Hi,

I ran 4 different SWATCH instances for the different log files (all with --daemon at the end) and all processes are running successfully from what I can tell. For the first time I was redirected back to the root prompt each time. Although, I am still not getting emails into my inbox. My swatchrc file is the same as it was in my first posting. I am stumped unless it is a firewall issue. The box SWATCH is running on is on a different subnet than what I am on. However, I have configured sendmail to forward emails to me with a smarthost. I know this works because I get nightly Tripwire reports from the same box SWATCH is on. Therefore, I don't know what I am missing. Any thoughts?

By the way, each time I edit my swatchrc file I kill the perl and SWATCH processes and then restart them once the editing is finished. I assume that is fine?

>From: Ed Schmollinger <schmolliat_private>
>To: swatch swatch <swatch_5at_private>
>CC: loganalysisat_private
>Subject: Re: [logs] SWATCH configuration
>Date: Fri, 3 Jan 2003 09:39:42 -0600
>
>On Thu, Jan 02, 2003 at 06:57:12PM +0000, swatch swatch wrote:
> > I have configured SWATCH on my syslog server, however, I am not getting any
> > emails sent to me when I purposely type in a wrong password on my ssh
> > client.
> >
> > Attached is my swatchrc file. Could my syntax be wrong? For example,
> > instead of "mail addresses" should it be "mail address" or only "mail"?
> > When I check my log files it tells me there was a failed login attempt,
> > however, no email is sent to me. Once I created the swatchrc file I ran
> > the command:
> >
> > /usr/local/bin/swatch -c /var/log/swatchrc -t /var/log/syslog &
> >
> > Perhaps I should be using the command:
> >
> > /usr/local/bin/swatch -c /var/log/swatchrc -t /var/log/messages &
>
>Check in your /etc/syslog.conf to see where your logs are being
>directed. The last time I looked at a Redhat box, it by default logged
>to a whole bunch of different files. You can either live with that by
>running a bunch of swatch instances for each of those separate files, or
>you can tell syslogd to glom everything into one big file:
>
>*.debug /var/log/messages
>
>Note that the whitespace between "*.debug" and "/var/log/messages" MUST
>be tabs.
>
> > It tells me that swatch 3.0.4 has started... although it doesn't immediately
> > go back to the root prompt. Is this normal? I have to press enter to get
> > back to a root prompt... is that normal? I see the process running by typing
> > "ps" and then "ps -eaf". When I type "exit" at the root prompt to exit my
> > ssh session it tells me that it is still connected and doesn't log me out
> > like it normally does, therefore, I force the disconnect by clicking on the
> > X in the top right hand corner. Then when I log back in and type "ps" I no
> > longer see the processes of swatch and perl running. But when I type "ps
> > -eaf" I see the 2 processes running. I also tried the commands:
>
>swatch tosses out 3 lines of output when it starts up. My guess is that
>you got your root prompt back immediately, then the output from swatch
>(which you neglected to redirect anywhere.) Your shell isn't going to
>print another prompt under such circumstances until you hit enter.
>
>According to the swatch documentation, the appropriate way for you to
>invoke swatch in your scenario is:
>
>/usr/local/bin/swatch -c /var/log/swatchrc -t /var/log/messages --daemon
>
>assuming that /var/log/messages is the file you want to monitor. Try it
>without the "--daemon" to see if you get any interesting output.
>
> > Sorry if this is confusing, I am still very new to linux. I am running
> > SWATCH on redhat 7.2. I noticed that the swatchrc file has slightly
> > different syntax for UNIX and LINUX. Perhaps I am spelling something wrong
> > or am missing an = sign?
>
>I do not know of a reason that this should be. How is it different? Is
>it a redhat-specific modification?
>
> > It may be that the additional perl modules which are needed are not
> > installed properly. When I type rpm -q perl it comes back with perl 5.6.0
> > which is fine. However, I thought I had installed perl 5.8.0 but I must
> > have done something wrong if it tells me that perl 5.6.0 is installed.
> > This is not a big deal because SWATCH only requires perl 5 or greater. The
> > reason I mention this is because I thought I also installed the additional
> > 4 modules that SWATCH needs. But I have a hunch they too did not get
> > installed. Can you tell me where exactly to install them (/usr/bin or
> > /usr/bin/perl5.6.0)? Or does it matter? I installed these modules by
> > running make, make test, make install. Is that correct? How can I verify
> > that they are installed and the directory which they are installed in? I
> > believe I did everything correct on the SWATCH end of things but I could be
> > wrong. I have my swatchrc file in /var/log which should be fine I think.
> > I also know I put a hidden swatchrc file right under root. This file is
> > empty. Does this file also need to be the same as my swatchrc file in
> > /var/log? Or do I need both of them? Could that be the problem?
>
>The perl modules are probably installed correctly. If they were not,
>then swatch would die immediately after invocation.
>
>Since you specify the location of swatchrc on the command line, the file
>/.swatchrc won't be consulted. Remove it so that you don't confuse
>yourself.
>
>You may find additional help on the swatch-users mailing list.
>
>--
>Ed Schmollinger - schmolliat_private

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
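
Added example, not part of the original thread and not code from swatch itself: a shell sketch of the check suggested in the quoted reply. It lists the files a classic syslog.conf writes to, flags rules whose selector and action are not separated by tabs only, and prints one swatch invocation per file in the form given in the reply. The function names, the sample configuration and the host name "loghost" are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a classic syslog.conf and emit one swatch command per log file.

# Constructed sample in the style of a Red Hat syslog.conf (not the poster's file).
sample_conf() {
    printf '# constructed sample syslog.conf\n'
    printf '*.info;mail.none;authpriv.none\t/var/log/messages\n'
    printf 'authpriv.*\t\t/var/log/secure\n'
    printf 'mail.*\t\t\t-/var/log/maillog\n'
    printf 'cron.*    /var/log/cron\n'        # spaces, not tabs
    printf '*.emerg\t\t\t*\n'                 # all logged-in users, not a file
    printf 'kern.*\t\t\t@loghost\n'           # remote host, not a file
}

# Print "<file><TAB><OK|SPACES>" for every rule in $1 whose action is a file.
syslog_targets() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        {
            # selector = first run of non-blanks, then the blank separator
            if (!match($0, /^[^ \t]+[ \t]+/)) next
            sep = substr($0, 1, RLENGTH)
            action = substr($0, RLENGTH + 1)
            sub(/^[^ \t]+/, "", sep)          # keep only the separator
            sub(/^-/, "", action)             # "-/path" = file without sync
            sub(/[ \t]+$/, "", action)
            if (action !~ /^\//) next         # only file destinations matter here
            printf "%s\t%s\n", action, (sep ~ /^\t+$/) ? "OK" : "SPACES"
        }' "$1"
}

# Print one swatch invocation per distinct log file in $1, using swatchrc $2.
swatch_commands() {
    syslog_targets "$1" | cut -f1 | sort -u | while read -r f; do
        printf '/usr/local/bin/swatch -c %s -t %s --daemon\n' "$2" "$f"
    done
}

# Stand-alone run against the constructed sample.
conf=$(mktemp)
sample_conf > "$conf"
syslog_targets "$conf"
swatch_commands "$conf" /var/log/swatchrc
rm -f "$conf"
```

On a real host, pass /etc/syslog.conf as the first argument to both functions in place of the sample.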
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:57:02 PST