On Fri, Nov 23, 2012 at 1:58 PM, JPZ <jp.zurbr...@gmail.com> wrote:
> I apologize beforehand if I double posted; I sent an email to ossec-list 48
> hours ago but didn't see any activity or it being posted here on the Google
> group, so I deduced something went wrong.
>
> I am attempting to use the process monitor + check_diff option to validate
> if 3 processes are running or not via the result of a "ps -eo cmd" command
> followed by a grep... I thought I had finally figured it out as I explained
> in the email I sent, but I was dead wrong.
> Note: Everything is being configured on the server and all three processes
> are also running on the server.
>
> I have added the following at /var/ossec/etc/ossec.conf:
> ----
> <localfile>
>   <log_format>full_command</log_format>
>   <command>ps -eo cmd |grep arpwatch</command>
> </localfile>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>ps -eo cmd |grep dumpcap |sed -e "s/\/[0-9]*-[0-9]*-[0-9]*\///g"</command>
> </localfile>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>ps -eo cmd |grep com.objectplanet.probe</command>
>   <frequency>300</frequency>
> </localfile>
> --------------------
> I've added the following to my local rules:
>
> <rule id="100080" level="7">
>   <if_sid>530</if_sid>
>   <hostname>thePC</hostname>
>   <match>ossec: output: 'ps -eo cmd |grep arpwatch':</match>
>   <check_diff />
>   <description>ARPWATCH is not running</description>
> </rule>
> <rule id="100081" level="7">
>   <if_sid>530</if_sid>
>   <hostname>thePC</hostname>
>   <match>ossec: output: 'ps -eo cmd |grep /usr/bin/dumpcap:</match>
>   <check_diff />
>   <description>dumpcap is not running</description>
> </rule>
> <rule id="100082" level="7">
>   <if_sid>530</if_sid>
>   <hostname>thePC</hostname>
>   <match>ossec: output: 'ps -eo cmd |grep com.objectplanet.probe:</match>
>   <check_diff />
>   <description>networkprobe is not running</description>
> </rule>
> -------------
> It seems I am unable to tell ossec how to differentiate all three commands,
> since the results from all three commands keep landing at:
> /var/ossec/diff/thePC/100080/last-entry
>
> If I change the ps command slightly, such as "ps -eox cmd" and "ps -xeo cmd"
> for commands 2 and 3 respectively, then things seem to work for command\rule
> 100080.
>
> I'm dead lost at this point and hope anyone can clarify things for me.
>
> Thanks in advance!
Use aliases to differentiate. <alias>arpwatch-check</alias>
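The alias approach worked through for the three commands quoted above, as an added example that is not the thread's own configuration; the alias names, the rule group name, the descriptions and the '[a]rpwatch' grep form are my additions.

```xml
<!-- /var/ossec/etc/ossec.conf (added example, not from the thread). One
     <alias> per command makes the log line "ossec: output: 'arpwatch-check':"
     instead of the raw command. Alias names are assumed. The [a]rpwatch
     grep form keeps the grep process itself out of the ps output. -->
<localfile>
  <log_format>full_command</log_format>
  <command>ps -eo cmd | grep '[a]rpwatch'</command>
  <alias>arpwatch-check</alias>
  <frequency>300</frequency>
</localfile>
<localfile>
  <log_format>full_command</log_format>
  <!-- sed still strips the changing date path so check_diff ignores it -->
  <command>ps -eo cmd | grep '[d]umpcap' | sed -e "s/\/[0-9]*-[0-9]*-[0-9]*\///g"</command>
  <alias>dumpcap-check</alias>
  <frequency>300</frequency>
</localfile>
<localfile>
  <log_format>full_command</log_format>
  <command>ps -eo cmd | grep '[c]om.objectplanet.probe'</command>
  <alias>networkprobe-check</alias>
  <frequency>300</frequency>
</localfile>

<!-- /var/ossec/rules/local_rules.xml: each rule matches its own alias, so
     check_diff stores a separate /var/ossec/diff/thePC/<rule id>/last-entry
     and the three checks no longer overwrite each other. -->
<group name="local,process_monitor,">
  <rule id="100080" level="7">
    <if_sid>530</if_sid>
    <hostname>thePC</hostname>
    <match>ossec: output: 'arpwatch-check':</match>
    <check_diff />
    <description>arpwatch process output changed (arpwatch may be down)</description>
  </rule>
  <rule id="100081" level="7">
    <if_sid>530</if_sid>
    <hostname>thePC</hostname>
    <match>ossec: output: 'dumpcap-check':</match>
    <check_diff />
    <description>dumpcap process output changed (dumpcap may be down)</description>
  </rule>
  <rule id="100082" level="7">
    <if_sid>530</if_sid>
    <hostname>thePC</hostname>
    <match>ossec: output: 'networkprobe-check':</match>
    <check_diff />
    <description>networkprobe process output changed (probe may be down)</description>
  </rule>
</group>
```

Because check_diff fires on any change, the rule also alerts when a process comes back; the stored last-entry tells you which direction the change went.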