RE: important errors to control with swatch

I agree... Not only is it very hard to find tools, but yes, you do have to
create your own RegEx filters.

I use SEC to monitor a "combined" log from my central syslog server and have
to, at times, create new filters for it. The good thing is that there are
some "generic" filters already available... For instance, Linux based
failures or events such as:

sshd accept / failure

Then you still would have to create custom filters for your specific devices
and routers etc.

I use SEC to pipe the output of the trap to a CLI email program which is
very easy to use. I make the program email my account, and for serious
issues, email my cell phone as a SMS Text Message.

It's not hard... It just takes a little bit of time.

People could create a repository of 'tested' RegEx filters for devices and
make that publicly available...

Reynold McGuire
Network Engineer
Suffolk University, Information Technology Services
Phone: 617.994.4277
Fax: 617.573.8747
PGP Public Key:
echo "send pgp key" | mail rmcguire@xxxxxxxxxxx
PGP Fingerprint:
5779 6011 FAC8 91EE FD93 B408 1296 F6FF CD7E

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Hari Sekhon
Sent: Tuesday, November 20, 2007 4:36 AM
To: Isaac Perez Moncho
Cc: focus-linux@xxxxxxxxxxxxxxxxx
Subject: Re: important errors to control with swatch

I'm also extremely interested in expanding my log watching to include a
massive amount of comprehensive pattern matching alerting.

I currently have some but need to expand it. The problem is that this is
really a difficult thing to approach because it can only catch known
patterns in this fashion. And whitelisting is really not practical in this
context as the logs generated are practically infinite and not really able
to whitelist them.

I think that there should really be a well maintained project of regexs for
this purpose, one official champion for us to build our baselines on... with
frequent updates...

Anyone got any ideas or regexs they want to share?

Isaac, you would do well to have things like "I/O Error" for disk
problems... "hardware hung"... etc etc, but this list is practically
endless, you should look at your logs and decide which ones you'd like to be
alerted on.


Hari Sekhon

Isaac Perez Moncho wrote:
I just installed swatch, and used this configuration file for the

Anyone knows any other common phrase or word that I should find the logs
for hardware and system errors?
Or what you consider important to monitor in the logs?