PATROL LOGFILE EVENTS WITH SIMPLE WATCHdog

Simple WATCHdog (SWATCH) is a perl5-based tool used to scan and report on logfile events. It watches a specified log file and, depending on certain configuration values in a config file, responds to entries in the log file. It can also be used to e-mail an administrator about certain events, such as users who invoke su to become root, failed login attempts, RPM package upgrades, etc.

The configuration file is quite simple and uses an easy-to-understand syntax to tell SWATCH what to look for. For instance:

watchfor /(panic|halt)/
    echo blink red
    bell 3
    mail mailto:addresses=pager\@mydomain.com,subject=System_crash_or_halt

This rule tells SWATCH to look for the words "panic" or "halt" in the log file and, if encountered, to echo the output text in red, beep the computer speaker, and send an e-mail to the address pager@mydomain.com with the subject "System crash or halt". In this instance, pager@mydomain.com could be a text-enabled cell phone or pager, which receives the message to alert you that the system crashed.
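To show how a rule file like the one above is applied to a log, here is an added example, not SWATCH's own code: a small Python re-implementation of the watchfor/action format that parses a constructed config and runs it over constructed syslog-style lines, returning the actions each line triggers instead of executing them. The second rule (a su-to-root pattern), its regex and the sample log lines are assumptions made for illustration.

```python
import re

def parse_swatchrc(text):
    """Parse the 'watchfor /regex/' + action-line format shown above into
    (compiled_regex, [(verb, args), ...]) pairs. Blank lines and '#' comments
    are skipped, so a spaced-out layout parses the same as an indented one."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("watchfor "):
            body = line[len("watchfor "):].strip()
            if len(body) < 3 or body[0] != "/" or body[-1] != "/":
                raise ValueError(f"bad watchfor pattern: {line}")
            rules.append((re.compile(body[1:-1]), []))
        elif rules:
            verb, _, args = line.partition(" ")   # "bell 3" -> ("bell", "3")
            rules[-1][1].append((verb, args.strip()))
        else:
            raise ValueError(f"action line before any watchfor: {line}")
    return rules

def scan(rules, log_lines):
    """Return (log line, actions) for each line matching a rule. First match
    wins; actions are returned, not executed, so the caller decides how to
    echo, beep or mail."""
    hits = []
    for entry in log_lines:
        for pattern, actions in rules:
            if pattern.search(entry):
                hits.append((entry, actions))
                break
    return hits

# Constructed sample config and syslog-style lines (not from a real system).
SAMPLE_RC = r"""
watchfor /(panic|halt)/
    echo blink red
    bell 3
    mail mailto:addresses=pager\@mydomain.com,subject=System_crash_or_halt
watchfor /su: .* to root/
    mail mailto:addresses=admin\@mydomain.com,subject=su_to_root
"""
SAMPLE_LOG = [
    "Jun  1 12:00:01 host kernel: eth0: link up",
    "Jun  1 12:00:03 host su: joe to root on /dev/pts/1",
    "Jun  1 12:00:09 host kernel: Kernel panic: Attempted to kill init!",
]
```

Running `scan(parse_swatchrc(SAMPLE_RC), SAMPLE_LOG)` yields two hits: the su line with its mail action, and the panic line with echo, bell and mail.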

Calling SWATCH is also simple. SWATCH takes three parameters: the configuration file to use, the directory in which to write the temporary script it generates and executes, and the file to monitor; for instance:

# /usr/bin/swatch --config-file=/home/joe/bin/swatch/swatchrc \
    --script-dir=/home/joe/bin/swatch \
    --tail-file=/var/log/messages

This tells SWATCH to use ~joe/bin/swatch/swatchrc as its configuration file, to write the temporary SWATCH script (called .swatch_script.[PID], where [PID] is the process ID of the parent SWATCH process) into ~joe/bin/swatch, and to monitor the logfile /var/log/messages.

Because each SWATCH instance writes its own script to read its log file, you can run as many copies of SWATCH as you like, each watching a different log file.