swatch can monitor system log files in real time and run a specified action whenever a particular event is matched. The events swatch watches for, and the action for each event, are kept in swatch's configuration file; the default is .swatchrc in the user's home directory.
swatch can do a lot; here I mainly use it to monitor port status on Cisco routers and H3C switches.
My environment: Gentoo-2007.0_amd64
Prerequisites:
1. Configure a syslog-ng log server to receive the logs
2. Configure the Cisco routers and H3C switches to send their logs to the log server
I. Download the latest swatch from here; the current latest version is
http://sourceforge.net/project/showfiles.php?group_id=68627
II. Install
#tar xzf swatch-3.2.2.tar.gz
#cd swatch-3.2.2
#perl Makefile.PL
If you see:
Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
then those modules need to be installed, as follows:
#perl -MCPAN -e shell (sets up the CPAN module installation environment)
cpan> install Date::Calc
cpan> install Date::Parse
cpan> install File::Tail
cpan> install Time::HiRes
cpan> exit
#perl Makefile.PL
#make
#make test
#make install
#make realclean
III. Configure
My configuration file, /usr/local/etc/netdevicerc, is mainly used to monitor the port status of the routers and switches; as soon as a port changes state it sends an alert e-mail:
watchfor = /changed state|STATUS CHANGE\(l\)/
mail = user@yourdomain.com, from = "notify \"
watchfor gives the keywords to look for in the tailed log; it is a regular expression (the first alternative matches the Cisco "changed state to ..." messages, the second the H3C "STATUS CHANGE(l)" messages).
Note the second line: I added a from directive, which defines the sender address swatch uses when it mails. This requires modifying swatch's Actions.pm, located at /usr/lib64/perl5/site_perl/5.8.8/Swatch/Actions.pm. In the send_email subroutine, ahead of the print MAIL_PIPE statement, add:
# Sender address: the same colon-to-comma rewrite swatch applies to $to_line
(my $from_line = $args{'FROM'}) =~ s/:/,/g;
my @mail_body;
my $s_body;
my $temp_mess = $args{'MESSAGE'};
# Drop "administratively" so that "administratively down" and "down" leave
# the state word at the same field position
$temp_mess =~ s/administratively//;
# The field positions below depend on the exact layout of the syslog line
# (timestamp, host, sequence number, ...) as written by syslog-ng
if ($temp_mess =~ /Line protocol/) {
    # Cisco "Line protocol on Interface X, changed state to ..." messages
    @mail_body = (split " ", $temp_mess);
    $mail_body[13] =~ s/,//;
    $s_body = "$mail_body[3]'s $mail_body[13] is $mail_body[17]!";
} elsif ($temp_mess =~ /h3c/) {
    # H3C port link status change messages
    @mail_body = (split " ", $temp_mess);
    $mail_body[11] =~ s/://;
    $s_body = "$mail_body[3]'s $mail_body[11] is $mail_body[13]!";
} else {
    # Anything else, i.e. the Cisco "Interface X, changed state to ..." messages
    @mail_body = (split " ", $temp_mess);
    $mail_body[10] =~ s/,//;
    $s_body = "$mail_body[3]'s $mail_body[10] is $mail_body[14]!";
}
Then, comparing against the original file, change the following lines (the blank line after the Subject header is required; it separates the mail headers from the body):
print MAIL_PIPE <<EOF;
From: $from_line
To: $to_line
Subject: $s_body

$args{'MESSAGE'}
EOF
close(MAIL_PIPE);
}
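As an added example (not from this post and not swatch's own code), the same subject-building logic rewritten with regex captures instead of fixed field positions, so it still works when the syslog prefix differs (hostname instead of IP address, no Cisco sequence number). The sample lines are constructed, and the H3C message layout is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same pattern as the watchfor line in the config above.
my $watchfor = qr/changed state|STATUS CHANGE\(l\)/;

# Build the alert subject "host's iface is state!" for one syslog line.
# Returns an empty list when the line is not a recognised port event.
sub port_alert_subject {
    my ($line) = @_;
    # Host is the 4th field in syslog-ng's default "Mon DD HH:MM:SS host ..."
    # layout, the same position as $mail_body[3] above.
    my $host = (split ' ', $line)[3];
    return unless defined $host;

    # Cisco %LINK-x-UPDOWN / %LINK-x-CHANGED / %LINEPROTO-x-UPDOWN;
    # "administratively down" is reported as "down", as above.
    if ($line =~ /%(?:LINK|LINEPROTO)-\d-(?:UPDOWN|CHANGED): (?:Line protocol on )?Interface (\S+), changed state to (?:administratively )?(\w+)/) {
        return "${host}'s $1 is $2!";
    }
    # H3C Comware link trap (assumed layout): "...<linkDown>: ... ifDescr is Ethernet1/0/9"
    if ($line =~ /STATUS CHANGE\(l\).*?<link(Up|Down)>.*?ifDescr is (\S+)/) {
        return "${host}'s $2 is " . lc($1) . "!";
    }
    return;
}

# Constructed sample lines (not captured from real devices).
my @samples = (
    'Jun 12 10:03:41 192.168.1.1 45: *Mar  1 00:12:33.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down',
    'Jun 12 10:03:50 core-rtr 46: *Mar  1 00:12:42.001: %LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down',
    'Jun 12 10:05:12 192.168.1.2 %Jun 12 10:05:12 2008 h3c L2INF/5/PORT LINK STATUS CHANGE(l):- 1 - Trap 1.3.6.1.6.3.1.1.5.4<linkUp>: portIndex is 4227689, ifAdminStatus is 1, ifOperStatus is 1, ifDescr is Ethernet1/0/9',
    'Jun 12 10:06:00 192.168.1.1 47: *Mar  1 00:14:00.000: %SYS-5-CONFIG_I: Configured from console by vty0',
);

for my $line (@samples) {
    next unless $line =~ $watchfor;    # only what swatch's watchfor would pass on
    my $subject = port_alert_subject($line);
    print defined $subject ? "Subject: $subject\n" : "unparsed: $line\n";
}
```

The fourth sample never reaches the parser, which mirrors swatch only firing the mail action for lines that match watchfor.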