Swatch: The Simple Log Watcher

You'll always know what time it is with swatch, a real time monitoring tool for your logs.

Swatch isn’t a cleverly designed watch from the 1980s but you’ll think it’s just as handy (and cleverly designed) as one. Like Logwatch, swatch is a perl script that watches your logs but swatch watches them for regular expressions that you configure. Swatch will notify you via mail or the console screen (stdout) when it matches the configured log file entries with your watchfor directives.

Swatch picks up and delivers messages as intrusions occur so that you can halt any potential breakins or hacks before the intruder does any damage. It is one of the most important defensive weapons in your system administrator arsenal.

The Basics

The Swatch Project page is the first place you need to visit so that you can grab the source code and get started. If you’re lucky, your distribution will have a pre-built package for you to install. Packaged version or not, you have some work to do before swatch will work. The man page is helpful for basic information to run and configure swatch. Pay particular attention to the COMMAND LINE OPTIONS and THE CONFIGURATION FILE sections. You can find a bit more help under /usr/share/doc/swatch.

The information in this article comes from some trial and error in dealing with and configuring this latest version (3.2.3) of swatch using the information provided by the swatch man page and the included doc file.

The Swatch Startup Script

You’ll want to setup a startup script so that swatch launches every time you have to reboot your system. This script also provides a manual startup and shutdown mechanism for swatch. You’ll need to recycle swatch each time you make a change to its configuration file. Create the example startup script (below) as /etc/init.d/swatch.

# Simple Log Watcher Program

case "$1" in
		/usr/bin/swatch --daemon --config-file=/etc/swatch.conf --tail-file=/var/log/auth.log --pid-file=/var/run/swatch.pid
		PID=`cat /var/run/swatch.pid`
		kill $PID
		echo "Usage: $0 { start | stop }
exit 0

Then to make sure that swatch starts up in your standard runlevels, you’ll need to perform the following tasks.

$ sudo chmod 755 /etc/init.d/swatch
$ sudo ln -s /etc/init.d/swatch /etc/rc2.d/S99swatch
$ sudo ln -s /etc/init.d/swatch /etc/rc3.d/S99swatch
$ sudo ln -s /etc/init.d/swatch /etc/rc5.d/S99swatch

The Swatch Command

The swatch command parameters shown in the startup script above require some explanation. Remember that you can test any new parameter or configuration options by using swatch at the command line. You don’t have to change it in the startup script and restart it for testing. Let’s dissect this very basic but very functional swatch command.

/usr/bin/swatch --daemon --config-file=/etc/swatch.conf --tail-file=/var/log/auth.log --pid-file=/var/run/swatch.pid

/usr/sbin/swatch is the full explicit path to the swatch script (command). When scripting, you should always use explicit paths to alleviate any annoying “command not found” messages due to $PATH problems.

The –daemon option tells swatch to run as a daemon.

The –config-file=/etc/swatch.conf option refers to the swatch configuration file that contains your alert directives and instructions. Swatch requires that you create and use a configuration file.

The –tail-file=/var/log/auth.log entry tells swatch which log file you want to watch. You may watch more than one log file by adding it to the list. For example, –tail-file=/var/log/auth.log /var/log/messages.

You can specify a PID (Process ID) file with the –pid-file option. Using this option makes it easier to script a “kill” or shutdown for swatch as you can see in the Startup Script section.

Should you decide to alter an option, you can test it at the command line with or without the –daemon option. Remember to restart swatch each time you change a parameter to force swatch to reread the configuration file.


The default configuration file is the .swatchrc located in the swatch user’s home directory. Swatch can use any filename as a configuration if it’s specified in the command line argument. This means that you can create a system-level swatch that watches logs in /var/log and individual swatch log watchers for other programs that don’t necessarily drop their log files into /var/log. It also means that you can individualize swatch log watchers on a per user basis and any user can run swatch.

Let’s look at a system-level swatch configuration and then you can extrapolate it for individual swatch log watchers. The /etc directory is the logical location for a system-level configuration file, so let’s use /etc/swatch.conf for the system-level configuration file.

The /etc/swatch.conf file contains all of your watchfor and ignore directives. It also holds your notification email addresses. See a simple swatch.conf below.

watchfor /invalid|repeated|incomplete/
		 write khess
		 mail addresses=khess\@localhost, subject=Authentication Problems

The watchfor entry is a list of keywords that you want to alert on so that when the system writes an entry containing one or more of your keywords, swatch will take any actions that follow the watchfor line. The echo line tells swatch to echo the alert to the console screen. The write line tells swatch to write the message to the user’s terminal. You can see an example of this write command in action in Figure 1. The last line in this configuration file tells swatch to mail those offending captured entries to the person(s) listed.

Figure 1: Intruder detection notification sent via the write configuration option.
Figure 1: Intruder detection notification sent via the write configuration option.

Refer to the listing below to see what the output to mail looks like.

$ mail
>U   1 root     Tue Jun  8 06:43 17/579  Authentication Problems
 U   2 root     Tue Jun  8 06:43 16/544  Authentication Problems
 U   3 root     Tue Jun  8 06:43 16/546  Authentication Problems

The contents of the mail message you receive is the excerpted entry from the auth.log file you defined for the swatch command.

Jun 8 06:43:54 kubuntu sshd [1618]: Failed none for invalid user freddy from port 37800 ssh2

Interactive Session Notification

An attempt on your system looks like the following listing as it occurs. These messages appear on the console screen of the target host running swatch. These warnings give you a real time notification that a possible breakin attempt is in progress and allows you to take action.

If you use the write option in the configuration file, you’ll also see the messages shown in Figure 1 (above) as the attempt occurs.

Jun 8 06:43:41 kubuntu sshd[1618]: Invalid user freddy from
Jun 8 06:43:41 kubuntu sshd[1618]: Failed none for invalid user freddy from port 378000 ssh2
Jun 8 06:43:46 kubuntu sshd[1618]: Failed none for invalid user freddy from port 378000 ssh2
Jun 8 06:43:50 kubuntu sshd[1618]: Failed none for invalid user freddy from port 378000 ssh2
Jun 8 06:43:54 kubuntu sshd[1618]: Failed none for invalid user freddy from port 378000 ssh2

Swatch is an excellent “catch them in the act” log monitoring tool. Using swatch provides you with a real time trap for those would be hackers and system crackers. With swatch, these blackhatted types will never have a chance to break in and cover their tracks. You can stop them cold by knowing what time it is.

Next week, we temporarily divert your attention from logs to a look at how to expand those ever-filling virtual machine filesystems.

Comments on "Swatch: The Simple Log Watcher"


Seems like the wrong approach to me. Especially when looking at logfiles \”badness enumeration\” is just wrong.

I\’d rather tell it about the things I don\’t care – that is things I know (IIRC logwatch does that).

Granted, swatch is still better than having logfiles just for the reason that they exist.


I have had to use the following options in my initd script :
–tail-args \’–follow=name –lines=3\’

This makes sure that if the filename swatch is monitoring is rotated out by logrotate, swatch will re-open the file as needed

I use swatch to monitor all my servers for nfs mounts that suddenly disappear

Heya i?m for the first time here. I found this board and I to find It really useful & it helped me out much. I hope to give something back and help others such as you helped me.

Thank you a bunch for sharing this with all of us you really realize what you’re speaking approximately! Bookmarked. Please additionally talk over with my site =). We can have a link exchange agreement among us

Unfortunately you cnanot use these patterns in Photoshop. You must open them in Adobe Illustrator.

I agree with this, but do you have any recommendations for an alternative tool that does this? preferably something running as a daemon.

Nice, but instead of it emailing me the line it’s matched I like it to include the x number of lines before/after the match like grep -A.
Useful for mail or reject logs.
Anyway to do this?

Have a look at Simple Event Correlator (simple-evcorr.sourceforge.net). It’s written in perl like Swatch, but has several advanced features for message aggregation and multiline matching.

There is also a SEC FAQ entry on how to convert existing Swatch rules into SEC rules:


Thanks for any other great post. The place else could anyone get that type of info in such a perfect approach of writing? I’ve a presentation next week, and I’m at the look for such info.

Appreciate it for this rattling post, I am glad I observed this site on yahoo.

Hello Web Admin, I noticed that your On-Page SEO is is missing a few factors, for one you do not use all three H tags in your post, also I notice that you are not using bold or italics properly in your SEO optimization. On-Page SEO means more now than ever since the new Google update: Panda. No longer are backlinks and simply pinging or sending out a RSS feed the key to getting Google PageRank or Alexa Rankings, You now NEED On-Page SEO. So what is good On-Page SEO?First your keyword must appear in the title.Then it must appear in the URL.You have to optimize your keyword and make sure that it has a nice keyword density of 3-5% in your article with relevant LSI (Latent Semantic Indexing). Then you should spread all H1,H2,H3 tags in your article.Your Keyword should appear in your first paragraph and in the last sentence of the page. You should have relevant usage of Bold and italics of your keyword.There should be one internal link to a page on your blog and you should have one image with an alt tag that has your keyword….wait there’s even more Now what if i told you there was a simple WordPress plugin that does all the On-Page SEO, and automatically for you? That’s right AUTOMATICALLY, just watch this 4minute video for more information at. Seo Plugin

Admiring the persistence you put into your site and in depth information you present. It’s awesome to come across a blog every once in a while that isn’t the same outdated rehashed material. Wonderful read! I’ve saved your site and I’m adding your RSS feeds to my Google account.

Hi, Neat post. There is a problem along with your web site in internet explorer, could check thisK IE nonetheless is the market leader and a good element of other folks will pass over your wonderful writing due to this problem.

We prefer to honor several other net internet sites on the web, even when they aren?t linked to us, by linking to them. Underneath are some webpages worth checking out.

Just beneath, are quite a few totally not related sites to ours, nonetheless, they’re surely worth going over.

Check beneath, are some absolutely unrelated web-sites to ours, even so, they’re most trustworthy sources that we use.

Check beneath, are some totally unrelated web-sites to ours, on the other hand, they are most trustworthy sources that we use.

I’ve been browsing on-line more than three hours as of late, but I by no means discovered any fascinating article like yours. It¦s pretty worth enough for me. In my opinion, if all web owners and bloggers made excellent content as you did, the web can be much more useful than ever before.

The time to read or check out the material or internet sites we have linked to below.

Please go to the web pages we adhere to, like this 1, as it represents our picks through the web.

Hello! Do you know if they make any plugins to assist with SEO? I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good results. If you know of any please share. Appreciate it!

Although websites we backlink to below are considerably not associated to ours, we feel they’re really really worth a go by, so possess a look.

I?¦ll right away seize your rss feed as I can’t to find your email subscription link or e-newsletter service. Do you have any? Please permit me realize in order that I may subscribe. Thanks.

Here are a few of the internet sites we suggest for our visitors.

I see your website needs some fresh & unique articles.
Writing manually is time consuming, there is tool for this task.
Just search in gogle for – marihhus content tool

The information talked about within the report are a number of the best available.

Although web-sites we backlink to beneath are considerably not related to ours, we feel they’re essentially really worth a go by way of, so have a look.

Wonderful story, reckoned we could combine some unrelated information, nonetheless definitely really worth taking a look, whoa did one study about Mid East has got much more problerms too.

Usually posts some pretty interesting stuff like this. If you?re new to this site.

The time to study or pay a visit to the material or web sites we have linked to below.

Very couple of web sites that come about to become comprehensive below, from our point of view are undoubtedly properly worth checking out.

Thanks a bunch for sharing this with all people you actually understand what you’re speaking approximately! Bookmarked. Please also discuss with my site =). We could have a link alternate arrangement between us!

Every as soon as inside a even though we choose blogs that we read. Listed beneath are the newest internet sites that we decide on.

Although web-sites we backlink to below are considerably not connected to ours, we feel they may be in fact really worth a go by way of, so have a look.

The time to read or stop by the subject material or sites we have linked to beneath.

That will be the finish of this write-up. Right here you?ll come across some web pages that we feel you will enjoy, just click the links.

Here are some hyperlinks to websites that we link to simply because we feel they are worth visiting.

The data mentioned inside the post are some of the top readily available.

The info talked about in the write-up are several of the top accessible.

hi!,I like your writing very a lot! share we communicate extra about your post on AOL? I need an expert on this house to resolve my problem. Maybe that’s you! Having a look forward to peer you.
salomon cosmic 4d 2 gtx http://www.fyossalud.es/salud.php?es=id-2296

Below you?ll find the link to some sites that we feel you should visit.

Hiya very nice website!! Man .. Excellent .. Amazing .. I’ll bookmark your web site and take the feeds additionally?I am happy to search out a lot of helpful info here in the publish, we need work out more techniques in this regard, thank you for sharing. . . . . .
tiendas de ropa interior femenina http://www.racdesign.com.br/srra.php?es=tiendas-de-ropa-interior-femenina

Lucky then I do not out seo expert (Constance) strategies is because I consider search engine optimization techniques themselves is a little self offering, and also slimey,

This will not be onerous to do and the extra internet pages or web sites you may have the more cash you will make.

Also visit my webpage; business marketing expert (136097.webhosting47.1blu.de)

“Hi there! I’m at work browsing your blog from my new iphone 4! Just wanted to say I love reading your blog and look forward to all your posts! Keep up the fantastic work!”

That could be the end of this post. Here you will discover some internet sites that we feel you will enjoy, just click the hyperlinks.

Leave a Reply