Network Management Workshop

Using Swatch

1. Let's enable logging of everything to a single file:

   - Edit /etc/syslog-ng/syslog-ng.conf, and add this at the end:

       destination everything {
         file("/var/log/everything"
           template("$DATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
           template_escape(no)
         );
       };
       log { source(s_all); destination(everything); };

   ... this will enable logging of ALL messages to a single file, so that
   we can run a monitoring script on the messages.

2. Enable a daily automated script to truncate the log file so it doesn't
   grow too big:

   Create the file /etc/logrotate.d/everything

       /var/log/everything {
         daily
         copytruncate
         rotate 1
         postrotate
           /etc/init.d/swatch restart
         endscript
       }

3. Install swatch

       # apt-get install swatch

4. Create the file /etc/swatch.conf, and put this in it:

       watchfor /PRIV_AUTH_PASS/
         mail=mgmt,subject=Enable mode entered
         threshold type=limit,count=1,seconds=3600

       watchfor /CONFIG_I/
         mail=mgmt,subject=Router config
         threshold type=limit,count=1,seconds=3600

       watchfor /LINK-3-UPDOWN/
         mail=mgmt,subject=Link state change
         threshold type=limit,count=1,seconds=3600

5. Start swatch:

       # swatch -c /etc/swatch.conf --daemon

   Check that it is running:

       # ps ax | grep swatch

6. Log in to your router, and run some "config" commands

7. Check that mails are coming in:

       # mutt -f /var/mail/mgmt
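
Added example (not part of the original workshop handout): a dry run of the three watchfor rules over a constructed sample of /var/log/everything, to show which lines would send mail and which the threshold would drop. It assumes a simplified model of "threshold type=limit" (at most count mails per rule in each seconds-long window, starting at the first match); the function name, the year and the sample hosts, users and addresses are invented for the illustration.

```python
import re
from datetime import datetime

# Patterns and mail subjects copied from the /etc/swatch.conf on this page.
RULES = [
    ("PRIV_AUTH_PASS", "Enable mode entered"),
    ("CONFIG_I", "Router config"),
    ("LINK-3-UPDOWN", "Link state change"),
]
LIMIT, WINDOW = 1, 3600  # count=1, seconds=3600

# Parses the syslog-ng template "$DATE <$FACILITY.$PRIORITY> $HOST $MSG".
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) <[\w.]+> (\S+) (.*)$")

# Constructed sample log (not real data).
SAMPLE = """\
Jun 13 10:00:05 <local5.notice> rtr1 %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by admin on vty0 (10.10.0.5)
Jun 13 10:00:40 <local5.notice> rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
Jun 13 10:01:10 <local5.err> rtr1 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Jun 13 10:01:12 <local5.notice> rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Jun 13 10:20:00 <local5.err> rtr1 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Jun 13 11:30:00 <local5.notice> rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
"""

def simulate(text, year=2024):
    """Return (mails, suppressed) under the simplified threshold model."""
    state = {}  # pattern -> (window_start, mails_sent_in_window)
    mails, suppressed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not follow the template
        # $DATE carries no year, so one is assumed for the arithmetic.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for pattern, subject in RULES:
            if not re.search(pattern, line):
                continue
            start, sent = state.get(pattern, (None, 0))
            if start is None or (when - start).total_seconds() >= WINDOW:
                start, sent = when, 0  # previous window expired, open a new one
            if sent < LIMIT:
                mails.append((m.group(1), m.group(2), subject))
                sent += 1
            else:
                suppressed.append((m.group(1), subject))
            state[pattern] = (start, sent)
            break  # the first matching rule handles the line
    return mails, suppressed
```

Calling simulate(SAMPLE) yields four mails and one suppressed match: the second LINK-3-UPDOWN falls inside the one-hour window, while the LINEPROTO-5-UPDOWN line matches no rule at all.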