Re: [logs] swatchrc file

From: swatch swatch (swatch_5at_private)
Date: Fri Jan 03 2003 - 07:52:44 PST

  • Next message: Rainer Gerhards: "RE: [logs] Syslog payload format" 

    Hi,

This is how my mail field looks:

# Bad login attempts
       watchfor /failed/
                echo
                exec echo $0 | mail meat_private
                exec echo $0 | mail -s\"Authentication Failure\"
        operators\\@mycompany.com

And here is the output I get when I run the command:

# /usr/local/bin/swatch -c /var/log/swatchrc -t /var/log/messages
Can't find string terminator '"' anywhere before EOF at 
/root/.swatch_script.24287 line 477.

Therefore, SWATCH and perl do not start.

I try and open .swatch_script.24287 with vi and it is an empty file (why 
does it say the error is on line 477)?

It doesn’t seem to be a perl issue but when I type ‘perl –V’ it tells me 
version 5.8.0 is installed and when I type ‘rpm –q perl’ it says perl 5.6.0 
(the redhat 7.2 default).  Any thoughts?  Are you sure the syntax is correct 
with the above mail field?  Are the quotes in the right spots?  What exactly 
does ‘operators\\@mycompany.com’ do?

Thanks.


>From: Harry Hoffman <hhoffman@ip-solutions.net>
>To: loganalysisat_private
>Subject: Re: [logs] swatchrc file
>Date: Fri,  3 Jan 2003 10:05:49 +1300
>
>Hi,
>   We're running swatch on linux as well. Here is how our mail fields look:
>watchfor   /Too many open files in system/
>         echo
>         exec echo $0 | mail hhoffmanat_private
>         exec echo $0 | mail -s\"Out of files on Server, please reboot\"
>operators\\@auckland.ac.nz
>         throttle 30:00
>
>HTH,
>Harry
>
>
>Quoting swatch swatch <swatch_5at_private>:
>
>*> #swatchrc file in /var/log
>*>
>*>
>*> # Bad login attempts
>*> watchfor        /failed/
>*>                 echo bold
>*>                 mail addresses=meat_private,subject=Failed
>*> Authentication
>*>
>*> #Sniffing Attempts
>*> watchfor        /promiscuous/
>*>                 echo bold
>*>                 mail addresses=meat_private,subject=Someone is 
>sniffing
>*> syslog server
>*>
>*> # Kernel problems or system reboots
>*> watchfor        /panic|halt/
>*>                 echo bold
>*>                 mail addresses=meat_private,subject=System Reboot
>*>
>*>
>*>
>*>
>*>
>*>
>*> _________________________________________________________________
>*> MSN 8 with e-mail virus protection service: 2 months FREE*
>*> http://join.msn.com/?page=features/virus
>*>
>*> _______________________________________________
>*> LogAnalysis mailing list
>*> LogAnalysisat_private
>*> http://lists.shmoo.com/mailman/listinfo/loganalysis
>*>
>
>
>--
>Harry Hoffman
>ITSS Systems Team Leader
>University of Auckland
>hhoffmanat_private
>hhoffman@ip-solutions.net
>STANDARD DISCLAIMER:
>**********************************************
>*This universe shipped by weight, not volume.*
>*Some expansion may have occured in shipping.*
>*********************************************
>
>
>-------------------------------------------------
>This mail sent through IMP: http://horde.org/imp/
>_______________________________________________
>LogAnalysis mailing list
>LogAnalysisat_private
>http://lists.shmoo.com/mailman/listinfo/loganalysis


_________________________________________________________________
Help STOP SPAM: Try the new MSN 8 and get 2 months FREE* 
http://join.msn.com/?page=features/junkmail

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:09:35 PST