Linux swatch Command with Practical Examples


Introduction

In this lab, you will learn how to use the swatch command, a powerful tool for monitoring log files and setting up custom alerts in Linux. The lab covers understanding the swatch command, monitoring log files with swatch, and configuring swatch for specific alerts.

The swatch (System Wide Analyzer and Tracker) command is used to monitor system log files and trigger actions based on specific patterns or events. It can be configured to watch for specific log entries and perform various actions, such as sending notifications, executing scripts, or forwarding the log entries to other systems. The lab starts by installing the swatch package, which may require additional dependencies. The lab then guides you through creating a simple configuration file to watch for the word "error" in the log files and execute a command when a match is found.


Understand the swatch Command

In this step, you will learn about the swatch command, a powerful tool for monitoring log files and setting up custom alerts in Linux.

The swatch (System Wide Analyzer and Tracker) command is used to monitor system log files and trigger actions based on specific patterns or events. It can be configured to watch for specific log entries and perform various actions, such as sending notifications, executing scripts, or forwarding the log entries to other systems.

Let's start by installing the swatch package:

sudo apt-get update
sudo apt-get install -y swatch

Example output:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libconfig-inifiles-perl libconfig-tiny-perl libfile-tail-perl libio-socket-ssl-perl libnet-dns-perl libnet-ip-perl libnet-ssleay-perl libsys-syslog-perl
Suggested packages:
  libconfig-auto-perl
The following NEW packages will be installed:
  libconfig-inifiles-perl libconfig-tiny-perl libfile-tail-perl libio-socket-ssl-perl libnet-dns-perl libnet-ip-perl libnet-ssleay-perl libsys-syslog-perl swatch
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 223 kB of archives.
After this operation, 1,031 kB of additional disk space will be used.
Do you want to continue? [Y/n]

The swatch command reads log files and checks each line for patterns specified in a configuration file. When a match is found, swatch can perform various actions, such as sending an email, executing a script, or logging the event.

To understand the basic usage of swatch, let's create a simple configuration file:

nano ~/project/swatch.config

Add the following content to the file:

## swatch.config
watchfor /error/
    exec "echo Error found: $0"

This configuration file tells swatch to watch for the word "error" (the text between the slashes is a case-sensitive regular expression, so a line containing "Error" would not match) and, when a line matches, run the echo command to print a message. Actions are listed on indented lines below the watchfor line; in an exec action, $0 is replaced by the whole matching log line.

Now, let's run swatch to monitor the system log file:

swatch --config-file ~/project/swatch.config --tail-file /var/log/syslog

The --tail-file option tells swatch which file to monitor continuously and watch for new entries.

Example output:

Error found: Apr 12 10:15:32 ubuntu sshd[1234]: error: could not open log file

In this example, swatch detected the word "error" in the /var/log/syslog file and executed the configured action to print a message.
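To make the matching rules concrete, here is a small Python model of the part of swatch's behaviour this lab relies on. It is an added illustration written for this page, not swatch's own code: it reads a watchfor/exec configuration in the same shape as swatch.config, applies each rule to a few constructed syslog-style lines, and shows what the exec action would run once $0 (the whole line) and $N (the Nth whitespace-separated field, assumed 1-based as in awk) have been substituted. The second rule and all log lines are constructed for the example; the sshd "Accepted" format is the real OpenSSH wording. One design point worth noticing: the example splits the command template before substituting, so the log line becomes a single argument and is never re-parsed by a shell, whereas swatch expands the line into a command string that the shell then parses. Since log content can be influenced by whoever produced the log entry, keep exec rules simple and prefer handing $0 to a script as an argument.

```python
"""swatch-style rule evaluation: an added example, not swatch's own code."""
import re
import shlex
import subprocess

# Constructed configuration in the same shape as this lab's swatch.config.
# The second rule is added here to show field substitution ($9, $11).
SAMPLE_CONFIG = """
# swatch.config
watchfor /error/
    exec "echo Error found: $0"

watchfor /sshd\\[\\d+\\]: Accepted/
    exec "echo Login by $9 from $11"
"""

# Constructed syslog-style lines (not captured from a real host).
SAMPLE_LOG = [
    "Apr 12 10:15:32 ubuntu sshd[1234]: error: could not open log file",
    "Apr 12 10:15:40 ubuntu kernel: Error: disk quota exceeded",
    "Apr 12 10:16:01 ubuntu sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 50210 ssh2",
]


def parse_config(text):
    """Return [(compiled regex, [action lines])] from swatch-style text.

    Only `watchfor /regex/` (optionally /regex/i) and the `echo` and `exec`
    actions are understood; that is the subset this lab uses."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"watchfor\s+/(.*)/(i?)", line)
        if m:
            flags = re.IGNORECASE if m.group(2) == "i" else 0
            rules.append((re.compile(m.group(1), flags), []))
        elif rules:
            rules[-1][1].append(line)
        else:
            raise ValueError(f"action before any watchfor: {raw!r}")
    return rules


def substitute(template, line):
    """Expand $0 / $* to the whole line and $N to the Nth whitespace field
    (1-based, as in awk; assumed to match swatch's exec semantics)."""
    fields = line.split()

    def repl(m):
        key = m.group(1)
        if key in ("0", "*"):
            return line
        n = int(key)
        return fields[n - 1] if 1 <= n <= len(fields) else ""

    return re.sub(r"\$(\*|\d+)", repl, template)


def plan_actions(rules, line):
    """Return the argv lists that would run for one log line (dry run)."""
    planned = []
    for regex, actions in rules:
        if not regex.search(line):
            continue
        for action in actions:
            if action == "echo":
                planned.append(["echo", line])      # swatch's echo prints the matched line
            elif action.startswith("exec "):
                cmd = action[5:].strip()
                if len(cmd) >= 2 and cmd[0] == cmd[-1] == '"':
                    cmd = cmd[1:-1]
                # Split the template first, then substitute: the log line becomes
                # exactly one argv element and is never re-parsed by a shell.
                planned.append([substitute(tok, line) for tok in shlex.split(cmd)])
            else:
                raise ValueError(f"unsupported action in this example: {action}")
    return planned


def evaluate(config_text, log_lines):
    """Pair every log line with the actions it would trigger."""
    rules = parse_config(config_text)
    return [(line, plan_actions(rules, line)) for line in log_lines]


def run(argv):
    """Actually execute one planned action and return its output."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.rstrip("\n")


if __name__ == "__main__":
    for line, actions in evaluate(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"{line[:40]!r:45} -> {len(actions)} action(s)")
        for argv in actions:
            print("  ", run(argv))
```

Running the block prints one "Error found: ..." line for the first log entry, nothing for the second (capital "Error" does not match /error/; a /error/i rule would), and "Login by alice from 192.0.2.10" for the third.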

The swatch command provides a wide range of options and configuration settings to customize the monitoring and alert behavior. In the next steps, you will learn how to configure swatch for more advanced use cases.

Monitor Log Files with swatch

In this step, you will learn how to use swatch to monitor specific log files and set up custom alerts.

First, let's create a sample log file that we can use for monitoring:

touch ~/project/sample.log

Now, let's update the swatch configuration file to monitor the sample log file:

nano ~/project/swatch.config

Add the following content to the file:

## swatch.config
watchfor /error/
    exec "echo Error found in sample.log: $0"

This configuration tells swatch to look for the word "error"; the file to watch, ~/project/sample.log, is not part of the configuration and is given on the command line instead. When an error is detected, swatch will execute the echo command to print a message containing the matching line ($0).

To start monitoring the log file, run the following command:

swatch --config-file ~/project/swatch.config --tail-file ~/project/sample.log

The --tail-file option tells swatch which file to monitor continuously and watch for new entries.

Now, let's simulate an error in the log file:

echo "This is an error message" >> ~/project/sample.log

You should see the following output in the swatch terminal:

Error found in sample.log: This is an error message

Swatch has detected the "error" keyword in the log file and executed the configured action.

You can customize the swatch configuration to monitor different log files, watch for specific patterns, and perform various actions, such as sending email notifications, executing scripts, or forwarding log entries to other systems.

Configure swatch for Specific Alerts

In this step, you will learn how to configure swatch to monitor specific log entries and set up custom alerts.

Let's start by creating a new configuration file for swatch:

nano ~/project/swatch_alerts.config

Add the following content to the file:

## swatch_alerts.config
watchfor /failed login/
    exec "/home/labex/project/alert_script.sh"

watchfor /CRON/
    exec "/home/labex/project/cron_alert.sh"

In this configuration:

  • The first rule watches for the phrase "failed login" and executes the alert_script.sh script when a match is found; it is intended for /var/log/auth.log.
  • The second rule watches for the word "CRON" and executes the cron_alert.sh script when a match is found; it is intended for /var/log/syslog.

The file a rule is applied to is not part of the configuration: swatch reads the file named on its command line with --tail-file, so the two log files are monitored by two swatch processes that share this configuration file.

Now, let's create the alert scripts:

nano ~/project/alert_script.sh

Add the following content to the file:

#!/bin/bash
echo "Security alert: Failed login attempt detected!" | mail -s "Security Alert" [email protected]

This script sends an email to the [email protected] address when a failed login attempt is detected.

nano ~/project/cron_alert.sh

Add the following content to the file:

#!/bin/bash
echo "Cron alert: Cron job executed" | mail -s "Cron Alert" [email protected]

This script sends an email to the [email protected] address when a cron job is executed.

Make the scripts executable:

chmod +x ~/project/alert_script.sh ~/project/cron_alert.sh

Now, start swatch to monitor the log files and trigger the configured alerts:

swatch --config-file ~/project/swatch_alerts.config --tail-file /var/log/auth.log &
swatch --config-file ~/project/swatch_alerts.config --tail-file /var/log/syslog

The --tail-file option tells swatch to continuously monitor a single log file and watch for new entries, so one swatch process is started per file (the first one in the background).

To test the alerts, you can simulate a failed login attempt or trigger a cron job. Swatch will detect the events and execute the corresponding alert scripts.
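The rules above run their script for every matching line, which on a host exposed to password-guessing means one mail per failed attempt. As an added example for this page (not swatch code and not part of the lab), the Python block below shows the decision logic a practitioner usually wants instead: alert only when several failures share the same source address within a short window. swatch has a threshold action for this purpose (see swatch(1) for its exact syntax); the block approximates its idea with count, seconds and a track_by key. The auth.log lines are constructed, but they use OpenSSH's real wording, "Failed password for ...", which a rule for the literal phrase "failed login" would not match. The year added to the timestamps is an assumption, since syslog timestamps carry none.

```python
"""Threshold-based alert decision over auth.log-style lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log lines, not from a real host.
SAMPLE_AUTH_LOG = [
    "Apr 12 10:15:01 ubuntu sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Apr 12 10:15:03 ubuntu sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2",
    "Apr 12 10:15:04 ubuntu sshd[2003]: Failed password for root from 203.0.113.5 port 40126 ssh2",
    "Apr 12 10:15:10 ubuntu sshd[2004]: Accepted publickey for alice from 192.0.2.10 port 50210 ssh2",
    "Apr 12 10:15:12 ubuntu sshd[2005]: Failed password for bob from 192.0.2.10 port 50212 ssh2",
    "Apr 12 10:25:30 ubuntu sshd[2010]: Failed password for root from 203.0.113.5 port 40200 ssh2",
]

# OpenSSH's wording for a rejected password; captures timestamp, user and source.
FAILED_PASSWORD = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(text):
    """syslog timestamps carry no year; a fixed one is assumed for this data."""
    return datetime.strptime("2024 " + text, "%Y %b %d %H:%M:%S")


class ThresholdRule:
    """Alert only when `count` matches share one key within `seconds`.

    Mirrors the idea of swatch's threshold action (track_by / count / seconds);
    that action's syntax and exact behaviour are swatch's own, see swatch(1)."""

    def __init__(self, regex, count, seconds, track_by="src"):
        self.regex, self.count, self.seconds, self.track_by = regex, count, seconds, track_by
        self.hits = defaultdict(deque)       # key -> timestamps still inside the window

    def feed(self, line):
        """Return an alert message for this line, or None."""
        m = self.regex.search(line)
        if not m:
            return None
        key = m.group(self.track_by)
        now = parse_ts(m.group("ts"))
        window = self.hits[key]
        window.append(now)
        while (now - window[0]).total_seconds() > self.seconds:
            window.popleft()                 # drop matches that fell out of the window
        if len(window) < self.count:
            return None
        n = len(window)
        window.clear()                       # next alert needs `count` fresh matches
        return (f"{n} failed password attempts from {key} within "
                f"{self.seconds}s (last user {m.group('user')})")


def review(lines, rule):
    """Run every line through the rule; return the alerts that would fire."""
    return [a for a in (rule.feed(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in review(SAMPLE_AUTH_LOG, ThresholdRule(FAILED_PASSWORD, count=3, seconds=60)):
        print(alert)      # constructed data: one alert, for 203.0.113.5
```

With count=3 and a 60-second window the sample produces a single alert for 203.0.113.5; the lone failure from 192.0.2.10 and the isolated attempt ten minutes later stay quiet, whereas a per-line rule would have sent five mails.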

Summary

In this lab, you learned about the swatch command, a powerful tool for monitoring log files and setting up custom alerts in Linux. You started by installing the swatch package and then created a simple configuration file to watch for the word "error" in the log files and execute a command when a match is found. You also learned how to monitor log files with swatch and configure it for specific alerts, such as sending notifications or executing scripts based on log events.
