monitor log for keyword and send email

log_watcher.service

# put this to /etc/systemd/system
[Unit]
Description=watch log events and sendout mail when something happened

[Service]
ExecStart=/root/log_watcher.sh  # change the path, and make the file executable

[Install]
WantedBy=multi-user.target

log_watcher.sh

#!/bin/bash
# Install method:
#  cp log_watcher.sh /root
#  chmod a+x /root/log_watcher.sh
#  cp log_watcher.service /etc/systemd/system
#  systemctl start log_watcher.service
#  systemctl status log_watcher.service
#  #if "active", then make it running at boot time
#  systemtcl enable log_watcher.service

# update these values
target=/var/log/messages
pattern="su: (to root)"
cache=/tmp/log_watcher_messages.prev
receiver=root@localhost

# variables
now=`date +%Y%m%d-%H%M%S`

mainloop() {
  if [ -e ${cache} ]
  then
    grep -i "${pattern}" ${target} > ${cache}.${now}
    new_record=`diff -u ${cache} ${cache}.${now} | grep -E "^\+"`
    if [ "${new_record}" != "" ]
    then
      echo -e "SUBJECT:log_watcher.sh found new logs ($now) \n\n ${new_record} \n" | /sbin/sendmail ${receiver}
      mv ${cache}.${now} ${cache}
    else
      rm ${cache}.${now}
    fi
  else
    grep "${pattern}" ${target} > ${cache}
    echo -e "SUBJECT:log_watcher.sh found new logs ($now) \n\n `cat ${cache}` \n" | /sbin/sendmail ${receiver}
  fi
}

# two methods:
# 1. uncomment the while loop below, and install a crontab like "*/2 * * * * /root/log_watcher.sh"
# 2. use the while loop below and add to system service, basically modify log_watcher.service and copy it to /etc/systemd/system
while true; do
  sleep 5
  mainloop
done