|Callbacks:||init, config, read, shutdown|
|Copyright:||2017 Andrew Bays|
This plugin utilizes the Netlink library to monitor process starts and exits.
While running, two threads are used:
- The main read thread, to read semaphore-protected shared memory.
- A blocking listening thread that waits for process messages on a Netlink socket. When a message is received, it is placed in shared memory (a ring buffer).
When the plugin is initialized, the /proc directory of the system is analyzed to find any running processes that match process names or regular expressions enumerated in the plugin configuration. A linked list of process PID/name combos is stored for all running processes that are of interest to the plugin. When a new, matching process is detected during runtime, it will be added to the linked list if its PID/name combo is not already present. When an old, matching process dies during runtime, its PID will be removed from the linked list item and replaced with -1, but the linked list item itself will remain with the process name still present (we do this to reuse the memory rather than freeing the space and reallocating when the process might appear again).
When a matching process starts or exits, the listening thread adds a ring buffer entry to the shared memory. The read thread then reads this entry (and any other new entries) when it next wakes, and uses the information in the linked list and the buffer entry to construct an event notification to dispatch.
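The listener/reader split and the "replace the PID with -1 and reuse the entry" rule described above, as an added single-threaded C model that is not the plugin's own code: the Netlink socket and the semaphore are left out, the Process/ProcessRegex values are constructed, and the function names are hypothetical.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>
#define BUFFER_LENGTH 4 /* plays the role of the plugin's BufferLength option */
struct proc_entry { int pid; char name[32]; struct proc_entry *next; };
struct event { int pid; char name[32]; int started; };
static struct proc_entry *procs;         /* linked list of PID/name combos */
static struct event ring[BUFFER_LENGTH]; /* ring buffer filled by the listener */
static int ring_head, ring_count;        /* oldest unread slot, unread count */
/* Constructed config: Process "sshd" plus ProcessRegex "^nginx". */
static int name_matches(const char *name) {
  regex_t re; int ok = strcmp(name, "sshd") == 0;
  if (!ok && regcomp(&re, "^nginx", REG_EXTENDED | REG_NOSUB) == 0) {
    ok = regexec(&re, name, 0, NULL, 0) == 0;
    regfree(&re);
  }
  return ok;
}
/* Queue an event (name truncated to 31 bytes, byte 32 stays '\0'); returns 0 when the ring is full. */
static int enqueue(int pid, const char *name, int started) {
  if (ring_count == BUFFER_LENGTH) return 0;
  struct event *e = &ring[(ring_head + ring_count++) % BUFFER_LENGTH];
  e->pid = pid; e->started = started; strncpy(e->name, name, sizeof e->name - 1);
  return 1;
}
/* Listener, EXEC: track a matching name, reusing a dead (pid -1) entry instead of allocating. */
int procevent_exec(int pid, const char *name) {
  struct proc_entry *p = procs;
  if (!name_matches(name)) return 0;
  while (p && (strcmp(p->name, name) != 0 || (p->pid != pid && p->pid != -1))) p = p->next;
  if (!p && (p = calloc(1, sizeof *p)) != NULL) {
    strncpy(p->name, name, sizeof p->name - 1); p->next = procs; procs = p;
  }
  if (!p) return 0;
  p->pid = pid;
  return enqueue(pid, name, 1);
}
/* Listener, EXIT: only the PID is known; mark the entry dead but keep it for reuse. */
int procevent_exit(int pid) {
  for (struct proc_entry *p = procs; p; p = p->next)
    if (p->pid == pid) { p->pid = -1; return enqueue(pid, p->name, 0); }
  return 0;
}
/* Read thread: drain up to max events, freeing their ring slots; returns the count. */
int procevent_read(struct event *out, int max) {
  int n = 0;
  for (; ring_count > 0 && n < max; ring_count--, ring_head = (ring_head + 1) % BUFFER_LENGTH)
    out[n++] = ring[ring_head];
  return n;
}
```

With BUFFER_LENGTH set to 4, a fifth unread event is dropped, which is the trade-off behind sizing the real option for the expected burst of EXECs and EXITs between reads.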
```
<Plugin procevent>
  BufferLength 10
  Process "name"
  ProcessRegex "regex"
</Plugin>
```
|BufferLength length||Maximum number of process events that can be stored in the plugin's ring buffer. By default, this is set to 10. Once an event has been read, its slot becomes available for storing a new event.|
|Process name||Enumerate a process name to monitor. All processes that match this exact name will be monitored for EXECs and EXITs.|
|ProcessRegex regex||Enumerate a process pattern to monitor. All processes that match this regular expression will be monitored for EXECs and EXITs.|
- Plugin that monitors process starts/stops via the Netlink library, added in 5.10