swatch
Functionality
UNIX logs watcher and filter engine
Requirements
Most versions of UNIX should work fine. Perl 4.x or later is required.
Tested on Solaris 2.5.
Documentation
README and man pages
Installation Details
Destination directories for the install must already exist (including man8
and man5).
Evaluation Notes
- always read the man pages. Fields in .swatchrc __must__ be tab-separated
- multiple files can be watched using multiple swatch processes and/or
multiple config files
- essentially sleeps until a new line is written to the log file, so there
is not much overhead
- makes most sense if there is a single LOGHOST to which all the important
logs are sent. It does not perform correlation, but can be used to alert on
possible problems; any correlation must be performed manually
- is extremely effective if enhanced versions of login, backfinger and
some other utilities are also available
- can also be used to detect sensitive conditions on multiple machines
and send them by email -- I prefer a single loghost
Features
- simple pattern matcher for system logs
- each swatch process watches one file
- multiple swatch processes can watch multiple files
- no correlation
- most useful when single loghost machine exists
- can send mail, run scripts or write output as actions
- I did some simple detection on my own machine
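To make the evaluation notes and the feature list concrete, here is an added example, written for this review and not taken from swatch itself, of the kind of engine the tool implements: a tab-separated rule file of /regex/ patterns with an action list, applied to log lines as they would arrive, with the actions reported as a dry run. The rule-file syntax is constructed to match what the notes describe (pattern, TAB, comma-separated actions); the action names (echo, bell, mail=, exec=) and the first-match-wins behaviour are assumptions about the real program's semantics, not quotes from its man page, and the log lines are made up. The last rule deliberately uses a space instead of a tab, to show why the notes insist on tabs, and the tally at the end is the manual correlation step the tool itself does not do.

```python
"""Swatch-style log watcher: a tab-separated rule file, one regex per line,
matched against syslog lines, with actions reported as a dry run."""
import re
from dataclasses import dataclass

# Constructed rule file in the format the review describes (pattern, TAB,
# comma-separated action list). The action names are an assumption about
# the swatch syntax, not taken from its man page; the last line is
# deliberately wrong (a space where a TAB is required).
SWATCHRC = (
    "# comment lines and blank lines are ignored\n"
    "/authentication failure|Failed password/\techo,mail=root\n"
    "/file system full/\techo,bell\n"
    "/su: .*failed/\techo,exec=/usr/local/sbin/page-admin\n"
    "/refused connect/ echo\n"
)

# Constructed syslog lines (host names, PIDs and user names are made up).
SYSLOG = [
    "Jul 14 03:12:07 loghost su: 'su root' failed for jsb on /dev/pts/2",
    "Jul 14 03:12:09 loghost login[2311]: authentication failure; user jsb",
    "Jul 14 03:15:41 loghost ufs: NOTICE: alloc: /var: file system full",
    "Jul 14 03:16:02 loghost in.fingerd[2400]: connect from 10.0.0.7",
    "Jul 14 03:16:30 loghost su: 'su root' failed for jsb on /dev/pts/2",
]


@dataclass
class Rule:
    pattern: re.Pattern
    actions: list


def parse_swatchrc(text):
    """Parse rule lines. Returns (rules, errors); errors are (lineno, reason)
    so a space-separated line is reported instead of never matching."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            errors.append((lineno, "fields must be TAB separated"))
            continue
        pat = fields[0]
        if len(pat) < 2 or not (pat.startswith("/") and pat.endswith("/")):
            errors.append((lineno, "pattern must be written as /regex/"))
            continue
        try:
            compiled = re.compile(pat[1:-1])
        except re.error as exc:
            errors.append((lineno, f"bad regex: {exc}"))
            continue
        rules.append(Rule(compiled, fields[1].split(",")))
    return rules, errors


def watch(lines, rules):
    """Match each log line against the rules in file order; the first rule
    that matches claims the line (assumed semantics). Returns (line, rule)."""
    hits = []
    for line in lines:
        for rule in rules:
            if rule.pattern.search(line):
                hits.append((line, rule))
                break
    return hits


def plan_actions(actions, line):
    """Dry run of an action list: describe what would happen, run nothing.
    A real exec must hand the line over as a separate argv element, never
    interpolated into a shell string, because the line is attacker-influenced."""
    plan = []
    for action in actions:
        name, _, arg = action.partition("=")
        if name == "echo":
            plan.append(f"echo: {line}")
        elif name == "bell":
            plan.append("bell")
        elif name == "mail":
            plan.append(f"mail to {arg}: {line}")
        elif name == "exec":
            plan.append(f"exec argv={[arg, line]}")
        else:
            plan.append(f"unknown action {action!r} ignored")
    return plan


def tally(hits):
    """Count hits per pattern: the manual correlation step swatch leaves to
    the administrator, built here from its own output."""
    counts = {}
    for _, rule in hits:
        counts[rule.pattern.pattern] = counts.get(rule.pattern.pattern, 0) + 1
    return counts


if __name__ == "__main__":
    rules, errors = parse_swatchrc(SWATCHRC)
    for lineno, reason in errors:
        print(f".swatchrc line {lineno}: {reason}")
    hits = watch(SYSLOG, rules)
    for line, rule in hits:
        for step in plan_actions(rule.actions, line):
            print(step)
    print(tally(hits))
```

Running it reports the space-separated rule on line 5 as an error, raises the echo/mail/exec actions for the four matching lines, and leaves the in.fingerd line untouched; the final tally (two failed su attempts by the same user in twenty seconds) is exactly the kind of pattern the notes say has to be spotted by hand.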
Conclusion
It requires administrators to know some very machine-specific details
of the logging process (which files are used, which messages to look
for, and so on). If this is standardized, this is an invaluable tool to
have. Even without that, this tool is worth a close look.
Recommendation
Further Discussion Required
This review was written by Jai Sundar Balasubramaniyan <balasujs@cs.purdue.edu>
during the summer of 1997. The opinions expressed are for purposes of
critical review, and do not represent any official recommendation or
endorsement by COAST or Purdue University.