filter-syslog 2.0

filter-syslog is the tool that we (two groups at Stanford) use to mail any "interesting" lines from syslog to us each night. It runs as part of an analyze rule in newsyslog.

Some time back in internal discussions, the idea came up that it would be nice to filter out a range of lines, given a regex to match the start and another to match the end. This would let us filter out blocks of lines that are otherwise awkward to match, or whose specific details may change, like system reboots. At the time, I thought this would be easy. It turned out to require almost a complete rewrite of the state logic to deal with several of the tricky cases (seeing the range start but not the range end, several possible ranges that start with the same regex but have different ends, a range inside another possible range that fails). But I think I have all the cases taken care of now.

Separately, a co-worker had started using filter-syslog with raw regexes to filter Apache error logs, something that I thought should be easier. So I added support for parsing Apache error logs, stripping the timestamp and client IP, and matching them as a "program" of apache-level where level is the logging level.

These were big enough changes, particularly with the state rewrite, that it felt like it warranted a 2.0 release.

You can get the latest version from the filter-syslog distribution page. I'll upload new Debian packages to my personal repository, but probably not until tomorrow.