Anyway use swatch before http://swatch.sourceforge.net/, it is a simple watcher for logfile I configured the following swatchrc1 file to search for authentication failure in the log file The content of the swatchrc1 file are below [root@watcher2 log]# cat /var/log/swatchrc1 #Authentication Failure watchfor /more authentication failures/ exec echo $0 | mail -s "Authentication Failure" david@xxxxxxx and I have it run as /usr/bin/swatch -c /var/log/swatchrc1 -t /var/log/messages --daemon so that it will notify me via email when it got the authentication messages in the log file as follows for example Sep 7 02:40:10 inabc.abc.com sshd(pam_unix)[31953]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.10.12.30 user=david However, in the notification email, I only got the email sent by root@xxxxxxxxxxxxxxxxxxxxx with the subject of "Authentication Failure" and content as "/usr/bin/swatch -c /var/log/swatchrc1 -t /var/log/messages --daemon" I can't know the authentication failure detail from the email at all, like which account and login from where and etc. Is there a way to include in the notification email for the line of log file that it detects for example " Sep 7 02:40:10 inabc.abc.com sshd(pam_unix)[31953]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.10.12.30 user=david" May I know where is the documentation for the swatchrc config ?? I want to customise it. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
