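#author("2020-07-14T09:10:55+00:00","default:wikiwriter","wikiwriter")
&tag(swatch);
*目次 [#p9238018]
#contents
*関連ページ [#cf73de05]
*参考情報 [#zb82afaa]
-[[ログ監視ツールSwatchを試してみる – Simple IT Life:https://simple-it-life.com/2016/10/09/swatch/]]
*インストール [#s7a2d3f6]
-Debianの場合
# apt-get install swatch
-Perlスクリプトで特に設定ファイルや起動スクリプトなどは存在しない。
*コマンドラインから使用する [#n908519a]
-例えば/root/swatch.confを作成。
#pre{{
watchfor /Fatal error/
echo red
}}
-以下のように実行
# swatch -c /root/swatch.conf -t /tmp/test.log
*自動起動設定 [#y1f16d56]
-[[Swatchでログを監視して、攻撃に合わせた対策を自動で実行する方法 | OXY NOTES:https://oxynotes.com/?p=7534]]が参考になる。
-/etc/init.d/swatchを作成
#pre{{
#!/bin/bash
#
# swatch        start/stop one swatch daemon per /etc/swatch/*.conf
#
# chkconfig: 2345 90 35
# description: swatch start/stop script
#
# Every config file must contain a line "# logfile <path>"; that path is
# handed to "swatch --tail-file".  Daemon number <n> records its pid in
# /var/run/swatch_<n>.pid.

# Source function library.
# RHEL/CentOS location; on Debian the file is absent and bash carries on,
# nothing below depends on it.
. /etc/rc.d/init.d/functions

PATH=/sbin:/usr/local/bin:/bin:/usr/bin

# Directory where swatch writes the Perl script it generates and then runs
# as root.  Deliberately not /tmp: a world-writable directory combined with
# the predictable name .swatch_script.<pid> lets any local user pre-create
# or replace that file before the daemon executes it.
# (Constructed value; pick the distribution's run directory if different.)
SCRIPT_DIR=/var/run/swatch

CONF_DIR=/etc/swatch
LOCK_FILE=/var/lock/subsys/swatch
LOG_FILE=/var/log/swatch/swatch.log

RETVAL=0

mkdir -p /var/log/swatch

#######################################
# Test whether any swatch pid file exists.
# Returns: 0 if at least one /var/run/swatch_*.pid exists, 1 otherwise
#######################################
has_pidfiles() {
  local f
  for f in /var/run/swatch_*.pid; do
    # An unmatched glob leaves the literal pattern, which does not exist.
    [ -e "$f" ] && return 0
  done
  return 1
}

#######################################
# Start one daemon per config file.
# Globals:  RETVAL (written), CONF_DIR, SCRIPT_DIR, LOCK_FILE, LOG_FILE
# Returns:  0 on success, swatch's exit status or 1 on the first failure
#######################################
start() {
  # Start daemons.
  local conf watchlog
  local pno=0
  if has_pidfiles; then
    echo "swatch is already started"
    return 0
  fi
  printf '%s' "Starting swatch"
  # Root-only directory for the generated scripts (see SCRIPT_DIR above).
  mkdir -p -m 0700 "$SCRIPT_DIR"
  RETVAL=0
  for conf in "$CONF_DIR"/*.conf; do
    # No config files at all: nothing to start, but do not pass the literal
    # pattern to swatch.
    [ -e "$conf" ] || continue
    pno=$((pno + 1))
    # The log to tail is declared inside the config as "# logfile <path>";
    # only the first such line counts.
    watchlog=$(grep "^# logfile" -- "$conf" | awk '{ print $3; exit }')
    if [ -z "$watchlog" ]; then
      echo
      echo "no '# logfile <path>' line in $conf" >&2
      RETVAL=1
      return "$RETVAL"
    fi
    swatch --config-file "$conf" --tail-file "$watchlog" \
      --script-dir="$SCRIPT_DIR" --awk-field-syntax --use-cpan-file-tail --daemon \
      --pid-file "/var/run/swatch_$pno.pid" \
      >> "$LOG_FILE" 2>&1
    RETVAL=$?
    [ "$RETVAL" != 0 ] && return "$RETVAL"
  done
  echo
  [ "$RETVAL" = 0 ] && touch "$LOCK_FILE"
  return "$RETVAL"
}

#######################################
# Stop every daemon that has a pid file and remove lock, pid and
# generated-script files.
# Globals:  RETVAL (written), SCRIPT_DIR, LOCK_FILE
# Returns:  0
#######################################
stop() {
  # Stop daemons.
  local pidfile pid
  if ! has_pidfiles; then
    echo "swatch is not running"
    return 0
  fi
  printf '%s' "Shutting down swatch"
  for pidfile in /var/run/swatch_*.pid; do
    pid=$(cat -- "$pidfile")
    # Signal only a plain numeric pid; a damaged pid file must not turn
    # into a kill with a stray argument.
    case "$pid" in
      ''|*[!0-9]*) echo "ignoring bad pid file $pidfile" >&2 ;;
      *) kill "$pid" ;;
    esac
    rm -f -- "$pidfile"
  done
  echo
  rm -f -- "$LOCK_FILE" "$SCRIPT_DIR"/.swatch_script.*
  RETVAL=0
  return 0
}

#######################################
# Report whether swatch is running and with which pids.
# Globals:  RETVAL (written)
# Returns:  0 when running, 3 (LSB "program is not running") when stopped
#######################################
status() {
  local pidfile
  if has_pidfiles; then
    printf '%s' "swatch (pid"
    for pidfile in /var/run/swatch_*.pid; do
      printf ' %s' "$(cat -- "$pidfile")"
    done
    echo ") is running..."
    RETVAL=0
  else
    echo "swatch is stopped"
    RETVAL=3
  fi
  return "$RETVAL"
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    status
    ;;
  *)
    echo "Usage: swatch {start|stop|restart|status}"
    exit 1
    ;;
esac
exit "$RETVAL"
}}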