– Make sure to check CentOS, PHP-FPM, memcached and MYSQL posts.
– get a fresh package from Swatch project
wget "http://downloads.sourceforge.net/project/swatch/swatch/3.2.3/swatch-3.2.3.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fswatch%2F&ts=1330806322&use_mirror=garr"
tar xfz swatch-3.2.3.tar.gz
cd swatch-3.2.3
cpan -i Date::Format File::Tail
cpan -i Date::Manip Date::Calc
cpan -i Test::Inter Test::Pod Test::Pod::Coverage Module::Build
cp /root/.cpan/sources/authors/id/S/SB/SBECK/Date-Manip-* .
tar xfz Date-Manip-*.tar.gz
cd Date-Manip-*
perl Build.PL
./Build install
cd ..
perl Makefile.PL
make install
– configure swatch
vi /server/swatch.conf
# Swatch configuration file for Linux box
# Last Modified 7 April, 2000
# Lance Spitzner
# swatch -c /etc/swatchrc -t /var/log/messages
### Snort honeypot alerts from firewall
# watchfor /IDS/
# echo bold
# mail addressess=admin,subject=— Snort IDS Alert —
# exec echo $0 >> /var/log/IDS-scans
# throttle 01:00 use=IDS27
################# Watching for /var/log/secure
#Send Email to server root for every ssh login
watchfor /^(.+\]\:(.+password.+))$/
exec "echo '$1' | mail root -s '[swatch][ssh]:\ $2' "
echo=red
bell 2
#Send Email to server root for every su session
watchfor /^(.*su\: pam_unix\(su-l\:session\):(.*))$/
exec "echo '$1' | mail root -s '[swatch][su]:\ $2' "
echo=red
bell 2
######################## Watches /var/log/php.log
#Send user www an email for PHP Warnings
watchfor /^((\[[^\]]+\])(.*PHP Warning.*))$/
echo=red
exec "echo '$1' | mail www -s '[swatch][PHP]:WARNING' "
throttle threshold=20,delay=0:1:0,key=$3
bell 2
#Send [email protected] an email for PHP Errors
watchfor /^(.+?(PHP[^:]+?error):.+)$/
echo=red
exec "echo '$1' | mail [email protected] -s '[swatch][PHP]:\ $2' "
bell 2
######################## Watches /server/log/nginx/error.log
#Send user www an email for authentication errors
watchfor /^(.+(\/server\/secure\/accesslist|basic authentication).+)$/
echo=yellow
exec "echo '$1' | mail www -s '[swatch][NGINX]:401' "
bell 2
#Send user www an email for access forbidden errors
watchfor /^(.+(access forbidden).+)$/
echo=yellow
exec "echo '$1' | mail www -s '[swatch][NGINX]:403' "
bell 2
#Send user root an email for php-fpm failure
watchfor /^(.+?(php-fpm.sock failed).+)$/
echo=red
exec "echo '$1' | mail root -s '[swatch][NGINX]:\ $2' "
bell 2
#Send user www an email for 404 errors
watchfor /^(.* "([^"]+)" failed \(2: No such file or directory\).*)$/
echo=yellow
exec "echo '$1' | mail www -s '[swatch][NGINX]:404' "
throttle threshold=20,delay=0:1:0,key=$2
bell 2
#########################################################
# EXAMPLES #
#########################################################
#watchfor /PORTSCAN DETECTED/
# echo bold
# mail addresses=admin,subject=— Snort Port Scan Alert —
# exec echo $0 >> /var/log/IDS-scans
### DNS zone transfers
#watchfor /approved AXFR/
# echo bold
# mail addresses=admin,subject=— Zone transfer Alert —
# exec echo $0 >> /var/log/IDS-scans
### Bad login attempts
# watchfor /failed/
# echo bold
# mail addressess=root,subject=Failed Authentication
### Some is sniffing!
# watchfor /promiscuous/
# echo bold
# mail addressess=root,subject=Someone is sniffing the network!
### Ignore this stuff
# ignore /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/
### Kernel problems or system reboots
# watchfor /(panic|halt|SunOS Release)/
# echo bold
# mail addresses=root,subject=System Panic,Halt, or Reboot!
# watchfor /file system full/
# echo bold
# mail addresses=root,subject=File system Full
# throttle 01:00
# watchfor /su:/
# echo bold
# mail addresses=root,subject=Someone sued to root access
– run swatch as deamon
/usr/local/bin/swatch -c /server/swatch.conf --daemon \
-t "/var/log/secure /var/log/php.log /server/log/nginx/error.log" \
&
– test the config by generating PHP error or logging into ssh again, a bell sound and error prompt should appear on your terminal.
