swatch
Monitor logs and trigger actions on events
SYNOPSIS
swatch [options] [filenames...]
PARAMETERS
-c
Specifies an alternative configuration file. Defaults to ~/.swatchrc if not specified.
-t
Specifies the tail program to use. Useful if your tail does not support -f or you want to use a different one (e.g., logtail).
-f
Specifies the log file(s) to watch. Can be used multiple times to watch multiple files.
-i
Specifies the interval (in seconds) that swatch sleeps before checking for new input.
-P
Writes the process ID (PID) of swatch to the specified file.
-r
Restarts swatch at the specified time (e.g., HH:MM). Useful for refreshing configurations or clearing state.
--daemon
Runs swatch in the background as a daemon process.
--dump-config
Parses the configuration file and prints the internal data structure used by swatch.
--parse-config
Parses the configuration file and exits, reporting any errors. Useful for validating configurations.
--script-dir
Specifies the directory where swatch should look for its helper scripts (e.g., mail_to, exec_shell).
--awk-prog
Specifies the path to the awk executable.
--perl-prog
Specifies the path to the perl executable.
--version
Displays the version of swatch.
--help
Displays a help message with command-line options.
DESCRIPTION
The swatch command, short for Simple Logfile Watcher, monitors log files (or any data stream) in real time. It continuously scans the specified files for patterns defined in a configuration file and performs the configured actions when a line matches, which makes it useful to system administrators for proactive problem detection. Actions include sending email alerts, executing commands, ringing the terminal bell, or writing the matching line to another log file for later analysis, so critical events such as security breaches, application errors, or resource exhaustion can be detected and responded to without constant manual log review. Its strength lies in its Perl-based configuration, which allows complex regular expressions for pattern matching and a wide array of programmable actions to suit various operational needs.
CAVEATS
swatch relies heavily on its configuration file, which uses Perl regular expressions. Misconfigured regular expressions or actions can lead to unexpected behavior, excessive resource consumption (for example, an unanchored, backtracking-heavy pattern applied to every line), or missed alerts. In high-volume log environments its single-threaded design can become a bottleneck. It is also important to manage the actions it performs: 'mail' actions can flood an inbox if not throttled, and 'exec' actions can pose security risks because the matched text originates from log content that an attacker may be able to influence, so they should be constrained by permissions and input validation.
CONFIGURATION FILE STRUCTURE
The core of swatch's functionality lies in its configuration file, typically ~/.swatchrc or specified by -c. This file defines a set of rules, each consisting of a regular expression pattern and associated actions to perform when that pattern is matched in the log file. Common actions include echo (print to screen), bell (ring terminal bell), mail (send email), exec (execute a command), pipe (pipe output to a command), throttle (limit action frequency), and threshold (limit actions based on count). Each rule can also specify options like period to define how often an action can be performed for a given pattern.
USE CASES
swatch is commonly used for:
Real-time alerting on security events (e.g., failed login attempts, privilege escalations).
Monitoring application errors and warnings in custom log files.
Detecting resource exhaustion (e.g., disk full, low memory) from system logs.
Triggering automated responses to specific log entries, such as restarting a service or collecting diagnostic information.
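The following is an added example configuration, not part of this page or of the swatch distribution, that applies the rule structure described under CONFIGURATION FILE STRUCTURE to the use cases listed above. The keywords (watchfor, ignore, echo, bell, mail, exec, throttle, threshold, when) follow swatch 3.x syntax as I understand it; the file paths, script name, addresses, and log line formats are assumptions, and the file should be checked with the --parse-config option before it is deployed.

```conf
# /etc/swatchrc (constructed example; not the page's or swatch's own text).
# Rules are tried in order and the first matching rule's actions fire.
# Validate before use (options as documented above):
#   swatch -c /etc/swatchrc --parse-config
# Run against a log file in the background:
#   swatch -c /etc/swatchrc -f /var/log/auth.log -P /run/swatch.pid --daemon

# Silence known-benign noise first so later rules never see it.
ignore /pam_unix\(cron:session\): session (opened|closed)/

# Security event: repeated SSH failures from one source address.
# track_by=$2 keys the counter on the captured address; type=limit means
# the actions fire once per address per 60 s window, not once per line.
# The "@" in addresses is escaped because the file is parsed as Perl.
watchfor /sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)/
    echo red
    mail addresses=security\@example.com,subject="swatch: SSH brute-force activity"
    threshold track_by=$2,type=limit,count=5,seconds=60

# Security event: privilege escalation via sudo. Alert on every use, but
# throttle identical messages so a sudo loop cannot flood the mailbox.
watchfor /sudo:\s+(\S+) : .*COMMAND=/
    echo bold
    mail addresses=security\@example.com,subject="swatch: sudo use"
    throttle 00:10:00,key=log

# Resource exhaustion: a full filesystem reported in the system log.
# exec runs a fixed script with no log-derived arguments on purpose:
# $1/$2 carry attacker-influenced log text and must not reach a shell.
watchfor /No space left on device|ENOSPC/
    bell 3
    exec "/usr/local/sbin/collect-disk-diag.sh"
    throttle 01:00:00,key=log

# Application errors from a custom log, business hours only (Mon-Fri, 08-17).
watchfor /\b(ERROR|FATAL)\b/
    echo
    mail addresses=oncall\@example.com,subject="swatch: application error"
    when=1-5:8-17
```

Ordering matters: the ignore rule sits first so that routine cron session lines are discarded before any alerting rule is consulted, and each alerting rule carries either a threshold or a throttle so that a burst of matching lines produces a bounded number of actions.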
HISTORY
swatch originated in the early 1990s as a powerful tool for system administrators to automate monitoring of system logs. It was initially developed by Stephen E. Kochan and Steven R. Goodwin. Its design leverages Perl's strong regular expression capabilities, making it highly flexible for pattern matching. Over the years, it has remained a staple in many Unix/Linux environments for real-time log analysis due to its simplicity and effectiveness, preceding many modern log management solutions while still being relevant for its lightweight approach.