
Watch log files on Linux server with Swatch 3.2.3

– Make sure to check CentOS, PHP-FPM, memcached and MYSQL posts.

– Get a fresh package from the Swatch project

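#!/usr/bin/env bash
# Build swatch 3.2.3 from source together with the Perl modules it needs.
# Save this as a file and run it (it copies from /root/.cpan, so the page
# assumes root); with `set -e` the run stops at the first failing step instead
# of reaching `make install` on a half-built tree. Do not paste `set -e` into an
# interactive shell — a failure would close that shell.
set -e

# Plain-HTTP download from a SourceForge mirror: the transport gives no
# integrity guarantee, so compare the archive with the checksum the project
# publishes before unpacking it (the value is not reproduced on this page).
# -O pins the local file name: by default wget names the file after the
# original URL, query string included, and the following `tar` line would not
# find swatch-3.2.3.tar.gz.
wget -O swatch-3.2.3.tar.gz "http://downloads.sourceforge.net/project/swatch/swatch/3.2.3/swatch-3.2.3.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fswatch%2F&ts=1330806322&use_mirror=garr"
# echo "<PUBLISHED_SHA256>  swatch-3.2.3.tar.gz" | sha256sum -c -   # TODO: fill in the published value
tar xfz swatch-3.2.3.tar.gz
cd swatch-3.2.3

# Runtime and build dependencies from CPAN; they land in the Perl site library
# of the account running this.
cpan -i Date::Format File::Tail
cpan -i Date::Manip Date::Calc
cpan -i Test::Inter Test::Pod Test::Pod::Coverage Module::Build

# Date::Manip is then built by hand from the tarball cpan already placed in its
# source cache — presumably because its Build.PL needs Module::Build, which the
# line above installs (confirm on your system). The glob must match exactly one
# archive, otherwise `cd` fails and the script stops here.
cp /root/.cpan/sources/authors/id/S/SB/SBECK/Date-Manip-* .
tar xfz Date-Manip-*.tar.gz
cd Date-Manip-*
perl Build.PL
./Build install
cd ..

# Back in the swatch tree: generate the Makefile and install swatch itself.
perl Makefile.PL
make install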

– configure swatch

# Write the rule file that swatch is later started with (-c /server/swatch.conf).
# The lines that follow are the body of that file, not shell commands.
vi /server/swatch.conf
# Swatch configuration file for Linux box
# Last Modified 7 April, 2000
# Lance Spitzner
# swatch -c /etc/swatchrc -t /var/log/messages
### Snort honeypot alerts from firewall
# watchfor /IDS/
# echo bold
# mail addresses=admin,subject=— Snort IDS Alert —
# exec echo $0 >> /var/log/IDS-scans
# throttle 01:00 use=IDS27



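################# Watching for /var/log/secure
#
# Alerting note (applies to every stanza in this file): the rules originally
# ran `exec "echo '$1' | mail <user> -s '... $2' "`. swatch substitutes $N in
# an exec command with text taken from the matched log line and hands the
# result to a shell, so a line carrying a quote or other shell metacharacters
# (an attempted SSH user name, a requested URL, a PHP message) breaks out of
# the quoting and runs as the user swatch was started as. The built-in `mail`
# action delivers the matched line as the message body without a shell, so it
# replaces those exec lines; subjects are static because the variable part of
# the old subject is in the body anyway. Several recipients are separated by
# ':' in `addresses=`.

# Send email to server root for every ssh login
watchfor /^(.+\]\:(.+password.+))$/
        echo=red
        mail addresses=root,subject=[swatch][ssh] password authentication
        bell 2

# Send email to server root for every su session
watchfor /^(.*su\: pam_unix\(su-l\:session\):(.*))$/
        echo=red
        mail addresses=root,subject=[swatch][su] session
        bell 2



######################## Watches /var/log/php.log

# Send user www an email for PHP warnings. The throttle limits repeat
# notifications per key so a noisy page cannot flood the mailbox; see swatch(1)
# for the exact threshold/delay semantics.
watchfor   /^((\[[^\]]+\])(.*PHP Warning.*))$/
        echo=red
        mail addresses=www,subject=[swatch][PHP]:WARNING
        throttle threshold=20,delay=0:1:0,key=$3
        bell 2


# Send an email for PHP errors (recipient reproduced as published on the page)
watchfor   /^(.+?(PHP[^:]+?error):.+)$/
        echo=red
        mail addresses=[email protected],subject=[swatch][PHP] error
        bell 2




######################## Watches /server/log/nginx/error.log

# Send user www an email for authentication errors
watchfor   /^(.+(\/server\/secure\/accesslist|basic authentication).+)$/
        echo=yellow
        mail addresses=www,subject=[swatch][NGINX]:401
        bell 2

# Send user www an email for access forbidden errors
watchfor   /^(.+(access forbidden).+)$/
        echo=yellow
        mail addresses=www,subject=[swatch][NGINX]:403
        bell 2

# Send user root an email for php-fpm failure
watchfor   /^(.+?(php-fpm.sock failed).+)$/
        echo=red
        mail addresses=root,subject=[swatch][NGINX] php-fpm.sock failed
        bell 2

# Send user www an email for 404 errors; throttled per requested path ($2)
# because crawlers and scanners generate these in bursts
watchfor   /^(.* "([^"]+)" failed \(2: No such file or directory\).*)$/
        echo=yellow
        mail addresses=www,subject=[swatch][NGINX]:404
        throttle threshold=20,delay=0:1:0,key=$2
        bell 2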



#########################################################
#       EXAMPLES    #
#########################################################


#watchfor /PORTSCAN DETECTED/
# echo bold
# mail addresses=admin,subject=— Snort Port Scan Alert —
# exec echo $0 >> /var/log/IDS-scans

### DNS zone transfers
#watchfor /approved AXFR/
# echo bold
# mail addresses=admin,subject=— Zone transfer Alert —
# exec echo $0 >> /var/log/IDS-scans

### Bad login attempts
# watchfor   /failed/
#        echo bold
#        mail addresses=root,subject=Failed Authentication

### Someone is sniffing!
# watchfor   /promiscuous/
#        echo bold
#        mail addresses=root,subject=Someone is sniffing the network!

### Ignore this stuff
# ignore   /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

### Kernel problems or system reboots
# watchfor   /(panic|halt|SunOS Release)/
#        echo bold
#        mail addresses=root,subject=System Panic,Halt, or Reboot!

# watchfor   /file system full/
#        echo bold
#        mail addresses=root,subject=File system Full
#        throttle 01:00

# watchfor   /su:/
#        echo bold
#        mail addresses=root,subject=Someone sued to root access

– Run swatch as a daemon

# Start swatch detached (--daemon) with the rules in /server/swatch.conf.
# Any exec action in that file runs with the identity that launches this
# command, so start it as the least-privileged user that can read the logs.
# NOTE(review): -t receives one quoted string holding three paths; whether
# swatch 3.2.3 follows all three or treats it as a single file name is not
# shown here — confirm with `ps` and a test match before relying on it.
# NOTE(review): once detached there is presumably no terminal for the
# echo=/bell actions in the config to write to; the mail actions are what
# remains observable — verify.
# The trailing '&' also backgrounds the launching command itself, so a failed
# start is not reported by an exit status here.
/usr/local/bin/swatch -c /server/swatch.conf  --daemon \
-t "/var/log/secure /var/log/php.log /server/log/nginx/error.log" \
&

– Test the config by generating a PHP error or logging in over SSH again; a bell and the highlighted alert line should appear on your terminal.
