Runit is a great package that provides process supervision and can be used as a replacement for ‘sysvinit’. The author of the package has also made a syslogd replacement called socklog which works well with runit.
Logwatch is a collection of scripts that can be used to notify you of changes to your logs. Out of the box on a Debian machine, though, logwatch will not be able to read all the logs spat out by socklog. The default setup produces logs that have the log facility and level appended to the log entry and the hostname removed:
authpriv.info: Aug 21 20:45:44 sshd: pam_unix(sshd...
The following configs should be placed in the /etc/logwatch directory so they are not overwritten on package upgrades:
LogFile =
Archive =
LogFile = socklog/*/current
Archive = socklog/*/@*
*RemoveFacility
*ExpandRepeats
*RemoveService = talkd,telnetd,inetd,nfsd,/sbin/mingetty
*ApplyStdDate

Logfile =
Archive =
LogFile = socklog/*/current
Archive = socklog/*/@*
*RemoveFacility
*ExpandRepeats
*RemoveService = talkd,telnetd,inetd,nfsd,/sbin/mingetty
*ApplyStdDate

LogFile =
Archive =
LogFile = socklog/auth/current
Archive = socklog/auth/@*
*RemoveFacility
*ExpandRepeats
*ApplyStdDate

LogFile =
LogFile = socklog/mail/current
Archive =
Archive = socklog/mail/@*
*RemoveFacility

LogFile = socklog/kern/current
Archive = socklog/kern/@*
*RemoveFacility
*ExpandRepeats
*ApplyStdDate
There may be others needed for your own system. All these configurations reference the RemoveFacility script, which removes the facility and level from each log entry.
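As an added illustration (not the author's RemoveFacility script, which is not reproduced on this page), a Perl stdin-to-stdout filter for this step could look like the following. It assumes the tag always has the "facility.level: " form of the sample line above and sits directly in front of a syslog timestamp; the --selftest switch and its sample lines are constructed for this example.

```perl
#!/usr/bin/perl
# Added example: NOT the author's RemoveFacility script.
# Reads log lines on STDIN, drops a leading "facility.level: " tag and
# writes the result to STDOUT. Run with --selftest to check the regex.
use strict;
use warnings;

# Assumption: the tag is "<facility>.<level>: " directly in front of a
# syslog timestamp, as in "authpriv.info: Aug 21 20:45:44 sshd: ...".
# Requiring the timestamp keeps message text that merely starts with
# "word.word: " from being cut.
my $TAG = qr/^[a-z][a-z0-9]*\.[a-z]+: (?=[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )/;

sub strip_tag {
    my ($line) = @_;
    $line =~ s/$TAG//;
    return $line;
}

if (@ARGV && $ARGV[0] eq '--selftest') {
    # Constructed sample lines: [input, expected output]
    my @cases = (
        [ "authpriv.info: Aug 21 20:45:44 sshd: session opened\n",
          "Aug 21 20:45:44 sshd: session opened\n" ],
        [ "kern.warn: Aug  1 03:10:02 kernel: eth0: link up\n",
          "Aug  1 03:10:02 kernel: eth0: link up\n" ],
        # Already untagged: must pass through unchanged
        [ "Aug 21 20:45:44 sshd: session opened\n",
          "Aug 21 20:45:44 sshd: session opened\n" ],
        # Looks like a tag but no timestamp follows: left alone
        [ "foo.bar: not a syslog line\n",
          "foo.bar: not a syslog line\n" ],
    );
    for my $case (@cases) {
        my ($in, $want) = @$case;
        my $got = strip_tag($in);
        die "FAIL: [$in] gave [$got]" if $got ne $want;
    }
    print "selftest ok\n";
    exit 0;
}

# Normal filter mode: tagged or not, every line is passed on.
print strip_tag($_) while <STDIN>;
```

Because untagged lines pass through unchanged, a log that does not match the assumed format still reaches the report instead of being dropped, which matters most for the auth log.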
They also reference the onlyhost script, which is used to restrict entries by host, but since the hostname is not even there we just return them all: