Unsupported product: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Configuring processes


On the Monitor Configuration page, click Add to add a new monitor configuration, or select an existing monitor configuration and click Edit to update it.

On the Add Monitor Types dialog, with the Monitoring Profile set to Complete or Process, and the Monitor Type set to Processes, provide the following details:

Field

Description

List of Processes

Process Details

Process Label

Enter a display name for the process(es) to be monitored. The display name (process label) cannot contain blank spaces or any of these special characters: . [ ! @ # $ % ? { } ^ \ / | + = & * ( ) ; ]. The label can contain a maximum of 100 characters.

For example, the display name can be sshd_proc or patrolagent_proc.

See process configuration examples.

Monitored Process String

Enter a string that matches names of processes to be monitored. Input may also be a regular expression pattern.

For example:

  • The string can be /usr/sbin/sshd or Patrol.*
  • To monitor the PATROL Agent process running on port 3282, enter the regular expression PatrolAgent -p 3282$
    See process configuration examples.

Minimum Count

Select the minimum limit. An alert is generated if the number of processes drops below the specified limit.

Maximum Count

Select the maximum limit. An alert is generated if the number of processes exceeds the specified limit.

Acceptable process owner

Enter the name of the user who owns the process. Regular expressions are supported. See process configuration examples.

Use Process Owners for Filtering?

Select this check box to filter processes based on the process owners. See process configuration examples.

Parent Process ID Must Be 1

Select this check box if the processes should have 1 as their parent process ID. See process configuration examples.

Filter Processes with Parent Process ID 1

Select this check box to filter the processes whose parent process ID is 1. See process configuration examples.

Process Alert Options

Alert Delay Count

Select the number of collection intervals after which the delay alert will be generated. See process configuration examples.

Alert State

Select the type of process alert state.

  • Alarm
  • Warning

Add to List

Click this option to confirm the configuration information that you provided and add the process name to the list of processes.

Modify Selection

Select one of the items that you added to the list in the preceding step, and click this option to modify details.

Remove from List

Select the items added earlier and click this option to delete them from the list of configured processes and clear the details provided in the earlier fields.

Process configuration examples 

The following table demonstrates how specific filters are processed by the filter rules:

Scenario: To receive an alert if the process count drops below or exceeds the predefined number of processes
Example:
  • Process Label: bash
  • Process Name String: bash.*
  • Minimum count: 5
  • Maximum count: 15
Comments: None

Scenario: To monitor processes started by authorized users and receive an alert if an unauthorized user starts a process
Example:
  • Process Label: bash
  • Process Name String: bash.*
  • Minimum count: 5
  • Maximum count: 15
  • Acceptable process owner: abc
Comments: If user "xyz" starts a bash process, the Process Ownership Check attribute will raise an alarm.

Scenario: To monitor processes started by a specific user and exclude processes started by other users
Example:
  • Process Label: bash
  • Process Name String: bash.*
  • Minimum count: 5
  • Maximum count: 15
  • Acceptable process owner: abc|pqr|xyz
  • Use Process Owners for Filtering?: Select the checkbox
Comments: A pipe-separated list or a regular expression of acceptable process owners. Here, abc, pqr and xyz are acceptable process owners.

Scenario: To monitor processes whose Parent Process ID is one
Example:
  • Process Label: bash
  • Process Name String: bash.*
  • Minimum count: 5
  • Maximum count: 15
  • Parent Process ID must be 1: Select the checkbox
  • Filter Processes with Parent Process ID 1: Do not select the checkbox
Comments: This configuration is usually suitable for system processes with parent process ID 1. If the parent PID of some process is not 1, ProcessParentPID1 would be in WARN/ALARM state.

Scenario: To filter processes whose Parent Process ID is one
Example:
  • Process Label: bash
  • Process Name String: bash.*
  • Minimum count: 5
  • Maximum count: 15
  • Parent Process ID must be 1: Select checkbox
  • Filter Processes with Parent Process ID 1: Select checkbox
Comments: Excludes all processes which match the Process Name String criteria but whose parent PID is not 1.

Scenario: To delay alert by 'N' number of collections
Example:
  • Process Label: bash
  • Process Name String: bash.*
  • Minimum count: 5
  • Maximum count: 15
  • Alert Delay Count: 3
  • Alert State: Warning or Alarm
Comments: This will delay an alert if some process violates the set minimum or maximum limit.

Scenario: To avoid delay and get an immediate alert if a process violates the configured minimum or maximum thresholds
Example:
  • Process Label: bash
  • Process Name String: bash.*
  • Minimum count: 5
  • Maximum count: 15
  • Alert Delay Count: 0
  • Alert State: Warning or Alarm
Comments: None

Scenario: To monitor processes that begin with /usr/sbin
Example:
  • Process Label: bash sys_processes
  • Process Name String: bash.* ^/usr/sbin
Comments: Monitors all the processes that begin with /usr/sbin. Monitors processes like:
  • /usr/sbin/sshd
  • /usr/sbin/syslogd
  • /usr/sbin/inetd
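
The filter rules from the table above, modelled in Python as an added example (this is not the product's own code or part of the original page). The names Rule, evaluate and SAMPLE are hypothetical, and the matching and delay semantics are assumptions labelled in the comments.

```python
# Added example: a model of the page's filter rules, not the product's code.
import re
from dataclasses import dataclass

@dataclass
class Rule:
    pattern: str                   # Monitored Process String (regex)
    min_count: int
    max_count: int
    owners: str = ""               # Acceptable process owner (regex or a|b|c)
    filter_by_owner: bool = False  # Use Process Owners for Filtering?
    ppid_must_be_1: bool = False   # Parent Process ID Must Be 1
    filter_ppid1: bool = False     # Filter Processes with Parent Process ID 1
    delay: int = 0                 # Alert Delay Count
    streak: int = 0                # consecutive violating collections so far

def evaluate(rule, procs):
    """Apply one rule to one collection of (owner, ppid, command line)."""
    # Assumption: the pattern is searched anywhere in the command line.
    matched = [p for p in procs if re.search(rule.pattern, p[2])]
    bad_owner, bad_ppid = [], []
    if rule.owners:
        # Assumption: the owner regex must match the whole user name.
        good = [p for p in matched if re.fullmatch(rule.owners, p[0])]
        if rule.filter_by_owner:
            matched = good                     # others are silently excluded
        else:
            bad_owner = [p for p in matched if p not in good]
    if rule.filter_ppid1:
        matched = [p for p in matched if p[1] == 1]
    elif rule.ppid_must_be_1:
        bad_ppid = [p for p in matched if p[1] != 1]
    violated = not (rule.min_count <= len(matched) <= rule.max_count)
    rule.streak = rule.streak + 1 if violated else 0
    return {
        "count": len(matched),
        # Assumption: the alert fires once the violation outlasts `delay` runs.
        "count_alert": violated and rule.streak > rule.delay,
        "owner_alert": bool(bad_owner),
        "ppid_alert": bool(bad_ppid),
    }

# Constructed sample collection: (owner, ppid, command line)
SAMPLE = [
    ("root", 1, "/usr/sbin/sshd -D"),
    ("patrol", 1, "PatrolAgent -p 3282"),
    ("patrol", 1, "PatrolAgent -p 32820"),
    ("abc", 4100, "bash"),
    ("xyz", 4200, "bash -l"),
]
```

With the trailing `$`, `PatrolAgent -p 3282$` counts only the agent on port 3282; without it, the agent on port 32820 is counted as well. Selecting the owner or parent-PID filtering check boxes removes non-conforming processes from the count instead of raising the ownership or parent-PID alert on them.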

Related topics

Configuring-after-installation 

 
