Generate structured postmortem drafts from journalctl, syslog, auth.log and dmesg
# syslog-postmortem
Generate a structured postmortem draft from system logs in seconds — no more reconstructing incident timelines by hand.
Pulls from journalctl, /var/log/syslog, /var/log/auth.log and /var/log/dmesg, correlates events, detects patterns, and produces a ready-to-edit Markdown or HTML postmortem.
## ✨ What it does
Given a time window and optional service list, syslog-postmortem:
- Collects entries from journalctl (primary) and /var/log files (supplement)
- Deduplicates repeated messages and counts occurrences
- Detects patterns — OOM kills, service crashes, auth bursts, disk exhaustion, cascading failures, connection errors
- Builds a timeline sorted chronologically with severity icons
- Identifies contributing factors automatically (restart loops, cascade chains, error bursts)
- Generates action items from pattern hints
- Outputs a complete Markdown postmortem ready to edit and share
## 📥 Installation
```bash
pip install syslog-postmortem
```
## 🛠 Usage
```bash
# Basic: incident window only
postmortem --from "2026-05-10 14:00" --to "2026-05-10 16:00"

# Focus on specific services
postmortem --from "2026-05-10 14:00" --to "2026-05-10 16:00" \
  --services nginx,postgresql,redis \
  --title "Database outage" \
  --output incident-2026-05-10.md

# HTML output
postmortem --from "2026-05-10 14:00" --to "2026-05-10 16:00" \
  --format html --output report.html

# journalctl only (skip /var/log files)
postmortem --from "2026-05-10 14:00" --to "2026-05-10 16:00" --no-files
```
## 📋 Options
| Option | Description |
|---|---|
| `--from DATETIME` | Start of incident window (required) |
| `--to DATETIME` | End of incident window (required) |
| `--title TEXT` | Postmortem title (default: `Incident YYYY-MM-DD`) |
| `--services LIST` | Comma-separated services to focus on |
| `--output FILE` | Output path (default: `postmortem_YYYYMMDD_HHMM.md`) |
| `--format` | `markdown` (default) or `html` |
| `--no-files` | Skip `/var/log` parsing, use journalctl only |
| `--priorities` | journalctl priority filter (default: `0..4`) |
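The collection step behind `--from`/`--to`, `--priorities` and `--services` (and the journalctl-only path selected by `--no-files`) can be illustrated with the JSON export format that `journalctl -o json` emits. The block below is an added example, not code from the syslog-postmortem project: it builds a constructed journal export, applies the window, the priority ceiling (`0..4` keeps emerg through warning) and an optional service focus, deduplicates repeated `(service, message)` pairs with a count, and renders timeline rows. The field names `__REALTIME_TIMESTAMP`, `PRIORITY`, `_SYSTEMD_UNIT` and `MESSAGE` are real journald fields; treating an entry with no `PRIORITY` field as INFO is this example's own assumption.

```python
"""Collect, filter and deduplicate journald entries for a postmortem window.
Added illustration; not the syslog-postmortem project's own parser."""
import json
from collections import OrderedDict
from datetime import datetime, timezone

# journalctl priority numbers (0 = emerg ... 7 = debug); `-p 0..4` keeps the first five.
PRIORITY_NAMES = {0: "EMERG", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
                  4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}


def ts_utc(hour, minute, second):
    """Timestamp inside the sample incident day (2026-05-10, UTC)."""
    return datetime(2026, 5, 10, hour, minute, second, tzinfo=timezone.utc)


def journal_line(when, priority, unit, message):
    """Build one line in the shape `journalctl -o json` writes (timestamp in microseconds)."""
    return json.dumps({
        "__REALTIME_TIMESTAMP": str(int(when.timestamp() * 1_000_000)),
        "PRIORITY": str(priority),
        "_SYSTEMD_UNIT": unit,
        "MESSAGE": message,
    })


# Constructed sample journal export (not real logs).
SAMPLE_JOURNAL = "\n".join([
    journal_line(ts_utc(13, 59, 58), 6, "nginx.service", "started"),  # before the window
    journal_line(ts_utc(14, 3, 22), 2, "postgresql.service", "could not connect to server"),
    journal_line(ts_utc(14, 3, 30), 2, "postgresql.service", "could not connect to server"),
    journal_line(ts_utc(14, 3, 45), 3, "nginx.service", "upstream connect error"),
    journal_line(ts_utc(14, 4, 0), 6, "cron.service", "session opened"),  # priority 6: dropped
    journal_line(ts_utc(14, 5, 10), 2, "postgresql.service", "could not connect to server"),
])


def parse_journal(text):
    """Yield (timestamp, priority, unit, message) from journalctl JSON lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        micros = int(rec["__REALTIME_TIMESTAMP"])
        when = datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc)
        priority = int(rec.get("PRIORITY", 6))  # assumption: missing PRIORITY counts as INFO
        unit = rec.get("_SYSTEMD_UNIT") or rec.get("SYSLOG_IDENTIFIER") or "unknown"
        yield when, priority, unit, rec.get("MESSAGE", "")


def collect(text, start, end, max_priority=4, services=None):
    """Apply the incident window, the priority ceiling and an optional service focus."""
    events = []
    for when, prio, unit, msg in parse_journal(text):
        if not (start <= when <= end) or prio > max_priority:
            continue
        name = unit.removesuffix(".service")
        if services and name not in services:
            continue
        events.append({"time": when, "priority": prio, "severity": PRIORITY_NAMES[prio],
                       "service": name, "message": msg})
    events.sort(key=lambda e: e["time"])
    return events


def deduplicate(events):
    """Collapse repeats of (service, message): keep the first occurrence, count the rest."""
    unique = OrderedDict()
    for e in events:
        key = (e["service"], e["message"])
        if key in unique:
            unique[key]["count"] += 1
            unique[key]["last"] = e["time"]
        else:
            unique[key] = dict(e, count=1, last=e["time"])
    return list(unique.values())


def timeline_rows(unique):
    """Markdown rows in the style of the report's Timeline section, plus a count column."""
    rows = ["| Time | Service | Severity | Event | Count |", "|---|---|---|---|---|"]
    for e in unique:
        rows.append(f"| {e['time']:%H:%M:%S} | `{e['service']}` | {e['severity']} "
                    f"| {e['message']} | {e['count']} |")
    return "\n".join(rows)


if __name__ == "__main__":
    raw = collect(SAMPLE_JOURNAL, ts_utc(14, 0, 0), ts_utc(16, 0, 0))
    uniq = deduplicate(raw)
    print(f"{len(raw)} raw entries, {len(uniq)} unique after deduplication")
    print(timeline_rows(uniq))
```

On the constructed input, four entries survive the window and priority filter and collapse to two unique events, which is the "N raw entries (M unique events after deduplication)" figure the Summary section reports. Feeding real data in would mean piping `journalctl -o json --since ... --until ...` into `collect`.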
## 📄 Output structure
```markdown
# Postmortem: Database outage
| | |
|---|---|
| **Date** | 2026-05-10 |
| **Window** | 2026-05-10 14:00 → 2026-05-10 16:00 |
| **Duration** | 2h 0m |
| **Severity** | Critical |

## Summary
Analysis of 1,243 raw log entries (89 unique events after deduplication)...
First anomaly detected at **14:03:22** in **postgresql** (CRITICAL).

## Timeline
| Time | Service | Severity | Event |
|------|---------|----------|-------|
| 14:03:22 | `postgresql` | ⛔ CRITICAL | could not connect to server |
| 14:03:45 | `nginx` | 🔴 ERROR | upstream connect error |

## Contributing Factors
- **Service instability**: `postgresql` triggered restart-loop detection 4 time(s)
- **Cascading failure**: `nginx` errors began 23s after first `postgresql` critical event

## Action Items
- [ ] Investigate postgresql restart cause; check dependencies and configuration
- [ ] Verify the downstream service is running and listening on the expected port
```
## 🔍 Detected patterns
| Pattern | Triggers |
|---|---|
| OOM Killer | out of memory, oom_kill, killed process |
| Disk Full | no space left on device, disk full |
| Kernel Error | kernel: BUG, segfault, general protection |
| Service Failed | failed to start, unit entered failed state |
| Process Crash | segmentation fault, core dump, aborted |
| Connection Refused | connection refused, upstream connect error |
| Timeout | timed out, ETIMEDOUT, request timeout |
| Auth Failure | Failed password, authentication failure, invalid user |
| SSL/TLS Error | certificate expired, TLS handshake failed |
| Database Error | could not connect to database, max connections reached |
| High Load | load average spike, cpu throttled |
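The trigger table above, together with the restart-loop and cascade factors shown in the sample report, can be reproduced with simple heuristics. The block below is an added example, not the project's code: it matches each event's message against the trigger phrases (case-insensitive substring), counts hits per pattern, flags a restart loop when one service accumulates a threshold of "Service Failed" hits, attributes a service's first error to the most recent earlier CRITICAL event of another service inside a time window, and turns pattern hits into action items. The threshold (3), the cascade window (60 s), the `ACTION_HINTS` mapping and the sample events are this example's assumptions; the two hint sentences themselves are taken from the sample report.

```python
"""Pattern detection, contributing-factor heuristics and action items for a postmortem draft.
Added illustration; thresholds and the hint mapping are assumptions, not the project's."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Trigger phrases from the Detected patterns table; matched as lower-cased substrings.
PATTERNS = {
    "OOM Killer": ["out of memory", "oom_kill", "killed process"],
    "Disk Full": ["no space left on device", "disk full"],
    "Kernel Error": ["kernel: bug", "segfault", "general protection"],
    "Service Failed": ["failed to start", "unit entered failed state"],
    "Process Crash": ["segmentation fault", "core dump", "aborted"],
    "Connection Refused": ["connection refused", "upstream connect error"],
    "Timeout": ["timed out", "etimedout", "request timeout"],
    "Auth Failure": ["failed password", "authentication failure", "invalid user"],
    "SSL/TLS Error": ["certificate expired", "tls handshake failed"],
    "Database Error": ["could not connect to database", "max connections reached"],
    "High Load": ["load average spike", "cpu throttled"],
}

# Pattern -> action-item hint. Sentences follow the sample report; the mapping is assumed.
ACTION_HINTS = {
    "Service Failed": "Investigate {service} restart cause; check dependencies and configuration",
    "Connection Refused": "Verify the downstream service is running and listening on the expected port",
}

SEVERITY_RANK = {"WARNING": 1, "ERROR": 2, "CRITICAL": 3}


def event(hour, minute, second, service, severity, message):
    """One normalised event, as a collector would hand it over (sample day 2026-05-10 UTC)."""
    return {"time": datetime(2026, 5, 10, hour, minute, second, tzinfo=timezone.utc),
            "service": service, "severity": severity, "message": message}


# Constructed sample events (not real logs): an OOM kill, a failing unit, a dependent service.
EVENTS = [
    event(14, 3, 15, "kernel", "CRITICAL", "Out of memory: Killed process 2231 (postgres)"),
    event(14, 3, 22, "postgresql", "CRITICAL", "unit entered failed state"),
    event(14, 3, 40, "postgresql", "CRITICAL", "unit entered failed state"),
    event(14, 3, 45, "nginx", "ERROR", "upstream connect error while connecting to upstream"),
    event(14, 3, 58, "postgresql", "CRITICAL", "unit entered failed state"),
    event(14, 10, 0, "sshd", "WARNING", "Failed password for invalid user admin"),
]


def detect_patterns(events):
    """Return [(event, [pattern names])] for events whose message hits at least one trigger."""
    hits = []
    for e in events:
        text = e["message"].lower()
        names = [name for name, triggers in PATTERNS.items() if any(t in text for t in triggers)]
        if names:
            hits.append((e, names))
    return hits


def pattern_counts(events):
    """How many events matched each pattern (one count per event per pattern)."""
    return Counter(name for _, names in detect_patterns(events) for name in names)


def cascade_chains(events, window=timedelta(seconds=60)):
    """(source, downstream, seconds): a service's first ERROR-or-worse event attributed to the
    most recent earlier first-CRITICAL event of another service within `window`."""
    first_critical, first_error = {}, {}
    for e in sorted(events, key=lambda e: e["time"]):
        rank = SEVERITY_RANK.get(e["severity"], 0)
        if rank >= 2:
            first_error.setdefault(e["service"], e["time"])
        if rank == 3:
            first_critical.setdefault(e["service"], e["time"])
    chains = []
    for svc, t in first_error.items():
        sources = [(t0, src) for src, t0 in first_critical.items()
                   if src != svc and t0 < t <= t0 + window]
        if sources:
            t0, src = max(sources)  # latest preceding critical event wins
            chains.append((src, svc, int((t - t0).total_seconds())))
    return chains


def contributing_factors(events, restart_threshold=3):
    """Markdown bullets in the style of the report's Contributing Factors section."""
    failed = Counter(e["service"] for e, names in detect_patterns(events) if "Service Failed" in names)
    factors = [f"**Service instability**: `{svc}` triggered restart-loop detection {n} time(s)"
               for svc, n in failed.items() if n >= restart_threshold]
    for src, dst, secs in cascade_chains(events):
        factors.append(f"**Cascading failure**: `{dst}` errors began {secs}s after first `{src}` critical event")
    return factors


def action_items(events):
    """Deduplicated checklist items derived from pattern hints."""
    items = []
    for e, names in detect_patterns(events):
        for name in names:
            if name in ACTION_HINTS:
                item = "- [ ] " + ACTION_HINTS[name].format(service=e["service"])
                if item not in items:
                    items.append(item)
    return items


if __name__ == "__main__":
    print(dict(pattern_counts(EVENTS)))
    print("\n".join("- " + f for f in contributing_factors(EVENTS)))
    print("\n".join(action_items(EVENTS)))
```

On the sample, the cascade heuristic attributes `postgresql` to the earlier kernel OOM kill (7 s) and `nginx` to `postgresql` (23 s, the figure in the sample report). Attributing by "latest preceding critical event" is a deliberate simplification: it gives a reviewer a starting hypothesis, not a proven cause, which is why the report is labelled a draft.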
## 📝 License
MIT — see LICENSE.
Details for the file syslog_postmortem-1.0.0.tar.gz.
File metadata
- Download URL: syslog_postmortem-1.0.0.tar.gz
- Upload date:
- Size: 16.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 04cc9f6550b179ca6f0d53141a9c1e1ee500d8e5e87f4b07131ef5e52bad1274 |
| MD5 | f1cc7e82c443f37a288fe7d8c7a4bf4d |
| BLAKE2b-256 | ed1709eba0cde02b0544010617f3b56b042cbf59335b6be4a63f81360e7d30e5 |
File details
Details for the file syslog_postmortem-1.0.0-py3-none-any.whl.
File metadata
- Download URL: syslog_postmortem-1.0.0-py3-none-any.whl
- Upload date:
- Size: 17.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2e147eba58d7b66d4df134c3ab545d3d230a553628fc0c4aca66d322d799b522 |
| MD5 | d158749dfb2c366db5d3d1b4aa911d69 |
| BLAKE2b-256 | 681ffc36d5215aadac3525b8c812f09f066521207851e2bb2ed56a18b02f7367 |