Under Linux, what's a simple way to automatically watch a logfile, and email me if a certain string appears? I have an application that will log certain failures to a logfile, but has no built-in way of sending alerts or executing scripts on failure. I suppose I could rig something up with tail -f and some shell scripts, but I'd rather use an existing maintained tool if it exists.
I checked out several of the options mentioned on this page, and ended up using something far simpler: swatch.
Those other systems are great for dealing with existing system logs, or with software where you don't have control over the output. I just didn't want to write a bunch of code to do email notifications just yet. So I just created a swatch file like this:
And then started it up with
It's crude, but since I control the logfile output, I don't need anything more complicated yet.
Before we went to a heavyweight solution (Zenoss) we used to use logcheck which is a part of Debian but can easily be ported to other distros as well. I was using it on Gentoo. Distros like RHEL come with logwatch, which does something similar.
The best way is to use a log analysis program.
OSSEC, for example, is free/open source and allows you to watch as many log files as you want and to generate email alerts (or even active responses) for certain events.
Link: http://www.ossec.net
I know, hacking a shell script is fun, but it is way less stable than a mature program that has been developed for years. Plus, if in the future you need to extend your script or add more triggers, it becomes way more complicated. OSSEC (and other tools) have this framework done for you.
LoFiMo (Log File Monitor) on Sourceforge should get you started, or NuHe might work, but I am less familiar with it.
I found a tool called tenshi that appears to do exactly what I need it to do. It's included in the default Debian repos, which is nice; unfortunately it is not in the RHEL/CentOS ones (I have a mix of both OSes as servers).
I know an answer has already been accepted, but rsyslog is much more robust and has built-in filtering, SMTP alerts, and non-syslog-based file-watching abilities for applications that do not use syslog. It's now the standard syslog implementation on Ubuntu 10.x.
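As an added illustration of the rsyslog approach (example configuration, not from the original answer), here is a legacy-directive rsyslog config that follows a plain application log with imfile, matches a string, and mails through ommail with a rate limit. The log path, the string FATAL, the mail server and the addresses are placeholders to replace with your own.

```conf
# Added example, not part of the original post.
# Assumed placeholders: /var/log/myapp/app.log, "FATAL", mail.example.net,
# and the *@example.net addresses.

# --- Input: follow a text file the application writes itself (no syslog needed) ---
$ModLoad imfile
$InputFileName /var/log/myapp/app.log
$InputFileTag myapp:
# State file remembers the read offset, so lines are not re-alerted after a restart
$InputFileStateFile stat-myapp
$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor

# --- Output: e-mail through ommail (plain SMTP, no authentication or TLS) ---
$ModLoad ommail
$ActionMailSMTPServer mail.example.net
$ActionMailFrom rsyslog@example.net
$ActionMailTo admin@example.net
$template mailSubject,"Application failure on %hostname%"
$template mailBody,"rsyslog alert\r\nhost=%hostname%\r\nmsg=%msg%"
$ActionMailSubject mailSubject
# Rate limit: at most one mail per 3600 s for the action that follows, so a
# failure that repeats every second cannot flood the mailbox
$ActionExecOnlyOnceEveryInterval 3600
# The filter and action must stay on one line
if $msg contains 'FATAL' then :ommail:;mailBody
```

Newer rsyslog releases prefer the module()/input()/action() syntax, but these directives are still accepted. Because ommail speaks unauthenticated, unencrypted SMTP, point it at a local relay rather than an internet-facing mail server.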