Swatch crashing

Help
Redmage123
2012-03-15
2013-04-25
  • Redmage123
    2012-03-15

    Hello all,

    I'm running SWATCH on a RHEL6 system.  The installed rpm is:
    swatch-3.2.3-2.el6.noarch

    I run swatch as a daemon process; the problem is that when it finds a pattern, it crashes out with the following error:

    ^[[1m2012-03-15T09:17:03.223733+00:00 metstore bbrelin: SYSMON WARNING - polling /var/adm/messages from www1 failed
    ^[[0mInvalid attribute name "failed at /usr/share/perl5/vendor_perl/Swatch/Actions.pm line 68

    I've googled this, but didn't really get any satisfactory answers.

    Anybody have any ideas?

    Thanks,

    redmage123

    My swatch config file looks like this:

    # Bad login attempts
    watchfor /failed/
    echo bold
    echo "Failed login attempt" >> /var/log/swatchalerts

    #Sniffing Attempts
    watchfor /promiscuous/
    #echo bold
    echo "Ethernet sniffing attempt detected" >> /var/log/swatchalerts

    # Kernel problems or system reboots
    watchfor /panic|halt|oops/
    #echo bold
    echo "Kernel panic seen!" >> /var/log/swatchalerts

    watchfor /oom/
    #echo bold
    echo "Out of memory errors" >> /var/log/swatchalerts

    watchfor /No space left on device/
    #echo bold
    echo "Disk full error" >> /var/log/swatchalerts

    watchfor /kernel:\s+d:\s*.*error.*/
    #echo bold
    echo "Disk I/O error" >> /var/log/swatchalerts

    watchfor /kernel:\s+I\/O error/
    #echo bold
    echo "I/O error" >> /var/log/swatchalerts

    watchfor /error:\s+PAM:\s+Authentication failure/
    #echo bold
    echo "PAM Authentication error" >> /var/log/swatchalerts

    watchfor /segfault/
    #echo bold
    echo "Segmentation fault" >> /var/log/swatchalerts


     
  • No help here.  For what it is worth, I've been running swatch since the mid-90s and don't recall ever seeing that message.  Currently, swatch-3.2.3, perl-5.12.2, CentOS 5.8

    But let's see.  Line 68 of Actions.pm lives inside the 'echo' subroutine, which handles executing the 'echo' command - that makes sense, given your config file:

        print colored("$args{'MESSAGE'}\n", @{$args{'MODES'}});

    The entire subroutine:
        use Term::ANSIColor;
        sub echo {
          # MODES defaults to an empty list of display attributes;
          # caller-supplied arguments in @_ override the defaults.
          my %args = (
                      'MODES' => [ ],
                      @_
                     );
          return if (exists($args{'WHEN'}) and not inside_time_window($args{'WHEN'}));

          return if (exists($args{'THRESHOLDING'})
                     and $args{'THRESHOLDING'} eq 'on'
                     and not &Swatch::Threshold::threshold(%args));

          if (${$args{'MODES'}}[0] =~ /^normal$/i) { # for backward compatability
            print "$args{'MESSAGE'}\n";
          } else {
            # Every entry in MODES is passed to Term::ANSIColor as an attribute name.
            print colored("$args{'MESSAGE'}\n", @{$args{'MODES'}});
          }
        }

    'colored' is a method imported from Term::ANSIColor - you've verified that you have Term::ANSIColor installed?  I'm shooting from the hip here, not claiming to be particularly insightful.

    -sk

     
  • Redmage123
    2012-03-15

    I did verify that Term::ANSIColor is installed on this system… Created a quick and dirty Perl program that imported the module… No errors found.

    • redmage123
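
A pre-flight check related to the `echo` subroutine quoted in the thread, as an added example that is not part of any post and is not swatch's own code: it reports tokens on `echo` lines that Term::ANSIColor would not accept as attribute names, so a monitoring daemon can be checked before it is started. The sample config lines are constructed, the helper names are hypothetical, and the way the text after `echo` is split into modes is an assumption.

```perl
#!/usr/bin/perl
# Added example: lint the modes given to swatch "echo" actions.
use strict;
use warnings;
use Term::ANSIColor qw(colorvalid);

# Constructed sample lines in the style of the config posted above.
my @config = (
    'watchfor /failed/',
    '    echo bold',
    '    echo "Failed login attempt" >> /var/log/swatchalerts',
    'watchfor /segfault/',
    '    #echo bold',
    '    echo normal',
);

# ASSUMPTION: the text after "echo" is split on whitespace and commas and
# passed to colored() as the MODES list. swatch's own parser may differ.
sub echo_modes {
    my ($line) = @_;
    return () if $line =~ /^\s*#/;                      # commented-out action
    return () unless $line =~ /^\s*echo\b[=\s]*(.*)$/;  # not an echo action
    return grep { length } split /[\s,]+/, $1;
}

# Tokens that Term::ANSIColor does not accept as attributes. "normal" is
# exempt because the echo subroutine tests for it before calling colored().
sub rejected_modes {
    return grep { !/^normal$/i && !colorvalid($_) } @_;
}

# Return one finding per config line that carries rejected tokens.
sub lint {
    my @lines = @_;
    my @findings;
    for my $i (0 .. $#lines) {
        my @bad = rejected_modes(echo_modes($lines[$i]));
        push @findings, sprintf("line %d: not a color attribute: %s",
                                $i + 1, join(' ', @bad)) if @bad;
    }
    return @findings;
}

my @findings = lint(@config);
print "$_\n" for @findings;
exit(@findings ? 1 : 0);   # non-zero exit lets an init script refuse to start
```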