changedfiles is a framework for filesystem replication, security monitoring, and/or automatic file transformations--essentially any application where you'd poll files or directories and either do something to them or send them somewhere else (or both). The difference is that the kernel tells you when they change instead of you having to poll. It's an easy real-time FTP push mirror to one or multiple sites. It's also a full-fledged MySQL client, so you can do real-time database operations (for example, batch imports). It consists of two parts: a kernel module (works with Linux kernel version 2.4) which reports to a device whenever a file on the filesystem changes, and a daemon which runs in user space and can be configured to do almost any action when a change to a file matching one of the patterns it looks for is reported. The kernel module is SMP safe and has been tested on Intel, PowerPC, and Alpha.
LooperNG is an intelligent event routing daemon. Primarily used for Network Management, this application can be used to accomplish a variety of tasks related to logging and alerting such as trap forwarding/exploding, event enrichment, converting event formats (syslog->SNMP, SNMP->flatfile, syslog->Netcool), etc. It uses a system of input and output modules to interface with the event sources/sinks and a "rules file" to control the flow of the events.
Worm Report is a very simple Perl script to filter out the known worm (Code Red, Nimda) hits from the access log, and put them into their own files named for the IP/Host that has been "wormed". A basic report containing the count, hostname, IP, and a guess at the parent domain is then printed to STDOUT to facilitate contacting these individuals. Adding a new worm requires adding a new worm hit string to the DATA section of the script, nothing so fancy (or exhaustive) as an Apache module.
svclean is a set of utilities for enhancing svscan and supervise. With these tools, you get clean shutdown (i.e. services are guaranteed to be stopped before their loggers, so no logs are lost) and supervised logging of svscan's and supervise's output (so if the last-resort logger is killed, it can be restarted). These features are practically necessary for running svscan as process 1, but are useful even when svscan does not run as process 1.
socklog cooperates with the runit package to create a small and secure replacement for syslogd. socklog supports system logging through Unix domain sockets (/dev/log) and UDP sockets (0.0.0.0:514) with the help of runit's runsvdir, runsv, and svlogd. socklog provides a different network logging concept, and also does log event notification. svlogd has built-in log file rotation based on file size, so there is no need for any cron jobs to rotate the logs. socklog is small, secure, and reliable.