GadElKareem

Watch log files on Linux server with Swatch 3.2.3

– Make sure to check CentOS, PHP-FPM, memcached and MYSQL posts.

– get a fresh package from Swatch project

wget "http://downloads.sourceforge.net/project/swatch/swatch/3.2.3/swatch-3.2.3.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fswatch%2F&ts=1330806322&use_mirror=garr"
tar xfz swatch-3.2.3.tar.gz 
cd swatch-3.2.3
cpan -i Date::Format File::Tail
cpan -i Date::Manip Date::Calc
cpan -i Test::Inter Test::Pod Test::Pod::Coverage Module::Build
cp /root/.cpan/sources/authors/id/S/SB/SBECK/Date-Manip-* .
tar xfz Date-Manip-*.tar.gz
cd Date-Manip-*
perl Build.PL 
./Build install
cd ..
perl Makefile.PL
make install

– configure swatch

vi /server/swatch.conf
# Swatch configuration file for Linux box
# Last Modified 7 April, 2000
# Lance Spitzner
# swatch -c /etc/swatchrc -t /var/log/messages
### Snort honeypot alerts from firewall
# watchfor /IDS/
# echo bold
# mail addressess=admin,subject=— Snort IDS Alert —
# exec echo $0 >> /var/log/IDS-scans
# throttle 01:00 use=IDS27



################# Watching for /var/log/secure

#Send Email to server root for every ssh login
watchfor /^(.+\]\:(.+password.+))$/
        exec "echo '$1' | mail root -s '[swatch][ssh]:\ $2' "
        echo=red
        bell 2

#Send Email to server root for every su session
watchfor /^(.*su\: pam_unix\(su-l\:session\):(.*))$/
        exec "echo '$1' | mail root -s '[swatch][su]:\ $2' "
        echo=red
        bell 2



######################## Watches /var/log/php.log  

#Send user www an email for PHP Warnings
watchfor   /^((\[[^\]]+\])(.*PHP Warning.*))$/
        echo=red
        exec "echo '$1' | mail www -s '[swatch][PHP]:WARNING' "
        throttle threshold=20,delay=0:1:0,key=$3
        bell 2


#Send www@example.com an email for PHP Errors
watchfor   /^(.+?(PHP[^:]+?error):.+)$/
        echo=red 
        exec "echo '$1' | mail www@example.com -s '[swatch][PHP]:\ $2' "
        bell 2




######################## Watches /server/log/nginx/error.log

#Send user www an email for authentication errors
watchfor   /^(.+(\/server\/secure\/accesslist|basic authentication).+)$/
        echo=yellow
        exec "echo '$1' | mail www -s '[swatch][NGINX]:401' "
        bell 2

#Send user www an email for access forbidden errors
watchfor   /^(.+(access forbidden).+)$/
        echo=yellow
        exec "echo '$1' | mail www -s '[swatch][NGINX]:403' "
        bell 2

#Send user root an email for php-fpm failure
watchfor   /^(.+?(php-fpm.sock failed).+)$/
        echo=red
        exec "echo '$1' | mail root -s '[swatch][NGINX]:\ $2' "
        bell 2

#Send user www an email for 404 errors
watchfor   /^(.* "([^"]+)" failed \(2: No such file or directory\).*)$/
        echo=yellow
        exec "echo '$1' | mail www -s '[swatch][NGINX]:404' "
        throttle threshold=20,delay=0:1:0,key=$2
        bell 2



#########################################################
#       EXAMPLES    #
#########################################################


#watchfor /PORTSCAN DETECTED/
# echo bold
# mail addresses=admin,subject=— Snort Port Scan Alert —
# exec echo $0 >> /var/log/IDS-scans

### DNS zone transfers
#watchfor /approved AXFR/
# echo bold
# mail addresses=admin,subject=— Zone transfer Alert —
# exec echo $0 >> /var/log/IDS-scans

### Bad login attempts
# watchfor   /failed/
#        echo bold
#        mail addressess=root,subject=Failed Authentication

### Some is sniffing!
# watchfor   /promiscuous/
#        echo bold
#        mail addressess=root,subject=Someone is sniffing the network!

### Ignore this stuff
# ignore   /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

### Kernel problems or system reboots
# watchfor   /(panic|halt|SunOS Release)/
#        echo bold
#        mail addresses=root,subject=System Panic,Halt, or Reboot!

# watchfor   /file system full/
#        echo bold
#        mail addresses=root,subject=File system Full
#        throttle 01:00

# watchfor   /su:/
#        echo bold
#        mail addresses=root,subject=Someone sued to root access

– run swatch as deamon

/usr/local/bin/swatch -c /server/swatch.conf  --daemon \
-t "/var/log/secure /var/log/php.log /server/log/nginx/error.log" \
&

– test the config by generating PHP error or logging into ssh again, a bell sound and error prompt should appear on your terminal.