Advanced Registry Operations Curriculum
Using Swatch

Notes:
------

* Commands preceded with "$" imply that you should execute the command as a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>") imply that you are executing commands on remote equipment, or within another program.

Exercises
---------

0. Log in to your PC or open a terminal window as the sysadmin user.

1. Let's enable logging of everything to a single file:

   $ sudo vi /etc/syslog-ng/syslog-ng.conf

   - Add these lines at the end of the file:

     destination everything {
         file("/var/log/everything"
              template("$DATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
              template_escape(no)
         );
     };
     log { source(s_all); destination(everything); };

   ... this will enable logging of ALL messages to a single file, so that we can run a monitoring script on the messages.

   - Now re-initialize Syslog:

   $ sudo /etc/init.d/syslogd restart

2. Enable a daily automated script to truncate the log file so it doesn't grow too big:

   $ sudo vi /etc/logrotate.d/everything

   - In the file add the following:

     /var/log/everything {
         daily
         copytruncate
         rotate 1
         postrotate
             /etc/init.d/swatch restart
         endscript
     }

3. Install swatch:

   $ sudo apt-get install swatch

4. Create the file /etc/swatch.conf and add the following rules to the file:

   $ sudo vi /etc/swatch.conf

     watchfor /PRIV_AUTH_PASS/
         mail=sysadmin,subject=Mode de enable habilitado
         threshold type=limit,count=1,seconds=3600

     watchfor /CONFIG_I/
         mail=sysadmin,subject=Configuracion de enrutador
         threshold type=limit,count=1,seconds=3600

     watchfor /LINK-3-UPDOWN/
         mail=sysadmin,subject=Cambio del estado de link
         threshold type=limit,count=1,seconds=3600

     watchfor /SSH/
         mail=sysadmin,subject=Coneccion a traves SSH
         threshold type=limit,count=1,seconds=3600

     watchfor /ssh/
         mail=sysadmin,subject=Coneccion a traves ssh
         threshold type=limit,count=1,seconds=3600

5. Start swatch:

   # swatch -c /etc/swatch.conf --daemon

   Check that it is running:

   # ps ax | grep swatch

6. Log in to your router, and run some "config" commands (example below):

   $ ssh rancid@grupoX-rtr      [where "X" is .65 or .129]
   pc1-pcx-rtr> enable
   Password:
   pc1-pcx-rtr# config terminal
   pc1-pcx-rtr(config)# int FastEthernet0/0
   pc1-pcx-rtr(config-int)# description Description Change for FastEthernet0/0 for Swatch
   pc1-pcx-rtr(config-int)# ctrl-z
   pc1-pcx-rtr# write memory
   pc1-pcx-rtr# exit

7. Verify that you are receiving emails to the sysadmin user from Swatch:

   $ su - sysadmin
   $ mutt -f /var/mail/sysadmin
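To see how the rules in /etc/swatch.conf above behave on the lines that /var/log/everything receives, here is an added Python model of the pattern matching and of the "threshold type=limit,count=1,seconds=3600" rate limiting (example code written for this page, not part of swatch or of the original exercise). The log lines, the year and the host names in it are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Rules as in /etc/swatch.conf above (pattern, mail subject). The /SSH/ and /ssh/
# rules stay separate, as on the page, so each one is rate-limited on its own.
RULES = [
    (re.compile(r"PRIV_AUTH_PASS"), "Mode de enable habilitado"),
    (re.compile(r"CONFIG_I"), "Configuracion de enrutador"),
    (re.compile(r"LINK-3-UPDOWN"), "Cambio del estado de link"),
    (re.compile(r"SSH"), "Coneccion a traves SSH"),
    (re.compile(r"ssh"), "Coneccion a traves ssh"),
]
# threshold type=limit,count=1,seconds=3600 -> at most one mail per rule per hour
LIMIT_COUNT, LIMIT_WINDOW = 1, timedelta(seconds=3600)
# Lines in /var/log/everything follow the syslog-ng template
# "$DATE <$FACILITY.$PRIORITY> $HOST $MSG"; $DATE drives the threshold window.
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) <[^>]+> (\S+) (.*)$")

def parse_line(line, year=2024):
    """Return (timestamp, host, msg), or None for a line not in template form."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def run_rules(lines):
    """Return the mails swatch would send as (timestamp, subject, host, msg) tuples."""
    sent = {}       # subject -> timestamps of mails already sent in the window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for pattern, subject in RULES:
            if not pattern.search(line):      # swatch matches against the whole line
                continue
            recent = [t for t in sent.get(subject, []) if ts - t < LIMIT_WINDOW]
            if len(recent) < LIMIT_COUNT:     # first match in the window -> mail
                alerts.append((ts, subject, host, msg))
                recent.append(ts)
            sent[subject] = recent            # further matches in the window are dropped
    return alerts

# Constructed sample of /var/log/everything (not real log data)
SAMPLE_LOG = [
    "Mar 10 10:00:01 <local7.notice> pc1-pcx-rtr 45: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by rancid on vty0",
    "Mar 10 10:00:20 <local7.notice> pc1-pcx-rtr 46: %SYS-5-CONFIG_I: Configured from console by rancid on vty0",
    "Mar 10 10:05:00 <local7.notice> pc1-pcx-rtr 47: %SYS-5-CONFIG_I: Configured from console by rancid on vty0",
    "Mar 10 11:30:00 <local7.notice> pc1-pcx-rtr 48: %SYS-5-CONFIG_I: Configured from console by rancid on vty0",
    "Mar 10 11:31:00 <auth.info> pc1 sshd[1234]: Accepted password for sysadmin from 10.0.0.5 port 50000 ssh2",
]
```

Running run_rules(SAMPLE_LOG) yields four mails: the second CONFIG_I line at 10:05 is silently dropped because a CONFIG_I mail already went out at 10:00:20, while the one at 11:30 is past the hour and is mailed again.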