Ease logfile monitoring with swatch
Takeaway: If monitoring log files has become too much to manage, there is a simple tool called swatch that will help you get a handle on the most important log information. Vincent Danen tells you how to set up swatch.
The ability to monitor log files is fantastic; the problem is having the time to sift through them for the important things. On a busy system, logs can be generated at an alarming rate, and just managing them could very well be a full-time job. A helper application such as swatch can make monitoring your log files much easier.
Swatch is a Perl-based application, so its configuration file can use Perl regular expressions. It also requires a number of Perl modules, which can be installed from vendor pre-built packages or from CPAN.
To begin with, a simple swatch configuration file is required, as in this example:
watchfor /sudo:/
    echo bold
    throttle 01:00
watchfor /sudo:.*command not allowed/
    echo bold red
The above configuration snippet actively looks for any line containing the string sudo: and prints it to STDOUT in a bold font; the throttle means that subsequent similar sudo calls won't be shown again for one minute. The next stanza also monitors sudo entries in the log file, but if the string command not allowed is also present, it prints the matching log line in a bold red font.
You can also set swatch to send e-mails based on matching log strings, such as failed login attempts. The key is that each stanza contains a watchfor command with a regular expression condition, and if the condition matches, the next commands are executed, such as: echo (writes to STDOUT), bell (makes the computer beep), exec (executes a particular command), mail (sends an e-mail to a specified e-mail address), and more.
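To make the stanza logic above concrete, here is an added Python model of swatch's matching loop (example code, not swatch's own): it parses watchfor stanzas from a constructed swatchrc, applies them in order to a few constructed syslog lines, and records which actions would fire. It assumes the article's throttle 01:00 means one minute, and it lists the more specific sudo pattern first because swatch stops at the first matching stanza unless that stanza carries a continue action.

```python
import re

# Constructed swatchrc-style config (not from the article). The specific pattern comes
# first because swatch stops at the first matching stanza unless it carries `continue`.
SWATCHRC = """watchfor /sudo:.*command not allowed/
    echo bold red
watchfor /sudo:/
    echo bold
    throttle 01:00"""
# Constructed syslog-style lines, each paired with an event time in seconds.
LOG_LINES = [
    (0,  "Mar  3 10:00:00 host sudo:  alice : TTY=pts/0 ; COMMAND=/bin/ls"),
    (20, "Mar  3 10:00:20 host sudo:  alice : TTY=pts/0 ; COMMAND=/bin/cat"),
    (30, "Mar  3 10:00:30 host sshd[412]: Accepted publickey for bob"),
    (45, "Mar  3 10:00:45 host sudo:    bob : command not allowed ; COMMAND=/sbin/reboot"),
    (75, "Mar  3 10:01:15 host sudo:  alice : TTY=pts/0 ; COMMAND=/bin/id"),
]
def parse_throttle(spec):  # hh:mm:ss, mm:ss or ss -> seconds; reads the article's 01:00 as one minute
    parts = [int(p) for p in spec.split(":")]
    return sum(p * 60 ** i for i, p in enumerate(reversed(parts)))
def parse_config(text):
    """Turn watchfor stanzas into dicts: regex, action lines, throttle window, continue flag."""
    stanzas = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, arg = line.partition(" ")
        if key == "watchfor":
            stanzas.append({"re": re.compile(arg.strip().strip("/")), "actions": [],
                            "throttle": 0, "continue": False, "last": float("-inf")})
        elif key == "throttle":
            stanzas[-1]["throttle"] = parse_throttle(arg.strip())
        elif key == "continue":
            stanzas[-1]["continue"] = True
        else:  # echo, bell, exec, mail ... are recorded here, not executed
            stanzas[-1]["actions"].append(line)
    return stanzas

def run(stanzas, log_lines):
    """Apply stanzas to each line; return (stanza_index, action, line) for each action fired."""
    fired = []
    for ts, line in log_lines:
        for idx, st in enumerate(stanzas):
            if not st["re"].search(line):
                continue
            # Throttle keyed on the stanza (swatch's use=regex): a repeat inside the window
            # is suppressed but still counts as this line's match, so later stanzas are skipped.
            if ts - st["last"] >= st["throttle"]:
                st["last"] = ts
                fired.extend((idx, act, line) for act in st["actions"])
            if not st["continue"]:
                break
    return fired
```

With the stanzas in the order shown, the "command not allowed" line reaches the red stanza; with the general /sudo:/ stanza first, it would be swallowed by that stanza's throttle and never reach the more specific one.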
To run swatch, use something like:
#!/bin/sh
/usr/bin/swatch --config-file=/etc/swatchrc --script-dir=/var/tmp \
--tail-file="/var/log/system/all/current /var/log/system/kmsg/current" \
--tail-args="-n 0 -F --max-unchanged-stats=3"
This invocation tells swatch a number of things: to use the /etc/swatchrc configuration file, to write the script it generates to /var/tmp, to watch the two files /var/log/system/all/current and /var/log/system/kmsg/current, and to pass custom arguments to the tail program: -n 0 starts at the end of each file so only new lines are reported, -F follows by file name rather than by file descriptor, and --max-unchanged-stats=3 makes tail check whether the file has been unlinked or renamed once it has not changed size for three iterations. This is extremely useful for watching log files that rotate.
Swatch is quite simple to set up compared with other log-monitoring software. It may not be as extensible as other packages, but it works great for monitoring logfiles remotely. It can also be run in the background with its output piped to a "summary" logfile that collects the matches from all the watched logs on the system.