Swatchdog – Simple Log File Watcher in Real-Time in Linux

Swatchdog (the “Simple WATCH DOG”) is a simple Perl script for monitoring active log files on Unix-like systems such as Linux. It watches your logs based on regular expressions that you can define in a configuration file. You can run it from the command line or in the background, detached from any terminal using the daemon mode option.

Note that the program was originally called swatch (the “Simple Watcher”) but a request by the old Swiss watch company for a name change saw the developer change its name to swatchdog.

Read Also: 4 Good Open Source Log Monitoring and Management Tools for Linux

Importantly, swatchdog has grown from a script for watching logs produced by Unix’s syslog facility, and it can monitor just about any kind of logs.

How to Install Swatch in Linux

The package swatchdog is available to install from the official repositories of mainstream Linux distributions as a package “swatch” via a package manager as shown.

$ sudo apt install swatch	[On Ubuntu/Debian]
$ sudo yum install epel-release && sudo yum install swatch	[On RHEL/CentOS]
$ sudo dnf install swatch	[On Fedora 22+]

To install most latest version of swatchdog, you need to compile it from source using following commands in any Linux distribution.

$ git clone https://github.com/ToddAtkins/swatchdog.git
$ cd swatchdog/
$ perl Makefile.PL
$ make
$ sudo make install
$ sudo make realclean

Once you have installed the swatch, you need to create its configuration file (default location is /home/$USER/.swatchdogrc or .swatchrc), to determine what types of expression patterns to look for and what type of action(s) should be taken when a pattern is matched.

$ touch /home/tecmint/.swatchdogrc
OR
$ touch /home/tecmint/.swatchrc

Add your regular expression in this file and each line should contain a keyword and value (sometimes optional), separated by a space or an equal (=) sign. You need to specify a pattern and an action(s) to be taken when a pattern is matched.

We will use a simple configuration file, you can find more options in the swatchdog man page, for instance.

watchfor  /sudo/
	echo red
	[email protected], subject="Sudo Command"

Here, our regular expression is a literal string – “sudo”, means any time the string sudo appeared in the log file, would be printed to the terminal in red text and mail specify the action to be taken, which is to echo the matched pattern on the terminal and send an e-mail to the specified address, receptively.

After you have configured it, swatchdog reads the /var/log/syslog log file by default, if this file is not present, it reads /var/log/messages.

$ swatch     [On RHEL/CentOS & Fedora]
$ swatchdog  [On Ubuntu/Debian]

You can specify a different configuration file using the -c flag as shown in the following example.

First create a swatch configuration directory and a file.

$ mkdir swatch
$ touch swatch/secure.conf

Next, add the following configuration in the file to monitor failed login attempts, failed SSH login attempts, successful SSH logins from the /var/log/secure log file.

watchfor /FAILED/
echo red
[email protected], subject="Failed Login Attempt"

watchfor /ROOT LOGIN/
echo red
[email protected], subject="Successful Root Login"

watchfor /ssh.*: Failed password/
echo red
[email protected], subject="Failed SSH Login Attempt"

watchfor /ssh.*: session opened for user root/ 
echo red
[email protected], subject="Successful SSH Root Login"

Now run the Swatch by specifying the configuration file using the -c and log file using -t flag as shown.

$ swatchdog -c ~/swatch/secure.conf -t /var/log/secure

To run it in the background, use the --daemon flag; in this mode, it is detached from any terminal.

$ swatchdog ~/swatch/secure.conf -t /var/log/secure --daemon  

Now to test the swatch configuration, try to login into server from the different terminal, you see the following output printed to the terminal where Swatchdog is running.

*** swatch version 3.2.3 (pid:16531) started at Thu Jul 12 12:45:10 BST 2018

Jul 12 12:51:19 tecmint sshd[16739]: Failed password for root from 192.168.0.103 port 33324 ssh2
Jul 12 12:51:19 tecmint sshd[16739]: Failed password for root from 192.168.0.103 port 33324 ssh2
Jul 12 12:52:07 tecmint sshd[16739]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 12 12:52:07 tecmint sshd[16739]: pam_unix(sshd:session): session opened for user root by (uid=0)
Monitor Linux Logs in Real Time

Monitor Linux Logs in Real Time

You can also run multiple swatch processes to monitor various log files.

$ swatchdog -c ~/site1_watch_config -t /var/log/nginx/site1/access_log --daemon  
$ swatchdog -c ~/messages_watch_config -t /var/log/messages --daemon
$ swatchdog -c ~/auth_watch_config -t /var/log/auth.log --daemon

For more information, check out the swatchdog man page.

$ man swatchdog

Swatchdog SourceForge Repository: https://sourceforge.net/projects/swatch/

The following are some additional log monitoring guides that you will find useful:

  1. 4 Ways to Watch or Monitor Log Files in Real Time
  2. How to Create a Centralized Log Server with Rsyslog
  3. Monitor Server Logs in Real-Time with “Log.io” Tool
  4. lnav – Watch and Analyze Apache Logs from a Linux Terminal
  5. ngxtop – Monitor Nginx Log Files in Real Time in Linux

Swatchdog is a simple active log file monitoring tool for Unix-like systems such as Linux. Try it out and share your thoughts or ask any questions in the comments section.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

4 Responses

  1. Rosalind Benoit says:

    I just started using Swatch(dog) today on rhel and am psyched as I was originally going to have to reinvent the wheel here. Can you help me with one thing? I need to tail a specific logfile and watch for a string indicating that there may be stuck threads in my threaded java app.

    Then I’ll execute a script to generate thread dumps if the string is found. All good, but the only problem is, the name of the logfile changes every day, as the current date is appended to the filename. So what I want is to be able to add:

    swatch --config-file=/home/myuser/swatch/td-swatch-config --tail-file=/my/app/path/logs/tomcat/stdout-stderr-********.log --daemon

    to cron and have it always know to tail today’s log, whether it be stdout-stderr-20180801.log or stdout-stderr-20190101.log, etc.

    Can you help me with that? Is there an easy way? One thing I thought of would be to put the swatch command in its own script which uses variables to define the right filename (ex. dateString={date +”%m-%d”//[-]/} tailString= ‘/opt/blackboard/logs/tomcat/stdout-stderr’+$dateString+’.log’) and then run that swatchdog script every day. But then is there more overhead on effectively killing the swatchdog process when it no longer needs to be watching a file that won’t change anymore?

    Advise pretty please : )

    • Aaron Kili says:

      @Rosalind

      “One thing I thought of would be to put the swatch command in its own script which uses variables to define the right filename (ex. dateString={date +”%m-%d”//[-]/} tailString= ‘/opt/blackboard/logs/tomcat/stdout-stderr’+$dateString+’.log’) and then run that swatchdog script every day.”

      This is the possible solution, and you have to deal with the system overhead, because as long as your threaded java app continues to run, then the swatchdog script also needs to continue running to watch stuck threads. The simple idea is continuous monitoring of a file using swatchdog, this definitely causes system overhead.

  2. neo says:

    Isn’t watch -n1 tail /var/log/syslog enough?

    • Ravi Saive says:

      @Neo,

      That’s not enough, because Swatchdog uses regular expression and pattern to monitor particular string in a log file, also it has a feature to highlight those string in bold or color fashion in the output.

Leave a Reply to Ravi Saive Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.