CustoSec:Check Windows Process

From CustosecWiki
Basic Information on Check

Name of Check: Windows Process
Technical Name: check_win_process
Available in: All Systems
Number of Arguments: 2
From Version: ARANSEC 1.0
Compatibility: All ARANSEC and CustoSec




Scope of Check

This is a standard check to monitor whether a particular process (exe file), given as an argument, is running on a Windows system. The check is based on an SNMP query.


Requirements

For the check to work properly the following requirements must be met:

  • The check is configured as a service check on the target host that should be monitored.
  • SNMP must be activated on the target host (read-only, with a community name; it is also recommended to allow only the ARANSEC/CustoSec IP address to read SNMP information on the host). SNMP access can easily be verified by starting a second session in a second browser tab and running an SNMP walk from ARANSEC's SNMP-Walk function (bottom entry in the left-hand menu).


Arguments

To configure the check, the following arguments are available:

Arg1
  Argument Name: snmp-community
  Allowed Arguments: string
  Explanation: Community name for the SNMP agent. It is strongly recommended to change the default community on most Windows systems from "public" to something like "aransec". Must be entered, or the check cannot find the OID.
  Example: custosec

Arg2
  Argument Name: process name
  Allowed Arguments: integer
  Explanation: The name of the process that should be monitored (exe file). The name is entered with the suffix (.exe) of the process name. This can also be the process name of a Windows Service, like "svchost.exe".
  Example: sqlservr.exe


Returned Values of the Check

The check returns the following values and information.

Status: OK
  Output: 1 process matching cobraTM.exe (> 0) (<= 50):OK
  Remarks: At least one process has been found matching the search pattern. The return value is the number of processes found. The warn/critical threshold is fixed at 50, so OK is returned. If more instances of a process are running, the service returns the number of running instances ("2 process matching AdressPLUS.exe"). If this number exceeded 50, the check would return CRITICAL (see notes).

Status: WARNING
  Output: -
  Remarks: Warning will not be reported by this check.

Status: CRITICAL
  Output: 94 process matching (> 0) (> 50 : CRITICAL)
  Remarks: The detailed information in the output is a bit cryptic. Basically, the value 94 means there is no running process matching the search pattern; the script returns this case as the integer 94. The critical threshold is fixed at 50, so CRITICAL is reported.


Notes

  • This is a very simple check which basically only checks whether a process is running or not.
  • To monitor services on a Windows host, in most cases it is easier and simpler to use Check Windows Service (check_win_service).
  • This check can monitor processes on a Windows server. These can also be found by opening the process list in the Task Manager (processes of all users).
  • This check has a fixed threshold of 50 matching processes to turn CRITICAL, which in most cases is no problem. Usually this check is used to monitor processes that run only once. In case more flexible thresholds are needed, please use Check Windows Process Intervals (check_win_process_int).
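The decision logic described under "Returned Values" and in the notes above (count the matching processes, report 94 when nothing matches, fixed CRITICAL threshold of 50), rebuilt as an added example that is not the check_win_process script itself. It assumes the SNMP query walks the HOST-RESOURCES-MIB hrSWRunName table and parses snmpwalk-style text; the sample walk output is constructed.

```python
"""Added example: the check_win_process decision logic, not the project's own code.

Assumption (not stated on the page): the SNMP query walks
HOST-RESOURCES-MIB::hrSWRunName, and the walk output below is constructed.
"""
import re

# Constructed sample of an snmpwalk over hrSWRunName on a Windows host (not real data).
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "System Idle Process"
HOST-RESOURCES-MIB::hrSWRunName.4 = STRING: "System"
HOST-RESOURCES-MIB::hrSWRunName.612 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.788 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1440 = STRING: "sqlservr.exe"
"""

CRITICAL_THRESHOLD = 50   # fixed threshold documented on the page
NOT_FOUND_VALUE = 94      # value the script reports when no process matches

_LINE = re.compile(r'hrSWRunName\.(\d+) = STRING: "(.*)"')


def parse_run_names(walk_output):
    """Return {pid: process name} parsed from snmpwalk text output."""
    return {int(m.group(1)): m.group(2)
            for m in map(_LINE.search, walk_output.splitlines()) if m}


def count_matching(run_names, process_name):
    """Count processes whose image name equals process_name (case-insensitive on Windows)."""
    wanted = process_name.lower()
    return sum(1 for name in run_names.values() if name.lower() == wanted)


def check_win_process(walk_output, process_name):
    """Return (status, output) the way the page describes the plugin's result."""
    count = count_matching(parse_run_names(walk_output), process_name)
    # No match is reported as the integer 94, which exceeds the fixed threshold.
    value = count if count > 0 else NOT_FOUND_VALUE
    if value > CRITICAL_THRESHOLD:
        return "CRITICAL", f"{value} process matching {process_name} (> 0) (> {CRITICAL_THRESHOLD} : CRITICAL)"
    return "OK", f"{value} process matching {process_name} (> 0) (<= {CRITICAL_THRESHOLD}):OK"


if __name__ == "__main__":
    for proc in ("sqlservr.exe", "svchost.exe", "notepad.exe"):
        print(*check_win_process(SAMPLE_WALK, proc))
```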