Ingest pipeline (journald / Caddy / Docker-wrapped formats) with per-source state tracking (repeat dedup, out-of-order detection), named pattern tagging at ingest time, and idempotent SHA1-keyed writes. FTS5 search layer with porter stemmer, severity/source/pattern/time filters, and BM25 ranking. MCP server (FastMCP stdio) with three tools: search_logs, diagnose, list_log_sources — compatible with both Claude Code and Copilot CLI. WAL mode enabled on all connections. FTS index auto-built after ingest. MCP configs included for Claude Code (.mcp.json) and Copilot CLI (.github/copilot/mcp.json).
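# Turnstone pattern library — named regex patterns for log tagging at ingest time.
# Each matched pattern name is stored on RetrievedEntry.matched_patterns and
# used to boost retrieval relevance for diagnostic queries.
#
# Add domain-specific patterns here. Patterns are applied in order; multiple
# can match a single entry.
#
# Authoring notes:
# - Write patterns in single quotes. YAML double-quoted scalars process
#   backslash escapes, so "\b" turns into a backspace character and "\d" is
#   rejected as an unknown escape. Single quotes keep the regex literal.
# - Log text is partly attacker-influenced (usernames, request paths), so a
#   tag shows that the wording appeared in an entry, not that the event
#   happened. Treat tags as triage hints rather than verdicts.
# - Put word boundaries on short tokens and avoid nested quantifiers such as
#   (a+)+, which can backtrack heavily on long lines in backtracking engines.
# - NOTE(review): whether matching is case-insensitive is not visible from
#   this file; confirm in the loader before relying on letter case.

patterns:
  - name: service_restart
    pattern: '(restarting|restart requested|service.*start)'
    severity: WARN
    description: Service restart detected

  - name: connection_lost
    pattern: '(connection (lost|dropped|refused|timed? out)|disconnect(ed)?)'
    severity: ERROR
    description: Network or device connection failure

  - name: auth_failure
    pattern: '(auth(entication)? (failed?|error|denied)|permission denied|unauthorized)'
    severity: ERROR
    description: Authentication or authorization failure

  - name: oom
    pattern: '(out of memory|OOM|killed process|cannot allocate)'
    severity: CRITICAL
    description: Out-of-memory condition

  - name: segfault
    pattern: '(segmentation fault|segfault|SIGSEGV|core dump)'
    severity: CRITICAL
    description: Process crash or memory corruption

  - name: disk_full
    pattern: '(no space left|disk full|filesystem.*full|ENOSPC)'
    severity: ERROR
    description: Storage capacity exhausted

  - name: timeout
    pattern: '(timed? out|deadline exceeded|operation timed?)'
    severity: WARN
    description: Operation timeout

  - name: caddy_tls_error
    pattern: '(acme|certificate|tls).*(error|fail|invalid|expired|renew)'
    severity: ERROR
    description: Caddy TLS or certificate error

  - name: caddy_config_error
    pattern: '(config|caddyfile|directive).*(error|invalid|unknown|unrecognized)'
    severity: ERROR
    description: Caddy configuration error

  - name: caddy_auth_error
    pattern: '(forward_auth|basicauth|basic_auth).*(error|fail|denied|invalid|unreachable)'
    severity: ERROR
    description: Caddy authentication middleware failure

  - name: caddy_upstream_error
    pattern: '(upstream|backend|reverse.proxy).*(error|fail|unreachable|refused|timeout)'
    severity: ERROR
    description: Caddy upstream/backend failure

  - name: service_update
    # "apt" is bounded so it no longer matches inside words such as "adapter"
    # or "captured" that happen to precede a web server name.
    pattern: '(upgraded?|updated?|installing|dpkg|\bapt\b|package).*(caddy|nginx|apache|proxy)'
    severity: INFO
    description: Web server package update detected

  - name: power_failure
    # A bare "ups" also matches inside "upstream" and "groups", which would
    # tag routine reverse-proxy entries as CRITICAL. The bounded form keeps
    # the standalone token and the upsd / upsmon / apcupsd daemon names.
    pattern: '(power (fail|loss|outage|cut)|\b(apc)?ups(d|mon)?\b|battery|shutdown.*power|lost power)'
    severity: CRITICAL
    description: Power failure or UPS event

  - name: network_interface
    pattern: '(eth[0-9]|ens[0-9]|enp[0-9]|wlan[0-9]).*(down|up|carrier|link)'
    severity: WARN
    description: Network interface state change

  - name: ip_change
    pattern: '(new ip|ip.*(changed|assigned|address)|dhcp.*(ack|offer|bound|renew))'
    severity: INFO
    description: IP address change or DHCP event

  # Add device/service-specific patterns below this line:
  # (the example is single-quoted so that \d survives YAML parsing)
  # - name: ext_device_device_error
  #   pattern: 'ERR-\d{4}'
  #   severity: ERROR
  #   description: EXT_DEVICE device error code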