Swatch Problem-Couldn't send email notification

andrapgm03 · 11-29-2010, 06:43 AM

Hello everyone and Linux Guru's

Here I've sort a problem, dealing with swatch.
I wonder why my swatch configuration can't sending an email notification to my mail, which I mean to sent the output file into email.

Swatch running like a charm on my system and success to give the log files for the file that swatch monitoring..

here's my output

Code:

root@ubuntusecurity:/home/andrewraharjo# swatch -c /root/.swatchrc -t /var/log/auth.log

*** swatch version 3.2.3 (pid:6773) started at Mon Nov 29 19:33:39 WIT 2010

Nov 29 19:34:46 ubuntusecurity sudo: pam_unix(sudo:auth): authentication failure; logname=andrewraharjo uid=0 euid=0 tty=/dev/pts/2 ruser=andrewraharjo rhost=ubuntusecurity  user=andrewraharjo
Nov 29 19:35:31 ubuntusecurity sudo: andrewraharjo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/andrewraharjo ; USER=root ; COMMAND=us
Nov 29 19:35:45 ubuntusecurity sudo: andrewraharjo : TTY=pts/2 ; PWD=/home/andrewraharjo ; USER=root ; COMMAND=/bin/su

here's my swatch configuration files

Code:

#SWATCH CONFIG FILE

watchfor = /FAILED su for root/
        echo bold
        exec echo "Subject: auth:FAILED su for root\n\n$_\n" | sendmail "andrew2raharjo@gmail.com"

watchfor /sudo:/
        echo bold
        exec echo "Subject: auth:FAILED su for root\n\n$_\n" | sendmail "andrew2raharjo@gmail.com"
        throttle 01:00

watchfor /sudo:.*command not allowed/
        exec echo "Subject: auth:FAILED su for root\n\n$_\n" | sendmail "andrew2raharjo@gmail.com"
        echo bold red

my question is;
Why I didn't get any alert message (email notification to andrew2raharjo@gmail.com) from swatch for printed log on my system ?

Please somebody help me, any suggestion, I will appreciate it...I'm totally desperate about my system. I getting confused....

Best Regards,
Andrew

andrapgm03 · 11-29-2010, 06:46 AM

Yayyy..It works...

hmm....I've seen I haven't allow my mod for my swatch logging files

so I tried to change my swatch mod, cause I'm running it with a simple bash scripting...

It appears on andrew2raharjo@gmail.com

Code:

Nov 29 19:34:46 ubuntusecurity sudo: pam_unix(sudo:auth): authentication failure; logname=authtest uid=0 euid=0 tty=/dev/pts/2 ruser=andrewraharjo rhost=ubuntusecurity  user=xxx

yes..it works for several hours, today I tried to log again the 'failed sudo' but it will not appears periodically on andrew2raharjo@gmail.com...

so what's the problem ? I didn't get the e-mail for the alerting message, even I've done 'ssh-remote' and tried to enter the wrong password on my system. I wouldn't sent another email for each error messages...

now I wonder why how to run swatch on daemon mode then log it into new file and about email alerting periodically..

andrapgm03 · 01-02-2011, 02:38 AM

Why I still can't get email message from swatch error message ? Nothing email error message in my gmail....Somebody please help...why swatch can't send error report into my gmail...??

beaknit · 02-03-2011, 10:21 AM

I'm having the same issue.

What version are you running? I've got 3.2.1 from the Ubuntu 8.04 apt repo.

beaknit · 02-03-2011, 10:51 AM

Also, what MTA are you using? I've got Exim4.

beaknit · 02-03-2011, 12:17 PM

I found the issue. By default, swatch sends mails with 'sendmail -oi -t -odq' That sends them straight to the queue with no attempt at delivery. It waits till the queue runner comes around. (30 minutes, by default.)