Alert if there are no matching running process on Linux machine from the processes tab that comes from librenms agent

Within the MySQL CLI I can find devices that are seen to have the process /sbin/auditd from the LibreNMS agent. The SQL example below shows the 2 machines I have the agent installed on for my testing.

MariaDB [librenms]> SELECT * FROM processes WHERE command LIKE '/sbin/auditd%';
+--------+-----------+---------+--------+------+----------+------+--------------+
| id     | device_id | pid     | vsz    | rss  | cputime  | user | command      |
+--------+-----------+---------+--------+------+----------+------+--------------+
| 113810 |       179 |  235198 | 130984 | 2180 | 00:00:05 | root | /sbin/auditd |
| 590604 |       341 | 1266268 | 130844 | 2284 | 00:00:00 | root | /sbin/auditd |
+--------+-----------+---------+--------+------+----------+------+--------------+
2 rows in set (0.003 sec)

I’d like to trigger an alert when there are no /sbin/auditd processes found on a device. However, I can’t seem to adapt my SQL query above to do that. I’m not sure I’m entering my SQL correctly in the LibreNMS web interface.

How about an inverted alert rule?

As I’m sure you’ve seen, you can’t do doesn’t contain/start with/etc. because every other process that’s running, “doesn’t contain” ‘/sbin/auditd’, right?

So create a rule where processes.command contains '/sbin/auditd' then turn on invert rule match. So basically, alert if 0 matches for processes.command that contain '/sbin/auditd'.
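The trap the reply describes, and the query that the inverted rule is equivalent to, shown as an added example rather than anything from the thread or from LibreNMS itself. It builds an in-memory SQLite stand-in for the `devices` and `processes` tables (column names assumed from the thread's output and the LibreNMS schema), loads the two devices from the thread plus a constructed device 500 that is not running auditd, and runs both the naive `NOT LIKE` and a per-device `NOT EXISTS` check; the `status = 1` filter stands in for `macros.device_up = 1`.

```python
import sqlite3

# Minimal stand-in for the LibreNMS `devices` and `processes` tables
# (assumed column names; this is not the project's own schema definition).
SCHEMA = """
CREATE TABLE devices (
    device_id INTEGER PRIMARY KEY,
    hostname  TEXT NOT NULL,
    status    INTEGER NOT NULL  -- 1 = up, 0 = down
);
CREATE TABLE processes (
    id        INTEGER PRIMARY KEY,
    device_id INTEGER NOT NULL,
    pid       INTEGER,
    user      TEXT,
    command   TEXT
);
"""

# Constructed sample data: the two devices from the thread, one extra
# agent-polled host (500) where auditd is not running, and one host that is down.
DEVICES = [
    (179, "node-a.example", 1),
    (341, "node-b.example", 1),
    (500, "node-c.example", 1),
    (501, "node-down.example", 0),
]
PROCESSES = [
    (113810, 179, 235198, "root", "/sbin/auditd"),
    (590604, 341, 1266268, "root", "/sbin/auditd"),
    (590605, 341, 1, "root", "/sbin/init"),
    (700001, 500, 1, "root", "/sbin/init"),
    (700002, 500, 812, "root", "/usr/sbin/sshd -D"),
]

# Naive attempt: NOT LIKE matches every *other* process row, so any device
# running anything besides auditd comes back, including device 341 which
# does run auditd. This is why "doesn't contain" cannot work row by row.
NAIVE_SQL = """
SELECT DISTINCT device_id FROM processes
WHERE command NOT LIKE '/sbin/auditd%'
ORDER BY device_id
"""

# Correct form: ask per device whether zero rows match. This is the SQL
# equivalent of a rule "processes.command contains '/sbin/auditd'" with
# invert rule match turned on, restricted to devices that are up.
MISSING_SQL = """
SELECT d.device_id, d.hostname
FROM devices d
WHERE d.status = 1
  AND NOT EXISTS (
        SELECT 1 FROM processes p
        WHERE p.device_id = d.device_id
          AND p.command LIKE '/sbin/auditd%'
  )
ORDER BY d.device_id
"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", DEVICES)
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?)", PROCESSES)
    return conn


def naive_devices(conn):
    """Device ids the row-level NOT LIKE query would (wrongly) flag."""
    return [row[0] for row in conn.execute(NAIVE_SQL)]


def devices_missing_auditd(conn):
    """(device_id, hostname) for up devices with no /sbin/auditd process."""
    return [(row[0], row[1]) for row in conn.execute(MISSING_SQL)]


if __name__ == "__main__":
    conn = build_db()
    print("naive NOT LIKE flags:", naive_devices(conn))          # [341, 500]
    print("devices without auditd:", devices_missing_auditd(conn))  # [(500, 'node-c.example')]
```

The naive query flags device 341 even though it runs auditd, and would miss a device that reported no rows at all; the `NOT EXISTS` form only returns device 500, which is the set the inverted rule alerts on.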

That did it. I had tried that before but I was including macros.device_up = 1 and with the inversion that likely got mangled. Very cool, this opens up a lot of possibilities for monitoring things on my cluster and I think it’s going to help me convince some people to stop using Splunk like it’s a monitoring tool. Thank you so much, you rock!

