The parts in blue are the ones I modified.
Cisco log example (matches "changed state"):
Sep 6 16:58:29 Cisco2821 988: Sep 6 16:58:31.052: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
Sep 6 16:58:33 Cisco2821 989: Sep 6 16:58:34.656: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down
H3C log example (matches "STATUS CHANGE(l)"):
Sep 6 22:50:13 h3c-3 h3c-03 %%10L2INF/5/PORT LINK STATUS CHANGE(l):- 1 - Ethernet1/0/23: is DOWN
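Added example (not from the original post): a shell dry run of the two match strings above over the three quoted log lines plus one constructed non-matching line, to check what a rule keyed on them would pick up before it goes into the swatch configuration. The function names and the host|interface|state output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Sample input: the three log lines quoted above, plus one constructed
# line (the last) that neither pattern should match.
sample_log() {
cat <<'EOF'
Sep 6 16:58:29 Cisco2821 988: Sep 6 16:58:31.052: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
Sep 6 16:58:33 Cisco2821 989: Sep 6 16:58:34.656: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down
Sep 6 22:50:13 h3c-3 h3c-03 %%10L2INF/5/PORT LINK STATUS CHANGE(l):- 1 - Ethernet1/0/23: is DOWN
Sep 6 22:51:02 Cisco2821 990: Sep 6 22:51:03.100: %SYS-5-CONFIG_I: Configured from console by vty0
EOF
}

# link_events (hypothetical helper): read syslog lines on stdin and print
# "host|interface|state" for every line containing one of the match strings.
# The parentheses in "(l)" are escaped because awk, like the Perl patterns
# swatch uses, would otherwise treat them as a regex group.
link_events() {
    awk '
    /changed state/ {                       # Cisco %LINK-* messages
        iface = $0; sub(/.*Interface /, "", iface); sub(/,.*/, "", iface)
        state = $0; sub(/.*changed state to /, "", state)
        print $4 "|" iface "|" state
        next
    }
    /STATUS CHANGE\(l\)/ {                  # H3C port link messages
        iface = $0; sub(/.*- /, "", iface); sub(/:.*/, "", iface)
        state = $0; sub(/.*: is /, "", state)
        print $4 "|" iface "|" state
    }'
}

# down_ports (hypothetical helper): unique "host interface" pairs whose
# new state ends in "down", in either letter case.
down_ports() {
    link_events | awk -F'|' 'tolower($3) ~ /down$/ { print $1 " " $2 }' | sort -u
}

# Stand-alone run: show what the patterns extract from the sample lines.
sample_log | link_events
```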
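4. Configuring the startup script
swatch can be started by hand from the command line, or you can write your own startup script. I found one online and adapted it; it can only monitor a single file.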
#cat /etc/init.d/swatch
#!/bin/sh
# swatch        This shell script takes care of starting and stopping
#               standalone swatch.

# Exit quietly if swatch is not installed.
[ -x /usr/bin/swatch ] || exit 0

RETVAL=0
prog="swatch"

start() {
    echo "Starting $prog: "
    # Refuse to start if the PID recorded in the lock file is still alive.
    if [ -e /var/lock/subsys/$prog ]; then
        if [ -e /proc/`cat /var/lock/subsys/$prog` ]; then
            echo "cannot start $prog: $prog is already running."
            return 1
        fi
    fi
    # --pid-file writes the daemon's PID into the lock file that stop() reads.
    /usr/bin/swatch -t /var/log/syslog-ng/2007/09/network/messages --daemon -c /usr/local/etc/netdevicerc --pid-file /var/lock/subsys/$prog >> /var/log/swatch.log 2>&1
    RETVAL=$?
    [ $RETVAL -eq 0 ] && {
        touch /var/lock/subsys/$prog
        echo "swatch started"
        return $RETVAL
    }
    echo "cannot start $prog"
    echo
    return $RETVAL
}

stop() {
    echo -n "Stopping $prog: "
    echo
    if [ ! -e /var/lock/subsys/$prog ]; then
        echo -n "cannot stop $prog: $prog is not running."
        echo
        return 1
    fi
    # Send SIGTERM to the PID stored in the lock file.
    kill -15 `cat /var/lock/subsys/$prog`
    RETVAL=$?
    [ $RETVAL -eq 0 ] && {
        rm -f /var/lock/subsys/$prog
        echo "swatch stopped"
        return $RETVAL
    }
    echo -n "cannot stop $prog"
    echo
    return $RETVAL
}

status() {
    # Report success (0) when the lock file exists, failure (1) otherwise.
    if [ -e /var/lock/subsys/$prog ]; then
        echo "$prog is running."
        return 0
    fi
    echo "$prog is not running."
    return 1
}

# Dispatch on the first argument.
case "$1" in
    start)  start ;;
    stop)   stop ;;
    status) status ;;
    *)      echo "Usage: $0 {start|stop|status}"; exit 1 ;;
esac
exit $?
Add it to system startup:
#rc-update -a swatch default
To start it manually:
#/usr/bin/swatch -t /var/log/syslog-ng/2007/09/network/messages --daemon -c /usr/local/etc/netdevicerc --pid-file /var/lock/subsys/swatch
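The log file shown in blue depends on how my log server is configured. One drawback is that this file has to be edited once a month :)
5. Starting swatch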
#/etc/init.d/swatch start
For the log server configuration, see my article: http://blog.chinaunix.net/u/12479/showart_377164.html.