
Swatch: The Simple Log Watcher

You'll always know what time it is with swatch, a real time monitoring tool for your logs.

Swatch isn’t a cleverly designed watch from the 1980s, but you’ll find it just as handy (and just as cleverly designed). Like Logwatch, swatch is a Perl script that watches your logs, but swatch watches them for regular expressions that you configure. Swatch notifies you by mail or on the console screen (stdout) whenever a new log entry matches one of your watchfor directives.

Swatch picks up and delivers messages as intrusions occur, so that you can halt a potential break-in before the intruder does any damage. It is one of the most important defensive weapons in your system administrator arsenal.

The Basics

The Swatch Project page is the first place you need to visit so that you can grab the source code and get started. If you’re lucky, your distribution will have a pre-built package for you to install. Packaged version or not, you have some work to do before swatch will work. The man page is helpful for basic information to run and configure swatch. Pay particular attention to the COMMAND LINE OPTIONS and THE CONFIGURATION FILE sections. You can find a bit more help under /usr/share/doc/swatch.

The information in this article comes from some trial and error in dealing with and configuring this latest version (3.2.3) of swatch using the information provided by the swatch man page and the included doc file.

The Swatch Startup Script

You’ll want to set up a startup script so that swatch launches every time you reboot your system. This script also provides a manual startup and shutdown mechanism for swatch, which you need because swatch must be restarted each time you change its configuration file. Create the example startup script (below) as /etc/init.d/swatch.

#!/bin/sh
# Simple Log Watcher Program

case "$1" in
'start')
	/usr/bin/swatch --daemon --config-file=/etc/swatch.conf --tail-file=/var/log/auth.log --pid-file=/var/run/swatch.pid
	;;
'stop')
	# swatch records its process ID in the file named by --pid-file
	PID=$(cat /var/run/swatch.pid)
	kill "$PID"
	;;
*)
	echo "Usage: $0 { start | stop }"
	;;
esac
exit 0

Then to make sure that swatch starts up in your standard runlevels, you’ll need to perform the following tasks.

$ sudo chmod 755 /etc/init.d/swatch
$ sudo ln -s /etc/init.d/swatch /etc/rc2.d/S99swatch
$ sudo ln -s /etc/init.d/swatch /etc/rc3.d/S99swatch
$ sudo ln -s /etc/init.d/swatch /etc/rc5.d/S99swatch

The Swatch Command

The swatch command parameters shown in the startup script above require some explanation. Remember that you can test any new parameter or configuration options by using swatch at the command line. You don’t have to change it in the startup script and restart it for testing. Let’s dissect this very basic but very functional swatch command.

/usr/bin/swatch --daemon --config-file=/etc/swatch.conf --tail-file=/var/log/auth.log --pid-file=/var/run/swatch.pid

/usr/bin/swatch is the full explicit path to the swatch script (command). When scripting, always use explicit paths to avoid annoying “command not found” messages caused by $PATH problems.

The --daemon option tells swatch to run as a daemon.

The --config-file=/etc/swatch.conf option refers to the swatch configuration file that contains your alert directives and instructions. Swatch requires that you create and use a configuration file.

The --tail-file=/var/log/auth.log entry tells swatch which log file you want to watch. You may watch more than one log file by adding it to the list. For example, --tail-file=/var/log/auth.log /var/log/messages.

You can specify a PID (process ID) file with the --pid-file option. Using this option makes it easier to script a “kill” or shutdown for swatch, as you can see in the Startup Script section.

Should you decide to alter an option, you can test it at the command line with or without the --daemon option. Remember to restart swatch each time you change a parameter to force swatch to reread the configuration file.

Configuration

The default configuration file is ~/.swatchrc in the swatch user’s home directory. Swatch can use any filename as its configuration if you specify it on the command line. This means that you can create a system-level swatch that watches logs in /var/log and individual swatch log watchers for other programs that don’t necessarily drop their log files into /var/log. It also means that you can set up swatch log watchers on a per-user basis; any user can run swatch.

Let’s look at a system-level swatch configuration and then you can extrapolate it for individual swatch log watchers. The /etc directory is the logical location for a system-level configuration file, so let’s use /etc/swatch.conf for the system-level configuration file.

The /etc/swatch.conf file contains all of your watchfor and ignore directives. It also holds your notification email addresses. See a simple swatch.conf below.

watchfor /invalid|repeated|incomplete/
        echo
        write khess
        mail addresses=khess\@localhost,subject=Authentication Problems

The watchfor entry is a regular expression listing the keywords you want to alert on: when the system writes a log entry containing one or more of them, swatch takes the actions that follow the watchfor line. The echo line tells swatch to echo the alert to the console screen. The write line tells swatch to write the message to the named user’s terminal; you can see this write action in Figure 1. The last line in this configuration file tells swatch to mail the offending captured entries to the person(s) listed.

Figure 1: Intruder detection notification sent via the write configuration option.

Refer to the listing below to see what the output to mail looks like.

$ mail
>U   1 root     Tue Jun  8 06:43 17/579  Authentication Problems
 U   2 root     Tue Jun  8 06:43 16/544  Authentication Problems
 U   3 root     Tue Jun  8 06:43 16/546  Authentication Problems

The body of each mail message is the matching entry excerpted from the auth.log file you named on the swatch command line.

Jun 8 06:43:54 kubuntu sshd[1618]: Failed none for invalid user freddy from 192.168.56.102 port 37800 ssh2

Interactive Session Notification

An attempt on your system looks like the following listing as it occurs. These messages appear on the console screen of the target host running swatch. They give you real-time notification that a possible break-in attempt is in progress and allow you to take action.

If you use the write option in the configuration file, you’ll also see the messages shown in Figure 1 (above) as the attempt occurs.

Jun 8 06:43:41 kubuntu sshd[1618]: Invalid user freddy from 192.168.56.102
Jun 8 06:43:41 kubuntu sshd[1618]: Failed none for invalid user freddy from 192.168.56.102 port 378000 ssh2
Jun 8 06:43:46 kubuntu sshd[1618]: Failed none for invalid user freddy from 192.168.56.102 port 378000 ssh2
Jun 8 06:43:50 kubuntu sshd[1618]: Failed none for invalid user freddy from 192.168.56.102 port 378000 ssh2
Jun 8 06:43:54 kubuntu sshd[1618]: Failed none for invalid user freddy from 192.168.56.102 port 378000 ssh2
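Before restarting the daemon after editing /etc/swatch.conf, it is worth dry-running the pattern against captured lines like the ones above so that a regex typo cannot silently disable alerting. The following shell script is an added example, not code from the article or from the swatch project; the configuration, sample log lines and temporary paths it uses are constructed here, and the ignore and throttle directives come from the swatch man page rather than from the article.

```shell
#!/bin/sh
# Added example, not code from the article: dry-run a swatch config against
# sample auth.log lines so a regex typo is caught before the daemon restarts.
# The config, log lines and paths below are constructed for this example.
set -eu

WORK=${TMPDIR:-/tmp}/swatch-dryrun.$$
mkdir -p "$WORK"

# Constructed swatch.conf. The article's /invalid|.../ is case sensitive and
# misses "Invalid user", so the class [Ii] is used here. ignore and throttle
# are swatch man-page directives; keep ignore patterns narrow (user and host
# pinned) so real failures are never dropped. throttle limits repeat alerts.
cat > "$WORK/swatch.conf" <<'EOF'
ignore /invalid user healthcheck from 127\.0\.0\.1/
watchfor /[Ii]nvalid|repeated|incomplete/
        echo
        mail addresses=khess\@localhost,subject=Authentication Problems
        throttle 00:05:00
EOF

# Constructed sample log: two sshd failures plus one local probe that the
# ignore directive is meant to suppress.
cat > "$WORK/auth.log" <<'EOF'
Jun 8 06:43:41 kubuntu sshd[1618]: Invalid user freddy from 192.168.56.102
Jun 8 06:43:41 kubuntu sshd[1618]: Failed none for invalid user freddy from 192.168.56.102 port 37800 ssh2
Jun 8 06:45:01 kubuntu sshd[1702]: Failed none for invalid user healthcheck from 127.0.0.1 port 40010 ssh2
EOF

# pattern_of DIRECTIVE CONF: print the regex body of the first
# "DIRECTIVE /regex/" line in a swatch config (empty if none).
pattern_of() {
    sed -n "s|^[[:space:]]*$1[[:space:]]*/\(.*\)/[[:space:]]*\$|\1|p" "$2" | head -n 1
}

# would_alert CONF LOG: count lines matching the watchfor regex that the
# ignore regex does not drop. swatch evaluates Perl regexes; grep -E agrees
# for plain alternations like these, so use --examine below for Perl-only syntax.
would_alert() {
    want=$(pattern_of watchfor "$1"); skip=$(pattern_of ignore "$1")
    grep -E -- "$want" "$2" | grep -E -v -- "${skip:-^\$}" | grep -c . || true
}

echo "lines that would trigger an alert: $(would_alert "$WORK/swatch.conf" "$WORK/auth.log")"

# With swatch installed, examine the sample once (no --daemon, no --tail-file).
if command -v swatch >/dev/null 2>&1; then
    swatch --config-file="$WORK/swatch.conf" --examine="$WORK/auth.log"
fi
```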

Swatch is an excellent “catch them in the act” log monitoring tool. Using swatch gives you a real-time trap for would-be hackers and system crackers. With swatch, these black-hatted types never get a chance to break in and cover their tracks. You can stop them cold by knowing what time it is.

Next week, we temporarily divert your attention from logs to a look at how to expand those ever-filling virtual machine filesystems.
