[logs] Error messages from syslogd

[Russell Fulton]

Marcus J. Ranum wrote:
> Justin Mitchell wrote:
>   
>> Regular expressions, experience, and research are priceless (w/ an emphasis on 
>> regular expressions).
>>     
>
> #include <rants/mjr-why-regexps-are-the-wrong-thing.h>
>
>   
for those who missed the original

http://lists.jammed.com/loganalysis/2002/06/0015.html

Marcus:   I've reread that post and largely agree with it (although,
being a rant some points are a bit over stated ;).  I am working on a
log management system written in ruby  and yes,  it uses REs. I'll add
one other bitch to your list -- SELMS (Simple Extensible Log Management
System) keeps all the patterns in a structured configuration file and RE
are a pain to parse.  The way I got around it was to terminate REs with
a <tab>  and grab every thing from the start of the RE to the <tab> and
pass the lot to Ruby to check (and return the compiled version as an
object which is then stored or an error message).  It works but isn't
beautiful.  I digress...

Given a different expression matching library it would be reasonably
straight forward to add it to SELMS  -- that is what the Extensible bit
is about ;)

So does anyone have such a matching library that they can Open Source?  
Even some thing that I can start from?  Libpcre if all else fails I
guess?   Hmmm... may be I'll talk to my friends in CS and Software
Engineering -- that might make a good student project.

I will be releasing SELMS later this year -- it is an out growth from my
sl2 and sl3 scripts that are already linked in the log analysis web
site.  If anyone is using either of them then SELMS is pretty well a
drop in replacement but does much more.  I have just added 'real time'
alerting, as opposed to the periodic 'artificial ignorance' stuff which
is similar to sl3.  Once we have the real time stuff running in
production for a few months I'll put it up on RubyForge and announce it
in the obvious places.

Russell