How to use Swatchdog to monitor Logs on Linux


1 Answer

Best answer

1. How to install Swatchdog on Linux
2. How to configure Swatchdog in Linux

As system administrators we must always have the best tools and applications that allow us to carry out monitoring and supervision tasks in a much more comprehensive way, that is, to obtain not only superficial but complete data on each action that occurs, both at the internal and the external level, within the operating system.

One of the best ways to access this information is through the logs or event logs, in which multiple data are stored, such as:

  • System startups, restarts and shutdowns both successful and failed
  • Access to applications and programs
  • Security events
  • Incoming and outgoing connection logs and much more.

One of the best options for monitoring these logs is Swatchdog, and for this reason in TechnoWikis we will explain how to install and use it in Linux.

What is Swatchdog

Swatchdog is a simple Perl-based script that has been developed to monitor active log files on Unix-like systems like Linux.

Swatchdog is capable of monitoring almost any type of log in Linux, including the logs produced by the Unix syslog facility, and it will be possible to see the log entries that match regular expressions which we can define in the utility's configuration file.

1. How to install Swatchdog on Linux


For this case we will use Ubuntu 18.04. The swatchdog package is available for installation from the official repositories of each of the main Linux distributions as a "swatch" package through a package manager; for its installation we can execute the following, based on the distribution used:

 # Ubuntu / Debian
 sudo apt install swatch
 # RHEL / CentOS
 sudo yum install epel-release && sudo yum install swatch
 # Fedora 22
 sudo dnf install swatch


Press the S key to confirm the download and installation of Swatchdog.

If we want to install the latest version of Swatchdog, it must be compiled from the source using the following commands in all Linux distributions:

 git clone https://github.com/ToddAtkins/swatchdog.git
 cd swatchdog/
 perl Makefile.PL
 make
 sudo make install
 sudo make realclean

With those commands you will have it ready.

2. How to configure Swatchdog in Linux


Once the Swatchdog installation process is complete, it will be necessary to create the configuration file, whose default location is /home/$USER/.swatchdogrc or .swatchrc, in order to determine what types of expression patterns are going to be searched for and what type of action should be performed when a pattern is matched.

Step 1


To create this file we will use one of the following options:

 sudo touch /home/technowikis/.swatchdogrc
 sudo touch /home/technowikis/.swatchrc


Note

The technowikis field must be replaced by the respective user.

Now we are going to add a regular expression in this file. Each line must contain a keyword and a value separated by a space or an equal sign (=), and it will be necessary to specify a pattern and an action to take in the event that the pattern is matched.

We access the file using the desired editor:

 sudo nano ~/.swatchdogrc

Step 2


There we will paste, as an example, the following:

 # replace user@example.com with the recipient's address
 watchfor /sudo/
     echo red
     mail=user@example.com, subject="Sudo Action"


We save the changes using the keys:

Ctrl + O

and we leave the editor using:

Ctrl + X

Step 3


In this example, the regular expression is the literal string "sudo", which means that every time the string sudo appears in the log file, the entry will be printed in the terminal in red text and a mail with the specified subject will be sent to report that the action has been executed, so we will have constant information on the actions carried out.

After its configuration, swatchdog reads the /var/log/syslog log file by default, and if this file is not present, it will read /var/log/messages.

We run the following to read the logs:

 # RHEL / CentOS and Fedora
 swatch
 # Ubuntu / Debian
 swatchdog


Step 4


It will also be possible to indicate a different configuration file using the -c parameter; for this we will first create a file as follows:

 mkdir swatch
 touch swatch/secure.conf

Step 5


Once created, we are going to add the following settings in the file in order to monitor failed login attempts, failed SSH login attempts and successful SSH logins in the /var/log/secure log file.

 # replace user@example.com with the recipient's address
 watchfor /FAILED/
     echo red
     mail=user@example.com, subject="Access attempt failed"
 watchfor /ROOT LOGIN/
     echo red
     mail=user@example.com, subject="Root access correct"
 watchfor /ssh.*: Failed password/
     echo red
     mail=user@example.com, subject="SSH connection attempt failed"
 watchfor /ssh.*: session opened for user root/
     echo red
     mail=user@example.com, subject="Correct SSH root access"


Step 6


We save the changes using the Ctrl + O keys and exit the editor using Ctrl + X.
Now we are going to run Swatch, specifying the configuration file we created with the -c flag and the log file with the -t flag, like so:

 swatchdog -c ~/swatch/secure.conf -t /var/log/secure

Step 7


In this way, as entries are recorded, they will be displayed in the Swatchdog results.
Additionally we can create other configuration files for monitoring, such as:

 swatchdog -c ~/site1_watch_config -t /var/log/nginx/site1/access_log --daemon
 swatchdog -c ~/messages_watch_config -t /var/log/messages --daemon
 swatchdog -c ~/auth_watch_config -t /var/log/auth.log --daemon

Some additional usage options are:

--awk-field-syntax

This option can be used only if you want to override the regular expression syntax in favor of awk-style field references.

--config-file | -c filename

Tells swatchdog where to find the configuration file

--daemon

Tells swatchdog to run in the background and disassociate itself from any terminal

--extra-module | -M module_name

Tells swatchdog which custom action modules to load.

Thus, it will be possible to keep a more precise control of the events in Linux thanks to this utility.


by (3.5m points)
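As an added example, not part of the answer above and not swatchdog's own code: a small Python dry-run of the watchfor / echo / mail= config syntax shown in secure.conf, applied to constructed log lines, so that a rule set can be checked for which entries it fires on before it is pointed at the live /var/log/secure. The config text, the placeholder address and the sample log lines are all constructed here.

```python
import re

# Constructed config in the shape of secure.conf above; the address is a placeholder.
CONFIG = """
watchfor /FAILED/
    echo red
    mail=user@example.com, subject="Access attempt failed"
watchfor /ssh.*: Failed password/
    echo red
    mail=user@example.com, subject="SSH connection attempt failed"
watchfor /ssh.*: session opened for user root/
    echo red
    mail=user@example.com, subject="Correct SSH root access"
"""
# Constructed lines resembling /var/log/secure entries (one is a non-match).
SAMPLE_LOG = [
    "Jan  5 10:01:02 host sshd[1234]: Failed password for invalid user bob from 10.0.0.5 port 4022 ssh2",
    "Jan  5 10:01:09 host sshd[1240]: Accepted publickey for alice from 10.0.0.6 port 4023 ssh2",
    "Jan  5 10:02:00 host sshd[1250]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Jan  5 10:03:00 host login[77]: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure",
]

def parse_config(text):
    """Return [(compiled regex, [action lines])]: 'watchfor /re/' opens a block, indented lines are its actions."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"watchfor\s*/(.*)/\s*$", line)
        if m:
            rules.append((re.compile(m.group(1)), []))
        else:
            rules[-1][1].append(line)  # action belongs to the most recent watchfor block
    return rules

def mail_subject(actions):
    """Subject the block's mail= action would send, or None if the block has no mail action."""
    found = [re.search(r'subject="([^"]*)"', a) for a in actions if a.startswith("mail=")]
    return found[0].group(1) if found and found[0] else None

def dry_run(config_text, lines):
    """Return [(log line, [subjects of every block that matched])]; like swatchdog, each line is tested against every block."""
    rules = parse_config(config_text)
    hits = []
    for line in lines:
        subjects = [mail_subject(acts) for rx, acts in rules if rx.search(line)]
        if subjects:
            hits.append((line, subjects))
    return hits
```

Note that /FAILED/ is case-sensitive, so the sshd "Failed password" line is caught only by the dedicated ssh rule, which is why a rule set is worth dry-running against representative lines.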
