IranServer.com This workflow corresponds to n8n.io template #8792 — we link there as the canonical source.
This workflow follows the Chainllm → OpenAI Chat recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"id": "amcM1ga8xVDcFEbm",
"meta": {
"templateCredsSetupCompleted": true
},
"name": "ProcessMonitor2",
"tags": [],
"nodes": [
{
"id": "bf0b5b25-747c-4b66-bafd-a0f310bbbf0e",
"name": "Schedule Trigger - Every 6 Hours",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
448,
80
],
"parameters": {
"rule": {
"interval": [
{
"field": "hours",
"hoursInterval": 6
}
]
}
},
"typeVersion": 1.2
},
{
"id": "a7e0d406-e475-465f-911a-0620af584b40",
"name": "SSH - Gather Process and Network Data",
"type": "n8n-nodes-base.ssh",
"position": [
896,
80
],
"parameters": {
"cwd": "/root",
"command": "ps aux --sort=-%cpu,-%mem && ss -tulpn > /vps_process_report.txt"
},
"credentials": {
"sshPassword": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"id": "0ecfd207-80f9-40b8-b3fb-dd9fff548ba4",
"name": "AI Security Analysis",
"type": "@n8n/n8n-nodes-langchain.chainLlm",
"position": [
1072,
80
],
"parameters": {
"text": "=You are a security analyst AI. I will provide you with a list of running processes and open network ports from a Linux VPS. Your task:\n\n1. Identify any processes, commands, or connections that appear suspicious, malicious, or unusual.\n2. Explain why you think they are suspicious (e.g., known malware patterns, unusual network connections, strange process names, or abnormal resource usage).\n3. Focus on: cryptocurrency miners, botnet activity, unauthorized network services, suspicious shell processes, or processes with unusual resource consumption.\n4. Provide structured output with malicious and suspicious findings separately.\n\nHere is the process and network information:\n\n {{ $json.stdout }}",
"batching": {},
"promptType": "define",
"hasOutputParser": true
},
"typeVersion": 1.7
},
{
"id": "d8f6c690-69f0-4c06-836b-025f590bafe2",
"name": "Parse Security Analysis Results",
"type": "@n8n/n8n-nodes-langchain.outputParserStructured",
"position": [
1216,
288
],
"parameters": {
"schemaType": "manual",
"inputSchema": "{\n\t\"type\": \"object\",\n\t\"properties\": {\n\t\t\"malicious\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"List of confirmed malicious processes or activities\"\n\t\t},\n \"malicious_explain\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"Detailed explanation of why these are considered malicious\"\n\t\t},\n\t\t\"suspicious\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"List of potentially suspicious but not confirmed malicious activities\"\n\t\t},\n \"suspicious_explain\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"Explanation of suspicious findings that need investigation\"\n\t\t},\n\t\t\"status\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"Overall security status: clean, suspicious, or compromised\"\n\t\t}\n\t}\n}"
},
"typeVersion": 1.3
},
{
"id": "3d63a352-f7f9-48c1-b2f2-e1d45103eee6",
"name": "OpenAI GPT-4 Mini Model",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
1056,
272
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4o-mini",
"cachedResultName": "gpt-4o-mini"
},
"options": {
"temperature": 0.1
}
},
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.2
},
{
"id": "4549adf6-770e-427f-9080-b662ee7f1d18",
"name": "Check for Malicious Activity",
"type": "n8n-nodes-base.if",
"position": [
1408,
80
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "7a3a5d70-a8bc-4f03-b83e-20812b36c82e",
"operator": {
"type": "string",
"operation": "notEmpty",
"singleValue": true
},
"leftValue": "={{ $json.output.malicious }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "d77d0b4d-bcc3-4ec3-bef0-f08a17139f58",
"name": "Check for Suspicious Activity",
"type": "n8n-nodes-base.if",
"position": [
1408,
288
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "suspicious-check",
"operator": {
"type": "string",
"operation": "notEmpty",
"singleValue": true
},
"leftValue": "={{ $json.output.suspicious }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "ab56fd12-7e17-4b00-802b-dda2eb704e26",
"name": "Send Malicious Activity Alert",
"type": "n8n-nodes-base.telegram",
"position": [
1632,
0
],
"parameters": {
"text": "=\ud83d\udea8 **SECURITY ALERT - MALICIOUS ACTIVITY DETECTED** \ud83d\udea8\n\n**Server:** {{ $('Configuration - User Settings').first().json.server_name }}\n**Time:** {{ new Date().toLocaleString() }}\n\n**\u26a0\ufe0f Malicious Processes:**\n{{ $json.output.malicious }}\n\n**\ud83d\udccb Analysis:**\n{{ $json.output.malicious_explain }}\n\n**\ud83d\udd0d Overall Status:** {{ $json.output.status }}\n\n**Action Required:** Immediate investigation recommended!",
"chatId": "={{ $('Configuration - User Settings').first().json.admin_telegram_id }}",
"additionalFields": {
"parse_mode": "Markdown"
}
},
"credentials": {
"telegramApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.2
},
{
"id": "d707188d-f89f-4cc8-9b5c-3a33966669d1",
"name": "Send Suspicious Activity Notice",
"type": "n8n-nodes-base.telegram",
"position": [
1632,
288
],
"parameters": {
"text": "=\u26a0\ufe0f **Security Notice - Suspicious Activity** \u26a0\ufe0f\n\n**Server:** {{ $('Configuration - User Settings').first().json.server_name }}\n**Time:** {{ new Date().toLocaleString() }}\n\n**\ud83d\udd0d Suspicious Processes:**\n{{ $json.output.suspicious }}\n\n**\ud83d\udccb Analysis:**\n{{ $json.output.suspicious_explain }}\n\n**Status:** {{ $json.output.status }}\n\n**Recommendation:** Monitor closely and investigate if needed.",
"chatId": "={{ $('Configuration - User Settings').first().json.admin_telegram_id }}",
"additionalFields": {
"parse_mode": "Markdown"
}
},
"credentials": {
"telegramApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.2
},
{
"id": "0c82a50c-abba-4010-aecd-6c53636a5b2a",
"name": "Configuration - User Settings",
"type": "n8n-nodes-base.set",
"position": [
656,
80
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "f30b7286-9424-4150-960c-925578bf143a",
"name": "admin_telegram_id",
"type": "string",
"value": "YOUR_TELEGRAM_CHAT_ID"
},
{
"id": "server-name-field",
"name": "server_name",
"type": "string",
"value": "Production VPS"
},
{
"id": "alert-level-field",
"name": "alert_level",
"type": "string",
"value": "high"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "5b19a69a-1931-4e92-ae68-a56d0b045c7c",
"name": "Sticky Note - Main Explanation",
"type": "n8n-nodes-base.stickyNote",
"position": [
-64,
-528
],
"parameters": {
"width": 420,
"height": 844,
"content": "## \ud83d\udd10 VPS Security Monitor with AI Analysis\n\nThis workflow automatically monitors your VPS for security threats using AI analysis and sends alerts via Telegram.\n\n### \ud83d\udccb How it works:\n1. **Scheduled Monitoring**: Runs every 6 hours (customizable)\n2. **SSH Data Collection**: Gathers process and network information\n3. **AI Security Analysis**: Uses OpenAI GPT-4 Mini to identify threats\n4. **Smart Alerting**: Only sends notifications for actual threats\n\n### \u2699\ufe0f Configuration Required:\n- Update SSH credentials in \"SSH - Gather Process and Network Data\" node\n- Add OpenAI API key in \"OpenAI GPT-4 Mini Model\" node \n- Set your Telegram chat ID in \"Configuration - User Settings\"\n- Add Telegram bot token in alert nodes\n\n### \ud83c\udfaf Features:\n- Detects malware, cryptocurrency miners, botnet activity\n- Monitors unusual network connections and resource usage\n- Structured AI analysis with clear explanations\n- Separate alerts for malicious vs suspicious activity\n\n### \ud83d\udca1 Customization:\n- Adjust monitoring frequency in Schedule Trigger\n- Modify AI prompt for specific security concerns\n- Add multiple servers by duplicating SSH nodes\n- Extend with email/Slack notifications"
},
"typeVersion": 1
},
{
"id": "48ea074a-a297-412d-baa7-e0c4e429deb7",
"name": "Sticky Note - Step 1",
"type": "n8n-nodes-base.stickyNote",
"position": [
816,
-128
],
"parameters": {
"height": 184,
"content": "### Step 1: Data Collection\n\nSSH into VPS and gather:\n- Running processes (sorted by CPU/memory)\n- Active network connections\n- System information"
},
"typeVersion": 1
},
{
"id": "574f7e67-8bb1-4dd4-81f8-040d0ea28560",
"name": "Sticky Note - Step 2",
"type": "n8n-nodes-base.stickyNote",
"position": [
1056,
-128
],
"parameters": {
"height": 184,
"content": "### Step 2: AI Analysis\n\nOpenAI analyzes data for:\n- Known malware patterns\n- Suspicious network activity\n- Unusual resource usage\n- Botnet indicators"
},
"typeVersion": 1
},
{
"id": "deb0b4d3-5cb1-49a0-894e-c15b3fa15a6b",
"name": "Sticky Note - Step 3",
"type": "n8n-nodes-base.stickyNote",
"position": [
1568,
-224
],
"parameters": {
"height": 216,
"content": "### Step 3: Smart Alerting\n\nSeparate alerts for:\n- \ud83d\udea8 Malicious: Confirmed threats\n- \u26a0\ufe0f Suspicious: Needs investigation\n\nNo spam - only real threats!"
},
"typeVersion": 1
}
],
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "98230907-c132-464b-84e5-9c8fd082d0fa",
"connections": {
"AI Security Analysis": {
"main": [
[
{
"node": "Check for Malicious Activity",
"type": "main",
"index": 0
},
{
"node": "Check for Suspicious Activity",
"type": "main",
"index": 0
}
]
]
},
"OpenAI GPT-4 Mini Model": {
"ai_languageModel": [
[
{
"node": "AI Security Analysis",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Check for Malicious Activity": {
"main": [
[
{
"node": "Send Malicious Activity Alert",
"type": "main",
"index": 0
}
]
]
},
"Check for Suspicious Activity": {
"main": [
[
{
"node": "Send Suspicious Activity Notice",
"type": "main",
"index": 0
}
]
]
},
"Configuration - User Settings": {
"main": [
[
{
"node": "SSH - Gather Process and Network Data",
"type": "main",
"index": 0
}
]
]
},
"Parse Security Analysis Results": {
"ai_outputParser": [
[
{
"node": "AI Security Analysis",
"type": "ai_outputParser",
"index": 0
}
]
]
},
"Schedule Trigger - Every 6 Hours": {
"main": [
[
{
"node": "Configuration - User Settings",
"type": "main",
"index": 0
}
]
]
},
"SSH - Gather Process and Network Data": {
"main": [
[
{
"node": "AI Security Analysis",
"type": "main",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
openAiApisshPasswordtelegramApi
Pro
For the full experience including quality scoring and batch install features for each workflow upgrade to Pro
About this workflow
This n8n template automatically monitors your VPS for suspicious processes and network connections using AI analysis. It connects to your server via SSH, analyzes running processes, and sends Telegram alerts when potential security threats are detected. System administrators…
Source: https://n8n.io/workflows/8792/ — original creator credit. Request a take-down →
Related workflows
Workflows that share integrations, category, or trigger type with this one. All free to copy and import.
This n8n template demonstrates how to create consistent character videos using AI image and video generation. The workflow generates photorealistic videos featuring the same character across different
Chain Llm, OpenAI Chat, Output Parser Structured +3
Automate Blog Creation and Publishing with Ultra-Low Cost AI
Chain Llm, WordPress, HTTP Request +6
This n8n workflow automates the creation of viral CCTV-style animal videos using AI, perfect for TikTok content creators looking to capitalize on the popular security camera animal footage trend. The
OpenAI, HTTP Request, Telegram +5
This n8n workflow automates the process of creating high-quality, scroll-stopping LinkedIn posts based on live research, AI insight generation, and Google Sheets storage.
OpenAI Chat, Output Parser Structured, Google Sheets +3
This workflow contains community nodes that are only compatible with the self-hosted version of n8n.
Mailgun, OpenAI, OpenAI Chat +8