Automated System Monitoring and Notification With Swatch
Stephen E. Hansen & E. Todd Atkins
Stanford University
Abstract
This paper describes an approach to monitoring events on a large
number of servers and workstations. While modern UNIX systems are
capable of logging a variety of information concerning the health and
status of their hardware and operating system software, they are
generally not configured to do so. Even when this information is
logged, it is often hidden in places that are either not monitored
regularly or are susceptible to deletion or modification by a
successful intruder. Also, a system administrator must often monitor
several, perhaps dozens, of systems. To address these problems, our
approach begins with the modification of certain system programs to
enhance their logging capabilities. In addition, our approach calls
for the logging facilities on each of these systems to be configured
in such a way as to send a copy of the critical system- and security-
related information to a dependable, secure, central logging host
system. As one might expect, this central log can see a megabyte or
more of data in a single day. To keep a system administrator from
being overwhelmed by a large quantity of data we have developed an
easily configurable log file filter/monitor, called swatch. Swatch
monitors log files, filters out unwanted data, and takes one or more
user-specified actions (ring bell, send mail, execute a script, etc.)
based upon patterns in the log.
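The pattern/action model the abstract describes (a central log fed by several hosts, a rule table that discards noise and triggers bell, mail or script actions on the rest) is shown below as an added Python example; it is not code from the paper or from the swatch distribution, which is written in Perl. The rule syntax, the first-matching-rule-wins behaviour, the sample log lines and the action names are assumptions made for this illustration, and the mail and exec actions are recorded rather than really sent or run so the example works offline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of lines as they might arrive on a central loghost
# from several forwarding machines (hostA/hostB/hostC are made up).
SAMPLE_LOG = """\
Mar  3 10:15:01 hostA login[4412]: ROOT LOGIN REFUSED FROM badhost.example
Mar  3 10:15:07 hostB sendmail[2210]: stat=Sent
Mar  3 10:16:44 hostC kernel: file system full
Mar  3 10:17:02 hostA su: 'su root' failed for alice on /dev/ttyp1
Mar  3 10:17:30 hostB cron[99]: (root) CMD (/usr/lib/atrun)
"""

# Swatch-like configuration, in a simplified syntax assumed for this example:
# one rule per line, /regex/ followed by a comma-separated action list.
# Rules are tried top to bottom and the first match decides the actions.
SAMPLE_CONFIG = """\
# critical security events: mail the administrator and ring the bell
/REFUSED|failed/        mail=root,bell
# hardware / filesystem trouble: mail and run a script
/file system full/      mail=root,exec=/usr/local/sbin/fs-alert
# routine noise that should never reach the administrator
/stat=Sent|CMD \\(/     ignore
# everything else is simply echoed to the monitor terminal
/.*/                    echo
"""

Action = Tuple[str, Optional[str]]          # (name, argument)
Event = Tuple[str, Optional[str], str]      # (name, argument, matched line)


@dataclass
class Rule:
    pattern: "re.Pattern"
    actions: List[Action]


def parse_config(text: str) -> List[Rule]:
    """Turn the rule table into compiled regexes plus action lists."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.+?)/\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"bad rule: {raw!r}")
        actions: List[Action] = []
        for item in m.group(2).split(","):
            name, _, arg = item.strip().partition("=")
            actions.append((name, arg or None))
        rules.append(Rule(re.compile(m.group(1)), actions))
    return rules


def apply_rules(lines: List[str], rules: List[Rule]) -> List[Event]:
    """Filter the log: return the (action, arg, line) triples that fired.

    'ignore' produces no event, which is how unwanted data is dropped.
    In a real deployment 'mail' would hand the line to sendmail and
    'exec' would run the named script; here both are only recorded.
    """
    events: List[Event] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        for rule in rules:
            if rule.pattern.search(line):
                for name, arg in rule.actions:
                    if name != "ignore":
                        events.append((name, arg, line))
                break  # first matching rule wins (assumption of this example)
    return events


def monitor(log_text: str, config_text: str) -> List[Event]:
    """Convenience wrapper: parse the config and run it over a log."""
    return apply_rules(log_text.splitlines(), parse_config(config_text))


if __name__ == "__main__":
    for name, arg, line in monitor(SAMPLE_LOG, SAMPLE_CONFIG):
        print(f"{name:<5} {arg or '':<28} {line}")
```

Run against the constructed input, the two "stat=Sent" and cron lines are swallowed by the ignore rule while the refused root login, the failed su and the full filesystem each trigger their actions, so of five incoming lines only three reach the administrator. On the forwarding hosts, the standard BSD syslog.conf form `auth.*;kern.* @loghost` is what sends the selected facilities to the central machine where a filter like this one would read the consolidated file.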
Download the full text of this paper:
POSTSCRIPT (133,818 bytes)
PDF (56,398 bytes)