A CLI tool to analyze journalctl logs with specific parsers and LLM integration.
Project description
LogWatch Analyzer
LogWatch Analyzer is a command-line tool to analyze system logs from journalctl on Linux systems. It uses a YAML configuration file to define specific analysis tasks and can leverage a Large Language Model (LLM) via Ollama, Gemini, or other providers for in-depth analysis and report generation.
Features
- Configurable Analysis: Define which logs to analyze directly in the
config.yamlfile. - Specific Parsers: Includes optimized parsers for common events like failed SSH logins and kernel errors.
- LLM Integration: Utilizes a Large Language Model for generic analysis and generating human-readable reports.
- Flexible Output: Displays results in formatted tables in the terminal or generates reports in Markdown format.
- Simple CLI Interface: Easy to use with arguments to list tasks, run specific ones, and set time windows.
Installation
You can install LogWatch Analyzer from PyPI:
pip install logwatch-analyzer
Configuration
To use LogWatch Analyzer, you need a config.yaml file. The script looks for this file in the following locations, in order of priority:
~/.config/logwatch/config.yaml(Recommended for users)config.yamlin the current directory where you run the command.
Create the file in one of these locations. The recommended approach is to create a user-specific configuration:
mkdir -p ~/.config/logwatch
touch ~/.config/logwatch/config.yaml
Then, paste the following content into your config.yaml file and customize it to your needs.
# Configuration file for LogWatch
# Section for LLM provider configuration
# NOTE: The model names provided below are examples.
# Please replace them with the actual models you intend to use.
llm_providers:
ollama:
type: "ollama"
api_url: "http://localhost:11434/api/generate"
model: "gemma3:12b" # Example model
timeout: 120 # Request timeout in seconds
gemma:
type: "gemma"
# The URL for Gemma-3-27b-it. Change it if you want to use another model.
api_url: "https://generativelanguage.googleapis.com/v1beta/models/gemma-3-27b-it:generateContent"
# The API key will be read from the environment variable specified here.
api_key_env: "GEMINI_API_KEY"
timeout: 60 # Request timeout in seconds
gemini:
type: "gemini"
# The URL for Gemini 1.5 Flash. Change it if you want to use another model.
api_url: "https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash:generateContent"
# The API key will be read from the environment variable specified here.
api_key_env: "GEMINI_API_KEY"
timeout: 60 # Request timeout in seconds
openrouter:
type: "openrouter"
api_url: "https://openrouter.ai/api/v1/"
# You can change the model here. Examples: "google/gemma-2-9b-it", "anthropic/claude-3-haiku"
model: "qwen/qwen-2.5-coder-32b-instruct:free" # Example model
api_key_env: "OPENROUTER_API_KEY"
timeout: 60 # Request timeout in seconds
# Choose which LLM provider to use from the ones defined above.
active_llm_provider: "gemini"
# Definition of log analysis tasks
logs:
- name: "SSH Failed Logins"
command: "journalctl -u sshd -p err -o json --no-pager --since '1 day ago'"
parser: "ssh_parser"
# Filters to ignore irrelevant logs (examples)
filters:
- "pam_unix(sshd:auth): authentication failure" # Often redundant if you only look at "Failed password"
- name: "Sudo Usage"
command: "journalctl /usr/bin/sudo -o json --no-pager --since '1 day ago'"
parser: "llm_parser"
filters:
- "pam_unix(sudo:session): session opened for user root"
- "pam_unix(sudo:session): session closed for user root"
- name: "Kernel Errors"
command: "journalctl -k -p err -o json --no-pager --since '1 day ago'"
parser: "kernel_parser"
filters: []
- name: "General System Analysis"
command: "journalctl -p err -o json --no-pager --since '1 hour ago'"
parser: "llm_parser"
filters: []
Usage
The tool is available as the logwatch command.
List all available tasks
To see a list of all tasks defined in your config.yaml:
logwatch --list
Run a specific task
To execute a single analysis task:
logwatch --task "SSH Failed Logins"
Run all tasks
To run all tasks in sequence:
logwatch
Generate a Report File
For tasks that use the llm_parser, you can save the generated report to a Markdown file:
logwatch --task "Sudo Usage" --output report_sudo.md
Override the Time Window
You can specify a different time range from the one in the configuration file on the fly:
logwatch --task "Kernel Errors" --since "2 hours ago"
License
This project is licensed under the MIT License. See the LICENSE file for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file logwatch_analyzer-0.1.4.tar.gz.
File metadata
- Download URL: logwatch_analyzer-0.1.4.tar.gz
- Upload date:
- Size: 8.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bfabaa305c3fe0559ac20651473547f1f7a259c0230b8a9924337dd93d138092
|
|
| MD5 |
c0f6e4ad719ec9cef65686260a90b0fb
|
|
| BLAKE2b-256 |
5a1742ebb86fb5f9f9fb90daa4089abcc8c3c20ac45e932d16e2ca8361a2e0c4
|
File details
Details for the file logwatch_analyzer-0.1.4-py3-none-any.whl.
File metadata
- Download URL: logwatch_analyzer-0.1.4-py3-none-any.whl
- Upload date:
- Size: 11.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b3b72c8de8b319e241ef51ab0d2fe30f6eed9fc1245acb39e0cbf49d555bd9d1
|
|
| MD5 |
6934842345a01ad381ab24a4d33feacc
|
|
| BLAKE2b-256 |
194c73edd1a247ac1e7ba8570b17520df3f3120c4af2f95afbd111e4e3a8d37a
|
