Circuit-Forge/turnstone
5
0
Fork 0
Code Issues 11 Pull requests 1 Projects Releases 6 Packages Wiki Activity Actions
turnstone/patterns/default.yaml
pyr0ball 1b6482701c feat: journald export + system failure patterns 
- Add scripts/export_journal.sh — dumps recent journal (priority 0-5,
  20min window) to /opt/turnstone/data/journal-export.jsonl; idempotent
  via entry_id deduplication so overlap is safe
- Add system-journal source to sources.yaml pointing at the export file
- Add 9 system-level patterns to default.yaml:
  systemd_fail, oom_kill, disk_hw_error, fs_error, kernel_error,
  ssh_brute, container_crash, smart_error, nfs_error
2026-05-11 06:54:42 -07:00

181 lines
6.8 KiB
YAML
Raw Blame History

# Turnstone pattern library — named regex patterns for log tagging at ingest time.
# Each matched pattern name is stored on RetrievedEntry.matched_patterns and
# used to boost retrieval relevance for diagnostic queries.
#
# Add domain-specific patterns here. Patterns are applied in order; multiple
# can match a single entry.
patterns:
- name: service_restart
pattern: "(restarting|restart requested|service.*start)"
severity: WARN
description: Service restart detected
- name: connection_lost
pattern: "(connection (lost|dropped|refused|timed? out)|disconnect(ed)?)"
severity: ERROR
description: Network or device connection failure
- name: auth_failure
pattern: "(auth(entication)? (failed?|error|denied)|permission denied|unauthorized)"
severity: ERROR
description: Authentication or authorization failure
- name: oom
pattern: "(out of memory|OOM|killed process|cannot allocate)"
severity: CRITICAL
description: Out-of-memory condition
- name: segfault
pattern: "(segmentation fault|segfault|SIGSEGV|core dump)"
severity: CRITICAL
description: Process crash or memory corruption
- name: disk_full
pattern: "(no space left|disk full|filesystem.*full|ENOSPC)"
severity: ERROR
description: Storage capacity exhausted
- name: timeout
pattern: "(timed? out|deadline exceeded|operation timed?)"
severity: WARN
description: Operation timeout
- name: caddy_tls_error
pattern: "(acme|certificate|tls).*(error|fail|invalid|expired|renew)"
severity: ERROR
description: Caddy TLS or certificate error
- name: caddy_config_error
pattern: "(config|caddyfile|directive).*(error|invalid|unknown|unrecognized)"
severity: ERROR
description: Caddy configuration error
- name: caddy_auth_error
pattern: "(forward_auth|basicauth|basic_auth).*(error|fail|denied|invalid|unreachable)"
severity: ERROR
description: Caddy authentication middleware failure
- name: caddy_upstream_error
pattern: "(upstream|backend|reverse.proxy).*(error|fail|unreachable|refused|timeout)"
severity: ERROR
description: Caddy upstream/backend failure
- name: service_update
pattern: "(upgraded?|updated?|installing|dpkg|apt|package).*(caddy|nginx|apache|proxy)"
severity: INFO
description: Web server package update detected
- name: power_failure
pattern: "(power (fail|loss|outage|cut)|ups|battery|shutdown.*power|lost power)"
severity: CRITICAL
description: Power failure or UPS event
- name: network_interface
pattern: "(eth[0-9]|ens[0-9]|enp[0-9]|wlan[0-9]).*(down|up|carrier|link)"
severity: WARN
description: Network interface state change
- name: ip_change
pattern: "(new ip|ip.*(changed|assigned|address)|dhcp.*(ack|offer|bound|renew))"
severity: INFO
description: IP address change or DHCP event
# ── System / journald patterns ─────────────────────────────────────────────
- name: systemd_fail
pattern: "(Failed to start|failed with result|entered failed state|start request repeated too quickly|Main process exited)"
severity: ERROR
description: systemd service failed to start or crashed
- name: oom_kill
pattern: "(Killed process|oom.kill|oom_kill_process|Out of memory: Kill|memory cgroup out of memory)"
severity: CRITICAL
description: Kernel OOM killer terminated a process
- name: disk_hw_error
pattern: "(ata[0-9]|sd[a-z]|nvme[0-9]).*(error|failed|reset|timeout|exception|EH|FAILED COMMAND)"
severity: ERROR
description: Storage device hardware error or reset
- name: fs_error
pattern: "(EXT4-fs error|XFS.*error|BTRFS.*error|I/O error|blk_update_request.*error|buffer I/O error)"
severity: ERROR
description: Filesystem or block I/O error
- name: kernel_error
pattern: "(kernel: BUG|kernel panic|Oops:|general protection fault|Call Trace|RIP:.*[0-9a-f]{16})"
severity: CRITICAL
description: Kernel bug, panic, or oops — system may be unstable
- name: ssh_brute
pattern: "(Failed password|Invalid user|authentication failure|Connection closed by authenticating user).*(sshd|ssh)"
severity: WARN
description: SSH authentication failure — possible brute force
- name: container_crash
pattern: "(container.*exited|oci runtime.*error|podman.*error|docker.*error|container.*killed|OCI.*failed)"
severity: ERROR
description: Container runtime error or unexpected exit
- name: smart_error
pattern: "(smartd|SMART.*error|reallocated sector|pending sector|uncorrectable sector|Current_Pending_Sector)"
severity: CRITICAL
description: SMART disk health warning — potential drive failure
- name: nfs_error
pattern: "(nfs.*error|nfs.*timeout|RPC.*timed out|nfs4.*server.*not responding|mount.*nfs.*failed)"
severity: ERROR
description: NFS mount or RPC timeout
# Add device/service-specific patterns below this line:
- name: qbit_tracker_error
pattern: "(tracker|announce).*(not working|error|fail|unreachable|timeout|refused|invalid)"
severity: WARN
description: qBittorrent tracker connection or announce failure
- name: qbit_port_bind
pattern: "(couldn't? listen|bind.*fail|port.*in use|listening.*fail)"
severity: CRITICAL
description: qBittorrent failed to bind listen port — firewall or port conflict
- name: qbit_disk_error
pattern: "(cannot (write|open|create)|disk.*error|i/o error|file.*fail|write.*fail)"
severity: ERROR
description: qBittorrent disk write or file access failure
- name: qbit_hash_fail
pattern: "(hash.*(check|fail|mismatch)|recheck|piece.*fail)"
severity: WARN
description: qBittorrent torrent hash verification failure — possible corrupt data
- name: qbit_peer_ban
pattern: "(peer.*ban|banned.*peer|blocked.*peer)"
severity: INFO
description: qBittorrent peer banned (encryption enforcement or bad actor)
- name: qbit_download_complete
pattern: "(download.*complet|torrent.*finish|has finished downloading)"
severity: INFO
description: qBittorrent torrent download completed
- name: qbit_ratio_limit
pattern: "(ratio.*reach|seeding.*limit|stop.*seeding|upload.*limit)"
severity: INFO
description: qBittorrent seeding ratio or time limit reached
- name: qbit_session_error
pattern: "(session.*error|couldn't? resume|resume.*fail|torrent.*error)"
severity: ERROR
description: qBittorrent session or resume data error
- name: plex_eae_failure
pattern: "(EAE timeout|EAE not running|eac3_eae.*error reading output|Error submitting packet to decoder.*I/O error)"
severity: ERROR
description: Plex EasyAudioEncoder (EAC3 Dolby audio transcoder) crashed — service restart required
# - name: avcx_device_error
# pattern: "ERR-\d{4}"
# severity: ERROR
# description: AVCX device error code
Reference in a new issue View git blame Copy permalink