# General syntax of syscheck's configuration file:
# Empty lines are allowed. Comments one-per-line are allowed. Very long
# lines may be split and continued by putting a backslash at the end, as in
# this is a \
# very long line

# THE EVAL STATEMENT
# 'eval' can be used to inject Perl code. Typically used to set up the
# environment, the PATH and so on.
eval $ENV{PATH} .= ':/usr/local/bin:/opt/local/bin';

# THE SYSTEM STATEMENT
# 'system' commands are always run.
system echo `date` syscheck started on `hostname`

# THE POPULATE STATEMENT
# 'populate' stores the output of a command in a named list. The list name
# is later used in 'expect' statements. E.g., this fetches the list of all
# processes and stores them in a list 'pslist'.
populate pslist ps ax

# THE EXPECT STATEMENT
# 'expect' matches the text in a populated list with a regular expression.
# Several expects may be stated, in that case all must match.
# When they don't, then the next 'correct' command is run.
# Example: See if Apache is running. If not, fire it up using apachectl.
expect pslist httpd -k start
correct apachectl start

# MULTIPLE EXPECTS
# Here is the same example, but using nc (netcat). The 'populate' line calls nc
# to probe http://localhost:10000. The 'expect' lines want to match a few
# strings in the output. The idea is that this detects a partially-broken
# webserver. When one or more expected parts are not matched, Apache is
# forcefully restarted.
populate webserver_output echo 'GET /' | nc localhost 10000
expect webserver_output
expect webserver_output
expect webserver_output
expect webserver_output
correct killall -9 httpd; sleep 1; apachectl start

# MULTIPLE LISTS
# An example with 2 lists. I want the program 'microproxy' to be running, and
# I want the log file '/tmp/microproxy.log' to be present. When either
# condition is not satisfied, microproxy is (re)started. This also restarts
# the microproxy when someone accidentally removes the log file in /tmp.
# This uses the above filled process list 'pslist' and populates its own
# list 'tmp_listing'.
populate tmp_listing ls /tmp/*log
expect tmp_listing microproxy.log
expect pslist microproxy -t
correct killall microproxy; sleep 1; \
microproxy -tvvp3126 | loglimit /tmp/microproxy.log 100000 3 &
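
# ADDED EXAMPLE (not part of syscheck or of this configuration file)
# Every eval, system, populate and correct line is executed as a command, so
# it helps to review a configuration before deploying it. The Python sketch
# below reads the syntax described above, lists what always runs, and shows
# which expects guard each 'correct'. Assumptions: statement layout is inferred
# from the examples in this file, comment lines are never continued, and
# Python's 're' stands in for Perl regular expressions. The function names
# statements, audit and needs_correction are hypothetical.

```python
import re

# Constructed sample in the syntax shown in this file (not a real deployment).
SAMPLE = r"""
# set up PATH first
eval $ENV{PATH} .= ':/usr/local/bin:/opt/local/bin';
populate pslist ps ax
populate tmp_listing ls /tmp/*log
expect tmp_listing microproxy.log
expect pslist microproxy -t
correct killall microproxy; sleep 1; \
    microproxy -tvvp3126 | loglimit /tmp/microproxy.log 100000 3 &
"""

def statements(text):
    """Yield (keyword, rest) pairs, joining backslash-continued lines."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: blank lines and comments are skipped unless continuing.
        if not pending and (not line or line.startswith("#")):
            continue
        line, pending = pending + line, ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        keyword, _, rest = line.partition(" ")
        yield keyword, rest.strip()

def audit(text):
    """Return (always_run, rules): unconditional commands, and each
    'correct' command with the (list, regex) expects that guard it."""
    always, rules, guards, lists = [], [], [], set()
    for kw, rest in statements(text):
        if kw in ("eval", "system"):
            always.append((kw, rest))
        elif kw == "populate":
            name, _, cmd = rest.partition(" ")
            lists.add(name)
            always.append((kw, cmd.strip()))
        elif kw == "expect":
            name, _, pattern = rest.partition(" ")
            if name not in lists:
                raise ValueError(f"expect on unpopulated list {name!r}")
            guards.append((name, pattern.strip()))
        elif kw == "correct":
            rules.append({"correct": rest, "guards": guards})
            guards = []
        else:
            raise ValueError(f"unknown statement {kw!r}")
    return always, rules

def needs_correction(rule, outputs):
    """All expects must match; True when at least one does not."""
    return not all(re.search(p, outputs[n]) for n, p in rule["guards"])
```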