Home
  •  

Process Audit Service Health

Microsoft.Linux.RHEL.5.Process.Audit.Monitor (UnitMonitor)

Red Hat Enterprise Linux Server 5 Process Audit Monitor

Knowledge Base article:

Summary

This process monitor watches for the audit process to be running.

Causes

A failure indicates that the audit service on the system is down.

Resolutions

Check the service by running ps -ef | grep auditd or by viewing the diagnostic in the Operations Manager Console. Start it by running the command "service auditd start" or by clicking the recovery link in the Operations Manager Console.

For root cause analysis, first check the system logfile (/var/log/messages), and view any related entries at the time of failure.

Element properties:

TargetMicrosoft.Linux.RHEL.5.OperatingSystem
Parent MonitorSystem.Health.AvailabilityState
CategoryAvailabilityHealth
EnabledTrue
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.Unix.WSMan.Process.Status.MonitorType
RemotableTrue
AccessibilityPublic
Alert Message
Red Hat Enterprise Linux Server 5 Process Audit Monitor Alert
The Kernel Auditing daemon on server {0} is not running.
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.Linux.RHEL.5.Process.Audit.Monitor" Accessibility="Public" Target="Microsoft.Linux.RHEL.5.OperatingSystem" TypeID="Unix!Microsoft.Unix.WSMan.Process.Status.MonitorType" Enabled="true" ParentMonitorID="SystemHealth!System.Health.AvailabilityState">

  <Category>AvailabilityHealth</Category>

  <AlertSettings AlertMessage="Microsoft.Linux.RHEL.5.Process.Audit.AlertMessage">

    <AlertOnState>Error</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Error</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</AlertParameter1>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState HealthState="Success" MonitorTypeStateID="Running" ID="Running"/>

    <OperationalState HealthState="Error" MonitorTypeStateID="NotRunning" ID="NotRunning"/>

  </OperationalStates>

  <Configuration>

    <TargetSystem>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</TargetSystem>

    <ProcessName>auditd</ProcessName>

    <Interval>300</Interval>

  </Configuration>

</UnitMonitor>