How to exclude logins from check_procs checks of sshd

Question

I am looking to use the Nagios plugin check_procs to monitor the number of ssh daemons running on my CentOS servers. Consider my server right now:

$ ps auxww | grep ssh
root      6750  0.0  0.0  31812  1224 ?        Ss    2012   0:01 /usr/sbin/sshd
root     23375  0.0  0.0  65464  3244 ?        Ss   16:53   0:00 sshd: user [priv]
user     23377  0.0  0.0  65464  1908 ?        S    16:53   0:00 sshd: user@pts/1
root     23404  0.0  0.0  65464  3248 ?        Ss   16:53   0:00 sshd: user [priv]
user     23406  0.0  0.0  65464  1912 ?        S    16:53   0:00 sshd: user@pts/2

I am only interested in knowing how many instances of '/usr/sbin/sshd' are running, NOT how many daemons have been launched to handle incoming ssh connections. Is there a way to accomplish this?

Answer 1

You could check for 'sshd' daemons started specifically from 'root' using:

check_procs -p 1 -C sshd
PROCS OK: 1 process with PPID = 1, command name 'sshd'

That should eliminate the forks started to handle user connections. The '-p' option tells check_procs to only count those processes with the given PPID, in this case '1' belonging to root. The check_procs command won't allow you to add a path.

If you need to see the number of '/usr/sbin/sshd' specific daemons running, no mater the user they are running from, you could build a check around the following:

ps -ef | grep "/usr/sbin/sshd" | grep -v grep | wc -l
1

That would give you the count, which you can then check in bash/perl/... and throw the alert as required.

After looking at the source for check_procs, I would use the following check config:

check_procs -p 1 --ereg-argument-array=^\/usr\/sbin\/sshd

That should give you exactly what you're looking for and will include the 'path' in what is being checked - which is not available with the -C option.