Swatchdog – Simple Log File Watcher in Real-Time in Linux


Swatchdog (the “Simple WATCH DOG”) is a simple Perl script for monitoring active log files on Unix-like systems such as Linux. It watches your logs based on regular expressions that you can define in a configuration file. You can run it from the command line or in the background, detached from any terminal using the daemon mode option.


Note that the program was originally called swatch (the “Simple Watcher”) but a request by the old Swiss watch company for a name change saw the developer change its name to swatchdog.


Although swatchdog started out as a script for watching logs produced by Unix’s syslog facility, it has since grown to monitor just about any kind of log file.


How to Install Swatch in Linux


The swatchdog package is available from the official repositories of mainstream Linux distributions under the package name “swatch”, and can be installed with your package manager as shown.

$ sudo apt install swatch                                    [On Ubuntu/Debian]
$ sudo yum install epel-release && sudo yum install swatch   [On RHEL/CentOS]
$ sudo dnf install swatch                                    [On Fedora 22+]

To install the latest version of swatchdog, compile it from source using the following commands; they work on any Linux distribution.

$ git clone https://github.com/ToddAtkins/swatchdog.git
$ cd swatchdog/
$ perl Makefile.PL
$ make
$ sudo make install
$ sudo make realclean

Once you have installed swatch, you need to create its configuration file (default location /home/$USER/.swatchdogrc or .swatchrc), which determines what expression patterns to look for and what action(s) to take when a pattern is matched.

$ touch /home/tecmint/.swatchdogrc
OR
$ touch /home/tecmint/.swatchrc

Add your regular expressions to this file. Each line should contain a keyword and a value (sometimes optional), separated by a space or an equal (=) sign. You need to specify a pattern and the action(s) to be taken when that pattern is matched.


We will use a simple configuration file, for instance; you can find more options in the swatchdog man page.

watchfor  /sudo/
	echo red
	mail addresses=[email protected], subject="Sudo Command"

Here, the regular expression is the literal string “sudo”, so any time the string sudo appears in the log file, the matching line is printed to the terminal in red text and mailed to the specified address. The echo and mail keywords specify those two actions, respectively.


Once configured, swatchdog reads the /var/log/syslog log file by default; if this file is not present, it reads /var/log/messages instead.

$ swatch     [On RHEL/CentOS & Fedora]
$ swatchdog  [On Ubuntu/Debian]

You can specify a different configuration file using the -c flag as shown in the following example.


First create a swatch configuration directory and a file.

$ mkdir swatch
$ touch swatch/secure.conf

Next, add the following configuration to the file to monitor failed login attempts, failed SSH login attempts, and successful SSH logins in the /var/log/secure log file.

watchfor /FAILED/
	echo red
	mail addresses=[email protected], subject="Failed Login Attempt"

watchfor /ROOT LOGIN/
	echo red
	mail addresses=[email protected], subject="Successful Root Login"

watchfor /ssh.*: Failed password/
	echo red
	mail addresses=[email protected], subject="Failed SSH Login Attempt"

watchfor /ssh.*: session opened for user root/
	echo red
	mail addresses=[email protected], subject="Successful SSH Root Login"

Now run swatch, specifying the configuration file with the -c flag and the log file with the -t flag, as shown.

$ swatchdog -c ~/swatch/secure.conf -t /var/log/secure

To run it in the background, use the --daemon flag; in this mode, it is detached from any terminal.

$ swatchdog -c ~/swatch/secure.conf -t /var/log/secure --daemon

Now, to test the swatch configuration, try to log in to the server from a different terminal; you should see output like the following printed to the terminal where swatchdog is running.

*** swatch version 3.2.3 (pid:16531) started at Thu Jul 12 12:45:10 BST 2018

Jul 12 12:51:19 tecmint sshd[16739]: Failed password for root from 192.168.0.103 port 33324 ssh2
Jul 12 12:51:19 tecmint sshd[16739]: Failed password for root from 192.168.0.103 port 33324 ssh2
Jul 12 12:52:07 tecmint sshd[16739]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 12 12:52:07 tecmint sshd[16739]: pam_unix(sshd:session): session opened for user root by (uid=0)
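To see which watchfor block fires for which line, here is an added Python example (not part of the article or of swatchdog itself) that parses a copy of the secure.conf rules above and runs them over constructed log lines, two of them taken from the sample output. The mail address and the extra lines are constructed; it also shows that /FAILED/ and /ROOT LOGIN/ are case-sensitive, so they catch the uppercase console-login messages rather than sshd’s lowercase ones.

```python
import re

# Constructed copy of the article's secure.conf rules (placeholder address).
SECURE_CONF = """\
watchfor /FAILED/
    echo red
    mail addresses=admin@example.com, subject="Failed Login Attempt"
watchfor /ROOT LOGIN/
    echo red
    mail addresses=admin@example.com, subject="Successful Root Login"
watchfor /ssh.*: Failed password/
    echo red
    mail addresses=admin@example.com, subject="Failed SSH Login Attempt"
watchfor /ssh.*: session opened for user root/
    echo red
    mail addresses=admin@example.com, subject="Successful SSH Root Login"
"""

# Constructed lines: two from the article's sample output, two in the uppercase
# style util-linux 'login' uses for console logins, one that fires no rule (case).
SAMPLE_LINES = [
    "Jul 12 12:51:19 tecmint sshd[16739]: Failed password for root from 192.168.0.103 port 33324 ssh2",
    "Jul 12 12:52:07 tecmint sshd[16739]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Jul 12 12:53:00 tecmint login[2001]: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure",
    "Jul 12 12:53:30 tecmint login[2001]: ROOT LOGIN ON tty1",
    "Jul 12 12:54:00 tecmint sshd[16801]: pam_unix(sshd:auth): authentication failure; user=root",
]

def parse_config(text):
    """Parse 'watchfor /regex/' blocks; the lines that follow are its actions."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.fullmatch(r"watchfor\s+/(.*)/", line)
        if m:
            rules.append({"pattern": re.compile(m.group(1)), "actions": []})
        elif rules:
            rules[-1]["actions"].append(line)
    return rules

def mail_subject(rule):
    """Return the subject="..." of the rule's mail action, or None if none."""
    found = [m.group(1) for a in rule["actions"]
             if (m := re.search(r'^mail\b.*subject="([^"]*)"', a))]
    return found[0] if found else None

def fired_subjects(config_text, lines):
    """Mail subject of the first matching block per line (first match wins without 'continue')."""
    rules = parse_config(config_text)
    hits = (next((r for r in rules if r["pattern"].search(line)), None) for line in lines)
    return [mail_subject(h) if h else None for h in hits]
```

The last sample line is a PAM authentication failure that none of the four rules catches, which is the kind of gap worth checking before trusting a pattern set in production.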

Monitor Linux Logs in Real Time

You can also run multiple swatch processes to monitor various log files.

$ swatchdog -c ~/site1_watch_config -t /var/log/nginx/site1/access_log --daemon
$ swatchdog -c ~/messages_watch_config -t /var/log/messages --daemon
$ swatchdog -c ~/auth_watch_config -t /var/log/auth.log --daemon

For more information, check out the swatchdog man page.

$ man swatchdog

Swatchdog SourceForge Repository: https://sourceforge.net/projects/swatch/


The following are some additional log monitoring guides that you will find useful:

  1. 4 Ways to Watch or Monitor Log Files in Real Time
  2. How to Create a Centralized Log Server with Rsyslog
  3. Monitor Server Logs in Real-Time with “Log.io” Tool
  4. lnav – Watch and Analyze Apache Logs from a Linux Terminal
  5. ngxtop – Monitor Nginx Log Files in Real Time in Linux

Swatchdog is a simple active log file monitoring tool for Unix-like systems such as Linux. Try it out and share your thoughts or ask any questions in the comments section.
