
How are processes that are configured in the plugins managed by ossim-agent?


Big Time
edited December 2012 in AlienVault USM Appliance > Sensor

How are plugins that are set to be started with ossim-agent monitored and restarted?

I took a look at the monit config, and it doesn't seem to be modified.

Any assistance is appreciated.



  • Are you talking about plugins like the ones in /etc/ossim/agent/plugins/ ?

    As far as I know you can specify a process within each of the plugins' configuration files and whether you want to have it started or not.

    If you are talking about the monitor plugins like nagios, fprobe and stuff - they have startup scripts which you can use.
  • To change the plugins, you must configure them in the web interface, in "System Configuration -> Sensor configuration -> collection", and there you can select the plugin to use.
  • edited December 2012
    Hello guys,

    Thanks for getting back to me quickly.

    I was interested in the actual programmatic mechanism that starts/restarts/watches the processes that are marked to be started within the plugins' .cfg file.

    For instance, within /etc/ossim/agent/plugins/arpalert.cfg:

    start=yes ; launch plugin process when agent starts
    stop=yes ; shutdown plugin process when agent stops
    restart=no ; restart plugin process after each interval
    restart_interval=_CFG(watchdog,restart_interval) ; interval between each restart
    startup=/etc/init.d/%(process)s start
    shutdown=/etc/init.d/%(process)s stop

    It appears that ossim-agent actually manages the start & restart (relevant arguments: start, restart, restart_interval, and startup).

    The _CFG(watchdog,restart_interval) argument tells ossim-agent to take the restart_interval from the watchdog section of /etc/ossim/agent/config.cfg.  If the restart_interval isn't set, it defaults to 3600 seconds as set in /usr/share/ossim-agent/ossim_agent/Watchdog.py.

    I'm guessing you can actually assign these any names you wish, but surely, it makes the most sense to keep these defaults.

    My question really is: how does ossim-agent know the process is started?  Does it check for running processes by the name process?  Is it relying on the PID file?  If so, how is this determined, specifically if it's relying on init scripts?



    After poking around a bit in /usr/share/ossim-agent/ossim_agent/Watchdog.py, I believe that logic is present that checks to see:

    if watchdog is set...
    at first interval...
    check if process is running
    if process is running...
    and the process's start time isn't already noted (which the start function notes)
    note the current time as the process start time
    if process isn't running...
    start the process
    which notes the current time as the process start time

    So it's a self-contained sort of thing, which relies on nothing but its own time management.  From what I read, I suppose you could pass ~200% of the configured interval before the process is restarted if it was started previously.

    Can anyone confirm this whole thing to be correct?
  • Seems about right, I've still got to dig through and confirm it myself though.

    I'm looking to get a series of these architecture-dependency writeups done in ARK, describing startup/config procedures for the core components (to assist in debugging stuff).
This discussion has been closed.
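
The config resolution and check loop discussed in the thread, as an added example that is not part of the original posts and is not ossim-agent's own code. It resolves the `_CFG(section,key)` reference and the `%(process)s` placeholder from the quoted arpalert.cfg lines, then models the watchdog checks as the post describes them. Assumptions: the `[config]` section name, the `process` key, the `interval` key in the sample agent config, and the restart branch (inferred from the `restart` and `restart_interval` comments); `load`, `resolve`, `Watchdog` and `watchdog_for` are hypothetical names.

```python
import configparser
import re

# Constructed samples modelled on the snippet quoted in the thread; section names are assumptions.
PLUGIN_CFG = """
[config]
process=arpalert
restart=no ; restart plugin process after each interval
restart_interval=_CFG(watchdog,restart_interval) ; interval between each restart
startup=/etc/init.d/%(process)s start
"""
AGENT_CFG = "[watchdog]\ninterval=30\n"  # constructed: no restart_interval set
DEFAULT_RESTART_INTERVAL = 3600  # default the thread attributes to Watchdog.py
CFG_REF = re.compile(r"^_CFG\((\w+),(\w+)\)$")

def load(text):
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(text)
    return cp

def resolve(plugin, agent, key, section="config"):
    """Return a plugin value, following _CFG(section,key) into the agent config."""
    value = plugin.get(section, key)  # configparser expands %(process)s here
    ref = CFG_REF.match(value)
    if ref:
        value = agent.get(ref.group(1), ref.group(2), fallback=str(DEFAULT_RESTART_INTERVAL))
    return value

class Watchdog:
    """Model of the check loop as the post describes it, driven only by noted times."""
    def __init__(self, restart, restart_interval):
        self.restart, self.interval, self.started_at = restart, restart_interval, None

    def check(self, now, running):
        if not running:                  # not running: start it and note the time
            self.started_at = now
            return "start"
        if self.started_at is None:      # running but never noted: note the time only
            self.started_at = now
            return "note"
        if self.restart and now - self.started_at >= self.interval:
            self.started_at = now        # assumed restart branch (restart=yes)
            return "restart"
        return "ok"

def watchdog_for(plugin, agent):
    return Watchdog(plugin.getboolean("config", "restart"), int(resolve(plugin, agent, "restart_interval")))
```

Because the model only compares against the time it noted itself, a process that was already running when first seen is restarted one full interval after that first check, not one interval after it actually started.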