Monitor Logs in Real-time with Swatch
Though limited in its abilities, Swatch is a very powerful tool to implement alongside other security products to proactively monitor system logs. Swatch gives systems administrators great log-monitoring options. It’s a perfect tool for monitoring SSH or
Swatch stands for ‘simple watcher’ or ‘syslog watcher’, depending on whom you ask. Either way, it is a helpful program that does your log-watching for you and alerts you only when the things you are specifically looking for get logged. Swatch is a Perl program that regularly sweeps the main log files for keywords that you define. It can be run in two ways: in the background as a daemon, or as a cron job. You can configure Swatch to notify you of any events in the messages or syslog files that might indicate a security problem, but it can also flag just about any kind of activity: a certain program being used, a certain user logging in, or anything else that appears in a log file. Swatch can even be configured to watch application-specific log files instead of the general log files it watches by default. On Linux it monitors log files as they are being written and takes the configured action whenever it finds something it has been told to look for, so it can be used to scan logs in real time for suspicious activity, error messages or specific keywords.
Swatch started out as a simple watchdog for actively monitoring the log files produced by UNIX's syslog facility. Since then it has evolved into a utility that can monitor just about any type of log. Swatch is a command-line utility: you start it by running the swatch command with the appropriate options after it.
Please note that certain logged events have great significance from a security standpoint, and the default items that Swatch looks for are a good start:
Bad logins: the words Invalid, Repeated, or Incomplete appear in the messages file.
System crashes: the words panic or halt appear in the log files.
System reboots: the banner of your OS should appear in the log files only when you reboot.
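As an added example (not from the original article), the following Swatch configuration file encodes the three default criteria above and shows the daemon and cron-style invocations; the log path, the local mail recipient, the ignore pattern and the "Linux version" kernel boot banner are assumptions to adjust for your system.

```conf
# /etc/swatchrc  (added example; adjust paths, recipient and banner pattern)
#
# Run in the background as a daemon, following the log as it is written:
#   swatch --config-file=/etc/swatchrc --tail-file=/var/log/messages --daemon
# Or run a one-shot pass from cron over the whole file:
#   swatch --config-file=/etc/swatchrc --examine=/var/log/messages

# Rules are tried in order; put known-noisy lines first so they never
# reach the alerting rules below (pattern is a constructed example).
ignore /CRON.*session (opened|closed)/

# Bad logins: Invalid, Repeated or Incomplete in the messages file.
watchfor /Invalid|Repeated|Incomplete/
    echo bold
    mail addresses=root,subject="Swatch: bad login"
    # Do not re-alert on the same event more than once per 10 minutes.
    throttle 00:10:00

# System crashes: panic or halt anywhere in the log.
watchfor /panic|halt/
    echo red
    bell 3
    mail addresses=root,subject="Swatch: system crash"

# System reboots: the OS boot banner should only be logged at reboot.
# "Linux version" is the Linux kernel's syslog boot banner (assumed);
# replace it with whatever banner your OS writes.
watchfor /Linux version/
    echo
    mail addresses=root,subject="Swatch: system rebooted"

# Lines matching none of the rules above are silently dropped.
```

Test the rules before relying on them by running the --examine form against a copy of an old log that you know contains one of each event and confirming that exactly the expected alerts fire.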
How to install Swatch
Swatch requires Perl 5 or higher. If you have a fairly new installation of Linux or BSD, you should already have a sufficiently current version.
1. Swatch requires multiple Perl modules in order to function correctly. You must first install CPAN and download each module via the CPAN console. While installing these modules, you may be prompted to install additional modules as well. The configuration process will tell you if any required modules are missing.