Re: [logs] swatchrc file

From: swatch swatch (swatch_5at_private)
Date: Fri Jan 03 2003 - 07:52:44 PST


    Hi,
    
    This is how my mail field looks:
    
    # Bad login attempts
           watchfor /failed/
                    echo
                    exec echo $0 | mail meat_private
                    exec echo $0 | mail -s\"Authentication Failure\"
            operators\\@mycompany.com
    
    And here is the output I get when I run the command:
    
    # /usr/local/bin/swatch -c /var/log/swatchrc -t /var/log/messages
    Can't find string terminator '"' anywhere before EOF at 
    /root/.swatch_script.24287 line 477.
    
    Therefore, SWATCH and perl do not start.
    
    I try and open .swatch_script.24287 with vi and it is an empty file (why 
    does it say the error is on line 477)?
    
    It doesn’t seem to be a perl issue but when I type ‘perl -V’ it tells me 
    version 5.8.0 is installed and when I type ‘rpm -q perl’ it says perl 5.6.0 
    (the redhat 7.2 default).  Any thoughts?  Are you sure the syntax is correct 
    with the above mail field?  Are the quotes in the right spots?  What exactly 
    does ‘operators\\@mycompany.com’ do?
    
    Thanks.
    
    
    >From: Harry Hoffman <hhoffman@ip-solutions.net>
    >To: loganalysisat_private
    >Subject: Re: [logs] swatchrc file
    >Date: Fri,  3 Jan 2003 10:05:49 +1300
    >
    >Hi,
    >   We're running swatch on linux as well. Here is how our mail fields look:
    >watchfor   /Too many open files in system/
    >         echo
    >         exec echo $0 | mail hhoffmanat_private
    >         exec echo $0 | mail -s\"Out of files on Server, please reboot\"
    >operators\\@auckland.ac.nz
    >         throttle 30:00
    >
    >HTH,
    >Harry
    >
    >
    >Quoting swatch swatch <swatch_5at_private>:
    >
    >*> #swatchrc file in /var/log
    >*>
    >*>
    >*> # Bad login attempts
    >*> watchfor        /failed/
    >*>                 echo bold
    >*>                 mail addresses=meat_private,subject=Failed
    >*> Authentication
    >*>
    >*> #Sniffing Attempts
    >*> watchfor        /promiscuous/
    >*>                 echo bold
    >*>                 mail addresses=meat_private,subject=Someone is sniffing
    >*> syslog server
    >*>
    >*> # Kernel problems or system reboots
    >*> watchfor        /panic|halt/
    >*>                 echo bold
    >*>                 mail addresses=meat_private,subject=System Reboot
    >*>
    >*>
    >*>
    >*>
    >*>
    >*>
    >*> _______________________________________________
    >*> LogAnalysis mailing list
    >*> LogAnalysisat_private
    >*> http://lists.shmoo.com/mailman/listinfo/loganalysis
    >*>
    >
    >
    >--
    >Harry Hoffman
    >ITSS Systems Team Leader
    >University of Auckland
    >hhoffmanat_private
    >hhoffman@ip-solutions.net
    >STANDARD DISCLAIMER:
    >**********************************************
    >*This universe shipped by weight, not volume.*
    >*Some expansion may have occurred in shipping.*
    >*********************************************
    >
    >
    
    
    



    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:09:35 PST