swatch
Monitor logs and trigger actions on events
SYNOPSIS
swatch [options] [configuration_file]
PARAMETERS
-c configuration_file
Specify the configuration file to use. Defaults to ~/.swatchrc.
-d
Run in daemon mode. Swatch will detach from the terminal and run in the background.
-f logfile
Specify the log file to monitor. This option can be used multiple times to monitor several log files.
-p pidfile
Specify a PID file when running in daemon mode. This allows you to easily stop the daemon later.
-t
Run in test mode. This will print the parsed configuration file and exit.
-v
Enable verbose output.
--version
Display the version information and exit.
DESCRIPTION
Swatch is a program designed to monitor log files and react to events based on regular expressions. It reads log files line by line, searching for patterns defined in a configuration file. When a match is found, swatch can perform a variety of actions, such as logging the event, sending email notifications, running custom commands, or even writing to a database. Swatch is particularly useful for security monitoring, intrusion detection, and system administration. It is lightweight and easy to configure, making it a practical solution for real-time log analysis and alerting. While originally developed to watch security logs, it can be adapted to monitor any text-based log file by customizing the regular expressions and actions. Configuration is typically done via a configuration file (often named `.swatchrc`) that contains the regular expressions to match and the actions to be performed. It is available in most standard Linux package repositories, further simplifying its use. Because swatch monitors logs continuously, it reports problems as soon as they are logged.
CAVEATS
Swatch relies on properly formatted log files. Incorrectly formatted logs or complex event handling may require more sophisticated log analysis tools. Regular expression performance can significantly impact swatch's overall performance.
CONFIGURATION FILE SYNTAX
The configuration file uses a simple syntax: a 'watchfor /regular_expression/' line followed by one or more indented action lines, one action per line. Multiple actions can be specified for a single watchfor expression.
Valid actions include 'echo', 'mail', 'exec', and more. See the swatch man page for full details.
EXAMPLE .SWATCHRC
watchfor /Failed login/
    echo bold,red
    mail addresses=admin\@example.com,subject=Failed\ Login\ Attempt
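As an added illustration, not part of swatch or of this page's original text: a small Python parser for the watchfor syntax above, run over constructed sshd/sudo-style log lines. It models swatch's first-match-wins rule, the 'continue' action, and the backslash escaping of '@' and spaces in mail arguments; the configuration, the log lines and the exec path are constructed for the example.

```python
import re

def parse_swatchrc(text):
    """Parse 'watchfor /regex/' headers plus indented action lines into (regex, [(action, arg)]) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments; no '#' inside regexes here
        if not line.strip():
            continue
        header = re.match(r"^watchfor\s+/(.*)/\s*$", line)
        if header:
            rules.append((re.compile(header.group(1)), []))
        elif line[0].isspace() and rules:
            name, _, arg = line.strip().partition(" ")
            # the file is evaluated as Perl, so '@' and spaces arrive backslash-escaped
            rules[-1][1].append((name, re.sub(r"\\(.)", r"\1", arg)))
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return rules

def scan(rules, log_lines):
    """Return (log line, action) pairs that fire; first matching watchfor wins unless it says 'continue'."""
    fired = []
    for entry in log_lines:
        for pattern, actions in rules:
            if not pattern.search(entry):
                continue
            fired.extend((entry, a) for a in actions if a[0] != "continue")
            if ("continue", "") not in actions:
                break
    return fired

# Constructed configuration in the format shown above (escaping as swatch expects)
SAMPLE_RC = """\
watchfor /Failed password for/
    echo bold,red
    mail addresses=admin\\@example.com,subject=Failed\\ Login\\ Attempt
watchfor /session opened for user root/
    exec /usr/local/bin/notify-root-login
    continue
watchfor /root/
    echo bold
"""
# Constructed sshd/sudo-style lines, not real log data
SAMPLE_LOG = [
    "Jan 10 10:00:01 host sshd[123]: Failed password for invalid user bob from 203.0.113.5 port 4242 ssh2",
    "Jan 10 10:00:05 host sshd[124]: Accepted publickey for alice from 198.51.100.7 port 5151 ssh2",
    "Jan 10 10:00:09 host sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)",
]
```

Running scan(parse_swatchrc(SAMPLE_RC), SAMPLE_LOG) fires echo and mail for the failed login, and exec followed by the /root/ rule's echo for the sudo line, because 'continue' lets matching proceed to later rules.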
SIGNAL HANDLING
When running as a daemon, Swatch handles signals such as SIGHUP to reload the configuration file without restarting the process. This allows for dynamic updates to the monitoring rules.
HISTORY
Swatch was developed to provide a simple and flexible means of monitoring log files in real-time. Its initial focus was on security logs, hence the name "Simple WATCHer".
Over time, it has been enhanced with features like daemonization, multiple log file support, and more robust configuration options. It filled a gap in system administration, offering a simpler alternative to more complex intrusion detection systems.