1. Home
2. Questions
3. Unanswered
4. AI Assist Labs
5. Tags
7. Chat
8. Users
10. Companies
Teams

Ask questions, find answers and collaborate at work with Stack Overflow for Teams.
Try Teams for free Explore Teams
Teams
Ask questions, find answers and collaborate at work with Stack Overflow for Teams. Explore Teams

Monitoring start and stop processes

Ask Question

Asked 1 year, 3 months ago

Modified 1 year, 3 months ago

Viewed 174 times

0

Im trying to monitor the start and stop of processes on a server with auditd, using the following rule

-w /usr/bin/ -p x -k T1569.002

However, when raising an event to generate the log and searching it with ausearch, the only log it finds is the addition of the rule.

edited Jul 23, 2024 at 12:54

AdminBee

23.6k25 gold badges55 silver badges77 bronze badges

asked Jul 19, 2024 at 21:16

David Pérez

1

If the process is already loaded into memory, /usr/bin is not referenced on startup. Not all executables come from /usr/bin. Nor is the filesystem referenced at all on process exit.

waltinator
– waltinator

2024-07-19 22:34:30 +00:00
Commented Jul 19, 2024 at 22:34
If you want to monitor process start/stop, you probably want to monitor the execve and exit system calls. Take a look at this article.

larsks
– larsks

2024-07-23 16:01:49 +00:00
Commented Jul 23, 2024 at 16:01
See sematext.com/blog/linux-monitoring-tools and cyberciti.biz/tips/top-linux-monitoring-tools.htm and do an intrrnet search on "Perfomance Accounting" Performance Monitoring". Be prepared to drink from the firehose of data if you track process statt/stop.

waltinator
– waltinator

2024-07-23 18:00:04 +00:00
Commented Jul 23, 2024 at 18:00

Add a comment |

0

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.