Category: Networking and Security

2011-01-14 16:24:22

  swatch monitors system log files in real time and runs a specified action whenever a configured event is matched. The events swatch watches for, and the action for each event, live in swatch's configuration file; the default is .swatchrc in the user's home directory.

  swatch can do a great deal; here I mainly use it to monitor the port status of Cisco routers and H3C switches.

  My environment: Gentoo-2007.0_amd64

  Preparation:

  1. Configure a syslog-ng log server to receive the logs.

  2. Configure the Cisco routers and H3C switches to send their logs to the log server.

  1. Download the latest version of swatch from here; the current latest version is

  2. Install

  #tar xzf swatch-3.2.2.tar.gz
  #cd swatch-3.2.2
  #perl Makefile.PL

  If this prints:

  Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
  Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
  Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
  Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.

  then those modules have to be installed first:

  #perl -MCPAN -e shell    (sets up the CPAN module installation environment)
  cpan> install Date::Calc
  cpan> install Date::Parse
  cpan> install File::Tail
  cpan> install Time::HiRes
  cpan> exit

  #perl Makefile.PL
  #make
  #make test
  #make install
  #make realclean

  3. Configure

  My configuration file, /usr/local/etc/netdevicerc, watches the port status of the routers and switches and sends a mail alert whenever a port changes state:

  watchfor /changed state|STATUS CHANGE\(l\)/
      mail addresses=user\@yourdomain.com,from="notify "

  watchfor takes a Perl regular expression that is matched against every new line tailed from the log. Parentheses group in a regex, so to match the literal text STATUS CHANGE(l) that H3C writes they must be escaped as \(l\); left unescaped, the pattern only matches "STATUS CHANGEl" and the H3C port events are silently missed. The @ in the address is escaped because swatch turns the configuration into a Perl script before running it. from is not a standard option of the mail action; it only works because of the change to Actions.pm described next.

  Note the from option on the second line, which sets the sender address of the alert mail. swatch itself has no such option, so Actions.pm has to be modified. On my system the file is /usr/lib64/perl5/site_perl/5.8.8/Swatch/Actions.pm. In the send_email subroutine, insert the following lines before print MAIL_PIPE <<"EOF"; (in this subroutine $args carries the matched log line; check the variable names against your own copy of Actions.pm before pasting, since they differ between swatch versions):

  # From: header; the same colon-to-comma rewrite Actions.pm uses to build $to_line
  (my $from_line = $args) =~ s/:/,/g;
  my @mail_body;
  my $s_body;
  # Work on a copy with "administratively" removed, so that
  # "changed state to administratively down" splits into the same
  # word positions as "changed state to down".
  my $temp_mess = $args;
  $temp_mess =~ s/administratively//;
  if ($temp_mess =~ /Line protocol/) {
      # Cisco %LINEPROTO: "... Cisco2821 988: ... Line protocol on Interface Serial0/0/0, changed state to down"
      # [3] = hostname, [13] = "Serial0/0/0,", [17] = "down"
      @mail_body = (split " ", $temp_mess);
      $mail_body[13] =~ s/,//;    # strip the trailing comma from the interface name
      $s_body = "$mail_body[3]'s $mail_body[13] is $mail_body[17]!";
  } elsif ($temp_mess =~ /h3c/) {
      # H3C: "... h3c-3 h3c-03 %%10L2INF/5/PORT LINK STATUS CHANGE(l):- 1 - Ethernet1/0/23: is DOWN"
      # [3] = hostname, [11] = "Ethernet1/0/23:", [13] = "DOWN"
      # (this branch relies on the H3C hostnames containing "h3c")
      @mail_body = (split " ", $temp_mess);
      $mail_body[11] =~ s/://;    # strip the trailing colon from the port name
      $s_body = "$mail_body[3]'s $mail_body[11] is $mail_body[13]!";
  } else {
      # Cisco %LINK: "... Cisco2821 988: ... %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down"
      # [3] = hostname, [10] = "Serial0/0/0,", [14] = "down"
      @mail_body = (split " ", $temp_mess);
      $mail_body[10] =~ s/,//;
      $s_body = "$mail_body[3]'s $mail_body[10] is $mail_body[14]!";
  }

  Then change the following lines, comparing against the original file (the blank line between the headers and the body is required):

  print MAIL_PIPE <<"EOF";
  From: $from_line
  To: $to_line
  Subject: $s_body

  $args
  EOF
  close(MAIL_PIPE);
  }

  The From: line and the Subject: line are my changes; the rest is the original code.

  Cisco log examples (matched by "changed state"):

  Sep 6 16:58:29 Cisco2821 988: Sep 6 16:58:31.052: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down

  Sep 6 16:58:33 Cisco2821 989: Sep 6 16:58:34.656: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down

  H3C log example (matched by "STATUS CHANGE(l)"):

  Sep 6 22:50:13 h3c-3 h3c-03 %%10L2INF/5/PORT LINK STATUS CHANGE(l):- 1 - Ethernet1/0/23: is DOWN
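  The following is an added example and not part of the original post: the matching done by the watchfor line and the subject-building logic of the Actions.pm patch, redone in shell with regular expressions instead of fixed word positions, and run over sample lines. The sample lines are constructed after the Cisco and H3C examples above (the %LINEPROTO line and the login line are mine); it also shows concretely that the unescaped pattern STATUS CHANGE(l) fails to match the H3C event.

```shell
#!/bin/sh
# Added example (not from the original post): watchfor matching and the
# "<host>'s <port> is <state>!" summary, done with regular expressions.

# Constructed sample log lines, modelled on the examples in the post.
CISCO_LINK='Sep 6 16:58:29 Cisco2821 988: Sep 6 16:58:31.052: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down'
CISCO_ADMIN='Sep 6 16:58:33 Cisco2821 989: Sep 6 16:58:34.656: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down'
CISCO_PROTO='Sep 6 16:58:35 Cisco2821 990: Sep 6 16:58:36.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down'
H3C_PORT='Sep 6 22:50:13 h3c-3 h3c-03 %%10L2INF/5/PORT LINK STATUS CHANGE(l):- 1 - Ethernet1/0/23: is DOWN'
NOISE='Sep 6 22:51:00 h3c-3 h3c-03 %%10SHELL/5/LOGIN:- 1 - admin logged in from 10.0.0.5'

# The watchfor pattern with the parentheses escaped, so "(l)" is literal.
matches_watchfor() {
    printf '%s\n' "$1" | grep -Eq 'changed state|STATUS CHANGE\(l\)'
}

# The same pattern with the parentheses unescaped. They form a group here,
# so this matches "STATUS CHANGEl" and never the H3C text "STATUS CHANGE(l)".
matches_unescaped() {
    printf '%s\n' "$1" | grep -Eq 'changed state|STATUS CHANGE(l)'
}

# Print "<host>'s <interface> is <state>!" for a port-state line, the same
# subject the Actions.pm patch builds; return 1 for anything else.
# "administratively down" is reported as "down", as in the patch.
summarize_event() {
    line=$1
    host=$(printf '%s\n' "$line" | awk '{print $4}')   # "Mon D HH:MM:SS host ..."
    case $line in
        *'changed state to'*)
            # Cisco %LINK-*:      "Interface X, changed state to [administratively] down"
            # Cisco %LINEPROTO-*: "Line protocol on Interface X, changed state to up"
            iface=$(printf '%s\n' "$line" | sed -n 's/.*Interface \([^,]*\), changed state to .*/\1/p')
            state=$(printf '%s\n' "$line" | sed -n 's/.*changed state to \(administratively \)\{0,1\}\([a-z]*\)$/\2/p')
            ;;
        *'STATUS CHANGE(l)'*)
            # H3C: "PORT LINK STATUS CHANGE(l):- 1 - Ethernet1/0/23: is DOWN"
            iface=$(printf '%s\n' "$line" | sed -n 's/.*- \([^ :]*\): is [A-Z]*$/\1/p')
            state=$(printf '%s\n' "$line" | sed -n 's/.*: is \([A-Z]*\)$/\1/p')
            ;;
        *)
            return 1
            ;;
    esac
    printf "%s's %s is %s!\n" "$host" "$iface" "$state"
}

# Feed the samples through the filter one line at a time, as swatch would.
for l in "$CISCO_LINK" "$CISCO_ADMIN" "$CISCO_PROTO" "$H3C_PORT" "$NOISE"; do
    if matches_watchfor "$l"; then
        summarize_event "$l"
    fi
done
```

  Extracting the interface and state by regular expression means a Cisco line with an extra word, or a syslog header in a different shape, does not silently produce a wrong subject, which is the weakness of indexing into the split word list.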

  4. Init script

  swatch can be started by hand from the command line, or from an init script. I adapted one I found on the web; it can only monitor a single file.

  #cat /etc/init.d/swatch

  #!/sbin/runscript
  # swatch    This script takes care of starting and stopping a standalone
  #           swatch. Gentoo's runscript calls start() and stop() below
  #           according to the argument it is given.

  [ -x /usr/bin/swatch ] || exit 0

  RETVAL=0
  prog="swatch"
  PIDFILE=/var/lock/subsys/$prog
  LOGFILE=/var/log/syslog-ng/2007/09/network/messages
  CONF=/usr/local/etc/netdevicerc

  start() {
      echo "Starting $prog: "
      # refuse to start a second copy while the recorded pid is still alive
      if [ -e "$PIDFILE" ] && [ -e /proc/"$(cat "$PIDFILE")" ]; then
          echo "cannot start $prog: $prog is already running."
          return 1
      fi
      /usr/bin/swatch -t "$LOGFILE" --daemon -c "$CONF" --pid-file "$PIDFILE" >> /var/log/swatch.log 2>&1
      RETVAL=$?
      if [ $RETVAL -eq 0 ]; then
          touch "$PIDFILE"
          echo "swatch started"
          return $RETVAL
      fi
      echo "cannot start $prog"
      return $RETVAL
  }

  stop() {
      echo "Stopping $prog: "
      if [ ! -e "$PIDFILE" ]; then
          echo "cannot stop $prog: $prog is not running."
          return 1
      fi
      kill -15 "$(cat "$PIDFILE")"
      RETVAL=$?
      if [ $RETVAL -eq 0 ]; then
          rm -f "$PIDFILE"
          echo "swatch stopped"
          return $RETVAL
      fi
      echo "cannot stop $prog"
      return $RETVAL
  }

  status() {
      if [ -e "$PIDFILE" ] && [ -e /proc/"$(cat "$PIDFILE")" ]; then
          echo "$prog is running."
          return 0
      fi
      echo "$prog is not running."
      return 1
  }

  Add it to the default runlevel:

  #rc-update -a swatch default

  To start it by hand instead:

  #/usr/bin/swatch -t /var/log/syslog-ng/2007/09/network/messages --daemon -c /usr/local/etc/netdevicerc --pid-file /var/lock/subsys/swatch

  The log path is dictated by my syslog-ng configuration, which writes into a directory per year and month, so one drawback is that this path has to be edited once a month :)
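  An added example, not from the original post, for the monthly edit mentioned above: derive the current month's syslog-ng log file from the date instead of hard-coding it. The directory layout BASE/YYYY/MM/network/messages is the one the post's syslog-ng server writes; the base directory is a parameter so the function can be exercised against a scratch directory, and the fallback to the previous month's file is my own addition for the first moments of a new month, before syslog-ng has created the new file.

```shell
#!/bin/sh
# Added example (not from the original post): compute the syslog-ng log file
# for the current month instead of editing the init script every month.

# Print the log file for year $2 / month $3 (two digits) under base dir $1.
# syslog-ng only creates the new month's file when the first message of the
# month arrives, so fall back to the previous month's file if the current
# one does not exist yet. Print nothing and return 1 if neither exists.
swatch_logfile() {
    base=$1 year=$2 month=$3
    file="$base/$year/$month/network/messages"
    if [ -f "$file" ]; then
        printf '%s\n' "$file"
        return 0
    fi
    if [ "$month" = "01" ]; then          # January: previous month is last December
        pyear=$((year - 1)) pmonth=12
    else
        pyear=$year pmonth=$(printf '%02d' $((${month#0} - 1)))
    fi
    prev="$base/$pyear/$pmonth/network/messages"
    if [ -f "$prev" ]; then
        printf '%s\n' "$prev"
        return 0
    fi
    return 1
}

# Build the command line the init script runs, for today's date.
# Paths other than the log file are the ones used in the post.
swatch_command() {
    file=$(swatch_logfile "$1" "$(date +%Y)" "$(date +%m)") || return 1
    printf '%s\n' "/usr/bin/swatch -t $file --daemon -c /usr/local/etc/netdevicerc --pid-file /var/lock/subsys/swatch"
}

# Demonstration against a scratch tree shaped like /var/log/syslog-ng.
scratch=$(mktemp -d)
mkdir -p "$scratch/2007/09/network" && : > "$scratch/2007/09/network/messages"
swatch_logfile "$scratch" 2007 10        # October not started yet: prints the September file
swatch_command "$scratch" || echo "no log file yet for $(date +%Y/%m)"
rm -r "$scratch"
```

  Because swatch -t follows the one file it was started on, a daemon started in September keeps reading the September file after the month turns; something still has to restart it so the new path is picked up. A cron job at the start of each month that calls the init script's stop and start would do that; this restart is my suggestion and not something the post covers.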

  5. Start

  #/etc/init.d/swatch start
