Example /etc/monitrc file
# Base system
# NOTE(review): no global `set daemon` / `set alert` / `set mailserver` lines appear in this
# excerpt; the `alert` actions below only reach someone if those are configured elsewhere.

# sshd is restarted when the SSH protocol test on port 22 fails.
# Start/stop go through /sbin/service, while the dependency below watches /etc/rc.d/rc.sshd.
check process sshd with pidfile "/var/run/sshd.pid"
  group ssh
  start = "/sbin/service sshd start"
  stop = "/sbin/service sshd stop"
  if failed port 22 and protocol ssh then restart
  depends on sshd_rc
  depends on sshd_bin

# Change detection on the daemon configuration: any checksum change raises an alert.
check file sshd_config with path "/etc/ssh/sshd_config"
  group ssh
  if changed checksum then alert

# Timestamp watch on the whole /etc/ssh directory.
check directory ssh_config.d with path "/etc/ssh"
  group ssh
  if changed timestamp then alert

# Integrity guard on the init script: checksum, mode 755 and root:root ownership.
# No `expect` sum is given, so the reference is presumably the checksum Monit computes
# when it starts watching the file; a file replaced before that point would become the
# baseline. TODO confirm for the installed version, or pin a known-good sum.
# `unmonitor` stops the check; presumably the dependent sshd process check is
# unmonitored with it. Verify that this event is alerted on.
check file sshd_rc with path "/etc/rc.d/rc.sshd"
  group ssh
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Same integrity guard for the sshd binary.
check file sshd_bin with path "/usr/sbin/sshd"
  group ssh
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Timestamp watches on the system binary directories.
# NOTE(review): these will presumably also fire on legitimate package upgrades, so the
# alert needs correlating with change records.
check directory sbin with path "/sbin"
  if changed timestamp then alert
check directory usr-sbin with path "/usr/sbin"
  if changed timestamp then alert
check directory bin with path "/bin"
  if changed timestamp then alert
check directory usr-bin with path "/usr/bin"
  if changed timestamp then alert

# Disk space and inode thresholds on /dev/md0. Only alerting is active: the stop program
# and both `then stop` rules are commented out.
# NOTE(review): `check device` looks like the older keyword for a filesystem check;
# confirm it is accepted by the installed Monit version.
check device disk1 with path /dev/md0
  start = "/bin/mount /dev/md0"
  # stop = "/bin/umount /dev/md0"
  if space usage > 90% then alert
  # if space usage > 99% then stop
  if inode usage > 90% then alert
  # if inode usage > 99% then stop

# Disabled self-check of the control file.
# NOTE(review): the path here is /etc/monit/monitrc, while the page title names
# /etc/monitrc; correct it before enabling. As written it would reload Monit on any
# change to its own configuration.
#check file monitrc with path "/etc/monit/monitrc"
# if failed checksum then exec "/usr/sbin/monit reload"
# HTTP
# httpd is restarted when GET /index.html on port 80 fails or CPU stays above 98% for
# 10 cycles; 2 restarts within 3 cycles trigger `timeout`.
check process httpd with pidfile "/var/run/httpd.pid"
  group web
  start = "/etc/rc.d/rc.httpd start"
  stop = "/etc/rc.d/rc.httpd stop"
  if failed port 80 and protocol http and request "/index.html" then restart
  if cpu usage > 60% for 5 cycles then alert
  if cpu usage > 98% for 10 cycles then restart
  if 2 restarts within 3 cycles then timeout
  depends on httpd_rc
  depends on httpd_bin

# NOTE(review): a checksum change triggers a graceful reload, so any edit to this file,
# intended or not, is put into effect automatically. Confirm that the change is also
# alerted on, since the ssl.conf check below uses `alert` and this one does not.
check file httpd.conf with path "/etc/httpd/conf/httpd.conf"
  group web
  if changed checksum then exec "/usr/sbin/apachectl graceful"

# Same automatic reload when the modules.d directory timestamp changes.
check directory httpd.conf.d with path "/etc/httpd/conf/modules.d"
  group web
  if changed timestamp then exec "/usr/sbin/apachectl graceful"

# Integrity guard on the init script: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent httpd check.
check file httpd_rc with path "/etc/rc.d/rc.httpd"
  group web
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Same integrity guard for the httpd binary.
check file httpd_bin with path "/usr/sbin/httpd"
  group web
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# TLS configuration: alert only, no automatic reload.
check file httpd-ssl.conf with path "/etc/httpd/conf/ssl.conf"
  group web
  if changed checksum then alert
# MySQL
# NOTE(review): the pidfile is named secure.pid, presumably <hostname>.pid for the host
# this example came from. Adjust to the local server.
check process mysqld with pidfile "/var/lib/mysql/secure.pid"
  group sql
  start program = "/etc/rc.d/rc.mysqld start"
  stop program = "/etc/rc.d/rc.mysqld stop"
  if cpu usage is greater than 60 percent for 2 cycles then alert
  if cpu usage > 98% for 5 cycles then restart
  # NOTE(review): two timeout rules are declared (this one and the 5-in-5 rule below).
  # Which one takes effect depends on how the installed Monit version treats repeated
  # timeout statements; keep only the intended threshold.
  if 2 restarts within 3 cycles then timeout
  # NOTE(review): the socket is in /tmp, which is typically world-writable; the path
  # must match the socket the server is configured to create.
  if failed unixsocket /tmp/mysql.sock then restart
  if 5 restarts within 5 cycles then timeout
  depends on mysql_bin
  depends on mysql_rc

# Integrity guard on the server binary: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent mysqld check.
check file mysql_bin with path "/usr/sbin/mysqld"
  group sql
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Same integrity guard for the init script.
check file mysql_rc with path "/etc/rc.d/rc.mysqld"
  group sql
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file mysql.conf with path "/etc/my.cnf"
  group sql
  if changed checksum then alert
# Clamav
# clamd is restarted when its UNIX socket stops answering; 5 restarts in 5 cycles time out.
check process clamd with pidfile /var/run/clamav/clamd.pid
  group clamav
  start program = "/etc/rc.d/rc.clamav start"
  stop program = "/etc/rc.d/rc.clamav stop"
  # NOTE(review): the socket is in /tmp, which is typically world-writable; the path
  # must match the socket set in clamd's own configuration.
  if failed unixsocket /tmp/clamd then restart
  if 5 restarts within 5 cycles then timeout
  depends on clamd_bin
  depends on clamav_rc

# freshclam shares the rc.clamav start/stop script with clamd, so restarting either
# service runs the same script.
check process freshclam with pidfile "/var/run/clamav/freshclam.pid"
  group clamav
  start program = "/etc/rc.d/rc.clamav start"
  stop program = "/etc/rc.d/rc.clamav stop"
  if 5 restarts within 5 cycles then timeout
  depends on freshclam_bin
  depends on clamav_rc

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent process checks.
check file clamd_bin with path /usr/sbin/clamd
  group clamav
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file clamav_rc with path /etc/rc.d/rc.clamav
  group clamav
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file freshclam_bin with path /usr/bin/freshclam
  group clamav
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file clamd.conf with path "/etc/clamd.conf"
  group clamav
  if changed checksum then alert
check file freshclam.conf with path "/etc/freshclam.conf"
  group clamav
  if changed checksum then alert
# OpenNTPD
# A failed UDP test on 127.0.0.1:123 only alerts; it does not restart the daemon.
check process openntpd with pidfile "/var/run/ntpd.pid"
  group ntp
  start = "/sbin/service ntpd start"
  stop = "/sbin/service ntpd stop"
  if failed host 127.0.0.1 port 123 type udp then alert
  if 5 restarts within 5 cycles then timeout
  depends on openntpd_bin
  depends on openntpd_rc

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent openntpd check.
check file openntpd_bin with path "/usr/sbin/ntpd"
  group ntp
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file openntpd_rc with path "/etc/rc.d/rc.ntpd"
  group ntp
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file openntpd.conf with path "/etc/ntpd.conf"
  group ntp
  if changed checksum then alert
# Syslog
# Only the pidfile is watched; no test rule besides the restart-rate timeout is declared.
check process syslogd with pidfile "/var/run/syslogd.pid"
  group syslog
  start program = "/etc/rc.d/rc.syslog start"
  stop program = "/etc/rc.d/rc.syslog stop"
  if 5 restarts within 5 cycles then timeout
  depends on syslogd_rc
  depends on syslogd_bin

# Integrity guard on the init script: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent syslogd
# check, which would leave the logging daemon unsupervised; verify this is alerted on.
check file syslogd_rc with path "/etc/rc.d/rc.syslog"
  group syslog
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# NOTE(review): the expected mode here is 500, unlike the 755 used for the other
# binaries in this file; presumably this matches the distribution package. Verify.
check file syslogd_bin with path "/usr/sbin/syslogd"
  group syslog
  if failed checksum then unmonitor
  if failed permission 500 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
# Cron
# Only the pidfile is watched; 5 restarts within 5 cycles trigger `timeout`.
check process crond with pidfile /var/run/crond.pid
  group cron
  start program = "/etc/rc.d/rc.crond start"
  stop program = "/etc/rc.d/rc.crond stop"
  if 5 restarts within 5 cycles then timeout
  depends on crond_rc
  depends on crond_bin

# Integrity guard on the init script: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent crond check.
check file crond_rc with path /etc/rc.d/rc.crond
  group cron
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# NOTE(review): the expected group is wheel, not root as for the other binaries in this
# file; presumably this matches the distribution package. Verify.
check file crond_bin with path "/usr/sbin/crond"
  group cron
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid wheel then unmonitor
# Bind
# Only the named pidfile is watched; no port or DNS query test is declared, so a running
# but unresponsive daemon would not be noticed by this check.
check process bind with pidfile /var/run/named.pid
  group bind
  start program = "/etc/rc.d/rc.bind start"
  stop program = "/etc/rc.d/rc.bind stop"
  if 5 restarts within 5 cycles then timeout
  depends on bind_rc
  depends on bind_bin

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent bind check.
check file bind_rc with path /etc/rc.d/rc.bind
  group bind
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file bind_bin with path "/usr/sbin/named"
  group bind
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file bind.conf with path "/etc/named.conf"
  group bind
  if changed checksum then alert
# Munin
# munin-node is restarted when port 4949 fails; no protocol is named and no restart-rate
# timeout is declared for this service.
check process munin with pidfile "/var/run/munin/munin-node.pid"
  group munin
  start = "/etc/rc.d/rc.munin-node start"
  stop = "/etc/rc.d/rc.munin-node stop"
  if failed port 4949 then restart
  depends on munin_rc
  depends on munin_bin

# Configuration change detection: alert only.
check file munin-node.conf with path "/etc/munin/munin-node.conf"
  group munin
  if changed checksum then alert
check file munin.conf with path "/etc/munin/munin.conf"
  group munin
  if changed checksum then alert

# Timestamp watches on the plugin configuration and plugin directories.
check directory munin-plugin-conf.d with path "/etc/munin/plugin-conf.d"
  group munin
  if changed timestamp then alert
check directory munin-plugins with path "/etc/munin/plugins"
  group munin
  if changed timestamp then alert

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent munin check.
check file munin_rc with path "/etc/rc.d/rc.munin-node"
  group munin
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file munin_bin with path "/usr/sbin/munin-node"
  group munin
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
# SMTP
# postfix is restarted on sustained CPU above 98% or a failed SMTP test on port 25.
# It depends on the mysqld, postgrey and amavis process checks defined elsewhere in this
# file, so presumably it is stopped or unmonitored together with any of them.
check process postfix with pidfile "/var/spool/postfix/pid/master.pid"
  group mail
  start program = "/etc/rc.d/rc.postfix start"
  stop program = "/etc/rc.d/rc.postfix stop"
  if cpu usage > 98% for 5 cycles then restart
  # NOTE(review): two timeout rules are declared (this one and the 5-in-5 rule below).
  # Which one takes effect depends on how the installed Monit version treats repeated
  # timeout statements; keep only the intended threshold.
  if 2 restarts within 3 cycles then timeout
  if failed port 25 protocol smtp then restart
  if 5 restarts within 5 cycles then timeout
  depends on mysqld
  depends on postgrey
  depends on amavis
  depends on postfix_rc
  depends on postfix_bin

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent postfix check.
check file postfix_bin with path "/usr/sbin/postfix"
  group mail
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file postfix_rc with path "/etc/rc.d/rc.postfix"
  group mail
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Timestamp watch on the /etc/postfix directory; no checksum is taken of the files in it.
check directory postfix.conf with path "/etc/postfix"
  group mail
  if changed timestamp then alert
# Pure-FTPD
# pure-ftpd is restarted when the FTP protocol test on port 21 fails; it depends on the
# mysqld process check defined elsewhere in this file.
check process pure-ftpd with pidfile "/var/run/pure-ftpd.pid"
  group ftp
  start program = "/etc/rc.d/rc.pure-ftpd start"
  stop program = "/etc/rc.d/rc.pure-ftpd stop"
  if failed port 21 protocol ftp then restart
  if 5 restarts within 5 cycles then timeout
  depends on mysqld
  depends on pure-ftpd_bin
  depends on pure-ftpd_rc

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent pure-ftpd check.
check file pure-ftpd_bin with path "/usr/sbin/pure-ftpd"
  group ftp
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file pure-ftpd_rc with path "/etc/rc.d/rc.pure-ftpd"
  group ftp
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file pure-ftpd.conf with path "/etc/pure-ftpd.conf"
  group ftp
  if changed checksum then alert
# NOTE(review): only the checksum is watched for this file; given its name it presumably
# holds the database connection settings, so a permission/owner test may be worth adding.
check file pureftpd-mysql.conf with path "/etc/pureftpd-mysql.conf"
  group ftp
  if changed checksum then alert
# amavisd-new
# amavis is restarted when the SMTP test on port 10024 fails; it depends on the clamd
# process check defined elsewhere in this file.
check process amavis with pidfile "/var/run/amavisd.pid"
  group amavis
  start program = "/etc/rc.d/rc.amavisd-new start"
  stop program = "/etc/rc.d/rc.amavisd-new stop"
  if failed port 10024 protocol smtp then restart
  # NOTE(review): the timeout rule is commented out, so restarts of this service are
  # not rate-limited.
  # if 5 restarts within 5 cycles then timeout
  depends on amavis_rc
  depends on amavis_bin
  depends on clamd

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent amavis check.
check file amavis_bin with path "/usr/sbin/amavisd"
  group amavis
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file amavis_rc with path "/etc/rc.d/rc.amavisd-new"
  group amavis
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Timestamp watch on the /etc/amavis directory; no checksum is taken of the files in it.
check directory amavis.conf with path "/etc/amavis"
  group amavis
  if changed timestamp then alert
# DenyHosts
# Only the pidfile is watched; no test rule and no restart-rate timeout are declared.
check process denyhosts with pidfile /var/run/denyhosts.pid
  group denyhosts
  start program = "/etc/rc.d/rc.denyhosts start"
  stop program = "/etc/rc.d/rc.denyhosts stop"
  depends on denyhosts_rc
  depends on denyhosts_bin

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent denyhosts
# check, leaving this protective service unsupervised; verify this is alerted on.
check file denyhosts_rc with path /etc/rc.d/rc.denyhosts
  group denyhosts
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file denyhosts_bin with path "/usr/bin/denyhosts.py"
  group denyhosts
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file denyhosts.conf with path "/etc/denyhosts.cfg"
  group denyhosts
  if changed checksum then alert
# Courier
# Courier-authlib
# Only the pidfile is watched; the service depends on the mysqld process check defined
# elsewhere in this file. No test rule and no restart-rate timeout are declared.
check process courier-authlib with pidfile /var/run/courier/pid
  group courier
  start program = "/etc/rc.d/rc.courier-authlib start"
  stop program = "/etc/rc.d/rc.courier-authlib stop"
  depends on mysqld
  depends on courier-authlib_rc
  depends on courier-authlib_bin

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent
# courier-authlib check.
check file courier-authlib_rc with path /etc/rc.d/rc.courier-authlib
  group courier
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file courier-authlib_bin with path "/usr/libexec/courier-authlib/authdaemond"
  group courier
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file courier-authdaemon.conf with path "/etc/courier/authdaemonrc"
  group courier
  if changed checksum then alert
# NOTE(review): only the checksum is watched for this file; given its name it presumably
# holds the database connection settings, so a permission/owner test may be worth adding.
check file courier-authmysql.conf with path "/etc/courier/authmysqlrc"
  group courier
  if changed checksum then alert
# Courier-imapd
# Only the pidfile is watched; no port/protocol test and no restart-rate timeout are
# declared. Depends on the courier-authlib process check defined elsewhere in this file.
check process courier-imapd with pidfile /var/run/courier/imapd.pid
  group courier
  start program = "/etc/rc.d/rc.courier-imapd start"
  stop program = "/etc/rc.d/rc.courier-imapd stop"
  depends on courier-imapd_rc
  depends on courier-imapd_bin
  depends on courier-authlib

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent process checks.
check file courier-imapd_rc with path /etc/rc.d/rc.courier-imapd
  group courier
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file courier-imapd_bin with path "/usr/bin/imapd"
  group courier
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file courier-imapd.conf with path "/etc/courier/imapd"
  group courier
  if changed checksum then alert
# Courier-imapd-ssl
# Only the pidfile is watched; no port/protocol test and no restart-rate timeout are
# declared. The binary dependency is the courier-imapd_bin check defined elsewhere in
# this file; no separate binary check is declared for the SSL service.
check process courier-imapd-ssl with pidfile /var/run/courier/imapd-ssl.pid
  group courier
  start program = "/etc/rc.d/rc.courier-imapd-ssl start"
  stop program = "/etc/rc.d/rc.courier-imapd-ssl stop"
  depends on courier-imapd-ssl_rc
  depends on courier-imapd_bin
  depends on courier-authlib

# Integrity guard on the init script: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent process check.
check file courier-imapd-ssl_rc with path /etc/rc.d/rc.courier-imapd-ssl
  group courier
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file courier-imapd-ssl.conf with path "/etc/courier/imapd-ssl"
  group courier
  if changed checksum then alert
# Courier-pop3d
# Only the pidfile is watched; no port/protocol test and no restart-rate timeout are
# declared. Depends on the courier-authlib process check defined elsewhere in this file.
check process courier-pop3d with pidfile /var/run/courier/pop3d.pid
  group courier
  start program = "/etc/rc.d/rc.courier-pop3d start"
  stop program = "/etc/rc.d/rc.courier-pop3d stop"
  depends on courier-pop3d_rc
  depends on courier-pop3d_bin
  depends on courier-authlib

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent process checks.
check file courier-pop3d_rc with path /etc/rc.d/rc.courier-pop3d
  group courier
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file courier-pop3d_bin with path "/usr/bin/pop3d"
  group courier
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file courier-pop3d.conf with path "/etc/courier/pop3d"
  group courier
  if changed checksum then alert
# Courier-pop3d-ssl
# Only the pidfile is watched; no port/protocol test and no restart-rate timeout are
# declared. The binary dependency is the courier-pop3d_bin check defined elsewhere in
# this file; no separate binary check is declared for the SSL service.
check process courier-pop3d-ssl with pidfile /var/run/courier/pop3d-ssl.pid
  group courier
  start program = "/etc/rc.d/rc.courier-pop3d-ssl start"
  stop program = "/etc/rc.d/rc.courier-pop3d-ssl stop"
  depends on courier-pop3d-ssl_rc
  depends on courier-pop3d_bin
  depends on courier-authlib

# Integrity guard on the init script: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent process check.
check file courier-pop3d-ssl_rc with path /etc/rc.d/rc.courier-pop3d-ssl
  group courier
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor

# Configuration change detection: alert only.
check file courier-pop3d-ssl.conf with path "/etc/courier/pop3d-ssl"
  group courier
  if changed checksum then alert
# Postgrey
# Only the pidfile is watched; no test rule and no restart-rate timeout are declared.
# The postfix process check elsewhere in this file depends on this service.
check process postgrey with pidfile /var/run/postgrey.pid
  group postgrey
  start program = "/etc/rc.d/rc.postgrey start"
  stop program = "/etc/rc.d/rc.postgrey stop"
  depends on postgrey_rc
  depends on postgrey_bin

# Integrity guards: checksum, mode 755, root:root.
# No `expect` sum is given, so the baseline is presumably the checksum taken when Monit
# starts. TODO confirm. `unmonitor` presumably also unmonitors the dependent postgrey
# check and, through it, the postfix check.
check file postgrey_rc with path /etc/rc.d/rc.postgrey
  group postgrey
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor
check file postgrey_bin with path "/usr/sbin/postgrey"
  group postgrey
  if failed checksum then unmonitor
  if failed permission 755 then unmonitor
  if failed uid root then unmonitor
  if failed gid root then unmonitor