############################################################################### ### Swatch example config # # The configuration file is used by the swatch(8) program to determine what # types of expression patterns to look for and what type of action(s) should be # taken when a pattern is matched. # Each line should contain a keyword and a, sometimes optional, value for that # keyword. The keyword and value are separated by a space or an equal (=) sign. # # watchfor regex # ignore regex # # echo [modes] # Echo the matched line. The text mode may be normal, bold, underscore, # blink, inverse, black, red, green, yellow, blue, magenta, cyan, white, # black_h, red_h, green_h, yellow_h, blue_h, magenta_h, cyan_h, # and/or white_h. The _h colors specify a highlighting color. The other # colors are assigned to the letters. Some modes may not work on some # terminals. Normal is the default. # bell [N] # Echo the matched line, and send a bell N times (default = 1). # exec command # Execute command. The command may contain variables which are substituted # with fields from the matched line. A $N will be replaced by the Nth field # in the line. A $0 or $* will be replaced by the entire line. # mail [addresses=address:address:...][,subject=your_text_here] # Send mail to address(es) containing the matched lines as they appear # (default address is the user who is running the program). # pipe command[,keep_open] # Pipe matched lines into command. Use the keep_open option to force the # pipe to stay open until a different pipe action is run or until swatch # exits. # write [user:user:...] # Use write(1) to send matched lines to user(s). # threshold track_by=key, type= # Thresholding can be done for the complete watchfor block and/or for # individual actions. Add ``threshold=on'' as an option along with the other # threshold options when thresholding an individual action. # track_by # The value of this should be something that is unique to the # watchfor regular expression. Tip: enclose unique parts of the # regular expression in parentheses, then use the sub matches as # part of the value (e.g. track_by=``$2:$4''). # type # There are three types of thresholding. They are as follows: # limit # Perform action(s) for the first "count`` matches during # the time interval specified by ''seconds", then ignore # events for the rest of the time interval (kind of like # throttle) # threshold # Perform action(s) on each match for up to count matches # during the time interval specified by seconds # both # Perform actions(s) once per time interval after "count`` # matches occur, then ignore additional matches during the # time interval specified by ''seconds" # continue # Use this action to cause swatch to continue to try to match other # pattern/action groups after it is done with the current pattern/action # block. # quit # Use this action to cause swatch to clean up and quit immediately. ############################################################################### ## Successful SSH Login Attempts watchfor /sshd.*(: [aA]ccepted)(.*)( from )(.*)( port .*)$/ threshold track_by=$4,type=limit,count=1,seconds=60 echo bold green #mail='receiver@foo.bar',SUBJECT=sshd: Accepted connection,MAILER=sendmail -t -S smtp.foo.bar -f sender\@foo.bar ## Invalid SSH Login Attempts watchfor /sshd.*(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/ threshold track_by=$4,type=both,count=3,seconds=60 echo bold red ## Failed SSH Login Attempts watchfor /sshd.*(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/ threshold track_by=$4,type=both,count=3,seconds=60 echo bold red ## Failed SSH Login Attempts watchfor /([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from )(.*)$/ threshold track_by=$4,type=both,count)3,seconds=60 echo bold red ## Invalid sudo commands watchfor /sudo:.*[Cc]ommand not allowed/ echo bold red ## File system full watchfor /file system full/ echo bold blue ## System crashes and halts watchfor /(panic|halt)/ echo bold red ## File system errors watchfor /[Mm]edia [Ee]rror/ echo bold yellow