HOWTO: Actively monitor log files.

by Gavin Henry on February 29, 2004.

UPDATE 2004-05-07:
Swatch 3.1 has now been released.
You can download the Swatch 3.1 RPMS I made (They should work on RH 8-9 too):

Swatch 3.1 RPM
Swatch 3.1 SRPM


UPDATE 2004-03-06:
After a few e-mails informing me that the Swatch project has been abandoned, I e-mailed Todd, the author, to confirm. Well, it has not, and version 3.1 should be released soon.

I thought since people will continue using it now, I should make an RPM for it:

Swatch RPM
Swatch SRPM
md5sums
swatch.spec
gpg key

This has also been submitted to Fedora.us Extras here.
And Todd has been informed.


Introduction:

I came across a great tool when setting up a honeynet last year.

It is called Swatch, and I discovered it whilst following a GenII Honeynet guide.

The Simple WATCHer is an automated monitoring tool, written in Perl, that watches log files continuously and alerts system administrators whenever a line matches one of the patterns described in its configuration file.

An example of this is what the Honeynet Project used it for in the GenII Honeynet guide: logging outgoing network connections. I recently set it up so that when someone visits a site they shouldn't have, I get an e-mail immediately saying which site they visited.

Installation:

First we need to download it. It's available from the Swatch site.

Extract it to a directory: tar -xzvf swatch-3.0.8.tar.gz. It's best to read the README and INSTALL files, but I will describe the steps here:

To install, simply issue the following commands in the swatch directory (make install as root):

perl Makefile.PL
make
make test
make install
make realclean

Swatch installs just like a CPAN module. If you are not familiar with this process then you may want to read about it by issuing the command: man ExtUtils::MakeMaker (use the perldoc command if your man cannot find the document).

If you see messages like these when running perl Makefile.PL:

Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.

then you need to install the CPAN module(s) that it doesn't find. You can find these modules at search.cpan.org, or if you followed my HOWTO on apt, you will already be set up to download the necessary packages.

Simply run: apt-get install perl-Date-Calc perl-File-Tail perl-TimeDate. perl-Bit-Vector needs to be installed as well (Date::Calc depends on it), but apt takes care of that.

You can also use the command: perl -MCPAN -e shell to get an interactive installer/shell for installing the Perl modules. The shell is very simple and handles all dependencies. However, as with any installer, manual intervention may be required to install the latest required package.
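Before running perl Makefile.PL it is handy to know in advance which prerequisites are missing. The following is an added example script, not part of the Swatch distribution or of this page's original content: it tries to load each module named in the warnings above with perl -M and reports the ones that fail. The module list and the Time::HiRes minimum version come from the warnings quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example: check Swatch's Perl prerequisites before building.
# Module names and the Time::HiRes minimum version (1.12) are taken from the
# Makefile.PL warnings quoted on this page; the function names are made up here.

# perl_has_module NAME [MINVERSION]
# Exit 0 if the module loads (and, when given, satisfies the version), else non-zero.
# "perl -M'Name 1.12' -e 1" becomes "use Name 1.12;", so the version check is done by perl.
# Also fails when perl itself is not installed, which is the right answer for our purpose.
perl_has_module() {
    if [ -n "$2" ]; then
        perl -M"$1 $2" -e 1 >/dev/null 2>&1
    else
        perl -M"$1" -e 1 >/dev/null 2>&1
    fi
}

# swatch_missing_modules
# Print one "missing: ..." line per prerequisite that does not load; exit 1 if any is missing.
swatch_missing_modules() {
    missing=0
    for spec in "Date::Calc" "Date::Parse" "File::Tail" "Time::HiRes 1.12"; do
        # $spec is deliberately unquoted so "Time::HiRes 1.12" splits into name and version.
        # shellcheck disable=SC2086
        if ! perl_has_module $spec; then
            echo "missing: $spec"
            missing=1
        fi
    done
    return $missing
}

swatch_missing_modules || echo "install the modules listed above before running 'perl Makefile.PL'"
```

Run it once before the build; an empty output means perl Makefile.PL will not warn about any of the four prerequisites. Date::Parse comes from the perl-TimeDate package, and Time::HiRes ships with recent Perls, so usually only the first three need installing.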

We now need to create a ${HOME}/.swatchrc file. Ours will be simple, but for more options type: man swatch

Swatch can not only send an e-mail but also:

  • Echo the matched line, in various colours, shapes and sizes.
  • Echo the matched line and ring the bell a given number of times.
  • Execute a command. The command may contain variables which are substituted with fields from the matched line, which is very handy.
  • Send matched lines to logged-in users.

And more, again see the man page for details.

Our file will send an e-mail to me when it sees someone log into my machine. If you are sitting at the machine, it would be better to echo a message or ring the bell instead.

My ${HOME}/.swatchrc file would be (see the examples folder in the swatch directory for more info):

#
# Swatchrc file for monitoring ssh access via /var/log/messages to see what people are doing.
#

watchfor   /sshd/
        mail=ghenry@fedoranews.org, subject=----PLEASE INVESTIGATE SSH ACCESS----
        throttle 01:00

So when sshd is picked up in /var/log/messages, I get an e-mail with the above subject and the offending line from /var/log/messages, like so:

Feb 29 22:14:11 whitehat sshd(pam_unix)[8705]: session opened for user ghenry

NOTE: throttle means that if multiple instances of the same message appear within the throttle period (1 minute here), only the first one is e-mailed; without it, a busy sshd would flood your mailbox. See the throttle entry in man swatch for the exact format of the time value and for the key= option that controls what counts as "the same message".
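As an added example (not code from this page or from Swatch itself, which is written in Perl), here is the watchfor/mail/throttle logic described above reimplemented in Python and run over a few constructed /var/log/messages lines. It assumes the year 2004 for the syslog timestamps (syslog omits the year) and approximates Swatch's default per-message throttle key by stripping digits from the line, so that differing PIDs and timestamps still count as the same message. It also goes slightly beyond the page's single /sshd/ rule by adding a narrower pattern that fires only for sessions opened by users other than the expected one; the rule names, class names and the sample log are all mine.

```python
import re
from datetime import datetime

# Constructed /var/log/messages-style sample; not captured from any real host.
SAMPLE_LOG = """\
Feb 29 22:14:11 whitehat sshd(pam_unix)[8705]: session opened for user ghenry
Feb 29 22:14:40 whitehat sshd(pam_unix)[8705]: session closed for user ghenry
Feb 29 22:15:02 whitehat sshd(pam_unix)[8731]: session opened for user ghenry
Feb 29 22:20:30 whitehat sshd(pam_unix)[8790]: session opened for user guest
Feb 29 23:30:00 whitehat sshd(pam_unix)[9010]: session opened for user ghenry
Feb 29 23:31:00 whitehat crond[9020]: (root) CMD (run-parts /etc/cron.hourly)
"""

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")


def parse_timestamp(line, year=2004):
    """Return the syslog timestamp of a line as a datetime, or None if it has none.
    Syslog omits the year, so the caller supplies it (assumed 2004 here)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


class WatchRule:
    """One 'watchfor' block: a regex, a mail subject and a throttle period in seconds."""

    def __init__(self, name, pattern, subject, throttle_seconds=0, key="message"):
        self.name = name
        self.regex = re.compile(pattern)
        self.subject = subject
        self.throttle = throttle_seconds
        self.key = key            # "message": throttle per distinct message; "regex": per rule
        self._last_report = {}    # throttle key -> datetime of the last report sent

    def throttle_key(self, line):
        if self.key == "regex":
            return self.regex.pattern
        # Strip digits so differing timestamps and PIDs count as the same message
        # (an approximation of swatch's default 'message' key; assumption, not swatch's code).
        return re.sub(r"\d+", "", line)

    def evaluate(self, line, ts):
        """Return 'report', 'throttled' or None (no match) for a line seen at time ts."""
        if not self.regex.search(line):
            return None
        key = self.throttle_key(line)
        last = self._last_report.get(key)
        if last is not None and (ts - last).total_seconds() < self.throttle:
            return "throttled"
        self._last_report[key] = ts
        return "report"


def watch(rules, log_text, year=2004):
    """Feed each log line to every rule; return the alerts that would be mailed, in order."""
    alerts = []
    for line in log_text.splitlines():
        ts = parse_timestamp(line, year)
        if ts is None:
            continue
        for rule in rules:
            if rule.evaluate(line, ts) == "report":
                alerts.append({"rule": rule.name, "subject": rule.subject, "body": line})
    return alerts


def demo_rules():
    return [
        # The page's rule: anything mentioning sshd, at most one mail per message per minute.
        WatchRule("ssh-any", r"sshd", "----PLEASE INVESTIGATE SSH ACCESS----",
                  throttle_seconds=60),
        # Narrower rule: a session opened by anyone other than the expected user, never throttled.
        WatchRule("ssh-other-user", r"sshd.*session opened for user (?!ghenry\b)\S+",
                  "----UNEXPECTED SSH LOGIN----"),
    ]


if __name__ == "__main__":
    for alert in watch(demo_rules(), SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['subject']}\n    {alert['body']}")
```

Running it shows the 22:15:02 login being suppressed by the one-minute throttle (same message, different PID), while the 23:30:00 login is reported again because the throttle period has long expired. The second rule illustrates the practical point: a pattern as broad as /sshd/ mails you about your own sessions too, so narrowing it to what you actually want to investigate keeps the throttle from hiding something interesting behind your own noise.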

To get Swatch running, type (as root): swatch --config-file=/home/yourname/.swatchrc --tail-file=/var/log/messages & Or put the same command in /etc/rc.local without the & symbol at the end, so that it starts on reboot. Bear in mind that Swatch runs its actions, including any exec commands, with the privileges of the user who started it. If you run it as root, the configuration file must not be writable by anyone else, so a .swatchrc living in an ordinary user's home directory is better moved to a root-owned file before you add it to rc.local.

Conclusion:

There are a lot more options for configuration, so have a good read of the example files and the man page. This amount of configuration makes Swatch a truly flexible and useful tool. I hope you have fun with it.

Well, that's it for now. For any comments or corrections, please e-mail me.