Watch log files on Linux server with Swatch 3.2.3

- Make sure to check CentOS, PHP-FPM, memcached and MYSQL posts.

- Get a fresh package from the Swatch project

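# Fetch, build and install Swatch 3.2.3 together with the Perl modules it needs.
# Changes from the original transcript:
#  - the tarball is fetched over HTTPS and given an explicit output name; without
#    -O, wget would name the file after the full URL (query string included), so
#    the following tar command would not find "swatch-3.2.3.tar.gz";
#  - each step is fatal on failure so a failed download or build does not let
#    "make install" run against the wrong directory.
set -euo pipefail

wget -O swatch-3.2.3.tar.gz \
  "https://downloads.sourceforge.net/project/swatch/swatch/3.2.3/swatch-3.2.3.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fswatch%2F&ts=1330806322&use_mirror=garr"
# Compare the download against the checksum published by the project before
# unpacking it; the value is not reproduced here:
#   sha256sum -c <<<"<SHA256_FROM_PROJECT_PAGE>  swatch-3.2.3.tar.gz"
tar xfz swatch-3.2.3.tar.gz
cd swatch-3.2.3

# Runtime dependencies, then the build/test helpers used by Date::Manip.
cpan -i Date::Format File::Tail
cpan -i Date::Manip Date::Calc
cpan -i Test::Inter Test::Pod Test::Pod::Coverage Module::Build

# Date::Manip is rebuilt from the tarball cpan already downloaded, using its
# Build.PL (the original transcript did the same).
cp /root/.cpan/sources/authors/id/S/SB/SBECK/Date-Manip-* .
tar xfz Date-Manip-*.tar.gz
cd Date-Manip-*
perl Build.PL
./Build install
cd ..

# Build and install swatch itself.
perl Makefile.PL
make install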

- configure swatch


vi /server/swatch.conf
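# Swatch configuration file for Linux box
# Last Modified 7 April, 2000
# Lance Spitzner
# swatch -c /etc/swatchrc -t /var/log/messages
#
# Notification is done with swatch's built-in "mail" action rather than
# "exec" with $1/$2 substituted into a shell command line. The matched log
# line is sent as the message body either way, but with "exec" the line is
# handed to the shell: quotes or other metacharacters inside log content
# (usernames in sshd messages, request URIs in nginx errors) would end the
# quoted argument and be executed. The "mail" action passes the line to the
# mailer on stdin, so no log content is interpreted by a shell. Subjects are
# static because they are part of the config, not of the log line.
### Snort honeypot alerts from firewall
# watchfor /IDS/
# echo bold
# mail addresses=admin,subject=— Snort IDS Alert —
# exec echo $0 >> /var/log/IDS-scans
# throttle 01:00 use=IDS27



################# Watching for /var/log/secure

# Mail root for every ssh password event; the matched line is the body.
watchfor /^(.+\]\:(.+password.+))$/
        mail addresses=root,subject=[swatch][ssh] password event
        echo=red
        bell 2

# Mail root for every su session
watchfor /^(.*su\: pam_unix\(su-l\:session\):(.*))$/
        mail addresses=root,subject=[swatch][su] session
        echo=red
        bell 2



######################## Watches /var/log/php.log

# Mail user www for PHP warnings (throttled per message text, $3)
watchfor   /^((\[[^\]]+\])(.*PHP Warning.*))$/
        echo=red
        mail addresses=www,subject=[swatch][PHP]:WARNING
        throttle threshold=20,delay=0:1:0,key=$3
        bell 2


# Mail www@example.com for PHP errors
watchfor   /^(.+?(PHP[^:]+?error):.+)$/
        echo=red
        mail addresses=www@example.com,subject=[swatch][PHP] error
        bell 2




######################## Watches /server/log/nginx/error.log

# Mail user www for authentication errors
watchfor   /^(.+(\/server\/secure\/accesslist|basic authentication).+)$/
        echo=yellow
        mail addresses=www,subject=[swatch][NGINX]:401
        bell 2

# Mail user www for access forbidden errors
watchfor   /^(.+(access forbidden).+)$/
        echo=yellow
        mail addresses=www,subject=[swatch][NGINX]:403
        bell 2

# Mail root for php-fpm failure
watchfor   /^(.+?(php-fpm.sock failed).+)$/
        echo=red
        mail addresses=root,subject=[swatch][NGINX] php-fpm.sock failed
        bell 2

# Mail user www for 404 errors (throttled per requested path, $2)
watchfor   /^(.* "([^"]+)" failed \(2: No such file or directory\).*)$/
        echo=yellow
        mail addresses=www,subject=[swatch][NGINX]:404
        throttle threshold=20,delay=0:1:0,key=$2
        bell 2



#########################################################
#       EXAMPLES    #
#########################################################


#watchfor /PORTSCAN DETECTED/
# echo bold
# mail addresses=admin,subject=— Snort Port Scan Alert —
# exec echo $0 >> /var/log/IDS-scans

### DNS zone transfers
#watchfor /approved AXFR/
# echo bold
# mail addresses=admin,subject=— Zone transfer Alert —
# exec echo $0 >> /var/log/IDS-scans

### Bad login attempts
# watchfor   /failed/
#        echo bold
#        mail addresses=root,subject=Failed Authentication

### Someone is sniffing!
# watchfor   /promiscuous/
#        echo bold
#        mail addresses=root,subject=Someone is sniffing the network!

### Ignore this stuff
# ignore   /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

### Kernel problems or system reboots
# watchfor   /(panic|halt|SunOS Release)/
#        echo bold
#        mail addresses=root,subject=System Panic,Halt, or Reboot!

# watchfor   /file system full/
#        echo bold
#        mail addresses=root,subject=File system Full
#        throttle 01:00

# watchfor   /su:/
#        echo bold
#        mail addresses=root,subject=Someone sued to root access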

- Run swatch as a daemon

# Start swatch detached, watching the log files covered by the config.
# Arguments are kept in an array so the tail-file list stays one argument.
swatch_args=(
  -c /server/swatch.conf
  --daemon
  -t "/var/log/secure /var/log/php.log /server/log/nginx/error.log"
)
/usr/local/bin/swatch "${swatch_args[@]}" &

- Test the config by generating a PHP error or logging in over SSH again; a bell sound and an error prompt should appear on your terminal.
