for any and all help.

--
Timothy Meader
L-3 Communications, NASA EOS Security Operations
[EMAIL PROTECTED]
(301) 614-6371

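The post proposes "ps -ef | grep <process> | grep -v grep" as the check. That pattern matches substrings anywhere on the ps line (a file argument containing "stunnel" would count as a hit), and it needs the "grep -v grep" trick to stop matching itself. The script below is an added example, not from the original thread or from the OSSEC project: it does an exact match on the command-name column instead, and prints one stable line per check so a log collector can alert on the "NOT running" variant. The `process_in_listing` helper parses a listing that is passed in as text, so the logic can be exercised offline against the constructed `SAMPLE_LISTING`; `process_running` is the live wrapper around `ps -eo comm=`. The assumption is that OSSEC (in a release that supports command-output monitoring; whether 1.5 does is not confirmed here) or any other collector runs `report_process stunnel` periodically and has a rule matching `process-check: .* NOT running`.

```shell
#!/bin/sh
# Exact-match process presence check for use from a log/command collector.
# Example code, not part of the original post or the OSSEC project.

# process_in_listing NAME LISTING
#   LISTING is text with one command name per line (the shape of `ps -eo comm=`).
#   Returns 0 if NAME appears as a whole line, 1 otherwise.
#   grep -x forces a whole-line match, so "stunnel" does not match
#   "stunnel-wrapper", and there is no self-match to filter out.
process_in_listing() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# process_running NAME
#   Live check against the running system. Note: on Linux the comm column is
#   the executable basename truncated to 15 characters, so pass the name in
#   that form (e.g. "stunnel", not "/usr/sbin/stunnel").
process_running() {
    process_in_listing "$1" "$(ps -eo comm=)"
}

# report_process NAME
#   Emits a single line a collector can match on. Exit status 1 when absent,
#   so the same function also works from cron or a Nagios-style plugin.
report_process() {
    if process_running "$1"; then
        printf 'process-check: %s running\n' "$1"
        return 0
    fi
    printf 'process-check: %s NOT running\n' "$1"
    return 1
}

# Constructed sample listing used only to demonstrate the parser offline.
SAMPLE_LISTING='init
sshd
stunnel
syslogd
grep'

# Stand-alone usage: ./check_process.sh stunnel
if [ -n "$1" ]; then
    report_process "$1"
fi
```

If OSSEC's command monitoring is available, a `<localfile>` with `<log_format>command</log_format>` pointing at this script (assumed configuration, adjust to the version in use) turns each run into a log line, and a rule keyed on the "NOT running" text produces the alert when stunnel has stopped; the exact-match check also means a stray process with "stunnel" in its arguments will not mask a real outage.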