turnstone/patterns/sources-cluster.yaml

# Turnstone log sources — Heimdall cluster glean.
# Covers: Heimdall (local), Navi, Sif, Cass, Strahl (SSH-collected),
#         Docker services on Heimdall, and network device syslog.
#
# Collected by scripts/collect_cluster_logs.sh before each glean run.
# All paths are container-side (/data/ = bind-mount of /devl/turnstone-cluster/data/).
#
# Cron (collect + glean, every 15 min):
#   */15 * * * * bash /Library/Development/CircuitForge/turnstone/scripts/collect_cluster_logs.sh && \
#     docker exec turnstone-cluster python scripts/glean_corpus.py \
#       --sources /patterns/sources-cluster.yaml --db /data/turnstone.db \
#       >> /var/log/turnstone-cluster-glean.log 2>&1

sources:
  # ── Heimdall (local) ─────────────────────────────────────────────────────────
  - id: heimdall-journal
    path: /data/heimdall-journal.jsonl

  - id: heimdall-dmesg
    path: /data/heimdall-dmesg.txt

  # ── Remote cluster nodes (SSH-collected journals) ────────────────────────────
  - id: navi-journal
    path: /data/navi-journal.jsonl

  - id: sif-journal
    path: /data/sif-journal.jsonl

  - id: cass-journal
    path: /data/cass-journal.jsonl

  - id: strahl-journal
    path: /data/strahl-journal.jsonl

  # ── Docker services on Heimdall ──────────────────────────────────────────────
  - id: docker-cf-orch-coordinator
    path: /data/docker-cf-orch-coordinator.jsonl

  - id: docker-cf-web
    path: /data/docker-cf-web.jsonl

  - id: docker-cf-directus
    path: /data/docker-cf-directus.jsonl

  - id: docker-caddy-proxy
    path: /data/docker-caddy-proxy.jsonl

  # ── Network syslog (router, switches, UniFi APs) ─────────────────────────────
  # Written by syslog-receiver.service (UDP 5140 → /devl/turnstone-cluster/data/network-syslog.txt).
  # Configure devices to send syslog to Heimdall:5140.
  # UniFi: Settings → System → Remote Logging → Syslog Host = <YOUR_HOST_IP>:5140
  # Ubiquiti EdgeRouter: set system syslog host <YOUR_HOST_IP> facility all level debug
  # Managed switches: varies by vendor — target <YOUR_HOST_IP> UDP 5140
  - id: network-syslog
    path: /data/network-syslog.txt