Looking for documentation? Check out ARK - our new documentation portal!
AlienVault OSSIM v4.2 Released! Download here

How are processes that are configured in the plugins managed by ossim-agent?

mbrownnycmbrownnyc
in Sensor
Hello,

How are plugins that are set to be started with ossim-agent monitored and restarted?

I took a look at the monit config, and it doesn't seem to be modified

Any assistance is appreciated
Flag Off Topic Dislike Like Awesome

Answers

  • derDuffyderDuffy ✭✭
    Are you talking about plugins like the ones in /etc/ossim/agent/plugins/ ?

    As far as I know you can specify a process within each of the plugins configuration files and whether you want to have it started or not.

    If you are talking about the monitor plugins like nagios, fprobe and stuff - they have startup scripts which you can use.
    mbrownnyc
    Flag Off Topic Dislike 1Like Awesome
  • aariasaarias Alien
    For change the plugins you must configure it in the web interface, in "System Configuration -> Sensor configuration -> collection" and here you can select the plugin to use
    mbrownnyc
    Flag Off Topic Dislike 1Like Awesome
  • mbrownnycmbrownnyc
    Hello guys,

    Thanks for getting back to me quickly.

    I was interested in the actual programmatic mechanism that starts/restarts/watches the processes that are marked be started within the plugins' .cfg file.

    For instance, within /etc/ossim/agent/plugins/arpalert.cfg:

    process=arpalert
start=yes ; launch plugin process when agent starts
stop=yes ; shutdown plugin process when agent stops
restart=no ; restart plugin process after each interval
restart_interval=\_CFG(watchdog,restart_interval) ; interval between each restart
startup=/etc/init.d/%(process)s start
shutdown=/etc/init.d/%(process)s stop

    It appears that ossim-agent actually manages the start & restart (relevant arguments: start, restart, restart_interval, and startup).

    the \_CFG(watchdog,restart_interval) argument tells ossim-agent to take the restart_interval from the watchdog section of /etc/ossim/agent/config.cfg.  If the restart_interval isn't set, it defaults to 3600 seconds as set in /usr/share/ossim-agent/ossim_agent/Watchdog.py.

    I'm guessing you can actually assign these any names you wish, but surely, it makes the most sense to keep these defaults.


    My question really is: how does ossim-agent know the process is started?  Does it check for running processes by the name process?  Is it relying on the PID file?  If so, how is this determined, specifically if it's relying on init scripts?


    Thanks,

    Matt

    [edit]
    After poking around a bit in /usr/share/ossim-agent/ossim_agent/Watchdog.py, I believe that logic is present that checks to see:

    if watchdog is set...
    at first interval...
    check if process is running
    if process is running...
    and the process's start time isn't already noted (which the start function notes)
    note the current time as the process start time
    if process isn't running...
    start the process
    which notes the current time as the process start time

    So it's a self-contained sort of thing, which relies on nothing but its own time management.  From what I read, I suppose you could pass ~200% of the configured interval before the process is restarted if it was started previously.

    Can anyone confirm this whole thing to be correct?
    cpconstantine
    Flag Off Topic Dislike 1Like Awesome
  • cpconstantinecpconstantine admin
    seems about right, I've still got to dig through and confirm it myself though.

    I'm looking to get a series of these architecture-dependency writeups done in ARK, describing startup/config procedures for the core components (to assist in debugging stuff)..
    Flag Off Topic Dislike Like Awesome
Sign In or Register to comment.