On Mon, Dec 23, 2013 at 9:10 AM, Robert Micallef <[email protected]> wrote:
> Hi,
>
> I have been researching this for a few days and cannot find anything. I
> would like a rule to alert me if a program is not running.
>
> On the agent I added a process monitoring where a command: ps -ef | grep
> program-name is run.
>
> On the server side I have tried creating a rule to send an e-mail out if the
> output is nothing. Basically if the program is running, that command will
> output the PID and paths etc, and if not running it will output nothing.
>
> I tried using <check_diff/> but the output changes frequently (even though
> the process keeps running), so we cannot use that as an option.
>
> Could someone please point me in the right direction?
>

Try using something like:
ps auxww | grep smtpd: | sed 's/  */ /g' | cut -d ' ' -f 2,12
That should give you a list of PIDs and (in the case of smtpd, maybe
try 11 for non privsep daemons) processes.

Or use one of the many daemons designed to make sure a process is running.

> Thanks,
> Robert
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
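
An added example, not part of the original thread: one way to get output that stays the same while the process keeps running is to reduce the ps listing to a single status line, which also avoids matching the grep command itself. The function name proc_status and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# proc_status NAME
# Reads "ps -eo pid,args" style lines on stdin and prints exactly one line:
#   "NAME: running"  or  "NAME: NOT running"
# The line only changes when the process appears or disappears, so a
# monitored command no longer differs on every run because of CPU time,
# start time or PID churn in the raw ps output.
proc_status() {
    name=$1
    awk -v name="$name" '
        NR == 1 && $1 == "PID" { next }   # skip the ps header line
        {
            cmd = $2                      # first word of the command line
            sub(/.*\//, "", cmd)          # drop a leading path: /usr/sbin/sshd -> sshd
            sub(/:$/, "", cmd)            # privsep style titles: "smtpd:" -> smtpd
            if (cmd == name) found = 1    # exact match, so "grep NAME" never counts
        }
        END {
            if (found) print name ": running"
            else       print name ": NOT running"
        }'
}

# Constructed sample listing (not captured from a real host).
SAMPLE_PS='  PID COMMAND
    1 /sbin/init
  812 /usr/sbin/sshd -D
 2291 smtpd: [priv]
 4410 grep program-name'

# Demo on the sample; on a live agent the input would be: ps -eo pid,args
printf '%s\n' "$SAMPLE_PS" | proc_status smtpd
printf '%s\n' "$SAMPLE_PS" | proc_status program-name
```
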
