Using swatch for log analysis

  • Post author:
  • Post category:Sem categoria

Artigo retirado do site

Source: Chris Parker – Posted by: Chris Parker
Date: Tuesday, 14 November 2000
Security Tips Log files are the central place to find information about problematic system errors. With most services, when anything slightly significant happens, a message about it is reported to syslogd. The sooner the user is aware of the message, the sooner the user can take action in regard to that message if it is needed. With 1000+ long log files, log checkers are needed as time savers and to make sure an indication of trouble is not missed.

Swatch stands for Simple WATCHer. Other log analysis software scans the logs periodically, they can tell you what HAS happened. Swatch can do this, but it can also actively scan log entries as syslogd gets them and tell you what IS happening. Not only this, swatch can also take actions when it encounters certain log messages.
First, download the newest version of swatch. Then, run:

perl Makefile.PL
make test
make install
make realclean

After swatch is installed, perl modules that are needed for use of swatch may also have to be downloaded.
Swatch uses regular expressions to find lines of interest. Once swatch finds a line that matches a pattern, it takes an action, such as printing it to the screen, emailing it, or taking a user defined action.

watchfor /[dD]enied|/DEN.*ED/
echo bold
bell 3
exec “/etc/call_pager 5551234 08”

This is an example of a section of a swatch configuration script. First, swatch looks for a line that contains the word denied, Denied, or anything that starts with DEN and ends with ED. Once it finds a line that contains one of the three search strings, it echoes the line in bold into the terminal and makes the bell sound (^G) 3 times. Then, swatch emails the user that is running swatch (usually root) about the line and executes the /etc/call_pager program with the given options. ignore /sendmail/,/fax/,/unimportant stuff/ In this example, the search strings sendmail, fax, and unimportant stuff are going to be ignored, even if they would normally match one of the strings being looked for.
Using swatch is very simple. For using swatch to check logs normally, run:

swatch –config-file=/home/chris/swatch.conf –examine=/var/log/messages

This is assuming that the configuration file for swatch is located at /home/chris/swatch.conf and that the file that is to be checked in called /var/log/messages. To use swatch as a constantly running service that scans lines of a log file as they come in, run:

swatch –config-file=/home/chris/swatch.conf –tail-file=/var/log/messages

More Information
If more help is needed, check swatch’s homepage. Also, swatch-users is a mailing list that can help with most questions. The README and man page are both online. Finally, if all else fails or if a bug is found, email Todd Atkins, the author.