swatch - Simple Log Analyzer

swatch is a Perl program that can run as a daemon and continuously analyze log files for certain patterns to appear, then trigger an email notification.

You definitely need a working MTA (e.g. dma or postfix) installed on IPFire for swatch to actually work.

Furthermore, you need a configuration file that tells swatch which patterns to look out for and which action to trigger. For example, sending an email notification on SNORT priority 1 and 2 alerts would look like this:

# Match SNORT alerts of priority 1 or 2; the captured digit is available to the actions as $1
watchfor /Priority\: ([12])/
  echo=normal
  mail=alerts@your.domain,subject=[SNORT] Priority $1 Alert

Put this config in a file, e.g. /var/ipfire/snort/swatchrc

Then tell swatch to start in daemon mode and read the SNORT log file in "tail" mode. As SNORT alert log entries are multi-line texts separated by two newlines, we also tell swatch to use the two newlines as the record separator:

/usr/bin/swatch --daemon -c /var/ipfire/snort/swatchrc --input-record-separator='\n\n' -t /var/log/snort/alert
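To see why the record separator matters, here is an added Python model of what swatch does with the configuration above (it is not IPFire's or swatch's own code): it splits a constructed sample of SNORT full-alert records on blank lines, applies the watchfor pattern, and builds the mail subject from the captured $1. The sample log, rule SIDs and IP addresses are constructed for the example.

```python
import re

# Constructed Snort "full alert" records (not real traffic). Each alert is a
# multi-line block and blocks are separated by a blank line, which is why the
# page starts swatch with --input-record-separator='\n\n'.
SAMPLE_ALERT_LOG = (
    "[**] [1:1000001:1] EXAMPLE rule one [**]\n"
    "[Classification: Attempted Admin Privilege Gain] [Priority: 1]\n"
    "08/27-10:00:01.000000 192.0.2.10:4444 -> 198.51.100.5:22\n"
    "\n"
    "[**] [1:1000002:1] EXAMPLE rule two [**]\n"
    "[Classification: Misc activity] [Priority: 3]\n"
    "08/27-10:00:02.000000 192.0.2.11:53 -> 198.51.100.5:53000\n"
    "\n"
    "[**] [1:1000003:1] EXAMPLE rule three [**]\n"
    "[Classification: Potentially Bad Traffic] [Priority: 2]\n"
    "08/27-10:00:03.000000 192.0.2.12:80 -> 198.51.100.5:51000\n"
    "\n"
)

# The watchfor pattern from the swatchrc on this page; the captured group is
# what swatch exposes to the mail action as $1.
WATCHFOR = re.compile(r"Priority: ([12])")


def split_records(log_text, separator="\n\n"):
    """Split the log into records the way swatch's input record separator does."""
    return [rec for rec in log_text.split(separator) if rec.strip()]


def match_alerts(log_text, separator="\n\n"):
    """Return (priority, record) for each record the watchfor pattern matches.

    With the blank-line separator the record is the whole alert block; with
    swatch's default newline separator it is only the "[Priority: N]" line, so
    the mail body would lose the rule name and the source/destination addresses.
    """
    hits = []
    for record in split_records(log_text, separator):
        m = WATCHFOR.search(record)
        if m:
            hits.append((int(m.group(1)), record))
    return hits


def build_mail(priority, record, recipient="alerts@your.domain"):
    """Assemble the notification the swatchrc mail= action would produce."""
    return {"to": recipient,
            "subject": "[SNORT] Priority %d Alert" % priority,
            "body": record}
```

Running `match_alerts(SAMPLE_ALERT_LOG)` yields the priority 1 and priority 2 records with their full text, while the priority 3 record is ignored.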

To start this automatically at system startup, the best place to put it is:

/etc/sysconfig/rc.local

swatch, despite being named "simple", is a very powerful tool that can be used for all sorts of neat stuff. Here is another example of what can be done:

And here is an overview of the config and command line options:

Older Revisions • August 23 at 12:26 am • Jon