- Make sure to read the CentOS, PHP-FPM, memcached and MySQL posts first; this post assumes that setup (including the /server layout used below).
- download the latest swatch release from the project site and build it together with the Perl modules it depends on
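#!/usr/bin/env bash
# Download, verify and build swatch 3.2.3 plus the Perl modules it needs.
# Run as root: cpan installs system-wide and the Date::Manip rebuild below
# reads root's cpan cache.
set -euo pipefail

readonly SWATCH_VER=3.2.3
readonly SWATCH_TARBALL="swatch-${SWATCH_VER}.tar.gz"

# Fetch over HTTPS (the original used plain HTTP, so the tarball could be
# swapped in transit) and pin the output name with -O: without it wget keeps
# the mirror query string (?r=...&use_mirror=...) in the saved filename and the
# tar step below would not find swatch-3.2.3.tar.gz.
wget -O "$SWATCH_TARBALL" \
  "https://downloads.sourceforge.net/project/swatch/swatch/${SWATCH_VER}/${SWATCH_TARBALL}"

# The release is not signed. At minimum compare this digest against the one
# published on the project page before continuing; do not build an
# unverified tarball that will end up running as root.
sha256sum "$SWATCH_TARBALL"

tar xfz "$SWATCH_TARBALL"
cd "swatch-${SWATCH_VER}"

# Runtime/build dependencies pulled from CPAN (network access required).
cpan -i Date::Format File::Tail
cpan -i Date::Manip Date::Calc
cpan -i Test::Inter Test::Pod Test::Pod::Coverage Module::Build

# Date::Manip is rebuilt by hand from the tarball cpan already downloaded
# into root's cache. Note the trailing slash on the cd glob: once the tarball
# is extracted, "Date-Manip-*" matches both the archive and the directory and
# cd would fail with "too many arguments".
cp /root/.cpan/sources/authors/id/S/SB/SBECK/Date-Manip-*.tar.gz .
tar xfz Date-Manip-*.tar.gz
cd Date-Manip-*/
perl Build.PL
./Build install
cd ..

# Build and install swatch itself (lands in /usr/local/bin/swatch).
perl Makefile.PL
make install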
- configure swatch
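# Edit the swatch configuration. Swatch (and any exec action in this file)
# runs with the privileges of the user that starts it -- presumably root,
# since it tails /var/log/secure and mails root -- so the file must not be
# writable by unprivileged accounts such as www.
vi /server/swatch.conf
chown root:root /server/swatch.conf
chmod 0600 /server/swatch.conf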
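# Swatch configuration file for Linux box
# Last Modified 7 April, 2000
# Lance Spitzner
# swatch -c /etc/swatchrc -t /var/log/messages
#
# SECURITY NOTE (review): every line watched here is attacker-influenced
# text -- SSH usernames in /var/log/secure, request URLs and credentials in
# the nginx error log, PHP messages. The original rules handed the matched
# line to a shell, e.g.
#   exec "echo '$1' | mail root -s '[swatch][ssh]:\ $2' "
# A single quote in the log line (a crafted SSH login name is enough) breaks
# out of the quoting and runs arbitrary commands as the user swatch runs as
# (normally root). The rules below use swatch's built-in "mail" action
# instead: the matched line becomes the message body, written to the
# mailer's stdin, and is never interpolated into a command line. Keep the
# subjects fixed strings -- the subject is still passed to the mailer on its
# command line, so never put $1/$2 captures into it.

### Snort honeypot alerts from firewall
# watchfor /IDS/
#   echo bold
#   mail addresses=admin,subject=— Snort IDS Alert —
#   exec echo $0 >> /var/log/IDS-scans
#   throttle 01:00 use=IDS27

################# Watching for /var/log/secure

# Mail root for every ssh login attempt (accepted or failed password).
watchfor /^(.+\]\:(.+password.+))$/
   mail addresses=root,subject=[swatch][ssh] password login event
   echo=red
   bell 2

# Mail root for every su session opened via pam_unix.
watchfor /^(.*su\: pam_unix\(su-l\:session\):(.*))$/
   mail addresses=root,subject=[swatch][su] su session opened
   echo=red
   bell 2

######################## Watches /var/log/php.log

# Mail user www for PHP warnings; throttled per message ($3) to at most
# 20 alerts per minute so a noisy page cannot flood the mailbox.
watchfor /^((\[[^\]]+\])(.*PHP Warning.*))$/
   echo=red
   mail addresses=www,subject=[swatch][PHP]:WARNING
   throttle threshold=20,delay=0:1:0,key=$3
   bell 2

# Mail www@example.com for PHP errors (fatal/parse/etc.).
watchfor /^(.+?(PHP[^:]+?error):.+)$/
   echo=red
   mail addresses=www@example.com,subject=[swatch][PHP] error
   bell 2

######################## Watches /server/log/nginx/error.log

# Mail user www for authentication failures (access list / basic auth).
# These lines carry client-supplied usernames and URLs -- do not exec them.
watchfor /^(.+(\/server\/secure\/accesslist|basic authentication).+)$/
   echo=yellow
   mail addresses=www,subject=[swatch][NGINX]:401
   bell 2

# Mail user www for access-forbidden errors.
watchfor /^(.+(access forbidden).+)$/
   echo=yellow
   mail addresses=www,subject=[swatch][NGINX]:403
   bell 2

# Mail root when nginx cannot reach the php-fpm socket.
watchfor /^(.+?(php-fpm.sock failed).+)$/
   echo=red
   mail addresses=root,subject=[swatch][NGINX] php-fpm.sock failed
   bell 2

# Mail user www for 404s; throttled per requested path ($2) so a scanner
# hitting many missing files sends at most 20 alerts per minute.
watchfor /^(.* "([^"]+)" failed \(2: No such file or directory\).*)$/
   echo=yellow
   mail addresses=www,subject=[swatch][NGINX]:404
   throttle threshold=20,delay=0:1:0,key=$2
   bell 2

#########################################################
# EXAMPLES
#
#########################################################
#watchfor /PORTSCAN DETECTED/
#   echo bold
#   mail addresses=admin,subject=— Snort Port Scan Alert —
#   exec echo $0 >> /var/log/IDS-scans

### DNS zone transfers
#watchfor /approved AXFR/
#   echo bold
#   mail addresses=admin,subject=— Zone transfer Alert —
#   exec echo $0 >> /var/log/IDS-scans

### Bad login attempts
# watchfor /failed/
#   echo bold
#   mail addresses=root,subject=Failed Authentication

### Someone is sniffing!
# watchfor /promiscuous/
#   echo bold
#   mail addresses=root,subject=Someone is sniffing the network!

### Ignore this stuff
# ignore /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

### Kernel problems or system reboots
# watchfor /(panic|halt|SunOS Release)/
#   echo bold
#   mail addresses=root,subject=System Panic,Halt, or Reboot!

# watchfor /file system full/
#   echo bold
#   mail addresses=root,subject=File system Full
#   throttle 01:00

# watchfor /su:/
#   echo bold
#   mail addresses=root,subject=Someone sued to root access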
- run swatch as a daemon
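# Start swatch as a daemon watching the three logs the config covers.
# --daemon already detaches into the background, so the trailing '&' the
# original used is redundant. --pid-file records the daemon's PID so it can
# be stopped or restarted cleanly after a config change
# (kill "$(cat /var/run/swatch.pid)") instead of hunting for it with ps.
# Run this as root: the config tails /var/log/secure and mails root, and any
# action in it runs with this process's privileges.
/usr/local/bin/swatch -c /server/swatch.conf --daemon \
  --pid-file=/var/run/swatch.pid \
  -t "/var/log/secure /var/log/php.log /server/log/nginx/error.log"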
- test the configuration by triggering a PHP error or logging in over SSH again: a bell should sound and the matched log line should be printed on your terminal, and the corresponding alert email should arrive.
