Swatchdog – Simple Log File Watcher in Real-Time in Linux

Swatchdog (the “Simple WATCH DOG”) is a simple Perl script for monitoring active log files on Unix-like systems such as Linux. It watches your logs based on regular expressions that you can define in a configuration file. You can run it from the command line or in the background, detached from any terminal using the daemon mode option.

Note that the program was originally called swatch (the “Simple Watcher”) but a request by the old Swiss watch company for a name change saw the developer change its name to swatchdog.

Importantly, swatchdog has grown from a script for watching logs produced by Unix’s syslog facility, and it can monitor just about any kind of logs.

How to Install Swatch in Linux

The package swatchdog is available to install from the official repositories of mainstream Linux distributions as a package “swatch” via a package manager as shown.

$ sudo apt install swatch	[On Ubuntu/Debian]
$ sudo yum install epel-release && sudo yum install swatch	[On RHEL/CentOS]
$ sudo dnf install swatch	[On Fedora 22+]

To install most latest version of swatchdog, you need to compile it from source using following commands in any Linux distribution.

$ git clone
$ cd swatchdog/
$ perl Makefile.PL
$ make
$ sudo make install
$ sudo make realclean

Once you have installed the swatch, you need to create its configuration file (default location is /home/$USER/.swatchdogrc or .swatchrc), to determine what types of expression patterns to look for and what type of action(s) should be taken when a pattern is matched.

$ touch /home/letscodify/.swatchdogrc
$ touch /home/letscodify/.swatchrc

Add your regular expression in this file and each line should contain a keyword and value (sometimes optional), separated by a space or an equal (=) sign. You need to specify a pattern and an action(s) to be taken when a pattern is matched.

We will use a simple configuration file, you can find more options in the swatchdog man page, for instance.

watchfor  /sudo/
 echo red, subject="Sudo Command"

Here, our regular expression is a literal string – “sudo”, means any time the string sudo appeared in the log file, would be printed to the terminal in red text and mail specify the action to be taken, which is to echo the matched pattern on the terminal and send an e-mail to the specified address, receptively.

After you have configured it, swatchdog reads the /var/log/syslog log file by default, if this file is not present, it reads /var/log/messages.

$ swatch     [On RHEL/CentOS & Fedora]
$ swatchdog  [On Ubuntu/Debian]

You can specify a different configuration file using the -c flag as shown in the following example.

First create a swatch configuration directory and a file.

$ mkdir swatch
$ touch swatch/secure.conf

Next, add the following configuration in the file to monitor failed login attempts, failed SSH login attempts, successful SSH logins from the /var/log/secure log file.

watchfor /FAILED/
echo red, subject="Failed Login Attempt"

watchfor /ROOT LOGIN/
echo red, subject="Successful Root Login"

watchfor /ssh.*: Failed password/
echo red, subject="Failed SSH Login Attempt"

watchfor /ssh.*: session opened for user root/ 
echo red, subject="Successful SSH Root Login"

Now run the Swatch by specifying the configuration file using the -c and log file using -t flag as shown.

$ swatchdog -c ~/swatch/secure.conf -t /var/log/secure

To run it in the background, use the --daemon flag; in this mode, it is detached from any terminal.

$ swatchdog ~/swatch/secure.conf -t /var/log/secure --daemon  

Now to test the swatch configuration, try to login into server from the different terminal, you see the following output printed to the terminal where Swatchdog is running.

*** swatch version 3.2.3 (pid:16531) started at Thu Jul 12 12:45:10 BST 2018

Jul 12 12:51:19 letscodify sshd[16739]: Failed password for root from port 33324 ssh2
Jul 12 12:51:19 letscodify sshd[16739]: Failed password for root from port 33324 ssh2
Jul 12 12:52:07 letscodify sshd[16739]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 12 12:52:07 letscodify sshd[16739]: pam_unix(sshd:session): session opened for user root by (uid=0)

Monitor Linux Logs in Real Time

You can also run multiple swatch processes to monitor various log files.

$ swatchdog -c ~/site1_watch_config -t /var/log/nginx/site1/access_log --daemon  
$ swatchdog -c ~/messages_watch_config -t /var/log/messages --daemon
$ swatchdog -c ~/auth_watch_config -t /var/log/auth.log --daemon

For more information, check out the swatchdog man page.

$ man swatchdog

Swatchdog SourceForge Repository:

Swatchdog is a simple active log file monitoring tool for Unix-like systems such as Linux. Try it out and share your thoughts or ask any questions in the comments section

Be the first to comment

Leave a Reply

Your email address will not be published.