Configuring and Running Swatch
Swatch is a command-line utility; you start it by running the swatch command followed by the options you want. Table 8.1 lists and describes the Swatch options.

Table 8.1. Swatch Command Options

--config-file <file>
    Runs Swatch using the configuration file named. The default is ./swatchrc if no option is given.

--restart-time <time>
    Restarts Swatch at the indicated time. It can also be given with a + to have Swatch restart after a given elapsed time from the current time. This can be used to have it refresh its view of the log file.

--input-record-separator <regex>
    The regular expression that follows this option tells Swatch how to delineate the boundary between one input record (line) and the next in the log file. The default is a carriage return, but if your operating system uses something different, you can change it here.

--daemon
    Runs Swatch as a system daemon. This accomplishes the same thing as starting Swatch with a trailing & (ampersand) to put it in the background.
For example, running this command:
./swatch --config-file /home/john/my-swatch-config --
will run Swatch using the configuration file found at /home/john/my-swatch-config instead of the default config file, and will also run it as a background process (daemon). The options above may be issued alone or together.
Table 8.2 lists and describes additional options that control how Swatch reads its input. Only one of these switches can be used at a time.

Table 8.2. Swatch Log File Options

--examine <file>
    Makes Swatch do a complete pass through the indicated file on every run. Use this when the file being examined is created anew each time.

--read-pipe <program>
    Instead of reading a file, has Swatch read input piped directly from the indicated program.

--tail-file <file>
    Reads only the lines newly added to the file. This is the default operation for Swatch on log files, since new entries are usually appended to the end of an existing file. It is much faster than rereading the whole file each time, especially with log files that can grow quite large, such as Web server logs.
For example, running Swatch with this command:
./swatch --examine messages --daemon
has Swatch search the entire messages file every time it runs, rather than just checking for newly added lines.
Swatch normally scans the UNIX messages file or, if there is no messages file, it defaults to the syslog file. Using these switches in Table 8.2, you could have Swatch look at any log file you want, such as the security logs or even an application-specific log file like nessus.messages.
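To make the difference between a complete pass and tailing concrete, here is an added example in plain POSIX shell. It is not code from the book or from the Swatch project; it emulates the two reading modes of Table 8.2 with grep and tail so you can watch, on a constructed log, why --examine counts old records again on every run while tail mode reports only what was appended, and how a log that is recreated (and therefore shrinks) has to be rescanned from the top. The function names, the state file, and the sshd-style log lines are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the book or Swatch): emulate Swatch's two
# reading modes on a constructed log so their behaviour can be compared.

# Complete pass (the --examine behaviour): every record in the file is
# matched on every run, so old hits are counted again each time.
scan_full() {
    # $1 = log file, $2 = extended regular expression
    grep -Ec "$2" "$1" || true
}

# Tail mode (the --tail-file behaviour): only lines appended since the
# previous run are matched. The line count already seen is kept in a
# small state file, $3, between runs.
scan_tail() {
    # $1 = log file, $2 = extended regular expression, $3 = state file
    seen=0
    [ -f "$3" ] && seen=$(cat "$3")
    total=$(wc -l < "$1" | tr -d ' ')
    # A file shorter than last time was rotated or written fresh:
    # start again from line one (this is the case --examine is meant for).
    [ "$total" -lt "$seen" ] && seen=0
    new=$((total - seen))
    echo "$total" > "$3"
    if [ "$new" -gt 0 ]; then
        tail -n "$new" "$1" | grep -Ec "$2" || true
    else
        echo 0
    fi
}

# Drive both modes over a constructed syslog-style file and return the
# five counts as one line: full, tail, full, tail, tail-after-recreate.
demo() {
    log=$(mktemp) || return 1
    state="$log.state"
    pat='Failed password'
    # Constructed sample lines; not captured from a real host.
    printf 'Jan 10 10:00:01 host sshd[100]: Accepted password for john\n' >> "$log"
    printf 'Jan 10 10:00:05 host sshd[101]: Failed password for root\n' >> "$log"
    r1=$(scan_full "$log" "$pat")            # 1: one failure so far
    r2=$(scan_tail "$log" "$pat" "$state")   # 1: first run sees the whole file
    printf 'Jan 10 10:01:00 host sshd[102]: Failed password for admin\n' >> "$log"
    r3=$(scan_full "$log" "$pat")            # 2: the old failure is counted again
    r4=$(scan_tail "$log" "$pat" "$state")   # 1: only the appended line is new
    # Recreate the file, as a log written anew on each run would be.
    printf 'Jan 10 10:02:00 host sshd[103]: Failed password for guest\n' > "$log"
    r5=$(scan_tail "$log" "$pat" "$state")   # 1: shrink detected, rescanned from the top
    rm -f "$log" "$state"
    echo "$r1 $r2 $r3 $r4 $r5"
}
```

Run it with `demo`; the expected line is `1 1 2 1 1`. The third and fourth numbers are the point: after one new failed login, the complete pass reports two hits because it rereads the earlier one, while tail mode reports the single new record, which is why tailing is the default and --examine is reserved for files that are rewritten from scratch.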