Hack #83. Monitor Your Logs Automatically

Use swatch to alert you to possible problems as they happen.

Automatically generated log file summaries are fine for keeping abreast of what’s happening with your systems and networks, but if you want to know about events as they happen, you’ll need to look elsewhere. One tool that can help keep you informed in real time is swatch (http://swatch.sourceforge.net), the “Simple WATCHer.”

swatch is a highly configurable log file monitor that can watch a file for user-defined triggers and dispatch alerts in a variety of ways. It consists of a Perl program, a configuration file, and a library of actions to take when it sees a trigger in the file it is monitoring.

To install swatch, download the package, unpack it, and go into the directory that it creates. Then, run these commands:

# perl Makefile.PL
# make && make install

Before swatch will build, you’ll need to install the Date::Calc, Date::Parse, and Time::HiRes Perl CPAN modules. If they’re not already installed, running perl Makefile.PL will produce the following warnings:

Warning: prerequisite Date::Calc 0 not found.
Warning: prerequisite Date::Parse 0 not found.
Warning: prerequisite Time::HiRes 1.12 not found.
Writing Makefile for swatch

If you already have Perl’s CPAN modules installed, simply run these commands:

# perl -MCPAN -e "install Date::Calc"
# perl -MCPAN -e "install Date::Parse"
# perl -MCPAN -e "install Time::HiRes"

By default, swatch looks for its configuration in a file called .swatchrc in the current user’s home directory. This file contains regular expressions to watch for in the file that you are monitoring with swatch. If you want to use a different configuration file, tell swatch by using the -c command-line switch.

For instance, to use /etc/swatch/messages.conf to monitor /var/log/messages, invoke swatch like this:

# swatch -c /etc/swatch/messages.conf -t /var/log/messages

Here’s the general format for entries in the configuration file:

watchfor /<regex>/
<action1>
[action2]
[action3]
...

Alternatively, you can ignore specific log messages that match a regular expression by using the ignore keyword:

ignore /<regex>/

You can also specify multiple regular expressions by separating them with the pipe (|) character.

swatch is very configurable in terms of the actions it can take when a string matches a regular expression. Some useful actions that you can specify in your .swatchrc file are echo, write, exec, mail, pipe, and throttle.

The echo action simply prints the matching line to the console; additionally, you can specify what text mode it will use. Thus, lines can be printed to the console as bold, underlined, blinking, inverted, or colored text.

For instance, if you want to print a matching line in red, blinking text, use the following action:

echo blink,red

The write action is similar to the echo action, except it does not support text modes. It can, however, write the matching line to any specified user’s TTY:

write user:user2:...

The exec action allows you to execute any command:

exec <command>

You can use the $0 or $* variables to pass the entire matching line to the command that you execute, or use $1 to pass the first field in the line, $2 for the second, and so on. So, if you want to pass only the second and third fields from the matching line to the command mycommand, use an action like this:

exec "mycommand $2 $3"

In addition to the exec action, swatch can execute external commands with the pipe action. The only difference is that instead of passing arguments to the command, swatch will execute the command and pipe the matching line to it. To use this action, just put the pipe keyword followed by the command you want to use.

Alternatively, to increase performance, you can use the keep_open option to keep the pipe to the program open until swatch exits or needs to perform a different pipe action:

pipe mycommand,keep_open
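The practical difference between exec and pipe is where the matching line ends up: with exec it arrives as the command’s arguments (which is why $2 and $3 select fields), with pipe it arrives on standard input. The following handler script is an added example, not part of swatch; it records whatever it receives either way, so the same script can be named in an exec action or a pipe action. The log path /var/log/swatch-alerts.log and the script name swatch-alert.sh are assumptions.

```shell
#!/bin/sh
# swatch-alert.sh (assumed name): alert handler usable from either action.
#   exec "swatch-alert.sh $0"   -> the matching line arrives as arguments
#   pipe swatch-alert.sh        -> matching lines arrive on stdin
# ALERT_LOG is an assumed location; override it in the environment.
ALERT_LOG="${ALERT_LOG:-/var/log/swatch-alerts.log}"

# handle_line LINE: append one record "UTC-timestamp<TAB>line" to ALERT_LOG
# and print the record, so callers can see exactly what was stored.
handle_line() {
    line=$1
    # refuse empty input so a misconfigured action cannot fill the log
    [ -n "$line" ] || return 1
    record=$(printf '%s\t%s' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line")
    printf '%s\n' "$record" >> "$ALERT_LOG"
    printf '%s\n' "$record"
}

# main: arguments present means exec-style, otherwise read stdin (pipe-style,
# one record per line, which suits pipe ...,keep_open).
main() {
    if [ "$#" -gt 0 ]; then
        handle_line "$*"
    else
        while IFS= read -r line; do
            handle_line "$line"
        done
    fi
}

# Only dispatch when run as the script itself, not when sourced.
case "$0" in
    *swatch-alert.sh) main "$@" ;;
esac
```

Install it somewhere on root’s path, make it executable, and reference it from .swatchrc as exec "/usr/local/sbin/swatch-alert.sh $0" or pipe /usr/local/sbin/swatch-alert.sh,keep_open.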

The mail action is especially useful if you have an email-enabled or text-messaging-capable cell phone or pager. When using the mail action, you can list as many recipient addresses as you like, in addition to specifying a subject line. swatch will send the line that matched the regular expression to these addresses with the subject you set.

Here is the general form of the mail action:

mail addresses=address:address2:...,subject=mysubject

When using the mail action, be sure to escape the @ characters in the email addresses (i.e., @ becomes \@). Escape any spaces in the subject of the email as well.

One problem with executing commands or sending emails whenever a specific string occurs in a log message is that sometimes the same log message might be generated over and over again rapidly. Clearly, if this were to happen, you wouldn’t want to get paged or emailed 100 times within a 10-minute period. To alleviate this problem, swatch provides the throttle action. This action lets you suppress a specific message or any message that matches a particular regular expression for a specified amount of time.

The general form of the throttle action is:

throttle h:m:s

The throttle action will throttle based on the contents of the message by default. If you would like to throttle the actions based on the regular expression that caused the match, you can add ,use=regex to the end of your throttle statement.
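To show how the pieces above fit together, here is an added example (not a configuration shipped with swatch) that writes a complete configuration file combining ignore, watchfor, echo, mail with escaped @ characters and spaces, throttle with use=regex, exec, and pipe with keep_open, then runs swatch against it with -c and -t. The recipient address oncall\@example.com, the handler path /usr/local/sbin/swatch-alert.sh, and the regular expressions are assumptions chosen to match typical syslog lines.

```shell
#!/bin/sh
# Added example: build a .swatchrc-style file and start swatch on a log.
# write_swatch_conf PATH: write the configuration to PATH and echo PATH back.
write_swatch_conf() {
    conf=$1
    cat > "$conf" <<'EOF'
# Routine cron entries are noise; never act on them.
ignore /CRON\[\d+\]: \(root\) CMD/

# Repeated authentication failures: highlight on the console, mail the
# on-call address (@ and spaces escaped), and send at most one mail per
# ten minutes for this regex rather than per distinct message text.
watchfor /(Failed password|authentication failure)/
    echo bold,red
    mail addresses=oncall\@example.com,subject=swatch:\ auth\ failure
    throttle 00:10:00,use=regex

# Privilege use: hand the whole matching line to the handler as arguments.
watchfor /sudo: .* COMMAND=/
    echo
    exec "/usr/local/sbin/swatch-alert.sh $0"

# Kernel messages: stream each line to the handler over one open pipe.
watchfor /kernel: /
    pipe /usr/local/sbin/swatch-alert.sh,keep_open
EOF
    echo "$conf"
}

# run_swatch CONF LOG: tail LOG using CONF; fails cleanly if swatch is absent.
run_swatch() {
    command -v swatch >/dev/null 2>&1 || { echo "swatch not installed" >&2; return 1; }
    swatch -c "$1" -t "$2"
}

# Typical use (assumed paths):
#   write_swatch_conf /etc/swatch/messages.conf
#   run_swatch /etc/swatch/messages.conf /var/log/messages
```

Because throttle here uses use=regex, a burst of failures from many different source addresses still produces a single mail per ten-minute window; without it, each distinct message text would be throttled separately.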

swatch is an incredibly useful tool, but it can take some work to create a good .swatchrc file. The best way to figure out what to look for is to examine your log files for behavior that you want to monitor closely.