Hi Tim,

OSSEC can be used as that, but the policy monitoring is not executed frequently enough by default, so you will need to change the rootcheck frequency to a lower value (probably every 10 or 20 minutes, depending on how quickly you want to be notified).

As far as Unix process monitoring, it works very similarly to the Windows one. For example, if you want to be alerted whenever ossec-analysisd is running, you can add:

[Process ossec-analysisd running] [any] []
p:r:ossec-analysisd;

Or if you want to be alerted whenever it is NOT running, do:

[Alert! Process ossec-analysisd NOT running] [any] []
p:!r:ossec-analysisd;

Hope it helps..

*yes, we need to update the wiki with this information... Anyone interested in doing that? :)

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Jun 3, 2008 at 1:15 PM, Tim Meader <[EMAIL PROTECTED]> wrote:
>
> Hello all,
>
> I'm trying to use Ossec in a very rudimentary process monitoring
> capacity (similar to Nagios or Big Brother). However, everything I've
> read so far only applies to process monitoring on Windows systems;
> nothing in the manual or wiki references Linux/Unix process monitoring
> at all, even though the system_audit_rcl.txt file clearly lists "p" as
> one of the types available. Is it possible to use Ossec (1.5) on the
> client side to monitor for a particular process running?
>
> If so, is the check basically done via "ps -ef | grep <process> | grep
> -v grep"... where Ossec will just look for any returned lines and accept
> those as a positive check? What I'm trying to do is send an alert when a
> process does not exist (i.e. - isn't running). Is there any example out
> there for Linux systems that I could look at? I'm quite surprised that
> the wiki and manual (and even the book, which we've purchased) make no
> mention of such a monitoring scenario.
>
> Specifically, we need stunnel running on our logging server, and need to
> be notified when the process is no longer running.
>
> Thanks in advance for any and all help.
> --
>
> Timothy Meader
> L-3 Communications, NASA EOS Security Operations
> [EMAIL PROTECTED]
> (301) 614-6371
>
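As an added illustration (not OSSEC's own code): a small Python evaluator for the rootcheck-style process checks discussed in this thread, the positive `p:r:NAME` form, the negated `p:!r:NAME` form, and the stunnel case from Tim's question. It assumes exact command-name matching against a `ps -e -o comm=` style listing; the process listing and policy text are constructed samples, and the `[any]/[all]/[none]` handling is the assumed semantics of those keywords.

```python
import re
from typing import List

# Constructed `ps -e -o comm=` style listing (one command name per line), not a real capture.
SAMPLE_PS = "init\nsshd\nossec-analysisd\nossec-syscheckd\nrsyslogd\n"

# Constructed policy in the rcl style shown in the thread, plus the stunnel check Tim asked about.
SAMPLE_POLICY = """
[Process ossec-analysisd running] [any] []
p:r:ossec-analysisd;

[Alert! Process ossec-analysisd NOT running] [any] []
p:!r:ossec-analysisd;

[Alert! Process stunnel NOT running] [any] []
p:!r:stunnel;
"""

HEADER_RE = re.compile(r"^\[(?P<title>[^\]]+)\]\s*\[(?P<mode>any|all|none)\]\s*\[(?P<ref>[^\]]*)\]\s*(?P<rest>.*)$")
PROC_RE = re.compile(r"^p:(?P<neg>!?)r:(?P<name>\S+)$")


def running_processes(ps_output: str) -> set:
    """Command names from a `ps -e -o comm=` style listing."""
    return {line.strip() for line in ps_output.splitlines() if line.strip()}


def check_process_cond(cond: str, procs: set) -> bool:
    """True when a 'p:r:NAME' / 'p:!r:NAME' condition is satisfied (i.e. would fire).
    Exact command-name matching is an assumption of this example."""
    m = PROC_RE.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    present = m.group("name") in procs
    return present != (m.group("neg") == "!")   # negated form fires when the process is absent


def evaluate_policy(policy: str, ps_output: str) -> List[str]:
    """Return the titles of policy entries that fire against the given process listing."""
    procs = running_processes(ps_output)
    fired = []
    for block in re.split(r"\n\s*\n", policy.strip()):          # entries are blank-line separated
        lines = [l.strip() for l in block.splitlines() if l.strip() and not l.strip().startswith("#")]
        m = HEADER_RE.match(lines[0])
        if not m:
            raise ValueError(f"bad entry header: {lines[0]!r}")
        conds = [c for c in " ".join([m.group("rest")] + lines[1:]).split(";") if c.strip()]
        results = [check_process_cond(c, procs) for c in conds]
        mode = m.group("mode")
        hit = any(results) if mode == "any" else all(results) if mode == "all" else not any(results)
        if hit:
            fired.append(m.group("title"))
    return fired


if __name__ == "__main__":
    for title in evaluate_policy(SAMPLE_POLICY, SAMPLE_PS):
        print("ALERT:", title)
```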
