Using Swatch for Automated Log Monitoring
Okay, you’ve painstakingly configured, tested, and fine-tuned your system logger to sort system messages by type and importance and then log them both to their respective files and to a central log server. You’ve also configured a log-rotation scheme that keeps as much old log data around as you think you’ll need.
But who’s got the time to actually read all those log messages?
swatch (the “Simple
swatch, a free log-monitoring utility written 100% in Perl, monitors logs as they’re being written and takes action when it finds something you’ve told it to look out for. Swatch does for logs what tripwire does for system-file integrity.
There are two ways to install swatch. First, of course, is via whatever binary package of swatch your Linux distribution of choice provides. (I use the term loosely here; “executable package” is more precise.) The current version of Mandrake has an RPM package of swatch, but none of the other most popular distributions (i.e., Red Hat, SuSE, Slackware, or Debian) appear to. This is just as well, though, since the second way to install swatch is quite interesting.
swatch’s source distribution, available from http://www.stanford.edu/~atkins/swatch, includes a sophisticated script called Makefile.PL that automatically checks for all necessary Perl modules (see Should We Let Perl Download and Install Its Own Modules? later in this chapter) and uses Perl 5’s CPAN functionality to download ...