I apologize beforehand if I double posted; I sent an email to ossec-list 
48 hours ago but didn't see any activity or it being posted here on the 
Google group, so I deduced something went wrong.

I am attempting to use the process monitor + check_diff option to validate 
whether 3 processes are running or not via the result of a "ps -eo cmd" command 
followed by a grep... I thought I had finally figured it out, as I explained 
in the email I sent, but I was dead wrong.
Note: Everything is being configured on the server and all three processes 
are also running on the server.

I have added the following at /var/ossec/etc/ossec.conf:
----
  <localfile>
    <log_format>full_command</log_format>
    <command>ps -eo cmd |grep arpwatch</command>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>ps -eo cmd |grep dumpcap |sed -e "s/\/[0-9]*-[0-9]*-[0-9]*\///g"</command>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>ps -eo cmd |grep com.objectplanet.probe</command>
    <frequency>300</frequency> 
  </localfile>
--------------------
I've added the following on my local rules:

 <rule id="100080" level="7">
   <if_sid>530</if_sid>
   <hostname>thePC</hostname>
   <match>ossec: output: 'ps -eo cmd |grep arpwatch':</match>
   <check_diff />
   <description>ARPWATCH is not running</description>
 </rule>
 <rule id="100081" level="7">
   <if_sid>530</if_sid>
   <hostname>thePC</hostname>
   <match>ossec: output: 'ps -eo cmd |grep /usr/bin/dumpcap:</match>
   <check_diff />
   <description>dumpcap is not running</description>
 </rule>
 <rule id="100082" level="7">
   <if_sid>530</if_sid>
   <hostname>thePC</hostname>
   <match>ossec: output: 'ps -eo cmd |grep com.objectplanet.probe:</match>
   <check_diff />
   <description>networkprobe is not running</description>
 </rule>
-------------
It seems I am unable to tell ossec how to differentiate all three commands 
since the results from all three commands keep landing at:
/var/ossec/diff/thePC/100080/last-entry

If I change the ps command slightly, such as "ps -eox cmd" and "ps -xeo 
cmd" for commands 2 and 3 respectively then things seem to work for 
command\rule 100080.

I'm dead lost at this point and hope anyone can clarify things for me.

Thanks in advance!
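As an added example (not from the original post and not OSSEC's own code), here is a small Python model of how OSSEC routes full_command output through `<match>` and `<check_diff />`. It assumes, as the OSSEC rule syntax documents for match patterns, that `|` inside a `<match>` string separates alternatives (logical OR) rather than being matched literally; the `^`/`$` anchors, the rule 530 parent and the on-disk diff file layout are not modelled. The commands are the ones from the post; the process listings are constructed sample output. The `FIXED_RULES` patterns are a hypothetical alternative that avoids the pipe character by matching only the pipe-free tail of each command string.

```python
"""Toy model of OSSEC full_command events, <match> routing and <check_diff/>."""
from typing import Dict, List, Optional, Tuple

Rule = Tuple[int, str]          # (rule id, <match> pattern)
Event = Tuple[str, str]         # (command, command output)


def ossec_match(pattern: str, text: str) -> bool:
    """OSSEC <match>: substring test, but '|' splits the pattern into OR alternatives.
    Anchors are deliberately not modelled (assumption stated in the lead-in)."""
    return any(alt in text for alt in pattern.split("|"))


def full_command_event(command: str, output: str) -> str:
    """Shape of the log record a full_command localfile produces."""
    return f"ossec: output: '{command}':\n{output}"


def route(rules: List[Rule], event: str) -> Optional[int]:
    """First rule (in load order) whose <match> hits claims the event."""
    for rule_id, pattern in rules:
        if ossec_match(pattern, event):
            return rule_id
    return None


class CheckDiff:
    """Per-rule 'last-entry' store: alert only when the stored record changes.
    The first observation is stored silently, as check_diff does."""

    def __init__(self) -> None:
        self.last: Dict[int, str] = {}

    def changed(self, rule_id: int, record: str) -> bool:
        prev = self.last.get(rule_id)
        self.last[rule_id] = record
        return prev is not None and prev != record


def simulate(rules: List[Rule], cycles: List[List[Event]]) -> List[Tuple[Optional[int], bool]]:
    """Run every event of every monitoring cycle; return (rule that matched, alerted?)."""
    diff = CheckDiff()
    results = []
    for cycle in cycles:
        for command, output in cycle:
            record = full_command_event(command, output)
            rule_id = route(rules, record)
            alerted = rule_id is not None and diff.changed(rule_id, record)
            results.append((rule_id, alerted))
    return results


# Commands exactly as configured in the post.
CMD_ARP = "ps -eo cmd |grep arpwatch"
CMD_DUMP = 'ps -eo cmd |grep dumpcap |sed -e "s/\\/[0-9]*-[0-9]*-[0-9]*\\///g"'
CMD_PROBE = "ps -eo cmd |grep com.objectplanet.probe"

# Constructed sample process listings (the grep itself always shows up in ps output).
OUT_ARP_UP = "arpwatch -i eth0\ngrep arpwatch"
OUT_ARP_DOWN = "grep arpwatch"
OUT_DUMP = "dumpcap -i eth0 -w /captures/file.pcap\ngrep dumpcap"
OUT_PROBE = "java -jar com.objectplanet.probe.jar\ngrep com.objectplanet.probe"

# Cycle 1: all three processes running. Cycle 2: arpwatch has died.
SCENARIO: List[List[Event]] = [
    [(CMD_ARP, OUT_ARP_UP), (CMD_DUMP, OUT_DUMP), (CMD_PROBE, OUT_PROBE)],
    [(CMD_ARP, OUT_ARP_DOWN), (CMD_DUMP, OUT_DUMP), (CMD_PROBE, OUT_PROBE)],
]

# Patterns as posted: every one contains "ossec: output: 'ps -eo cmd " before the first '|',
# and that alternative is present in all three records.
POSTED_RULES: List[Rule] = [
    (100080, "ossec: output: 'ps -eo cmd |grep arpwatch':"),
    (100081, "ossec: output: 'ps -eo cmd |grep /usr/bin/dumpcap:"),
    (100082, "ossec: output: 'ps -eo cmd |grep com.objectplanet.probe:"),
]

# Hypothetical pipe-free patterns: match only the distinctive tail of each command.
FIXED_RULES: List[Rule] = [
    (100080, "grep arpwatch':"),
    (100081, "grep dumpcap"),
    (100082, "grep com.objectplanet.probe':"),
]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(name, simulate(rules, SCENARIO))
```

With the posted patterns every record is claimed by rule 100080, so its single last-entry keeps flipping between three different outputs and fires on every event after the first, regardless of whether any process actually died. With the pipe-free patterns each command has its own last-entry, nothing fires while the listings are stable, and only the arpwatch rule fires once when its output changes.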
