Using swatch to monitor Cisco router and H3C switch port status in real time
swatch monitors system log files in real time and runs a specified action whenever a particular event is matched. The events swatch watches for, and the action for each event, are kept in swatch's configuration file; the default configuration file is .swatchrc in the user's home directory.
swatch can do a great deal; here I mainly use it to monitor the port status of Cisco routers and H3C switches.
 
My system environment: Gentoo-2007.0_amd64
 
Prerequisites:
1. Configure a syslog-ng log server to receive logs
2. Configure the Cisco routers and H3C switches to send their logs to the log server
 
 
1. Download the latest version of swatch from here; the current latest version is
 
2. Installation
#tar zxvf swatch-3.2.2.tar.gz
#cd swatch-3.2.2
#perl Makefile.PL
If you see:
    Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
    Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
    Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
    Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
then you need to install those modules, as follows:
#perl -MCPAN -e shell   (sets up the CPAN module installation environment)
cpan>install Date::Calc
cpan>install Date::Parse
cpan>install File::Tail
cpan>install Time::HiRes
cpan>exit
#perl Makefile.PL
#make
#make test
#make install
#make realclean
 
3. Configuration
My configuration file /usr/local/etc/netdevicerc is mainly used to monitor the port status of the routers and switches; whenever a port changes state, an alert e-mail is sent:
watchfor = /changed state|STATUS CHANGE\(l\)/
mail = user@yourdomain.com, from = "notify \<notify\@yourdomain.com\>"

watchfor specifies the pattern to look for in the tailed log file; it is a regular expression.
Note the second line: I added a from directive, which sets the sender address swatch uses when it mails. This requires modifying swatch's Actions.pm file, located at /usr/lib64/perl5/site_perl/5.8.8/Swatch/Actions.pm. In the send_email subroutine, add the following lines before print MAIL_PIPE <<"EOF";:
 
  # Sender address: like $to_line in the original, turn ':' separators into ','
  (my $from_line = $args{'FROM'}) =~ s/:/,/g;
  my @mail_body;
  my $s_body;
  my $temp_mess = $args{'MESSAGE'};
  # Drop "administratively" so "administratively down" splits like a plain "down"
  $temp_mess =~ s/administratively//;
  # Field 3 is the device hostname in every format below
  if ($temp_mess =~ /Line protocol/) {
      # Cisco %LINEPROTO-5-UPDOWN: field 13 is the interface (trailing comma), 17 the state
      @mail_body = (split " ",$temp_mess);
      $mail_body[13] =~ s/,//;
      $s_body = "$mail_body[3]'s $mail_body[13] is $mail_body[17]!";
  } elsif ($temp_mess =~ /h3c/) {
      # H3C PORT LINK STATUS CHANGE(l): field 11 is the interface (trailing colon), 13 the state
      @mail_body = (split " ",$temp_mess);
      $mail_body[11] =~ s/://;
      $s_body = "$mail_body[3]'s $mail_body[11] is $mail_body[13]!";
  } else {
      # Cisco %LINK-3-UPDOWN / %LINK-5-CHANGED: field 10 is the interface (trailing comma), 14 the state
      @mail_body = (split " ",$temp_mess);
      $mail_body[10] =~ s/,//;
      $s_body = "$mail_body[3]'s $mail_body[10] is $mail_body[14]!";
  }
 
Then, comparing against the original file, change the following lines:
  print MAIL_PIPE <<"EOF";
From: $from_line
To: $to_line
Subject: $s_body
$args{'MESSAGE'}
EOF
  close(MAIL_PIPE);
}
 
The blue text marks my changes.
Cisco log examples (matched by "changed state"):
Sep  6 16:58:29 Cisco2821 988: Sep  6 16:58:31.052: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
Sep  6 16:58:33 Cisco2821 989: Sep  6 16:58:34.656: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down
 
H3C log example (matched by "STATUS CHANGE(l)"):
Sep  6 22:50:13 h3c-3 h3c-03 %%10L2INF/5/PORT LINK STATUS CHANGE(l):- 1 -  Ethernet1/0/23: is DOWN
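As an added illustration (Python, not part of the original post and not swatch's own code), the following parses the same Cisco and H3C link-state messages with regular expressions instead of fixed whitespace-split indices, builds the same subject string as the modified Actions.pm (keeping "administratively down" distinct from "down"), and counts events per interface to spot flapping ports. The sample lines are constructed from the examples above plus an invented LINEPROTO line and an unrelated message.

```python
import re
from collections import Counter

# Cisco IOS LINK/LINEPROTO events, e.g. "%LINK-5-CHANGED: Interface Serial0/0/0,
# changed state to administratively down"; the state phrase is kept whole on purpose.
CISCO_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s.*?%(?:LINK|LINEPROTO)-\d-\w+:\s+"
    r"(?:Line protocol on\s+)?Interface\s+(?P<iface>\S+?),\s+changed state to\s+(?P<state>.+?)\s*$")

# H3C events, e.g. "%%10L2INF/5/PORT LINK STATUS CHANGE(l):- 1 -  Ethernet1/0/23: is DOWN"
H3C_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s.*?PORT LINK STATUS CHANGE\(l\):.*?-\s+"
    r"(?P<iface>\S+?):\s+is\s+(?P<state>\S+)\s*$")

# Constructed sample: the three lines from the post, an invented LINEPROTO line, and an unrelated message.
SAMPLE_LINES = [
    "Sep  6 16:58:29 Cisco2821 988: Sep  6 16:58:31.052: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down",
    "Sep  6 16:58:33 Cisco2821 989: Sep  6 16:58:34.656: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down",
    "Sep  6 17:02:10 Cisco2821 990: Sep  6 17:02:11.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up",
    "Sep  6 22:50:13 h3c-3 h3c-03 %%10L2INF/5/PORT LINK STATUS CHANGE(l):- 1 -  Ethernet1/0/23: is DOWN",
    "Sep  6 23:01:02 Cisco2821 991: Sep  6 23:01:03.001: %SYS-5-CONFIG_I: Configured from console by vty0",
]

def parse_link_event(line):
    """Return (host, interface, state) for a link-state event, or None for any other line."""
    m = CISCO_RE.match(line) or H3C_RE.match(line)
    if not m:
        return None
    return m.group("host"), m.group("iface"), m.group("state").lower()

def subject_for(line):
    """Build the same style of alert subject as the modified Actions.pm, e.g. "Cisco2821's Serial0/0/0 is down!"."""
    ev = parse_link_event(line)
    return None if ev is None else f"{ev[0]}'s {ev[1]} is {ev[2]}!"

def flapping_interfaces(lines, threshold=3):
    """Count link-state events per (host, interface) and return those at or above threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_link_event(line)
        if ev:
            counts[ev[:2]] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(subject_for(line))
    print(flapping_interfaces(SAMPLE_LINES))
```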
 
4. Init script
swatch can be started manually from the command line, or you can write your own init script. I found one on the web and adapted it; it can only monitor a single file.
#cat /etc/init.d/swatch
 
#!/sbin/runscript
# swatch  This script takes care of starting and stopping standalone swatch.
# (The runscript header is assumed here: it is what Gentoo init scripts of this
# era use and what lets rc-update and "/etc/init.d/swatch start" dispatch to the
# start/stop functions below; the post shows the script without a first line.)
[ -x /usr/bin/swatch ] || exit 0

RETVAL=0
prog="swatch"
# Log file to tail; the 2007/09 part follows the syslog-ng destination layout
# and has to be changed every month.
LOGFILE=/var/log/syslog-ng/2007/09/network/messages

start() {
        echo "Starting $prog: "
        if [ -e /var/lock/subsys/$prog ]; then
                # pid file exists: refuse to start if that pid is still alive
                if [ -e /proc/`cat /var/lock/subsys/$prog` ]; then
                        echo "cannot start $prog: $prog is already running."
                        return 1
                fi
        fi
        /usr/bin/swatch -t $LOGFILE --daemon -c /usr/local/etc/netdevicerc --pid-file /var/lock/subsys/$prog >> /var/log/swatch.log 2>&1
        RETVAL=$?
        [ $RETVAL -eq 0 ] && {
                touch /var/lock/subsys/$prog
                echo "swatch started"
                return $RETVAL
        }
        echo "cannot start $prog"
        return $RETVAL
}

stop() {
        echo "Stopping $prog: "
        if [ ! -e /var/lock/subsys/$prog ]; then
                echo "cannot stop $prog: $prog is not running."
                return 1
        fi
        kill -15 `cat /var/lock/subsys/$prog`
        RETVAL=$?
        [ $RETVAL -eq 0 ] && {
                rm -f /var/lock/subsys/$prog
                echo "swatch stopped"
                return $RETVAL
        }
        echo "cannot stop $prog"
        return $RETVAL
}

status() {
        if [ -e /var/lock/subsys/$prog ]; then
                echo "$prog is running."
                return 0
        fi
        echo "$prog is not running."
        return 1
}
 
Add it to the system startup:
#rc-update -a swatch default
 
To start it manually:
#/usr/bin/swatch -t /var/log/syslog-ng/2007/09/network/messages --daemon -c /usr/local/etc/netdevicerc --pid-file /var/lock/subsys/swatch
 
The blue part of the log path (the year/month directory) depends on how my log server is configured. One drawback is that the file has to be edited once a month :)
 
5. Start
#/etc/init.d/swatch start
 
For the log server configuration, see my other article: http://blog.chinaunix.net/u/12479/showart_377164.html