Hi Daniel,

I have one more quick question about how process monitoring works, if you don't mind: How will OSSEC process commands that return multi-line output? To use my previous example, if ps aux | grep mysql returns the following lines:

root      5481  0.0  0.0   4540  1288 ?        S    17:25   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid
mysql     5541  0.3  1.2 136776 18016 ?        Sl   17:25   0:02 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
root      7793  0.0  0.0   3924   668 pts/1    R+   17:38   0:00 grep mysql

will OSSEC treat that as a single line, or will it understand the three lines are separate and apply decoders/rules accordingly?

Thanks!
-Alisha

On Jan 15, 11:17 am, Daniel Cid <[email protected]> wrote:
> Hi Alisha,
>
> You can run whatever commands you like and write your own rules to parse
> those.
> By default we have just a few commands supported (with rules), but they are
> very easy to extend. You can do "ps auwx |grep mysql" as you said...
>
> As far as the frequency of the checks, OSSEC is not time driven but event
> driven, so it is generally every 1.5 or 2 minutes that it checks (can
> take a bit longer or less depending on the flow).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Fri, Jan 8, 2010 at 4:43 PM, Alisha Kloc <[email protected]> wrote:
> > Hello,
> >
> > I am very excited about the new process monitoring feature. However, I
> > looked at http://www.ossec.net/main/manual/manual-process-monitoring,
> > as well as the release notes for v. 2.3, but didn't see a list of
> > supported commands.
> >
> > Are all commands supported (i.e., OSSEC will run whatever command is
> > put between the <command> tags), and I just need to write decoders/
> > rules for the commands I'm interested in? Or is there a specific
> > subset of commands OSSEC can run with this feature? Also, how complex
> > can the commands be? Can they be piped together (such as ps aux | grep
> > mysqld)? Or is it just the base command with arguments?
> >
> > I also noticed in another post that Daniel Cid said the command output
> > is checked every 1-2 minutes depending on the flow of the logs. What
> > does that mean? Is there a timer, or is it tied to another check, or
> > what?
> >
> > Thanks in advance!
> > -Alisha Kloc
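An added example (my own, not from this thread or from the OSSEC project) of the configuration plus the "write your own rules" step Daniel describes, applied to the ps command in Alisha's message. It assumes OSSEC's `command` log format, in which each line of output is delivered to the analysis engine as its own event prefixed with `ossec: output: '<command>': ` and picked up by the stock rule 530 (later releases added `full_command`, which sends the whole output as one event); the rule ids 100100 and 100101 are placeholders in the local range, and `\S` stands in for the `|` of the command in the patterns because `|` means alternation in OSSEC's own regex syntax.

```xml
<!-- ossec.conf: run the command from the thread. With log_format
     "command", every line ps prints becomes a separate log event, so the
     three lines in Alisha's example are three events, not one. -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>ps aux | grep mysql</command>
  </localfile>
</ossec_config>

<!-- local_rules.xml: rules are written per output line. Rule 530 is the
     stock OSSEC "process monitoring" parent rule; 100100/100101 are
     placeholder ids in the local range. -->
<group name="local,process_monitoring,">

  <!-- The expected daemon line: /usr/libexec/mysqld running as the mysql
       user. Level 0 so it is matched (and swallowed) without alerting.
       The "grep mysql" line from ps does not contain this path, so it
       never matches here. -->
  <rule id="100100" level="0">
    <if_sid>530</if_sid>
    <regex>ossec: output: 'ps aux \S grep mysql': mysql\s+\d+.+ /usr/libexec/mysqld</regex>
    <description>mysqld is running as the mysql user.</description>
  </rule>

  <!-- Hardening check: the real server binary should never run as root
       (the /bin/sh mysqld_safe wrapper line is root by design and has a
       different path, so it is not caught by this pattern). -->
  <rule id="100101" level="7">
    <if_sid>530</if_sid>
    <regex>ossec: output: 'ps aux \S grep mysql': root\s+\d+.+ /usr/libexec/mysqld</regex>
    <description>mysqld server process is running as root.</description>
  </rule>

</group>
```

Before deploying, paste one of the prefixed lines (for example `ossec: output: 'ps aux | grep mysql': mysql 5541 0.3 1.2 136776 18016 ? Sl 17:25 0:02 /usr/libexec/mysqld --basedir=/usr`) into ossec-logtest to confirm which rule fires.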
