neilwatson has asked for the wisdom of the Perl Monks concerning the following question:

What is the best way to parse an active syslog file? Should I pipe it to my perl script? What about monitoring the log file for changes?

Neil Watson
watson-wilson.ca


Re: Best method to monitor active syslog files?
by jasonk (Parson) on Feb 08, 2006 at 19:48 UTC

    I find the easiest way to do it is with Parse::Syslog and File::Tail...

    #!/usr/bin/perl -w
    use strict;
    use warnings;
    use File::Tail;
    use Parse::Syslog;

    # File::Tail follows the live file; Parse::Syslog accepts the File::Tail
    # object directly in place of a filename.
    my $log    = File::Tail->new("/var/log/syslog");
    my $parser = Parse::Syslog->new($log);

    while (my $sl = $parser->next) {
        print qq[
    program $sl->{program} with pid $sl->{pid} on host $sl->{host} said $sl->{text} at $sl->{timestamp}
    ];
    }

    We're not surrounded, we're in a target-rich environment!
      Interesting. The code above does not seem to work so far. The Tail part does not seem to notice when the log file changes. I'll continue to investigate. One thing about this method that troubles me is that this involves keeping another process running full time. If the log was piped from syslog to the script instead I'd only need to ensure that syslog was running. This leads to my next question. How can data be passed from STDIN to Parse::Syslog?
      #!/usr/bin/perl
      use strict;
      use warnings;
      use Parse::Syslog;

      my ($parser, $sl);

      while (<>){
          # $_ is a log line here, but new() treats a plain string as a filename
          $parser = Parse::Syslog->new($_);
          while ($sl = $parser->next) {
              print "here\n";
              print qq[
      program $sl->{program} with pid $sl->{pid} on host $sl->{host} said $sl->{text} at $sl->{timestamp}
      ];
          }
      }
      This code returns an error " No such file or directory at ./logfilter.pl line 10".

      Neil Watson
      watson-wilson.ca
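Added example, not code from this thread: one way to feed STDIN to Parse::Syslog is to hand new() an IO::Handle object wrapped around STDIN rather than a string, since a plain string is taken as a filename (which is where the "No such file or directory" error comes from). This assumes, from the Parse::Syslog documentation, that new() accepts a filename, a File::Tail object or an IO::Handle object, and that the `year` option is needed because syslog lines carry no year. To show what a filter fed by syslog can do, the script also carries a small constructed detection rule that counts failed sshd logins per source address; the fallback sample lines, the `$threshold` of 3 and the `%failed` counter are all constructed for the example, not real log data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;
use File::Temp qw(tempfile);
use Parse::Syslog;

# Constructed sample lines (not real log data), used only when nothing is
# piped into the script so it can be tried without a live syslog feed.
my @sample = (
    'Feb  8 19:48:01 host1 sshd[1234]: Accepted publickey for neil from 192.0.2.5 port 50000 ssh2',
    'Feb  8 19:48:02 host1 sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2',
    'Feb  8 19:48:03 host1 sshd[1236]: Failed password for root from 192.0.2.10 port 4322 ssh2',
    'Feb  8 19:48:04 host1 sshd[1237]: Failed password for root from 192.0.2.10 port 4323 ssh2',
    'Feb  8 19:48:05 host1 cron[1240]: (root) CMD (run-parts /etc/cron.hourly)',
);

my $source;
if (-t STDIN) {
    # Interactive run: write the sample to a temp file and pass its name,
    # the plain-filename form of Parse::Syslog->new().
    my ($tmp, $name) = tempfile(UNLINK => 1);
    print $tmp "$_\n" for @sample;
    close $tmp or die "close: $!";
    $source = $name;
} else {
    # Piped run (e.g. from a FIFO the syslog daemon writes to): wrap STDIN in
    # an IO::Handle object. A bare string would be treated as a filename.
    $source = IO::Handle->new_from_fd(fileno(STDIN), 'r')
        or die "cannot wrap STDIN: $!";
}

# Syslog lines carry no year, so tell the parser which one to assume.
my $parser = Parse::Syslog->new($source, year => (localtime)[5] + 1900);

STDOUT->autoflush(1);   # show output immediately when it is piped onward

my $threshold = 3;      # hypothetical alert threshold for the example
my %failed;             # failed sshd logins seen per source address

while (my $sl = $parser->next) {
    my $prog = defined $sl->{program} ? $sl->{program} : '?';
    my $pid  = defined $sl->{pid}     ? $sl->{pid}     : '-';
    printf "%s %s %s[%s]: %s\n",
        scalar localtime($sl->{timestamp}), $sl->{host}, $prog, $pid, $sl->{text};

    # Detection rule: repeated failed password attempts from one address.
    next unless $prog eq 'sshd';
    if ($sl->{text} =~ /^Failed password for (?:invalid user )?\S+ from (\S+) port/) {
        my $src = $1;
        $failed{$src}++;
        print "ALERT: $failed{$src} failed sshd logins from $src\n"
            if $failed{$src} >= $threshold;
    }
}
```

Run with no input attached, it parses the embedded sample and raises one alert on the third failure from 192.0.2.10. To take input from the syslog daemon instead, point the daemon at a named pipe (sysklogd's syslog.conf accepts `|/path/to/fifo` as a destination; other daemons have their own syntax) and read it with `./logfilter.pl < /path/to/fifo`; EOF, and therefore the end of the loop, then only arrives when the daemon closes the pipe.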

        I've played around with Simple Event Correlator, at http://kodu.neti.ee/~risto/sec/. It's a perl app (needs 5.6 or above), and is highly configurable. There are a lot of examples in the manpage. You can set alarms, actions to be triggered by certain events, etc. If you need something to monitor the system for disk failures, etc. and need something more than an updated status of what's in the syslog messages file, it might be better to go with that, instead of writing and testing your own code.

        Oh, and there's also Splunk, although I can't say I've tried it. Just seen ads for it on slashdot and some other sites.