2012-01-01

Realtime monitoring of syslog messages

Swatch is a Perl script that continuously monitors log files and acts on patterns that show up in them.
Based on some previous work, I wrote some scripts to use it as a daemon.

The following packages are needed from the EPEL repositories:
swatch-3.2.3-2.el5.noarch.rpm
perl-Mail-Sendmail-0.79-9.el5.1.noarch.rpm

These come from the base repositories:
perl-DateManip
perl-Date-Calc
perl-TimeDate

Here is /etc/init.d/swatch:

#!/bin/sh
#
# swatch: watch system log
#
# chkconfig: 345 10 99
# description: The Simple WATCHer is an automated monitoring tool \
# that is capable of alerting system administrators \
# of anything that matches the patterns described \
# in the configuration file, whilst constantly searching \
# logfiles using perl.
#
# processname: swatch
# config: /etc/sysconfig/swatch/swatch
# pidfile: /var/run/swatch.pid

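CHECK_LOG="undefined_logfile"
SWATCH_CONF="undefined_conf"
SWATCH_BIN="/usr/bin/swatch"
SWATCH_PID_FILE="/var/run/swatch.pid"
SWATCH_SCRIPTDIR="/var/run"
SWATCH_LOG="/var/log/swatch"

. /etc/rc.d/init.d/functions

# The sysconfig file is sourced as shell and may override any variable above,
# so it must stay root-owned and not writable by anyone else: whatever it
# contains runs with this script's privileges.
if [ -f /etc/sysconfig/swatch/swatch ]; then
        . /etc/sysconfig/swatch/swatch
else
        echo "/etc/sysconfig/swatch/swatch does not exist." >&2
        # Exit 0 rather than an error so an unconfigured host does not show a
        # failed service during boot (the checks below follow the same rule).
        exit 0
fi

# Every path below can come from the sysconfig file, so it is quoted: an
# unquoted value containing whitespace would split into several test operands.
if [ ! -x "${SWATCH_BIN}" ]; then
        echo "File ${SWATCH_BIN} not installed!" >&2
        exit 0
fi

if [ ! -f "${SWATCH_CONF}" ]; then
        echo "File ${SWATCH_CONF} does not exist." >&2
        exit 0
fi

# CHECK_LOG defaults to a placeholder; without this check swatch would be
# started against a log that is not there.
if [ ! -f "${CHECK_LOG}" ]; then
        echo "Log file ${CHECK_LOG} does not exist." >&2
        exit 0
fi

prog=swatch
RETVAL=0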

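start() {
        echo -n $"Starting $prog: "
        # The command line is handed to daemon() as a single string that a
        # shell re-evaluates (that is what makes the >> redirection work), so
        # each path is quoted inside the string and survives whitespace in the
        # sysconfig values. Only stdout is appended to SWATCH_LOG; swatch's
        # stderr goes wherever daemon() leaves it. swatch writes the Perl it
        # generates into --script-dir and runs it from there, so that directory
        # must not be writable by other users (/var/run by default is fine).
        daemon "\"$SWATCH_BIN\" --daemon -c \"$SWATCH_CONF\" -t \"$CHECK_LOG\" --pid-file=\"$SWATCH_PID_FILE\" --script-dir=\"$SWATCH_SCRIPTDIR\" >>\"$SWATCH_LOG\""
        RETVAL=$?
        # NOTE(review): daemon() from the RHEL functions file prints its own
        # [ OK ]/[FAILED] marker; if the marker shows up twice on the console,
        # drop the success/failure calls below and keep only the echo.
        if [ "$RETVAL" = 0 ]; then
                success
        else
                failure
        fi
        echo
        return $RETVAL
}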

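stop() {
        echo -n $"Stopping $prog: "
        # Name the pid file explicitly: by default killproc looks for
        # /var/run/<basename>.pid, which stops matching as soon as
        # SWATCH_PID_FILE is overridden in the sysconfig file.
        killproc -p "$SWATCH_PID_FILE" "$SWATCH_BIN"
        RETVAL=$?
        # NOTE(review): killproc prints its own [ OK ]/[FAILED] marker too;
        # remove success/failure here if the line shows the marker twice.
        if [ "$RETVAL" = 0 ]; then
                success
        else
                failure
        fi
        echo
        return $RETVAL
}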

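case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        status)
                # Use the same pid file as start/stop so status agrees with
                # them even when SWATCH_PID_FILE is overridden in the
                # sysconfig file.
                status -p "$SWATCH_PID_FILE" "$prog"
                RETVAL=$?
                ;;
        restart)
                # The exit status reflects start only; a failed stop is
                # reported on the console by stop() but not returned here.
                stop
                start
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|status|restart}" >&2
                exit 1
                ;;
esac

exit $RETVAL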

The config files:
Where to watch: /etc/sysconfig/swatch/swatch

# Sourced by /etc/init.d/swatch as shell; values set here replace the
# script's built-in defaults.

# Log file swatch tails (passed as its -t argument).
CHECK_LOG='/var/log/messages'

# Rule file with the patterns and actions (passed as its -c argument).
SWATCH_CONF='/etc/sysconfig/swatch/swatchrc'

What to watch: /etc/sysconfig/swatch/swatchrc

# swatch config
# Each watchfor block pairs a regular expression with the actions swatch runs
# when a line of the watched log matches it. Here the only action is mail.
# The backslash before @ in the address is presumably needed because swatch
# interpolates the line as Perl; keep it when filling in a real address.
watchfor   /regex_to_watch/
        mail addresses=user\@domain,subject=swatch_alert

And the logrotate configuration: /etc/logrotate.d/swatch

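# Rotates swatch's own output, the >> target used by /etc/init.d/swatch.
/var/log/swatch {
    # Do not report an error if swatch has not written anything yet.
    missingok
    # Recreate the file with a known owner and mode before swatch is
    # restarted, instead of whatever the restart's umask would produce.
    create 0640 root root
    # The running swatch still holds the renamed file open; the restart makes
    # it reopen the new one. Output is discarded and '|| true' keeps a noisy
    # restart from making logrotate treat the rotation as failed.
    postrotate
        /etc/init.d/swatch restart 2> /dev/null > /dev/null || true
    endscript
}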
