Hi Daniel,

I have one more quick question about how process monitoring works, if
you don't mind: How will OSSEC process commands that return multi-line
output? To use my previous example, if ps aux | grep mysql returns the
following lines:

root      5481  0.0  0.0   4540  1288 ?        S    17:25   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid
mysql     5541  0.3  1.2 136776 18016 ?        Sl   17:25   0:02 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
root      7793  0.0  0.0   3924   668 pts/1    R+   17:38   0:00 grep mysql

will OSSEC treat that as a single line, or will it understand the
three lines are separate and apply decoders/rules accordingly?

Thanks!
-Alisha




On Jan 15, 11:17 am, Daniel Cid <[email protected]> wrote:
> Hi Alisha,
>
> You can run whatever commands you like and write your own rules to parse 
> those.
> By default we have just a few commands supported (with rules), but they are
> very easy to extend. You can do "ps auwx |grep mysql" as you said...
>
> As far as the frequency of the checks, OSSEC is not time driven but event
> driven, so it is generally every 1.5 or 2 minutes that it checks (can
> take a bit longer
> or less depending on the flow).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Fri, Jan 8, 2010 at 4:43 PM, Alisha Kloc <[email protected]> wrote:
> > Hello,
>
> > I am very excited about the new process monitoring feature. However, I
> > looked at http://www.ossec.net/main/manual/manual-process-monitoring,
> > as well as the release notes for v. 2.3, but didn't see a list of
> > supported commands.
>
> > Are all commands supported (i.e., OSSEC will run whatever command is
> > put between the <command> tags), and I just need to write decoders/
> > rules for the commands I'm interested in? Or is there a specific
> > subset of commands OSSEC can run with this feature? Also, how complex
> > can the commands be? Can they be piped together (such as ps aux | grep
> > mysqld)? Or is it just the base command with arguments?
>
> > I also noticed in another post that Daniel Cid said the command output
> > is checked every 1-2 minutes depending on the flow of the logs. What
> > does that mean? Is there a timer, or is it tied to another check, or
> > what?
>
> > Thanks in advance!
> > -Alisha Kloc
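As an added illustration, not part of the thread or of OSSEC's shipped configuration, here is the kind of ossec.conf and local_rules.xml fragment Daniel's reply points to: the command from the thread wired in as a <command> entry, plus local rules that parse its output. It assumes the log collector tags each output line as `ossec: output: '<command>': <line>` and hands every line to the rules separately, that the stock base rule for that prefix is id 530, and that ids 100100 onward are free for local rules.

```xml
<!-- ossec.conf: run the command from the thread and feed its output
     to the analysis engine (log_format "command": one event per line,
     an assumption of this example) -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>ps aux | grep mysql</command>
  </localfile>
</ossec_config>

<!-- local_rules.xml: parse that output. Rule 530 is assumed to be the
     stock "ossec: output:" base rule; 100100+ are assumed free. -->
<group name="local,process_monitoring,">

  <!-- Group every line produced by this particular command. -->
  <rule id="100100" level="0">
    <if_sid>530</if_sid>
    <match>ossec: output: 'ps aux | grep mysql':</match>
    <description>ps aux | grep mysql output line</description>
  </rule>

  <!-- The grep process itself always shows up in its own output;
       silence that line rather than the whole command. -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <regex>grep mysql$</regex>
    <description>grep matching its own command line; ignore.</description>
  </rule>

  <!-- The mysqld_safe wrapper shell is expected; keep it quiet. -->
  <rule id="100102" level="0">
    <if_sid>100100</if_sid>
    <regex>/bin/sh /usr/bin/mysqld_safe</regex>
    <description>mysqld_safe wrapper process present.</description>
  </rule>

  <!-- The real server process: record that it is running so the
       alert log carries a positive heartbeat for mysqld. -->
  <rule id="100103" level="3">
    <if_sid>100100</if_sid>
    <regex>/usr/libexec/mysqld --basedir=</regex>
    <description>mysqld server process is running.</description>
  </rule>
</group>
```

Because each of the three ps lines is evaluated on its own, the grep line and the wrapper line are dropped at level 0 while the mysqld line alone produces the level-3 event.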
