Swatch is a program that monitors log files and performs an action when certain events appear in them. It is an efficient way to keep an eye on system events such as attempts to connect to our server, system crashes, or a user logging in. This is a great help for a system administrator: instead of searching the log files manually with filter programs like grep, swatch does it automatically and can take actions such as sending an email to warn us. Swatch continuously tails the log files we point it at and examines the newest events, which is very useful on a server that provides centralized logging, or together with Snort, to monitor the alert log file and send an email when an event occurs. Swatch uses two required fields:
- Patterns: a pattern string to search for in the log files we give to swatch.
- Actions: what swatch does when a line matches a pattern, such as sending an email or executing a script.
In this post I'll explain how to configure swatch with an init script that monitors several log files for root logins, failed attempts to connect to the server, newly installed packages and executed cron jobs, and sends an email warning about these events.
Installing swatch
# yum install swatch
Creating the configuration files
# mkdir /etc/swatch
# vi /etc/swatch/secure.conf

# Looking for failed attempts to log in to the system
watchfor /Failed/
    echo bold
    mail=root@localhost,subject=Attempt_To_Login_Failed

# Looking for root logins
watchfor /session opened for user root/
    echo bold
    mail=root@localhost,subject=Login_root_success
# vi /etc/swatch/messages.conf

# Looking for newly installed packages on the system
watchfor /Installed:/
    echo bold
    mail=root@localhost,subject=New_Package_Installed
# vi /etc/swatch/cron.conf

# Looking for executed cron jobs
watchfor /CROND/
    echo bold
    mail=root@localhost,subject=CRON_Job_Executed
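Before letting swatch mail on every match, it is worth dry-running the secure.conf patterns against sample log lines to see how broad they are. The script below is an added example, not part of the original post or of swatch itself: the log lines are constructed, grep -E stands in for swatch's regex matching, and the assumption is that, as on typical RHEL-family systems, the PAM session messages from crond and sudo also land in /var/log/secure, so the post's root-login pattern fires for them as well; a narrower sshd-only pattern is shown beside it.

```shell
#!/bin/sh
# Added example: dry-run the secure.conf patterns over constructed log lines.

# Constructed sample lines in /var/log/secure format (not a real capture).
SAMPLE_LOG='Jan 10 10:00:01 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 4000 ssh2
Jan 10 10:00:05 host sshd[2002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 10 10:01:01 host crond[2100]: pam_unix(crond:session): session opened for user root by (uid=0)
Jan 10 10:02:00 host sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Jan 10 10:03:00 host sshd[2003]: Accepted publickey for alice from 192.0.2.11 port 4001 ssh2'

# Count the sample lines a "watchfor" regex would match (case-sensitive,
# as swatch matches by default). grep -c prints 0 on no match, so the
# "|| true" only keeps the function from failing under set -e.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c -E "$1" || true
}

# The post's failed-login pattern.
failed_logins() {
    count_matches 'Failed'
}

# The post's root-login pattern: matches every PAM root session,
# including the cron job and the sudo session, so it will mail often.
root_session_broad() {
    count_matches 'session opened for user root'
}

# Narrowed pattern (assumed refinement): only root sessions opened by sshd.
root_session_ssh_only() {
    count_matches 'sshd\[[0-9]+\]: pam_unix\(sshd:session\): session opened for user root'
}

# Print the counts so the difference between the two patterns is visible.
echo "Failed logins:              $(failed_logins)"
echo "Root sessions (broad):      $(root_session_broad)"
echo "Root sessions (sshd only):  $(root_session_ssh_only)"
```

The broad pattern is fine if you want to know about every root session, but on a host with frequent root cron jobs the "Login_root_success" mail becomes noise; the narrowed pattern can be dropped into secure.conf in place of the original.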
Init script for swatch
# vi /etc/init.d/swatchd

#!/bin/sh
# Each name in LOGS has a config in /etc/swatch/<name>.conf
# and a log file in /var/log/<name>
LOGS="secure messages cron"

start() {
    for i in $LOGS ; do
        /usr/bin/swatch --config-file=/etc/swatch/$i.conf \
            --tail-file=/var/log/$i \
            --pid-file=/var/run/swatch-$i.pid \
            --daemon > /dev/null 2>&1
    done
}

stop() {
    for i in $LOGS ; do
        PID=`cat /var/run/swatch-$i.pid`
        kill $PID
    done
}

case $1 in
    start)
        start
        exit 0
        ;;
    stop)
        stop
        exit 0
        ;;
    restart)
        stop
        start
        exit 0
        ;;
    *)
        echo "Usage: $0 { start | stop | restart }"
        exit 1
        ;;
esac
Making the script start at system boot time
# chmod +x /etc/init.d/swatchd
# ln -s /etc/init.d/swatchd /etc/rc3.d/S86swatchd
# ln -s /etc/init.d/swatchd /etc/rc4.d/S86swatchd
# ln -s /etc/init.d/swatchd /etc/rc5.d/S86swatchd
# ln -s /etc/init.d/swatchd /etc/rc0.d/K87swatchd
# ln -s /etc/init.d/swatchd /etc/rc6.d/K87swatchd
Mail example from swatch of a failed attempt to connect to the server