wiki.ipfire.org

The community-maintained documentation platform of IPFire


swatch - Simple Log Analyzer

swatch is a Perl program that can run as a daemon, continuously watch log files for lines (or multi-line records) matching configured patterns, and trigger an action such as an email notification whenever a pattern appears.

You definitely need a working MTA (e.g. dma or postfix) installed on IPFire, otherwise swatch's mail action has nothing to hand the notification to.

Furthermore you need a configuration file that tells swatch which patterns to look for and which action to trigger. For example, sending an email notification on Snort priority 1 and 2 alerts looks like this:

# match "[Priority: 1]" or "[Priority: 2]" in a Snort alert record
watchfor /Priority\: ([12])/
echo=normal
mail=alerts@your.domain,subject=[SNORT] Priority $1 Alert

Put this config in a file, e.g. /var/ipfire/snort/swatchrc

Note the character class [12]: the form [1|2] that is sometimes seen also matches a literal "|", because "|" is not an alternation operator inside a character class. Check the swatch(1) man page linked at the bottom of this page for exactly which variables ($1, $0, $*) the installed version substitutes into the subject line, and trigger a test alert once before relying on the notification.

Then start swatch in daemon mode and let it read the Snort alert log in "tail" mode. Snort's full alert log entries are multi-line records separated by a blank line (two consecutive newlines), so we also tell swatch to use two newlines as the record separator; otherwise only the single line containing "Priority:" would be matched and mailed instead of the whole alert:

/usr/bin/swatch --daemon -c /var/ipfire/snort/swatchrc --input-record-separator='\n\n' -t /var/log/snort/alert

To start swatch automatically at boot, add that command line to

/etc/sysconfig/rc.local
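The following is an added example, not code from IPFire or from swatch itself. It re-implements in Python what the rule above makes swatch do, so you can see the effect of the two settings that matter: the blank-line record separator (what --input-record-separator='\n\n' asks for) and the /Priority\: ([12])/ pattern with its captured group in the subject. The Snort alert records, the recipient address and the sendmail path are constructed assumptions for the example.

```python
"""Mini re-implementation of the swatch rule from this page (illustration only).

Splits a Snort "full" alert file into records on a blank line, applies the
watchfor pattern to each record and builds the mail the mail= action would
hand to the MTA. Added example; not IPFire's or swatch's own code.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records in Snort full-alert format; not captured traffic.
SAMPLE_ALERTS = (
    "[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]\n"
    "[Classification: Potentially Bad Traffic] [Priority: 2]\n"
    "06/19-13:35:01.123456 203.0.113.5:80 -> 192.0.2.10:51234\n"
    "TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:1500\n"
    "\n"
    "[**] [1:1000001:1] LOCAL low priority example [**]\n"
    "[Classification: Not Suspicious Traffic] [Priority: 3]\n"
    "06/19-13:35:02.000000 192.0.2.10:51235 -> 203.0.113.5:80\n"
    "TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60\n"
    "\n"
    "[**] [1:1000002:1] LOCAL high priority example [**]\n"
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]\n"
    "06/19-13:35:03.000000 198.51.100.7:4444 -> 192.0.2.10:22\n"
    "TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60\n"
)

RECORD_SEPARATOR = "\n\n"                  # mirrors --input-record-separator='\n\n'
WATCHFOR = re.compile(r"Priority: ([12])")  # the swatchrc pattern
SLOPPY_WATCHFOR = re.compile(r"Priority: ([1|2])")  # also matches a literal '|'
RECIPIENT = "alerts@your.domain"           # placeholder, as on the page
SENDMAIL = "/usr/sbin/sendmail"            # assumption: where dma/postfix install it


@dataclass
class Notification:
    recipient: str
    subject: str
    body: str


def split_records(text: str, separator: str = RECORD_SEPARATOR) -> List[str]:
    """Cut the log into records the way swatch's input record separator does."""
    return [r.strip("\n") for r in text.split(separator) if r.strip()]


def build_notification(record: str, pattern=WATCHFOR,
                       recipient: str = RECIPIENT) -> Optional[Notification]:
    """Apply the watchfor rule to one record; return the mail to send, or None."""
    m = pattern.search(record)
    if not m:
        return None
    # mail=...,subject=[SNORT] Priority $1 Alert : $1 is the captured priority
    subject = f"[SNORT] Priority {m.group(1)} Alert"
    return Notification(recipient, subject, record)


def scan(text: str, separator: str = RECORD_SEPARATOR,
         pattern=WATCHFOR) -> List[Notification]:
    """Run the rule over every record and collect the resulting notifications."""
    found = []
    for record in split_records(text, separator):
        n = build_notification(record, pattern)
        if n is not None:
            found.append(n)
    return found


def render_mail(n: Notification) -> str:
    """Minimal message as the MTA would receive it on stdin (sendmail -t)."""
    return f"To: {n.recipient}\nSubject: {n.subject}\n\n{n.body}\n"


def send(n: Notification) -> None:
    """Hand the message to the local MTA; needs a working sendmail binary."""
    subprocess.run([SENDMAIL, "-t"], input=render_mail(n).encode(), check=True)


if __name__ == "__main__":
    for note in scan(SAMPLE_ALERTS):
        print(render_mail(note))
```

Running the block with the constructed sample produces two notifications (priority 2 and priority 1; the priority 3 record is ignored) whose bodies are the complete alert records. Scanning the same text with the default one-line separator still matches twice but mails only the "[Classification: ...] [Priority: N]" line, which is the difference the --input-record-separator option makes; and the sloppy [1|2] class matches "Priority: |" while [12] does not.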

swatch, despite being named "simple", is a very powerful tool that can be used for all sorts of log monitoring tasks. Here is another example of what can be done with it:

http://etutorials.org/Linux+systems/secure+linux-based+servers/Chapter+10.+System+Log+Management+and+Monitoring/Section+10.5.+Using+Swatch+for+Automated+Log+Monitoring/

and here is an overview of the config and command line options:

http://linux.die.net/man/1/swatch

addons/swatch/start.txt · Last modified: 2013/06/19 13:35 by lentf