Tag: iwatch

  • adding exceptions to iwatch

    In a previous article, we’ve seen how to install iwatch (http://blog.grs.gr/?p=455&lang=en). If you watch a directory that changes continuously, you may find it useful to exclude specific types of files and/or directories.

    Let’s say that you want to monitor a web server that hosts example.com, with the site’s file structure at /var/www/example.com and media files mostly at /var/www/example.com/uploads, and that you want to skip monitoring /var/www/example.com/uploads.

  • install iwatch on debian

    http://iwatch.sourceforge.net/documentation.html

    iWatch is a realtime filesystem monitoring program. Its purpose is to monitor any changes in a specific directory or file and send an email notification immediately after the change. This can be very useful for watching a sensitive file or directory for any changes, such as the files /etc/passwd and /etc/shadow or the directory /bin, or for monitoring the root directory of a website for any unwanted changes.

    apt-get install iwatch
    nano /etc/default/iwatch

    iwatch configuration file:

    # START_DAEMON:
    #   should iwatch start the iwatch daemon during boot?
    #   change to "true" or "yes" if needed.
    START_DAEMON=true
    # CONFIG_FILE:
    #   configuration file for iwatch daemon
    #
    CONFIG_FILE=/etc/iwatch/iwatch.xml

    nano /etc/iwatch/iwatch.xml

    http://serverfault.com/questions/185620/iwatch-doesnt-email-me-or-appear-to-doing-anything

    Firstly, if you don’t want it to email your local system, then change:

    <contactpoint email="root@localhost" name="Administrator"/>

    to

    <contactpoint email="[email protected]" name="Administrator"/>

    If you are ok with that, then the next step is to check to see if it is running

    ps aux | grep iwatch

    Then start it with the service command, i.e.

    service iwatch start

    Check if it is running again

    ps aux | grep iwatch

    Now test it out by running

    touch /etc/test

    And you should get an email, good luck!

    Here is a good example of a configuration file

    https://github.com/kiwiroy/iwatch/blob/master/iwatch.xml.example

    <?xml version="1.0" ?>
    <!DOCTYPE config SYSTEM "/etc/iwatch.dtd" >

    <!-- iWatch configuration -->
    <!--
    You can create several watch lists, each with its own contact point.
    In each watch list you can put all the directories and files you want to monitor.
    The path type decides how a directory is monitored, recursively or as a single
    directory. But it will monitor all newly created directories (after iwatch
    started) recursively regardless of path type.
    iWatch will send email alerts with the guard's email address as sender.
    Don't forget to set the correct email address here.
    -->

    <config charset="utf-8">
      <guard email="root@localhost" name="IWatch"/>
      <watchlist>
        <title>Public Website</title>
        <contactpoint email="webmaster@localhost" name="Web Master"/>
        <path type="single" syslog="on">/var/www/localhost/htdocs</path>
        <path type="single" syslog="off">/var/www/localhost/htdocs/About</path>
        <path type="recursive">/var/www/localhost/htdocs/Photos</path>
      </watchlist>
      <watchlist>
        <title>Operating System</title>
        <contactpoint email="root@localhost" name="Administrator"/>
        <path type="recursive">/etc/apache2</path>
        <path type="single">/bin</path>
        <path type="single" filter="shadow|passwd">/etc</path>
        <path type="recursive">/etc/mail</path>
        <path type="exception">/etc/mail/statistics</path>
      </watchlist>
      <watchlist>
        <title>Only Test</title>
        <contactpoint email="root@localhost" name="Administrator"/>
        <path type="single" alert="off" exec="(w;ps)|mail -s %f root@localhost">/tmp/dir1</path>
        <path type="single" events="access,close" alert="off" exec="(w;ps)|mail -s %f root@localhost">/tmp/dir2</path>
        <path type="single" events="default,access" alert="off" exec="(w;ps)|mail -s '%f is accessed at %{%H:%M:%S}d' root@localhost">/tmp/dir3</path>
        <path type="single" events="all_events" alert="off">/tmp/dir4</path>
        <path type="recursive">/data/projects</path>
        <path type="regexception">\.svn</path>
      </watchlist>
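
An added example, not part of the original posts or the iwatch project: a small Python audit that reads an iwatch.xml and reports whether a given path is watched or falls into an exception, since every exception is a spot where changes raise no alert. The sample config is constructed for the example.com scenario, and the matching rules (an exception hides its whole subtree, a regexception is searched anywhere in the full path, filter= is not modelled) are assumptions, not verified iwatch behaviour.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample config for the example.com scenario (not from the original page).
SAMPLE = r"""<config charset="utf-8">
  <guard email="root@localhost" name="IWatch"/>
  <watchlist>
    <title>example.com</title>
    <contactpoint email="root@localhost" name="Administrator"/>
    <path type="recursive">/var/www/example.com</path>
    <path type="exception">/var/www/example.com/uploads</path>
    <path type="regexception">\.svn</path>
  </watchlist>
</config>"""

def load_rules(xml_text):
    """Return (watches, exceptions, regexceptions) parsed from an iwatch config string."""
    watches, exceptions, regexes = [], [], []
    for p in ET.fromstring(xml_text).iter("path"):
        kind, target = p.get("type"), (p.text or "").strip()
        if kind == "exception":
            exceptions.append(PurePosixPath(target))
        elif kind == "regexception":
            regexes.append(re.compile(target))
        elif kind in ("single", "recursive"):
            watches.append((kind, PurePosixPath(target)))
    return watches, exceptions, regexes

def coverage(xml_text, candidate):
    """Classify candidate as 'watched', 'excluded' (no alerts) or 'unwatched'."""
    watches, exceptions, regexes = load_rules(xml_text)
    c = PurePosixPath(candidate)
    # Assumption: an exception hides the path itself and everything below it.
    if any(c == e or e in c.parents for e in exceptions):
        return "excluded"
    # Assumption: a regexception is searched anywhere in the full path string.
    if any(r.search(str(c)) for r in regexes):
        return "excluded"
    for kind, w in watches:
        # single: the directory and its direct children; recursive: the whole subtree.
        if c == w or c.parent == w or (kind == "recursive" and w in c.parents):
            return "watched"
    return "unwatched"

if __name__ == "__main__":
    for path in ("/var/www/example.com/index.php", "/var/www/example.com/uploads/new.php",
                 "/var/www/example.com/docs/my.svn-notes.txt", "/etc/passwd"):
        print(f"{coverage(SAMPLE, path):10} {path}")
```

Running it over the paths you care about before deploying a config shows which ones an exception silences, including files an unanchored regexception such as `\.svn` matches by accident.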