{"id":13895,"date":"2019-04-06T13:57:14","date_gmt":"2019-04-06T13:57:14","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13895"},"modified":"2019-04-06T13:57:14","modified_gmt":"2019-04-06T13:57:14","slug":"swatchdog-simple-log-file-watcher-in-real-time-in-linux","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/06\/swatchdog-simple-log-file-watcher-in-real-time-in-linux\/","title":{"rendered":"Swatchdog \u2013 Simple Log File Watcher in Real-Time in Linux"},"content":{"rendered":"

Swatchdog<\/strong>\u00a0(the \u201cSimple WATCH DOG<\/strong>\u201d) is a simple Perl script for monitoring active log files on Unix-like systems such as Linux. It watches your logs based on regular expressions that you can define in a configuration file. You can run it from the command line or in the background, detached from any terminal using the daemon mode option.<\/p>\n

Note that the program was originally called\u00a0swatch<\/strong>\u00a0(the \u201cSimple Watcher<\/strong>\u201d) but a request by the old Swiss watch company for a name change saw the developer change its name to\u00a0swatchdog<\/strong>.<\/p>\n

Read Also<\/strong>:\u00a04 Good Open Source Log Monitoring and Management Tools for Linux<\/a><\/p>\n

Importantly,\u00a0swatchdog<\/strong>\u00a0has grown from a script for watching logs produced by Unix\u2019s syslog facility, and it can monitor just about any kind of logs.<\/p>\n

How to Install Swatch in Linux<\/h3>\n

The package\u00a0swatchdog<\/strong>\u00a0is available to install from the official repositories of mainstream Linux distributions as a package \u201cswatch<\/strong>\u201d via a package manager as shown.<\/p>\n

$ sudo apt install swatch\t[On Ubuntu\/Debian<\/strong>]\r\n$ sudo yum install epel-release && sudo yum install swatch\t[On RHEL\/CentOS<\/strong>]\r\n$ sudo dnf install swatch\t[On Fedora 22+<\/strong>]\r\n<\/pre>\n
To install most latest version of\u00a0swatchdog<\/strong>, you need to compile it from source using following commands in any Linux distribution.<\/p>\n
$ git clone https:\/\/github.com\/ToddAtkins\/swatchdog.git\r\n$ cd swatchdog\/\r\n$ perl Makefile.PL\r\n$ make\r\n$ sudo make install\r\n$ sudo make realclean\r\n<\/pre>\n
Once you have installed the\u00a0swatch<\/strong>, you need to create its configuration file (default location is\u00a0\/home\/$USER\/.swatchdogrc<\/strong>\u00a0or\u00a0.swatchrc<\/strong>), to determine what types of expression patterns to look for and what type of action(s) should be taken when a pattern is matched.<\/p>\n
$ touch \/home\/tecmint\/.swatchdogrc\r\nOR\r\n$ touch \/home\/tecmint\/.swatchrc\r\n<\/pre>\n
Add your regular expression in this file and each line should contain a keyword and value (sometimes optional), separated by a\u00a0space<\/strong>\u00a0or an equal\u00a0(=)<\/code>\u00a0sign. You need to specify a pattern and an action(s) to be taken when a pattern is matched.<\/p>\n
We will use a simple configuration file, you can find more options in the swatchdog man page, for instance.<\/p>\n
watchfor  \/sudo\/\r\n\techo red\r\n\tmail=admin@tecmint.com, subject=\"Sudo Command\"\r\n<\/pre>\n
Here, our regular expression is a literal string \u2013\u00a0\u201csudo\u201d<\/strong>, means any time the string\u00a0sudo<\/strong>\u00a0appeared in the log file, would be printed to the terminal in red text and\u00a0mail<\/strong>\u00a0specify the action to be taken, which is to echo the matched pattern on the terminal and send an e-mail to the specified address, receptively.<\/p>\n
After you have configured it, swatchdog reads the\u00a0\/var\/log\/syslog<\/strong>\u00a0log file by default, if this file is not present, it reads\u00a0\/var\/log\/messages<\/strong>.<\/p>\n
$ swatch     [On RHEL\/CentOS & Fedora<\/strong>]\r\n$ swatchdog  [On Ubuntu\/Debian<\/strong>]\r\n<\/pre>\n
You can specify a different configuration file using the\u00a0-c<\/code>\u00a0flag as shown in the following example.<\/p>\n
First create a swatch configuration directory and a file.<\/p>\n
$ mkdir swatch\r\n$ touch swatch\/secure.conf\r\n<\/pre>\n
Next, add the following configuration in the file to monitor failed login attempts, failed SSH login attempts, successful SSH logins from the\u00a0\/var\/log\/secure<\/strong>\u00a0log file.<\/p>\n
watchfor \/FAILED\/\r\necho red\r\nmail=admin@tecmint.com, subject=\"Failed Login Attempt<\/strong>\"\r\n\r\nwatchfor \/ROOT LOGIN\/\r\necho red\r\nmail=admin@tecmint.com, subject=\"Successful Root Login<\/strong>\"\r\n\r\nwatchfor \/ssh.*: Failed password\/\r\necho red\r\nmail=admin@tecmint.com, subject=\"Failed SSH Login Attempt<\/strong>\"\r\n\r\nwatchfor \/ssh.*: session opened for user root\/ \r\necho red\r\nmail=admin@tecmint.com, subject=\"Successful SSH Root Login<\/strong>\"\r\n<\/pre>\n
Now run the Swatch by specifying the configuration file using the\u00a0-c<\/code>\u00a0and log file using\u00a0-t<\/code>\u00a0flag as shown.<\/p>\n
$ swatchdog -c ~\/swatch\/secure.conf -t \/var\/log\/secure\r\n<\/pre>\n
To run it in the background, use the\u00a0--daemon<\/code>\u00a0flag; in this mode, it is detached from any terminal.<\/p>\n
$ swatchdog ~\/swatch\/secure.conf -t \/var\/log\/secure --daemon  \r\n<\/pre>\n
Now to test the swatch configuration, try to login into server from the different terminal, you see the following output printed to the terminal where Swatchdog is running.<\/p>\n
*** swatch version 3.2.3 (pid:16531) started at Thu Jul 12 12:45:10 BST 2018\r\n\r\nJul 12 12:51:19 tecmint sshd[16739]: Failed password for root from 192.168.0.103 port 33324 ssh2\r\nJul 12 12:51:19 tecmint sshd[16739]: Failed password for root from 192.168.0.103 port 33324 ssh2\r\nJul 12 12:52:07 tecmint sshd[16739]: pam_unix(sshd:session): session opened for user root by (uid=0)\r\nJul 12 12:52:07 tecmint sshd[16739]: pam_unix(sshd:session): session opened for user root by (uid=0)\r\n<\/pre>\n
\n
\"Monitor<\/a><\/p>\n
Monitor Linux Logs in Real Time<\/p>\n<\/div>\n
You can also run multiple swatch processes to monitor various log files.<\/p>\n
$ swatchdog -c ~\/site1_watch_config -t \/var\/log\/nginx\/site1\/access_log --daemon  \r\n$ swatchdog -c ~\/messages_watch_config -t \/var\/log\/messages --daemon\r\n$ swatchdog -c ~\/auth_watch_config -t \/var\/log\/auth.log --daemon\r\n<\/pre>\n
For more information, check out the swatchdog man page.<\/p>\n
$ man swatchdog\r\n<\/pre>\n
Swatchdog SourceForge Repository:\u00a0https:\/\/sourceforge.net\/projects\/swatch\/<\/a><\/p>\n
The following are some additional log monitoring guides that you will find useful:<\/p>\n
    \n
  1. 4 Ways to Watch or Monitor Log Files in Real Time<\/a><\/li>\n
  2. How to Create a Centralized Log Server with Rsyslog<\/a><\/li>\n
  3. Monitor Server Logs in Real-Time with \u201cLog.io\u201d Tool<\/a><\/li>\n
  4. lnav \u2013 Watch and Analyze Apache Logs from a Linux Terminal<\/a><\/li>\n
  5. ngxtop \u2013 Monitor Nginx Log Files in Real Time in Linux<\/a><\/li>\n<\/ol>\n
    Swatchdog<\/strong>\u00a0is a simple active log file monitoring tool for Unix-like systems such as Linux. Try it out and share your thoughts or ask any questions in the comments section.<\/p>\n
    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Swatchdog\u00a0(the \u201cSimple WATCH DOG\u201d) is a simple Perl script for monitoring active log files on Unix-like systems such as Linux. It watches your logs based on regular expressions that you can define in a configuration file. You can run it from the command line or in the background, detached from any terminal using the daemon … <\/p>\n
    Continue reading “Swatchdog \u2013 Simple Log File Watcher in Real-Time in Linux”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13895","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=13895"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13895\/revisions"}],"predecessor-version":[{"id":13896,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13895\/revisions\/13896"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=13895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=13895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=13895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}