swatch Command in Linux

Introduction to Log Monitoring with Swatch

This lab provides a hands-on introduction to the swatch command, a useful system administration tool for monitoring log files and implementing custom alerts in a Linux environment. We will cover the core functionality of the swatch command, actively monitoring log files with it, and configuring it for specific alert scenarios.

Swatch (System Wide Analyzer and Tracker) is designed to monitor system log files and trigger predefined actions based on the occurrence of specific patterns or events. This allows for real-time responses to critical system events. It's highly configurable, allowing you to watch for specific log entries and execute various actions, including sending notifications via email, running custom scripts, or forwarding log entries to centralized logging systems. We will begin by installing the swatch package, addressing any necessary dependencies. You'll then be guided through creating a basic configuration file that instructs swatch to monitor log files for the word "error" and execute a specified command whenever such an error is detected.

Understanding the swatch Command

This section focuses on providing a comprehensive understanding of the swatch command, highlighting its capabilities as a robust tool for monitoring log files and establishing custom alerts within a Linux system.

As mentioned, the swatch (System Wide Analyzer and Tracker) command is designed to monitor system log files and trigger actions based on specific patterns or events. Its flexibility allows it to watch for particular log entries and execute various actions, such as sending notifications, running scripts, or forwarding log entries to other systems for centralized analysis.

First, let's install the swatch package on your system:

sudo apt-get update
sudo apt-get install -y swatch

Example output:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libconfig-inifiles-perl libconfig-tiny-perl libfile-tail-perl libio-socket-ssl-perl libnet-dns-perl libnet-ip-perl libnet-ssleay-perl libsys-syslog-perl
Suggested packages:
  libconfig-auto-perl
The following NEW packages will be installed:
  libconfig-inifiles-perl libconfig-tiny-perl libfile-tail-perl libio-socket-ssl-perl libnet-dns-perl libnet-ip-perl libnet-ssleay-perl libsys-syslog-perl swatch
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 223 kB of archives.
After this operation, 1,031 kB of additional disk space will be used.
Do you want to continue? [Y/n]

The swatch command works by reading log files and comparing each line against patterns defined in a configuration file. Upon finding a match, swatch can initiate various actions, such as sending an email notification, executing a pre-defined script, or logging the event for auditing purposes.

To grasp the fundamental usage of swatch, let's create a simple configuration file:

nano ~/project/swatch.config

Add the following content to the file:

## swatch.config
watchfor /error/
    exec "echo Error found: $0"

This basic configuration instructs swatch to watch for lines containing the word "error" (the text between the slashes is a Perl regular expression and is case-sensitive). When a line matches, swatch runs the exec action: it substitutes the whole matched line for $0 and hands the resulting command to the shell, so echo prints a message that includes the line.

Now, let's execute swatch to monitor the system log file using the created configuration:

swatch --config-file ~/project/swatch.config --tail-file /var/log/syslog

The --tail-file option (short form -t) makes swatch keep reading the log file and examine new entries as they are appended, in real time.

Example output:

Error found: Apr 12 10:15:32 ubuntu sshd[1234]: error: could not open log file

In this example, swatch successfully detected the word "error" within the /var/log/syslog file and subsequently executed the configured action, which was to print a message to the console.
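The following Python script is an added example, not part of the lab and not swatch's own code. It mimics what swatch does with the configuration above: it parses a watchfor block with indented actions, tests each log line against the pattern, and performs swatch's documented $0/$N substitution for the exec action. It also makes a point a defender should keep in mind: exec builds a shell command string out of log content, so a log line containing shell syntax shapes the command swatch runs. The safe_argv function shows the alternative of delivering the matched line to the program as a single argument without a shell. The configuration text and log lines are constructed for the demonstration.

```python
import re
import shlex
import subprocess
from typing import List, Tuple

# Constructed configuration in swatch's documented shape: a "watchfor /regex/"
# line followed by indented action lines (only exec is exercised here).
SWATCH_CONFIG = """
## swatch.config
watchfor /error/
    exec "echo Error found: $0"
"""

# Constructed log lines. The last one carries shell syntax on purpose to show
# why substituting log text into a shell command string is risky.
SAMPLE_LOG = [
    "Apr 12 10:15:30 ubuntu systemd[1]: Started Daily apt download activities.",
    "Apr 12 10:15:32 ubuntu sshd[1234]: error: could not open log file",
    "Apr 12 10:15:40 ubuntu app[99]: error: bad value $(id) in config",
]

Rule = Tuple[re.Pattern, List[str]]


def parse_config(text: str) -> List[Rule]:
    """Parse watchfor blocks: each starts a rule, indented lines add actions."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = re.match(r"^watchfor\s+/(.*)/\s*$", raw)
        if m:
            rules.append((re.compile(m.group(1)), []))
        elif rules and raw[:1].isspace():
            rules[-1][1].append(raw.strip())
        else:
            raise ValueError(f"unexpected configuration line: {raw!r}")
    return rules


def substitute(template: str, line: str) -> str:
    """swatch's exec substitution: $0 or $* is the whole line, $N the Nth field."""
    fields = line.split()

    def repl(m):
        token = m.group(1)
        if token in ("0", "*"):
            return line
        n = int(token)
        return fields[n - 1] if n <= len(fields) else ""

    # Single pass over the template only, so text inside the log line is never re-expanded.
    return re.sub(r"\$(\*|\d+)", repl, template)


def plan_actions(rules: List[Rule], lines: List[str]) -> List[Tuple[str, str]]:
    """Return (action, rendered text) for every action of every matching rule."""
    planned = []
    for line in lines:
        for pattern, actions in rules:
            if not pattern.search(line):
                continue
            for action in actions:
                if action.startswith("exec "):
                    # swatch renders one shell command string: log text becomes shell syntax.
                    planned.append(("exec", substitute(action[5:].strip().strip('"'), line)))
                else:
                    planned.append((action, line))
    return planned


def safe_argv(template: str, line: str) -> List[str]:
    """Split the template first, then substitute per argument, so the log line
    becomes a single argv element that no shell ever parses."""
    return [substitute(arg, line) for arg in shlex.split(template)]


def run_safe(argv: List[str]) -> str:
    """Run argv without a shell and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    rules = parse_config(SWATCH_CONFIG)
    for action, rendered in plan_actions(rules, SAMPLE_LOG):
        print(f"{action}: {rendered}")
    # The hostile-looking line is printed verbatim; $(id) is not evaluated.
    print(run_safe(safe_argv("echo Error found: $0", SAMPLE_LOG[2])), end="")
```

With swatch itself, the equivalent mitigation is to prefer the built-in echo, mail and pipe actions over exec with $0, or to have the exec'd script receive the line through a channel that is not a shell command string.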

The swatch command provides a wide range of options and configuration settings, enabling extensive customization of monitoring and alert behaviors. In the following steps, you will learn how to tailor swatch configurations for more practical use cases, making it a more effective system administration tool.

Monitoring Log Files Effectively with swatch

This section guides you through the process of using swatch to monitor specific log files and configure custom alerts tailored to your system's needs.

First, let's create a sample log file that we can use to simulate events for monitoring purposes:

touch ~/project/sample.log

Now, we'll modify the swatch configuration file to specifically monitor this newly created sample log file:

nano ~/project/swatch.config

Add the following content to the file:

## swatch.config
watchfor /error/
    exec "echo Error found in sample.log: $0"

This configuration tells swatch to search each line for the word "error"; the file to watch, ~/project/sample.log, is not named in the configuration but passed on the command line with --tail-file. When a line matches, swatch runs the echo command to report the error's presence in the sample log.

To initiate the monitoring of the log file, execute the following command:

swatch --config-file ~/project/swatch.config --tail-file ~/project/sample.log

The --tail-file option makes swatch keep reading the log file for new entries, providing real-time event detection.

Now, let's simulate an error event by adding an error message to the log file:

echo "This is an error message" >> ~/project/sample.log

You should observe the following output in the swatch terminal, confirming the successful detection of the error:

Error found in sample.log: This is an error message

Swatch has successfully identified the "error" keyword within the log file and executed the configured action, demonstrating its capability for event-based monitoring.

You can further customize the swatch configuration to monitor a variety of log files, search for specific patterns using regular expressions, and perform diverse actions, such as sending email notifications, executing scripts for automated responses, or forwarding log entries to centralized logging systems for comprehensive analysis.

Configuring swatch for Tailored Alerting

In this section, you will learn how to configure swatch to monitor for highly specific log entries and set up custom alerts that are relevant to your system's operational requirements.

Let's begin by creating a new configuration file specifically designed for managing alerts within swatch:

nano ~/project/swatch_alerts.config

Add the following content to the file:

## swatch_alerts.config
watchfor /failed login/
    exec "/home/labex/project/alert_script.sh"

watchfor /CRON/
    exec "/home/labex/project/cron_alert.sh"

In this configuration, we have defined the following rules (the file each rule is aimed at is chosen when swatch is started with --tail-file, not in the configuration):

  • The first rule, intended for /var/log/auth.log, matches lines containing the phrase "failed login". Upon detecting a match, it executes the alert_script.sh script, which handles failed login attempts.
  • The second rule, intended for /var/log/syslog, matches lines containing the word "CRON". When found, it executes the cron_alert.sh script, which reports on cron job executions.

Now, let's create the alert scripts that will be executed when the specified log events are detected:

nano ~/project/alert_script.sh

Add the following content to the file:

#!/bin/bash
# admin@example.com is a placeholder; replace it with the real recipient.
echo "Security alert: Failed login attempt detected!" | mail -s "Security Alert" admin@example.com

This script sends an email notification to the placeholder address admin@example.com, alerting the recipient that a failed login attempt was detected, which may indicate an attempted break-in.

nano ~/project/cron_alert.sh

Add the following content to the file:

#!/bin/bash
# admin@example.com is a placeholder; replace it with the real recipient.
echo "Cron alert: Cron job executed" | mail -s "Cron Alert" admin@example.com

This script sends an email notification to the placeholder address admin@example.com whenever a cron job is logged, providing a means of tracking cron job activity.

Ensure that the scripts are executable by setting the appropriate permissions:

chmod +x ~/project/alert_script.sh ~/project/cron_alert.sh

Now, start swatch with the configuration file to monitor the log files and trigger the configured alerts based on detected events:

swatch --config-file ~/project/swatch_alerts.config --tail-file /var/log/auth.log &
swatch --config-file ~/project/swatch_alerts.config --tail-file /var/log/syslog

Each swatch process tails a single file, so one instance is started per log file (the first is sent to the background with &). Both instances load the same configuration; a rule whose pattern never appears in a given file simply never fires there.

To test the configured alerts, you can simulate a failed login attempt or trigger a cron job execution. Swatch will detect these events and execute the corresponding alert scripts, sending the email notifications as configured.
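Before wiring the rules to mail, it is worth checking what they actually catch. The harness below is an added Python example, not part of the lab: it runs the two patterns from swatch_alerts.config over constructed auth.log and syslog lines written in the formats sshd and cron really produce, and reports which script each line would trigger. It exposes a gap: OpenSSH does not log the phrase "failed login"; its messages read "Failed password for ..." and "Invalid user ...", and swatch patterns are case-sensitive, so the first rule as written only fires for software that logs that exact phrase. TUNED_RULES is a suggested alternative pattern set and is an assumption of this example, not from the lab.

```python
import re
from typing import Dict, List, Tuple

# Constructed lines in the formats syslog, OpenSSH and cron actually write.
AUTH_LOG = [
    "Apr 12 10:20:01 ubuntu sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2",
    "Apr 12 10:20:07 ubuntu sshd[2231]: Accepted publickey for labex from 198.51.100.7 port 51530 ssh2",
    "Apr 12 10:21:00 ubuntu webapp[4012]: failed login for user bob from 203.0.113.9",
]
SYSLOG = [
    "Apr 12 10:25:01 ubuntu CRON[2300]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)",
    "Apr 12 10:25:02 ubuntu systemd[1]: Started Session 12 of user labex.",
]

# The two watchfor patterns from swatch_alerts.config, keyed by the script they exec.
RULES: Dict[str, str] = {
    "alert_script.sh": r"failed login",
    "cron_alert.sh": r"CRON",
}

# Assumed tighter patterns anchored on the real message formats (not from the lab).
TUNED_RULES: Dict[str, str] = {
    "alert_script.sh": r"sshd\[\d+\]: (Failed password|Invalid user)",
    "cron_alert.sh": r"CRON\[\d+\]: \(\w+\) CMD",
}


def fired_rules(rules: Dict[str, str], lines: List[str]) -> Dict[str, List[str]]:
    """Map each rule to the lines that would trigger it, mirroring swatch's
    per-line, case-sensitive regex search."""
    compiled = {name: re.compile(pattern) for name, pattern in rules.items()}
    return {name: [l for l in lines if pat.search(l)] for name, pat in compiled.items()}


def coverage_report(rules: Dict[str, str], lines: List[str]) -> List[Tuple[str, str]]:
    """For each line, name the script swatch would exec, or 'none' for events
    that slip past the current patterns."""
    hits = fired_rules(rules, lines)
    report = []
    for line in lines:
        script = next((name for name, matched in hits.items() if line in matched), "none")
        report.append((line, script))
    return report


if __name__ == "__main__":
    for label, rules in (("as written", RULES), ("tuned", TUNED_RULES)):
        print(f"--- {label} ---")
        for line, script in coverage_report(rules, AUTH_LOG + SYSLOG):
            print(f"{script:16} {line}")
```

Running it shows that with the rules as written the real sshd failure on the first line is reported as "none", while the tuned patterns catch it and still ignore the successful publickey login and the systemd session message.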

Summary of Log Monitoring with Swatch

This lab provided an introduction to the swatch command, a tool system administrators use to monitor log files and configure custom alerts in Linux environments. You began by installing the swatch package and then created a simple configuration file to watch for the word "error" in a log file and execute a command when a match is found. You then learned how to monitor log files with swatch and configure it for specific alerting scenarios, such as sending notifications or executing scripts in response to particular log events, improving both security and operational awareness.
