Monitor Ossec


Monitor Ossec

frwa onto
Dear All,
We plan to run the Ossec tool. Is it possible for monit to monitor whether Ossec is running well and restart it if it goes down or is not running? Thank you.

--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general

Re: Monitor Ossec

jsiemins
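I went to the same point and I made a quick solution.

The first file calls ossec-control and checks the status:

#!/bin/bash
# Count the daemons that ossec-control reports as "is running".
# Matching just "running" would also count the "not running" lines.
count=$(/var/ossec/bin/ossec-control status | grep -c "is running")
# 7 is the number of daemons expected to be running.
if [ "$count" -eq 7 ]
then
echo "running"
exit 0
else
echo "not running"
exit 1
fi

Make it executable.

The second is the monit conf file: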

check program OSSEC with path "/PATH/TO/FIRST/FILE" with timeout 1000 seconds
       if status != 0 then restart
start program = "/etc/init.d/ossec_server start" with timeout 60 seconds
stop program = "/etc/init.d/ossec_server stop"
group server
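
A variant of the status check that names the daemons that are down instead of comparing a count, shown as an added example that is not part of the original post. It assumes `ossec-control status` prints one `<daemon> is running...` or `<daemon> not running...` line per daemon and that the seven daemons listed are the expected set; the sample output is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: `ossec-control status`
# prints one line per daemon, either "<name> is running..." or
# "<name> not running...".

OSSEC_CONTROL="${OSSEC_CONTROL:-/var/ossec/bin/ossec-control}"
# Assumed daemon set for a server install (seven, the count used in the thread).
EXPECTED_DAEMONS="${EXPECTED_DAEMONS:-ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ossec-execd}"

# Read status text on stdin; print the expected daemons that are not
# reported as running. A daemon missing from the output counts as down.
missing_daemons() (
    status_text=$(cat)
    missing=""
    for d in $EXPECTED_DAEMONS; do
        # Match "<name> is running" at line start: the bare word "running"
        # also appears in "not running", so it cannot tell the two apart.
        if ! printf '%s\n' "$status_text" | grep -q "^$d is running"; then
            missing="${missing:+$missing }$d"
        fi
    done
    printf '%s' "$missing"
)

# Exit status for Monit: 0 when every expected daemon is up, 1 otherwise.
check_ossec() (
    missing=$(missing_daemons)
    if [ -z "$missing" ]; then
        echo "running"
        exit 0
    fi
    echo "not running: $missing"
    exit 1
)

# Constructed sample output (not captured from a real host).
sample_all_up() {
    for d in $EXPECTED_DAEMONS; do echo "$d is running..."; done
}
sample_one_down() {
    sample_all_up | sed 's/^ossec-remoted is running/ossec-remoted not running/'
}

case "$0" in
    */test_ossec)
        # Installed under the name used in the thread: run the live check.
        # Fail closed if ossec-control is missing, so Monit sees an error.
        if [ ! -x "$OSSEC_CONTROL" ]; then
            echo "not running: $OSSEC_CONTROL not executable"
            exit 1
        fi
        "$OSSEC_CONTROL" status 2>&1 | check_ossec
        exit $?
        ;;
    *)
        # Any other file name: demonstrate on the constructed samples.
        sample_all_up | check_ossec || true
        sample_one_down | check_ossec || true
        ;;
esac
```

Because the pipeline is not written to a fixed file under /tmp, the check also avoids a predictable temporary file created by root.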





Re: Monitor Ossec

frwa onto
Dear Jaro,
Thank you for your help. I am wondering: for mysql I start it with this command, monit start mysql. This will enable monit to monitor it properly. So how about ossec, how do you suggest it should be started with monit? Another thing: where is this /PATH/TO/FIRST/FILE pointing to?



Re: Monitor Ossec

jsiemins
Hi,

Name the first file test_ossec and put it in /usr/bin.
Make it executable: sudo chmod +x /usr/bin/test_ossec
Check if it works: sudo /usr/bin/test_ossec

Name the second file ossec.conf and put it into the /etc/monit/conf.d/ directory.
Change /PATH/TO/FIRST/FILE to /usr/bin/test_ossec.
Restart monit with sudo monit reload.



Re: Monitor Ossec

frwa onto
Dear Jaro,
OK, I created the first file and checked it; all is working fine. I don't have this directory /etc/monit/. In /etc I have monit.conf and monit.d.



Re: Monitor Ossec

Werner Flamme
frwa onto [23.09.2013 16:53]:
> Dear Jaro,
>                Ok the first file I created check all is working fine. I
> dont have this directory /etc/monit/ ?  In /etc I got monit.conf and
> monit.d.

Then you should put it into /etc/monit.d/


Re: Monitor Ossec

frwa onto
Dear Werner,
I tried and am getting this error:

Starting monit: /etc/monit.d/ossec.conf:1: Error: syntax error 'OSSEC'

I guess it does not recognise my OSSEC?



Re: Monitor Ossec

jsiemins
So try to put ossec.conf into /etc/monit.d/

Re: Monitor Ossec

frwa onto
Dear Jaro,
Yes, it's in /etc/monit.d/, and when I start monit, that is where it generates that error.



Re: Monitor Ossec

Werner Flamme
frwa onto [24.09.2013 04:42]:
> Dear Jaro,
>               Yes its in the /etc/monit.d/ and when I start monit it where
> it generates that error.

May we see the content of the file?


Re: Monitor Ossec

frwa onto
Dear Jaro,
              Here it is 

check program OSSEC with path "/usr/bin/test_ossec" with timeout 1000 seconds
       if status != 0 then restart
start program = "/etc/init.d/ossec_server start" with timeout 60 seconds
stop program = "/etc/init.d/ossec_server stop"
group server

Another thing I have checked is that I don't have /etc/init.d/ossec_server start or stop, but just this one file, ossec_hids

vi ossec-hids
        stop)
          stop
          ;;
        status)
          rh_status
          ;;
        restart)
          restart
          ;;
        condrestart)
          if [ -e /var/lock/subsys/$SHORT ]; then restart; fi
          ;;
        reload)
          reload
          ;;
        *)
          echo $"Usage: ossec-hids {start|stop|status|restart|condrestart|reload}"
          exit 1
esac

exit $RETVAL






Re: Monitor Ossec

Werner Flamme
frwa onto [24.09.2013 11:48]:
> Dear Jaro,
>               Here it is
>
> check program OSSEC with path "/usr/bin/test_ossec" with timeout 1000
> seconds
>        if status != 0 then restart
> start program = "/etc/init.d/ossec_server start" with timeout 60 seconds
> stop program = "/etc/init.d/ossec_server stop"
> group server

It should read "check process..." instead of "check program..."

> Another thing I have check is that I dont have /etc/init.d/ossec_server
> start or stop but just this one file ossec_hids

Well, you should replace "/etc/init.d/ossec_server start" with the
command that really starts and stops the software.

Jaroslaw only gave a pattern you could use, but you should fill in
correct values. And you still are allowed to look up man pages :-) There
is a section "PROGRAM STATUS TESTING" on "man monit".

> vi ossec-hids
>         stop)
>           stop
>           ;;
>         status)
>           rh_status
>           ;;
>         restart)
>           restart
>           ;;
>         condrestart)
>           if [ -e /var/lock/subsys/$SHORT ]; then restart; fi
>           ;;
>         reload)
>           reload
>           ;;
>         *)
>           echo $"Usage: ossec-hids
> {start|stop|status|restart|condrestart|reload}"
>           exit 1
> esac
>
> exit $RETVAL

This script does not contain those few lines only, does it? There must
be functions and variables defined in the script. If this script is
intended to start and stop OSSEC, the lines in /etc/monit.d/ossec.conf
should read

start program = "/etc/init.d/ossec-hids start" with timeout 60 seconds
stop program = "/etc/init.d/ossec-hids stop"



Re: Monitor Ossec

sven falempin
I may sound rude, but
I do not see any relation with monit.

You all sound like a commercial for OSSEC. And this is BAD advertising.




--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail 
/\ 


Re: Monitor Ossec

Werner Flamme
sven falempin [24.09.2013 16:52]:
> I may sound rude, but
> I do not see any relation with monit.

Pardon? Isn't this thread about watching ossec by monit?

> You all sound like a commercial for OSSEC. And this is BAD advertising.

No intention to do so. Where did I write anything like an ad for a
software I don't even know from own experience?

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Re: Monitor Ossec

frwa onto
Dear Werner,
I went to the man page here, http://mmonit.com/monit/documentation/monit.html#program_status_testing, read it, and changed it to this now:

check program test_ossec with path "/usr/bin/test_ossec" with timeout 1000 seconds

and I still get:

service monit start
Starting monit: /etc/monit.d/ossec.conf:1: Error: syntax error 'test_ossec'
                                                           [FAILED]

I think the reason it is not recognized could be my monit version, which is:

monit -V
This is monit version 5.1.1
Copyright (C) 2000-2010 by Tildeslash Ltd. All Rights Reserved.

I am using Centos 6.4 and the epel repo. Another thing: I start ossec via /var/ossec/bin/ossec-control start, not via the /etc/init.d scripts.




Re: Monitor Ossec

frwa onto
Dear Werner,
I don't understand what the need is for the extra ossec.conf; why is it not in the main monit.conf?



Re: Monitor Ossec

Werner Flamme
frwa onto [24.09.2013 17:21]:
> Dear Werner,
>                    I dont understand what is the need of the extra
> ossec.conf why not its in the main monit.conf ?

You can put anything you wrote into the separate file into monit.conf
(which I don't have, it's monitrc for me). The reason for keeping it
separated is that on an update, the central config may be rewritten, and
that your parts of the config might get lost. If you keep it in a
separate file, it will stay there even when you update monit.


> On Tue, Sep 24, 2013 at 11:19 PM, frwa onto <[hidden email]> wrote:
>
>> Dear Werner,
>>                    I went into the man page here
>> http://mmonit.com/monit/documentation/monit.html#program_status_testing so
>> I read and change it to this now check program test_ossec  with path
>> "/usr/bin/test_ossec" with timeout 1000 seconds and still get service monit
>> start
>> Starting monit: /etc/monit.d/ossec.conf:1: Error: syntax error 'test_ossec'
>>                                                            [FAILED]
>>  . I think my problem why it does not recognize could it be due to my
>> monit version is  monit -V
>> This is monit version 5.1.1
>> Copyright (C) 2000-2010 by Tildeslash Ltd. All Rights Reserved. I am using
>> Centos 6.4 and epel repo. Another thing how I start the ossec is via the
>> /var/ossec/bin/ossec-control start not via the /etc/init.d scripts.

From what I found, "check program" must have been introduced with
version 5.3, so you are on the bad side here.

Regards,
Werner


Re: Monitor Ossec

frwa onto
Dear Werner,
So if we keep it separate, how will the monit executable be able to read a different .conf file? OK, I got why you want to keep it separate: it is due to updates of monit. So since I am on the bad side, what is your best advice here? Is there any other method to simulate it?



Re: Monitor Ossec

martinp@tildeslash.com
Hello Frwa,

the program check was added in Monit 5.3 - you need to upgrade Monit.

The concept of include files allows you to modularize the configuration - it's optional, and if you want to keep it simple, put everything into a single monitrc file (otherwise the include files can be enabled using the "include" statement - see the manual for details).

Regards,
Martin



Re: Monitor Ossec

frwa onto
Dear Martin,
So in the case of Centos, I have to rebuild then, as I don't see any direct .rpm file of monit 5.3? OK, I got it; the include files are very clear now, not a big issue here.

