Use Swatch for Linux Log Analysis

Source: Internet
Author: User

Swatch can be understood literally as "Watcher" (guardian). Other log analysis software scans log files at regular intervals and reports system problems or status to you. Swatch can do this too, but it can also actively scan log files and act on specific log messages, much as the Syslogd daemon does.

I. Preparations

1. Download and decompress the latest Swatch software package. Obtain the package from the official Swatch website so that you get a reliable copy.

Download URL: http://sourceforge.net/projects/swatch/

1) Create a directory for storing the Swatch software package.

# mkdir -p /usr/local/src/log

2) Decompress the source code package; a new directory named swatch-3.1.1 will be created under the log directory.

# tar zpxf swatch-3.1.1.tar.gz

II. Installation

# cd swatch-3.1.1
# perl Makefile.PL
# make
# make test
# make install
# make realclean

After Swatch is successfully installed, the program runs by way of its Perl modules.

III. Configuration

Swatch uses regular expressions to find the log lines you are interested in. As soon as Swatch finds a line that matches a preset pattern, it takes action, such as printing to the screen, sending an e-mail, or running a user-defined action.

watchfor /[dD]enied|DEN.*ED/
    echo bold
    bell 3
    mail
    exec "/etc/call_pager 5551234 08"

The script above is an example of a Swatch configuration file. Swatch searches the specified log file for lines that contain "denied" or "Denied", or text that begins with DEN and ends with ED. Once a line is found to contain any of these three search terms, Swatch immediately displays the line in bold on the terminal and rings the bell three times, then e-mails the line that raised the alert to the user running the swatch program (usually the root user) and executes the /etc/call_pager program.

Ignore sendmail, fax, and unimportant stuff: in this example, lines containing the search strings sendmail, fax, and unimportant stuff are ignored, even if they match one of the predefined search strings.
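The rule order described above can be dry-run against sample lines before the configuration goes live. The following is an added example, not part of the original article or the Swatch project: it approximates the ignore and watchfor patterns with grep -E, assumes the ignore rule is evaluated first, and uses constructed log lines.

```shell
#!/bin/sh
# Added example: dry-run of the rule order described above, using grep -E.
# Patterns are taken from the article; the ignore-first order is an assumption.

IGNORE_RE='sendmail|fax|unimportant stuff'
WATCH_RE='[dD]enied|DEN.*ED'

# classify LINE: prints "ignored", "alert" or "pass" for one log line
classify() {
    if printf '%s\n' "$1" | grep -Eq "$IGNORE_RE"; then
        echo ignored    # suppressed even when the watchfor pattern also matches
    elif printf '%s\n' "$1" | grep -Eq "$WATCH_RE"; then
        echo alert      # where echo bold, bell 3, mail and exec would run
    else
        echo pass
    fi
}

# count_alerts: reads log lines on stdin, prints how many would alert
count_alerts() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify "$line")" = alert ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample lines, not real log data
SAMPLE='Mar  3 10:01:12 host sshd[812]: Permission denied for user bob
Mar  3 10:01:15 host ftpd[901]: ACCESS DENIED from 192.0.2.10
Mar  3 10:02:40 host sendmail[455]: relaying denied for <x@example.com>
Mar  3 10:03:05 host su[990]: authentication failure for alice
Mar  3 10:04:18 host kernel: DENY rule hit on eth0
Mar  3 10:05:00 host app[77]: GARDEN sensor job QUEUED'

# Show the verdict next to each sample line
printf '%s\n' "$SAMPLE" | while IFS= read -r l; do
    printf '%-8s %s\n' "$(classify "$l")" "$l"
done
```

The GARDEN/QUEUED line raises an alert because DEN.*ED is unanchored and matches any line with DEN followed later by ED; the DENY line does not, because the pattern is case-sensitive and needs a trailing ED.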

IV. Use

Swatch is very easy to use. For example, to check a log file with Swatch, run:

swatch --config-file=/home/zhaoke/swatch.conf --examine=/var/log/messages

In the preceding example, the absolute path of the configuration file is /home/zhaoke/swatch.conf, and the log file to be checked is /var/log/messages.

To have swatch monitor a log file that is continually being appended to:

swatch --config-file=/home/zhaoke/swatch.conf --tail-file=/var/log/messages
