## Installation

- Install the package:

  ```sh
  composer require withaspark/log-aggregator
  ```

- Define your configuration of hosts, logging groups, and log files. Copy the example config, then edit the entries:

  ```sh
  cp config.example.json config.json
  ```

- Set up SSH public keys so the aggregator can reach each configured host non-interactively. Use a dedicated key pair for this purpose and give the account it logs in as only read access to the log files it needs.
## To build index

The `pull` command fetches all log files configured to be watched and builds a
master log index containing all records.

NOTE: Deduplication is in place to prevent duplicate records from being indexed with each run. It will also eliminate identical log messages that occurred on the same host, in the same log file, and with the same timestamp (if present), so two distinct events that produce byte-identical lines within the same timestamp are kept only once.

```sh
path/to/pull <local storage directory>
```
## To query index

The `search` command (used to query the index) searches the master log index for all records matching the given pattern.
Simple search terms like "Page not found" as well as regular expressions are supported.

Each log message returned from the index has the hostname and log file name prepended to the line. This allows filtering by hostname and log file name in addition to the search pattern. Because the pattern is a regular expression, escape literal dots in hostnames and file names, as in the second example:

```sh
path/to/search "<search regex>"
./search "host\.example\.com.*auth\.log.*Failed password"
```
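The following shell script is an added example, not code from withaspark/log-aggregator. It models the pull, index and search steps described above on constructed log lines so that the deduplication behaviour (including the same-timestamp collapse noted under "To build index") and the hostname/log-file prefix filtering can be seen without any remote host. It assumes a record layout of `<hostname> <log file> <message>` separated by single spaces, a SHA-1 of the whole prepended line as the dedup key, and GNU coreutils `sha1sum`; none of these details are specified by the README.

```shell
#!/bin/sh
# Added example (not from withaspark/log-aggregator): shell model of
# pull -> build index -> search, run on constructed input.
# Assumptions not taken from the README: records are one line each in the
# form "<hostname> <log file> <message>" with single-space separators, and
# the dedup key is the SHA-1 of that whole line (sha1sum from GNU coreutils).

# Constructed sample of what a pull might return. Line 2 is byte-identical
# to line 1: that is what a re-pull produces, but it is also what two distinct
# failed logins logged within the same second look like, which is the
# collapse the README's dedup note warns about.
sample_pull() {
  cat <<'EOF'
host.example.com auth.log Jan  1 10:00:01 sshd[123]: Failed password for root from 192.0.2.10 port 2222 ssh2
host.example.com auth.log Jan  1 10:00:01 sshd[123]: Failed password for root from 192.0.2.10 port 2222 ssh2
host.example.com auth.log Jan  1 10:00:05 sshd[124]: Accepted publickey for deploy from 198.51.100.7 port 4000 ssh2
web.example.com nginx/error.log 2024/01/01 10:00:02 [error] 77#77: open() "/var/www/missing" failed (2: No such file or directory)
EOF
}

# build_index INDEX_PATH: read pulled records on stdin and append each record
# whose SHA-1 has not been seen yet to INDEX_PATH. First occurrence wins.
build_index() {
  index="$1"
  seen=$(mktemp)
  : > "$index"
  while IFS= read -r line; do
    hash=$(printf '%s' "$line" | sha1sum | cut -d ' ' -f 1)
    if ! grep -q -F -x "$hash" "$seen"; then
      echo "$hash" >> "$seen"
      printf '%s\n' "$line" >> "$index"
    fi
  done
  rm -f "$seen"
}

# search_index INDEX_PATH REGEX: print matching records. The pattern is an
# extended regex, so literal dots in host and file names must be escaped.
search_index() {
  grep -E -- "$2" "$1" || true
}

# count_lines: number of lines on stdin, without wc's leading spaces.
count_lines() {
  awk 'END { print NR }'
}

# Stand-alone demonstration: the index lands in a temp file, standing in for
# the <local storage directory> the real pull command writes to.
demo_index=$(mktemp)
sample_pull | build_index "$demo_index"
echo "index has $(count_lines < "$demo_index") records after dedup"   # 3
search_index "$demo_index" 'host\.example\.com.*auth\.log.*Failed password'
rm -f "$demo_index"
```

The duplicate sample line is dropped by the hash check, which is the intended behaviour across repeated pulls but also the reason a burst of identical messages within one timestamp shows up as a single record. Anchoring the pattern on the hostname prefix is what lets one query be scoped to a host or log file without any extra option.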
## To parse and store in local SQLite database

The `analyze` command parses the master log index and stores messages in a local
SQLite database for easier integration with other use-cases and extensions.

NOTE: This feature requires the PHP `pdo_sqlite` extension to be installed.

The database and tables will automatically be created, as needed, and saved to

Log messages are saved to the `logs` table. Available columns include:

| Column | Description |
|---|---|
| | Unique ID of the row. For future use. |
| | The SHA-1 hash of the original log message. Used for deduplication (as a record key, not as a security control). |
| | The full hostname used to make the connection to the host when pulling the logs. |
| | The name of the log file the message was found in. |
| | The full log message. |
| | The datetime the message was first seen by the |
## To tail logs

The `tail` command can be used to simultaneously tail all of the configured log files. Press Ctrl+C to exit.
## Planned features

- Accept a config file as a command-line argument. This would allow separate config files for different scenarios and commands. In lieu of this feature, we may add support for a command-line option to scope by host, log group, and/or log file.
- Config file validation to minimize unhelpful error messages.
- Handle losses of connectivity to remote hosts.
- Add default log groups that require only hosts, e.g., syslog, apache, nginx, etc.