[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

any one use swatch before, how 2 attach interested line of log in the notification email ?



Anyway use swatch before http://swatch.sourceforge.net/, it is a simple watcher for logfile

I configured the following swatchrc1 file to search for authentication failure in the log
file

The content of the swatchrc1 file are below

[root watcher2 log]# cat /var/log/swatchrc1 
#Authentication Failure
watchfor /more authentication failures/
exec echo $0 | mail -s "Authentication Failure" david abc com

and I have it run as /usr/bin/swatch -c /var/log/swatchrc1 -t /var/log/messages --daemon

so that it will notify me via email when it got the authentication messages in the log file as
follows for example

Sep  7 02:40:10 inabc.abc.com sshd(pam_unix)[31953]: 2 more authentication failures; logname=
uid=0 euid=0 tty=NODEVssh ruser= rhost=10.10.12.30  user=david

However, in the notification email, I only got the email sent by root localhost localdomain with
the subject of "Authentication Failure" and content as "/usr/bin/swatch -c /var/log/swatchrc1 -t
/var/log/messages --daemon"

I can't know the authentication failure detail from the email at all, like which account and login
from where and etc. 

Is there a way to include in the notification email for the line of log file that it detects for
example " Sep  7 02:40:10 inabc.abc.com sshd(pam_unix)[31953]: 2 more authentication failures;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.10.12.30  user=david"
 
May I know where is the documentation for the swatchrc config ??  I want to customise it.


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]