Hi Alisha,

You can run whatever commands you like and write your own rules to parse those. By default we have just a few commands supported (with rules), but they are very easy to extend. You can do "ps auwx |grep mysql" as you said...

As far as the frequency of the checks, OSSEC is not time driven but event driven, so it is generally every 1.5 or 2 minutes that it checks (can take a bit longer or less depending on the flow).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Jan 8, 2010 at 4:43 PM, Alisha Kloc <[email protected]> wrote:
> Hello,
>
> I am very excited about the new process monitoring feature. However, I
> looked at http://www.ossec.net/main/manual/manual-process-monitoring,
> as well as the release notes for v. 2.3, but didn't see a list of
> supported commands.
>
> Are all commands supported (i.e., OSSEC will run whatever command is
> put between the <command> tags), and I just need to write decoders/
> rules for the commands I'm interested in? Or is there a specific
> subset of commands OSSEC can run with this feature? Also, how complex
> can the commands be? Can they be piped together (such as ps aux | grep
> mysqld)? Or is it just the base command with arguments?
>
> I also noticed in another post that Daniel Cid said the command output
> is checked every 1-2 minutes depending on the flow of the logs. What
> does that mean? Is there a timer, or is it tied to another check, or
> what?
>
> Thanks in advance!
> -Alisha Kloc
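To make the two halves of the answer concrete (the `<command>` entry in ossec.conf, and the local rule that parses its output), here is an added example; it is not part of Daniel's reply and not taken from the OSSEC project's own rule files. It assumes `mysqld` is the process being watched, that rule 530 is the stock OSSEC "process monitoring" parent rule, and that 100100 is a free id in the local-rules range; the `grep [m]ysqld || echo ...` fallback is a plain shell idiom, not an OSSEC feature.

```xml
<!-- ossec.conf: the command is run as a monitored "log" source; each line of
     its output is fed to the decoders/rules as  ossec: output: 'CMD': LINE -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <!-- grep [m]ysqld matches mysqld but never the grep process itself.
         The || echo fallback guarantees exactly one line of output when the
         daemon is gone, so the rule below can fire on a positive match
         instead of depending on the absence of a line. The quoting keeps
         the literal text "mysqld down" out of the echoed command string. -->
    <command>ps auwx | grep [m]ysqld || echo "mysqld" "down"</command>
  </localfile>
</ossec_config>

<!-- rules/local_rules.xml: alert when the fallback line shows up.
     Rule 530 is the generic parent for command output; 100100 is an assumed
     local id. <match> is kept short on purpose: a "|" inside <match> is read
     by OSSEC as an OR, so the full pipeline is not used as the pattern. -->
<group name="local,process_monitoring,">
  <rule id="100100" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'ps auwx</match>
    <regex>mysqld down</regex>
    <description>mysqld is not running (process monitoring).</description>
  </rule>
</group>
```

`ignore="7200"` suppresses repeats of the same alert for two hours, which matters here because the command is re-run on every agent cycle (the 1.5 to 2 minute event-driven interval Daniel describes) and would otherwise page on each run until the daemon is restarted.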
