Using Swatch for Automated Log Monitoring

Okay, you’ve painstakingly configured, tested, and fine-tuned your system logger to sort system messages by type and importance and then log them both to their respective files and to a central log server. You’ve also configured a log-rotation scheme that keeps as much old log data around as you think you’ll need.

But who’s got the time to actually read all those log messages?

swatch (the “Simple WATCHer”) does. swatch, a free log-monitoring utility written 100% in Perl, monitors logs as they’re being written and takes action when it finds something you’ve told it to look out for. Swatch does for logs what tripwire does for system-file integrity.

Installing Swatch

There are two ways to install swatch. First, of course, is via whatever binary package of swatch your Linux distribution of choice provides. (I use the term loosely here; “executable package” is more precise.) The current version of Mandrake has an RPM package of swatch, but none of the other most popular distributions (i.e., Red Hat, SuSE, Slackware, or Debian) appear to.

This is just as well, though, since the second way to install swatch is quite interesting. swatch’s source distribution, available from, includes a sophisticated script called Makefile.PL that automatically checks for all necessary Perl modules (see Should We Let Perl Download and Install Its Own Modules? later in this chapter) and uses Perl 5’s CPAN functionality to download ...

Get Building Secure Servers with Linux now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.