diff --git a/monitoring/arpwatch/README.md b/monitoring/arpwatch/README.md
new file mode 100644
index 0000000..bb3c1fc
--- /dev/null
+++ b/monitoring/arpwatch/README.md
@@ -0,0 +1,15 @@
+# ArpWatch
+Monitor stations on network
+
+# Prerequisites
+vlans
+arpwatch
+
+# Notes
+* Ignore main interface on which vlans are set
+
+# Configuration
+* Add alias to drop the emails that are being sent
+* add filter to syslog (rsyslog) to direct messages to special file
+* fix arpwatch.conf to start daemon per interface (look at notes above)
+* go
diff --git a/monitoring/arpwatch/aliases b/monitoring/arpwatch/aliases
new file mode 100644
index 0000000..6f37c6e
--- /dev/null
+++ b/monitoring/arpwatch/aliases
@@ -0,0 +1 @@
+nukemailz: /dev/null
diff --git a/monitoring/arpwatch/arpwatch.conf b/monitoring/arpwatch/arpwatch.conf
new file mode 100644
index 0000000..334298c
--- /dev/null
+++ b/monitoring/arpwatch/arpwatch.conf
@@ -0,0 +1,8 @@
+# prod setup
+eth0 -m nukemailz
+#eth1 -m nukemailz
+eth1.100 -m nukemailz
+eth1.101 -m nukemailz
+eth1.102 -m nukemailz
+eth1.103 -m nukemailz
+eth1.104 -m nukemailz
diff --git a/monitoring/arpwatch/rsyslogd-arpwatch.conf b/monitoring/arpwatch/rsyslogd-arpwatch.conf
new file mode 100644
index 0000000..f555952
--- /dev/null
+++ b/monitoring/arpwatch/rsyslogd-arpwatch.conf
@@ -0,0 +1,2 @@
+# log arpwatch in a separate file
+if $programname == 'arpwatch' then /var/log/arpwatch.log
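Review bot: Pointing `nukemailz` at `/dev/null` discards every arpwatch report, not just the noisy "new station" ones. The "changed ethernet address" and "flip flop" reports, which are the ones a defender usually wants to see, are dropped as well. The same applies to every `-m nukemailz` line in arpwatch.conf. If the syslog file is meant to be the only channel, the alias should say so, for example with `# arpwatch mail is discarded on purpose; events are kept only via syslog in /var/log/arpwatch.log` above it. Otherwise route the alias to a monitored mailbox rather than `/dev/null`.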
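Review bot: The commented-out `#eth1 -m nukemailz` line carries no explanation, and the VLAN sub-interfaces `eth1.100` to `eth1.104` are listed by hand. A VLAN added later is therefore not watched until someone adds a line here, and nothing in the file says so. Presumably eth1 is the VLAN parent that the README says to ignore; a comment such as `# eth1 is the VLAN parent: watch its sub-interfaces only, and add a line for each new VLAN` would make both points explicit.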
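Review bot: With mail discarded by the `nukemailz` alias, `/var/log/arpwatch.log` becomes the only record of arpwatch events, and nothing visible in this commit rotates it or ships it off the host. A logrotate entry for the new file would be worth adding alongside this rule. The rule also has no `& stop` after it, so each message still falls through to the default rules. If that duplication is intended, say so in the comment, e.g. `# log arpwatch in a separate file; messages still pass on to the default rules`.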