swatch - Simple Log Analyzer

swatch is a perl program that can run as a daemon and continiously analyze log files for certain patterns to appear and then trigger an email notification.

You do definitley need a working MTA (e.g. dma or postfix) installed on ipfire for swatch to actually work.

Furthermore you need a configuration file that tells swatch for which patterns it should look out and which action to trigger. For Example sending email notification on SNORT prio 1 and 2 alerts, would look like this:

  watchfor /Priority\: ([1|2])/
  mail=alerts@your.domain,subject=[SNORT] Priority $1 Alert

Put this config in a file, e.g. /var/ipfire/snort/swatchrc

Then tell swatch to start in daemon mode and read in the snort log file in "tail" mode. As SNORT alert log entries are multiline texts, seperated by 2 newlines, we also tell swatch to use the 2 new lines as a seperator:

/usr/bin/swatch --daemon -c /var/ipfire/snort/swatchrc --input-record-separator='\n\n' -t /var/log/snort/alert

To start this automatically at system startup, best put it in:


swatch, despite being named "simple" is a very powerful tool that can be used for all sorts of neat stuff. Here is another example about what can be done:

and here is an overview of the config and command line options:

Edit Page ‐ Yes, you can edit!

Older Revisions • August 23, 2019 at 12:26 am • Jon