Re: [logs] SWATCH configuration

From: Ed Schmollinger (schmolliat_private)
Date: Fri Jan 03 2003 - 07:39:42 PST

    On Thu, Jan 02, 2003 at 06:57:12PM +0000, swatch swatch wrote:
    > I have configured SWATCH on my syslog server, however, I am not getting any 
    > emails sent to me when I purposely type in a wrong password on my ssh 
    > client.
    > 
    > Attached is my swatchrc file.  Could my syntax be wrong?  For example, 
    > instead of 'mail addresses' should it be 'mail address' or only 'mail'?  
    > when I check my log files it tells me there was a failed login attempt, 
    > however, no email is sent to me.  once I created the swatchrc file I ran 
    > the command:
    > 
    > /usr/local/bin/swatch -c /var/log/swatchrc -t /var/log/syslog &
    > 
    > Perhaps I should be using the command:
    > 
    > /usr/local/bin/swatch -c /var/log/swatchrc -t /var/log/messages &
    
    Check in your /etc/syslog.conf to see where your logs are being
    directed.  The last time I looked at a Redhat box, it by default logged
    to a whole bunch of different files.  You can either live with that by
    running a bunch of swatch instances for each of those separate files, or
    you can tell syslogd to glom everything into one big file:
    
    *.debug		/var/log/messages
    
    Note that the whitespace between "*.debug" and "/var/log/messages" MUST
    be tabs.
    
    > It tells me that swatch 3.0.4 has started...although it doesn't immediately 
    > go back to the root prompt.  Is this normal?  I have to press enter to get 
    > back to a root prompt...is that normal?  I see the process running by typing 
    > 'ps' and then 'ps -eaf'.  When I type 'exit' at the root prompt to exit my 
    > ssh session it tells me that it is still connected and doesn't log me out 
    > like it normally does, therefore, I force the disconnect by clicking on the 
    > X in the top right hand corner.  Then when I log back in and type 'ps' I no 
    > longer see the processes of swatch and perl running.  But when I type 'ps 
    > -eaf' I see the 2 processes running.  I also tried the commands:
    
    swatch tosses out 3 lines of output when it starts up.  My guess is that
    you got your root prompt back immediately, then the output from swatch
    (which you neglected to redirect anywhere.)  Your shell isn't going to
    print another prompt under such circumstances until you hit enter.
    
    According to the swatch documentation, the appropriate way for you to
    invoke swatch in your scenario is:
    
    /usr/local/bin/swatch -c /var/log/swatchrc -t /var/log/messages --daemon
    
    assuming that /var/log/messages is the file you want to monitor.  Try it
    without the "--daemon" to see if you get any interesting output.
    
    > Sorry if this is confusing, I am still very new to linux.  I am running 
    > SWATCH on redhat 7.2.  I noticed that the swatchrc file has slightly 
    > different syntax for UNIX and LINUX.  Perhaps I am spelling something wrong 
    > or am missing an = sign?
    
    I do not know of a reason that this should be.  How is it different?  Is
    it a redhat-specific modification?
    
    > It may be that the additional perl modules which are needed are not 
    > installed properly.  When I type rpm -q perl it comes back with perl 5.6.0 
    > which is fine.  However, I thought I had installed perl 5.8.0 but I must 
    > have done something wrong if it tells me that perl 5.6.0 is installed.  
    > This is not a big deal because SWATCH only requires perl 5 or greater.  The 
    > reason I mention this is because I thought I also installed the additional 
    > 4 modules that SWATCH needs.  But I have a hunch they too did not get 
    > installed.  Can you tell me where exactly to install them (/usr/bin or 
    > /usr/bin/perl5.6.0)?  Or does it matter?  I installed these modules by 
    > running make, make test, make install.  Is that correct?  How can I verify 
    > that they are installed and the directory which they are installed in?  I 
    > believe I did everything correct on the SWATCH end of things but I could be 
    > wrong.  I have my swatchrc file in /var/log which should be fine I think.  
    > I also know I put a hidden swatchrc file right under root.  This file is 
    > empty.  Does this file also need to be the same as my swatchrc file in 
    > /var/log?  Or do I need both of them?  Could that be the problem?
    
    The perl modules are probably installed correctly.  If they were not,
    then swatch would die immediately after invocation.
    
    Since you specify the location of swatchrc on the command line, the file
    /.swatchrc won't be consulted.  Remove it so that you don't confuse
    yourself.
    
    You may find additional help on the swatch-users mailing list.
    
    -- 
    Ed Schmollinger - schmolliat_private
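    As an added illustration of the two things this reply turns on (what a
    swatchrc rule for failed SSH logins looks like, and why the syslog.conf
    separator matters), here is a small Python re-implementation of swatch's
    matching step. It is not swatch's code and not part of the original
    thread; it assumes the swatch 3.x rule form `watchfor /regex/` followed
    by indented actions such as `mail addresses=a:b,subject=...` (check
    swatch(1) on the box for the exact keyword spelling), and the log lines
    and addresses below are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed swatchrc. Syntax assumed to follow swatch 3.x: a 'watchfor'
# line with a /regex/, then indented action lines. Addresses are colon
# separated, options are comma separated.
SAMPLE_SWATCHRC = r"""
# alert on failed ssh logins
watchfor /sshd\[\d+\]: Failed password for/
    echo
    mail addresses=root:secops@example.invalid,subject=SSH_failed_login
"""

# Constructed syslog lines (what /var/log/messages might contain).
SAMPLE_SYSLOG = [
    "Jan  3 07:39:42 logsrv sshd[2213]: Failed password for root from 192.0.2.10 port 4321 ssh2",
    "Jan  3 07:39:50 logsrv sshd[2213]: Accepted password for ed from 192.0.2.11 port 4322 ssh2",
    "Jan  3 07:40:01 logsrv CROND[2240]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  3 07:40:12 logsrv sshd[2251]: Failed password for invalid user admin from 198.51.100.7 port 5100 ssh2",
]


@dataclass
class Rule:
    pattern: re.Pattern
    actions: list = field(default_factory=list)  # (name, {option: value})


def parse_swatchrc(text):
    """Parse watchfor/action blocks into Rule objects."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            # Top-level line: must be 'watchfor /regex/'
            m = re.match(r"watchfor\s+/(.*)/\s*$", raw)
            if not m:
                raise ValueError(f"unrecognised rule line: {raw!r}")
            rules.append(Rule(re.compile(m.group(1))))
        else:
            # Indented line: an action belonging to the preceding watchfor
            if not rules:
                raise ValueError("action before any watchfor")
            name, _, rest = raw.strip().partition(" ")
            opts = {}
            for part in rest.split(",") if rest else []:
                key, _, value = part.partition("=")
                opts[key] = value
            rules[-1].actions.append((name, opts))
    return rules


def mail_recipients(opts):
    """Split the colon-separated 'addresses' option of a mail action."""
    return [a for a in opts.get("addresses", "").split(":") if a]


def match_lines(rules, lines):
    """Return one hit per (rule, line) pair, as swatch would fire actions."""
    hits = []
    for line in lines:
        for rule in rules:
            if rule.pattern.search(line):
                hits.append({"line": line, "actions": rule.actions})
    return hits


def syslog_conf_uses_tabs(conf_line):
    """True if the selector and action are separated only by tabs, as the
    reply says old syslogd requires (spaces are the classic silent failure)."""
    m = re.match(r"^(\S+)([ \t]+)(\S+)\s*$", conf_line)
    return bool(m) and m.group(2) == "\t" * len(m.group(2))


if __name__ == "__main__":
    rules = parse_swatchrc(SAMPLE_SWATCHRC)
    for hit in match_lines(rules, SAMPLE_SYSLOG):
        for name, opts in hit["actions"]:
            if name == "mail":
                print(f"would mail {mail_recipients(opts)}: {hit['line']}")
    print("tabs ok:", syslog_conf_uses_tabs("*.debug\t/var/log/messages"))
    print("tabs ok:", syslog_conf_uses_tabs("*.debug   /var/log/messages"))
```

    Running it prints two "would mail" lines (the two failed-password
    entries, including the "invalid user" form) and then True followed by
    False for the two syslog.conf lines, which is the tab-versus-space
    mistake the reply warns about.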
    
    _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis

    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:10:02 PST