Swatch is a simple program written in the Perl programming language that is designed to monitor log files. It allows you to automatically scan log files for particular entries and then take appropriate action, such as sending you mail, printing a message on your screen, or running a program. There are a few other similar tools available, and we hope that more might be written in the near future, but we'll explain Swatch here as an example of how to automate monitoring of your log files. Swatch allows a great deal of flexibility, although it offers no debugging facility for complicated configuration and it has a temperamental configuration file syntax.
Swatch was developed by E. Todd Atkins at Stanford's EE Computer Facility to automatically scan log files. Swatch is not currently included as standard software with any UNIX distribution, but it is available via anonymous FTP from ftp://sierra.stanford.edu/swatch or ftp://coast.cs.purdue.edu/pub/tools/swatch .
Swatch has two modes of operation. It can be run in batch, scanning a log file according to a preset configuration. Alternatively, Swatch can monitor your log files in real time, looking at lines as they are added.
Swatch is run from the command line:
% swatch options input-source
The following are the ones that you will most likely use when running Swatch:
The Swatch options given below allow you to change the separator that the program uses when interpreting its files. They are probably of limited use in most applications:
The input source is specified by one of the following arguments:
Swatch's operation is controlled by a configuration file. Each line of the file consists of four tab-delimited fields, and has the form:
/pattern/[,/pattern/,...] action[,action,...] [[[HH:]MM:]SS] [start:length]
The first field specifies a pattern which is scanned for on each line of the log file. The pattern is in the form of a Perl regular expression, which is similar to regular expressions used by egrep . If more than one pattern is specified, then a match on either pattern will signify a match.
The second field specifies an action to be taken each time the pattern in the first field is matched. Swatch supports the following actions:
The third and fourth fields are optional. They give you a technique for controlling identical lines which are sent to the log file. If you specify a time, then Swatch will not alert you for identical lines which are sent to the log file within the specified period of time. Instead, Swatch will merely notify you when the first line is triggered, and then after the specified period of time has passed. The fourth field specifies the location within the log file where the timestamp takes place.
For example, on one system, you may have a process which generates the following message repeatedly in the log file:
Apr 3 01:01:00 next routed: bind: Bad file number Apr 3 02:01:00 next routed: bind: Bad file number Apr 3 03:01:00 next routed: bind: Bad file number Apr 3 04:01:00 next routed: bind: Bad file number
You can catch the log file message with the following Swatch configuration line:
/routed.*bind/ echo 24:00:00 0:16
This line should cause Swatch to report the routed message only once a day, with the following message:
*** The following was seen 20 times in the last 24 hours(s): ==> next routed: bind: Bad file number
Be sure that you use the tab character to separate the fields in your configuration file. If you use spaces, you may get an error message like this: