adding exceptions to iwatch

In a previous article, we saw how to install iwatch (http://blog.grs.gr/?p=455&lang=en). If you watch a directory that changes continuously, you may find it useful to exclude specific types of files and/or directories.

Let's say that you want to monitor a web server that hosts example.com, with the site's file structure at /var/www/example.com and media files mostly at /var/www/example.com/uploads, and that you want to skip monitoring /var/www/example.com/uploads.
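A configuration for that scenario, added here as an illustration (it is not from the original post): the whole site tree is watched recursively and the uploads directory is excluded with a path of type "exception"; the guard and contact addresses are placeholders you would replace with your own.

```xml
<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch.dtd" >
<config charset="utf-8">
  <!-- sender address for alert mail; placeholder, replace with your own -->
  <guard email="iwatch@example.com" name="IWatch"/>
  <watchlist>
    <title>example.com document root</title>
    <contactpoint email="webmaster@example.com" name="Web Master"/>
    <!-- watch the whole site tree, logging each event to syslog as well -->
    <path type="recursive" syslog="on">/var/www/example.com</path>
    <!-- skip the uploads directory, which changes constantly -->
    <path type="exception">/var/www/example.com/uploads</path>
    <!-- also ignore version-control metadata anywhere under the tree -->
    <path type="regexception">\.svn|\.git</path>
  </watchlist>
</config>
```

Everything else under /var/www/example.com, including directories created after iwatch starts, still raises an alert to the contact point.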


install iwatch on debian

http://iwatch.sourceforge.net/documentation.html

iWatch is a real-time filesystem monitoring program. Its purpose is to monitor any changes in a specific directory or file and send an email notification immediately after the change. This can be very useful to watch a sensitive file or directory against any changes, like the files /etc/passwd and /etc/shadow or the directory /bin, or to monitor the root directory of a website against any unwanted changes.

apt-get install iwatch

nano /etc/default/iwatch

iwatch configuration file:

# START_DAEMON:
#   should iwatch start the iwatch daemon during boot?
#   change to "true" or "yes" if needed.
START_DAEMON=true
# CONFIG_FILE:
#   configuration file for iwatch daemon
#
CONFIG_FILE=/etc/iwatch/iwatch.xml

nano /etc/iwatch/iwatch.xml

http://serverfault.com/questions/185620/iwatch-doesnt-email-me-or-appear-to-doing-anything

Firstly, if you don't want it to email your local system, then change:

<contactpoint email="root@localhost" name="Administrator"/>

to

<contactpoint email="someemail@gmail.com" name="Administrator"/>

If you are ok with that, then the next step is to check whether it is running:

ps aux | grep iwatch

Then start it with the service command, i.e.

service iwatch start

Check if it is running again

ps aux | grep iwatch

Now test it out by running

touch /etc/test

And you should get an email, good luck!

Here is a good example of a configuration file

https://github.com/kiwiroy/iwatch/blob/master/iwatch.xml.example

<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch.dtd" >

<!-- iWatch configuration -->
<!--
You can create several watch lists, each with its own contact point,
and in each watch list you can put all directories and files you want to monitor.
The path type decides how a directory is monitored, recursively or as a single
directory. But it will monitor all newly created directories (after iwatch
started) recursively regardless of path type.
iWatch will send email alerts with the guard's email address as sender.
Don't forget to set the correct email address here.
-->

<config charset="utf-8">
  <guard email="root@localhost" name="IWatch"/>
  <watchlist>
    <title>Public Website</title>
    <contactpoint email="webmaster@localhost" name="Web Master"/>
    <path type="single" syslog="on">/var/www/localhost/htdocs</path>
    <path type="single" syslog="off">/var/www/localhost/htdocs/About</path>
    <path type="recursive">/var/www/localhost/htdocs/Photos</path>
  </watchlist>
  <watchlist>
    <title>Operating System</title>
    <contactpoint email="root@localhost" name="Administrator"/>
    <path type="recursive">/etc/apache2</path>
    <path type="single">/bin</path>
    <path type="single" filter="shadow|passwd">/etc</path>
    <path type="recursive">/etc/mail</path>
    <path type="exception">/etc/mail/statistics</path>
  </watchlist>
  <watchlist>
    <title>Only Test</title>
    <contactpoint email="root@localhost" name="Administrator"/>
    <path type="single" alert="off" exec="(w;ps)|mail -s %f root@localhost">/tmp/dir1</path>
    <path type="single" events="access,close" alert="off" exec="(w;ps)|mail -s %f root@localhost">/tmp/dir2</path>
    <path type="single" events="default,access" alert="off" exec="(w;ps)|mail -s '%f is accessed at %{%H:%M:%S}d' root@localhost">/tmp/dir3</path>
    <path type="single" events="all_events" alert="off">/tmp/dir4</path>
    <path type="recursive">/data/projects</path>
    <path type="regexception">\.svn</path>
  </watchlist>
</config>