swatch is a Linux tool that watches log files (it uses "tail -f") and then daemonizes itself.
I had a need to know when a host needed rebooting after yum-cron had updated the kernel. Rather than logging into each host, I decided I could make use of "swatch": in my case it watches the "yum.log" file for the string "Installed: kernel", and if the string appears in the log it sends an email out.
I have not found a way for a single daemon instance to watch more than a single log file. There are some examples online showing this configuration, but when I tested it, it only ever worked on a single file being watched. After further reading and research this is the expected behavior.
Installing swatch, configuring start-up to watch a single log source
- First install it
yum install swatch
- Next create a swatch directory
mkdir -p /etc/swatch
- Create a "swatch" conf file for what you want to monitor (in the /etc/swatch directory created above)
vi /etc/swatch/swatch-yum.conf
watchfor /Installed: kernel/
echo bold
mail=root@localhost, subject="New kernel has been installed - reboot required"
- Now create a ".swatchrc" file in "/root"
touch /root/.swatchrc
- You can now test the configuration, you might want to change it to something that is easy to test and validate, ssh logins or something.
swatch --config-file=/etc/swatch/swatch-yum.conf --tail-file=/var/log/yum.log --daemon
- Check it started
ps -ef | grep swatch
root 1187 1 0 12:59 ? 00:00:00 /usr/bin/swatch --config-file=/etc/swatch/swatch-yum.conf --tail-file=/var/log/yum.log --pid-file=/var/run/sw
- Ok, so we know it works. Go ahead and kill it to stop it, as we need to create a custom unit file (service) so it can start at boot.
kill -15 1187
- Because this is systemd you do not need to touch init scripts or anything, but you do need to create a custom unit file. cd to "/etc/systemd/system"
- Next, create your unit file using an editor
vi swatch.service
[Unit]
Description=Swatch Log Monitoring Daemon
After=syslog.target network.target auditd.service sshd.service
[Service]
ExecStart=/usr/bin/swatch --config-file=/etc/swatch/swatch-yum.conf --tail-file=/var/log/yum.log --pid-file=/var/run/swatch.pid --daemon
# systemd does not run ExecStop through a shell, so $(cat ...) would not expand;
# $MAINPID is filled in by systemd from PIDFile= below.
ExecStop=/usr/bin/kill -s KILL $MAINPID
Type=forking
PIDFile=/var/run/swatch.pid
[Install]
WantedBy=multi-user.target
- Create the PID file named in the unit
touch /var/run/swatch.pid
- Now reload systemd, then start and enable the service and check its status.
systemctl daemon-reload
systemctl start swatch.service
systemctl enable swatch.service
systemctl status swatch.service
If it doesn't work, try rebooting.
- If all has gone well it should look like this
systemctl status swatch.service
● swatch.service - Swatch Log Monitoring Daemon
Loaded: loaded (/etc/systemd/system/swatch.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-10-11 12:59:05 CDT; 39min ago
Main PID: 1187 (/usr/bin/swatch)
CGroup: /system.slice/swatch.service
├─1187 /usr/bin/swatch --config-file=/etc/swatch/swatch-yum.conf --tail-file=/var/log/yum.log --pid-file=/var/run/sw
└─1188 /usr/bin/tail -n 0 -F /var/log/yum.log
Oct 11 12:59:03 rhel7-.local systemd[1]: Starting Swatch Log Monitoring Daemon…
Oct 11 12:59:05 rhel7-.local systemd[1]: Started Swatch Log Monitoring Daemon.
Configuring swatch to monitor more than a single log file source
This is much the same as the above, but I split things up a little to make it easier to manage. I've assumed you've done the initial install; also note that the file paths have changed in the service start-up files to reflect having to run more than a single instance of swatch.
- Create your swatch.conf files. In this case I'm going to watch /var/log/yum.log for kernel updates and /var/log/secure for invalid user and failed password attempts.
vi /etc/swatch/swatch-yum.conf
watchfor /Installed: kernel/
echo bold
mail=root@localhost, subject="New kernel has been installed - reboot required"
vi /etc/swatch/swatch-secure.conf
watchfor /Invalid user/
echo bold
mail=root@localhost, subject="Invalid user"
watchfor /Failed password/
echo bold
mail=root@localhost, subject="Failed password"
- Next you need to create two custom unit files (services), one for each file we want to monitor. Note that we now need two separate PID files, one per instance.
vi swatch-yum.service
[Unit]
Description=Swatch Log Monitoring Daemon
After=syslog.target network.target auditd.service sshd.service
[Service]
ExecStart=/usr/bin/swatch --config-file=/etc/swatch/swatch-yum.conf --tail-file=/var/log/yum.log --pid-file=/var/run/swatch-yum.pid --daemon
# systemd does not run ExecStop through a shell; $MAINPID comes from PIDFile= below.
ExecStop=/usr/bin/kill -s KILL $MAINPID
Type=forking
PIDFile=/var/run/swatch-yum.pid
[Install]
WantedBy=multi-user.target
And..
vi swatch-secure.service
[Unit]
Description=Swatch Log Monitoring Daemon
After=syslog.target network.target auditd.service sshd.service
[Service]
# This instance tails /var/log/secure, not yum.log
ExecStart=/usr/bin/swatch --config-file=/etc/swatch/swatch-secure.conf --tail-file=/var/log/secure --pid-file=/var/run/swatch-secure.pid --daemon
# systemd does not run ExecStop through a shell; $MAINPID comes from PIDFile= below.
ExecStop=/usr/bin/kill -s KILL $MAINPID
Type=forking
PIDFile=/var/run/swatch-secure.pid
[Install]
WantedBy=multi-user.target
- Now reload systemd, then start and enable each service and check its status.
systemctl daemon-reload
systemctl start swatch-yum
systemctl enable swatch-yum
systemctl start swatch-secure
systemctl enable swatch-secure
You can test it by echoing the watch text to the log
echo Failed password >> /var/log/secure
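Before enabling the units, the watchfor regexes can be dry-run against sample lines. The script below is an added example, not part of the original post or of swatch itself: it runs the same regexes with grep over constructed yum.log and secure lines (placeholder package versions, documentation IP addresses), so you can check what each pattern fires on without appending test text to a live log.

```shell
#!/bin/sh
# Dry run for the watchfor patterns in swatch-yum.conf and swatch-secure.conf.
# swatch applies each /regex/ to every new log line, so the same regexes are
# run here with grep over constructed sample lines; this confirms a pattern
# fires on the lines you expect, and stays quiet on the rest, without
# appending fake entries to the live /var/log/secure.
set -u

# Sample lines in /var/log/yum.log format (constructed; version strings are
# placeholders, not taken from a real host).
YUM_SAMPLE='Oct 11 12:58:40 Installed: kernel-3.10.0-693.5.2.el7.x86_64
Oct 11 12:58:41 Updated: kernel-tools-3.10.0-693.5.2.el7.x86_64
Oct 11 12:58:42 Installed: kernel-devel-3.10.0-693.5.2.el7.x86_64'

# Sample lines in /var/log/secure format (constructed; 192.0.2.0/24 is a
# documentation range). Note the lowercase "invalid user" on the second line:
# swatch regexes are case-sensitive, so /Invalid user/ does not double-fire.
SECURE_SAMPLE='Oct 11 13:01:02 rhel7 sshd[2201]: Invalid user admin from 192.0.2.10 port 51022
Oct 11 13:01:04 rhel7 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Oct 11 13:02:10 rhel7 sshd[2210]: Accepted publickey for ops from 192.0.2.20 port 51100 ssh2'

# count_hits REGEX SAMPLE: how many lines the watchfor regex would trigger on.
# grep -c exits 1 when nothing matches; the count is still printed and the
# function succeeds either way.
count_hits() {
    printf '%s\n' "$2" | grep -E -c -- "$1" || true
}

# hits REGEX SAMPLE: the matching lines themselves, i.e. what swatch would
# echo (and mail) for that watchfor block.
hits() {
    printf '%s\n' "$2" | grep -E -- "$1" || true
}

# Report for the yum patterns. /Installed: kernel/ as written in
# swatch-yum.conf also fires on kernel-devel; anchoring the version digits
# (/Installed: kernel-[0-9]/) restricts the mail to the kernel package itself.
for pattern in 'Installed: kernel' 'Installed: kernel-[0-9]'; do
    printf '== /%s/ matches %s line(s)\n' "$pattern" "$(count_hits "$pattern" "$YUM_SAMPLE")"
    hits "$pattern" "$YUM_SAMPLE"
done

# Report for the sshd patterns from swatch-secure.conf.
for pattern in 'Invalid user' 'Failed password'; do
    printf '== /%s/ matches %s line(s)\n' "$pattern" "$(count_hits "$pattern" "$SECURE_SAMPLE")"
    hits "$pattern" "$SECURE_SAMPLE"
done
```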