Generate structured postmortem drafts from journalctl, syslog, auth.log and dmesg

syslog-postmortem

Generate a structured postmortem draft from system logs in seconds — no more reconstructing incident timelines by hand.

Pulls from journalctl, /var/log/syslog, /var/log/auth.log and /var/log/dmesg, correlates events, detects patterns, and produces a ready-to-edit Markdown or HTML postmortem.


✨ What it does

Given a time window and optional service list, syslog-postmortem:

  1. Collects entries from journalctl (primary) and /var/log files (supplement)
  2. Deduplicates repeated messages and counts occurrences
  3. Detects patterns — OOM kills, service crashes, auth bursts, disk exhaustion, cascading failures, connection errors
  4. Builds a timeline sorted chronologically with severity icons
  5. Identifies contributing factors automatically (restart loops, cascade chains, error bursts)
  6. Generates action items from pattern hints
  7. Outputs a complete Markdown postmortem ready to edit and share

📥 Installation

pip install syslog-postmortem

🛠 Usage

# Basic run over an incident window (journalctl plus /var/log files)
postmortem --from "2026-05-10 14:00" --to "2026-05-10 16:00"
# Focus on specific services
postmortem --from "2026-05-10 14:00" --to "2026-05-10 16:00" \
           --services nginx,postgresql,redis \
           --title "Database outage" \
           --output incident-2026-05-10.md

# HTML output
postmortem --from "2026-05-10 14:00" --to "2026-05-10 16:00" \
           --format html --output report.html

# journalctl only (skip /var/log files)
postmortem --from "2026-05-10 14:00" --to "2026-05-10 16:00" --no-files

📋 Options

| Option | Description |
|---|---|
| `--from DATETIME` | Start of incident window (required) |
| `--to DATETIME` | End of incident window (required) |
| `--title TEXT` | Postmortem title (default: `Incident YYYY-MM-DD`) |
| `--services LIST` | Comma-separated services to focus on |
| `--output FILE` | Output path (default: `postmortem_YYYYMMDD_HHMM.md`) |
| `--format` | `markdown` (default) or `html` |
| `--no-files` | Skip /var/log parsing, use journalctl only |
| `--priorities` | journalctl priority filter (default: `0..4`) |

📄 Output structure

# Postmortem: Database outage

| | |
|---|---|
| **Date** | 2026-05-10 |
| **Window** | 2026-05-10 14:00 → 2026-05-10 16:00 |
| **Duration** | 2h 0m |
| **Severity** | Critical |

## Summary
Analysis of 1,243 raw log entries (89 unique events after deduplication)...
First anomaly detected at **14:03:22** in **postgresql** (CRITICAL).

## Timeline
| Time | Service | Severity | Event |
|------|---------|----------|-------|
| 14:03:22 | `postgresql` | ⛔ CRITICAL | could not connect to server |
| 14:03:45 | `nginx` | 🔴 ERROR | upstream connect error |

## Contributing Factors
- **Service instability**: `postgresql` triggered restart-loop detection 4 time(s)
- **Cascading failure**: `nginx` errors began 23s after first `postgresql` critical event

## Action Items
- [ ] Investigate postgresql restart cause; check dependencies and configuration
- [ ] Verify the downstream service is running and listening on the expected port

🔍 Detected patterns

| Pattern | Triggers |
|---|---|
| OOM Killer | `out of memory`, `oom_kill`, `killed process` |
| Disk Full | `no space left on device`, `disk full` |
| Kernel Error | `kernel: BUG`, `segfault`, `general protection` |
| Service Failed | `failed to start`, `unit entered failed state` |
| Process Crash | `segmentation fault`, `core dump`, `aborted` |
| Connection Refused | `connection refused`, `upstream connect error` |
| Timeout | `timed out`, `ETIMEDOUT`, `request timeout` |
| Auth Failure | `Failed password`, `authentication failure`, `invalid user` |
| SSL/TLS Error | `certificate expired`, `TLS handshake failed` |
| Database Error | `could not connect to database`, `max connections reached` |
| High Load | `load average spike`, `cpu throttled` |
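To make steps 2, 3 and 5 of "What it does" and the trigger table above concrete, here is a small example written for this page (not code from syslog-postmortem): it parses constructed syslog lines, classifies each message against a subset of the trigger strings, deduplicates identical messages with a count, and measures the delay between the first anomaly in an upstream service and the first in a downstream one, which is the basis of the "cascading failure" factor. The sample lines, the `parse`/`classify`/`dedupe`/`cascade_delay` names and the `year=2026` default (syslog lines carry no year) are assumptions.

```python
import re
from datetime import datetime
# Trigger substrings per pattern, a subset of the README's detected-patterns table.
PATTERNS = {
    "OOM Killer": ("out of memory", "oom_kill", "killed process"),
    "Service Failed": ("failed to start", "unit entered failed state"),
    "Connection Refused": ("connection refused", "upstream connect error"),
    "Auth Failure": ("failed password", "authentication failure", "invalid user"),
    "Database Error": ("could not connect to database", "max connections reached"),
}
# Constructed sample lines in classic /var/log/syslog format (not real log data).
SAMPLE = """\
May 10 14:03:22 db1 postgresql[812]: FATAL: could not connect to database "app"
May 10 14:03:22 db1 postgresql[812]: FATAL: could not connect to database "app"
May 10 14:03:30 db1 systemd[1]: postgresql.service: unit entered failed state
May 10 14:03:45 db1 nginx[455]: upstream connect error while connecting to upstream
May 10 14:03:45 db1 nginx[455]: upstream connect error while connecting to upstream
May 10 14:05:01 db1 kernel: Out of memory: Killed process 812 (postgres)
May 10 14:06:10 db1 sshd[990]: Failed password for invalid user admin from 192.0.2.7
"""
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ ([\w.-]+?)(?:\[\d+\])?: (.*)$")
def parse(text, year=2026):
    """Turn syslog lines into (timestamp, service, message); syslog omits the year."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events

def classify(message):
    """Name of the first pattern whose trigger occurs in the message, else None."""
    low = message.lower()
    return next((n for n, trig in PATTERNS.items() if any(t in low for t in trig)), None)

def dedupe(events):
    """Collapse identical (service, message) pairs: first timestamp plus occurrence count."""
    seen = {}  # insertion-ordered, so the first occurrence's timestamp is kept
    for ts, svc, msg in events:
        seen.setdefault((svc, msg), [ts, 0])[1] += 1
    return [(ts, svc, msg, n) for (svc, msg), (ts, n) in seen.items()]

def cascade_delay(events, upstream, downstream):
    """Seconds from the first upstream anomaly to the first downstream one, or None."""
    first = {}
    for ts, svc, msg in sorted(events):
        if classify(msg) and svc not in first:
            first[svc] = ts
    if upstream in first and downstream in first and first[downstream] >= first[upstream]:
        return int((first[downstream] - first[upstream]).total_seconds())
    return None
```

On the constructed sample, `cascade_delay(parse(SAMPLE), "postgresql", "nginx")` yields 23, the same "began 23s after" figure shown in the example output above; swapping the two services yields None because nginx's first anomaly precedes none of postgresql's.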

📝 License

MIT — see LICENSE.

🌐 Connect

GitHub

Download files

Source distribution: syslog_postmortem-1.0.0.tar.gz (16.4 kB); uploaded with twine/6.2.0 on CPython/3.11.2, not via Trusted Publishing.
Built distribution: syslog_postmortem-1.0.0-py3-none-any.whl (17.3 kB), Python 3.