{"id":22267907,"url":"https://github.com/soulgarden/logalert","last_synced_at":"2026-02-06T23:01:51.285Z","repository":{"id":139102103,"uuid":"583867218","full_name":"soulgarden/logalert","owner":"soulgarden","description":"A lightweight, memory-efficient Rust application that monitors Elasticsearch/ZincSearch for specific log events and delivers real-time alerts to Slack.","archived":false,"fork":false,"pushed_at":"2025-12-29T00:16:41.000Z","size":173,"stargazers_count":2,"open_issues_count":5,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-12-31T17:38:05.127Z","etag":null,"topics":["alerting","docker","elasticsearch","helm","k8s","logging","logs","rust","slack","zinc","zincsearch"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/soulgarden.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-12-31T08:20:43.000Z","updated_at":"2025-12-29T00:08:56.000Z","dependencies_parsed_at":"2024-05-06T02:39:44.366Z","dependency_job_id":"87f021e2-b9ae-4451-bad0-70cf69bdf2c3","html_url":"https://github.com/soulgarden/logalert","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/soulgarden/logalert","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soulgarden%2Flogalert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soulgarden%2Flogalert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soulgarden%2Flogalert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soulgarden%2Flogalert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/soulgarden","download_url":"https://codeload.github.com/soulgarden/logalert/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soulgarden%2Flogalert/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29179565,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T22:12:24.066Z","status":"ssl_error","status_checked_at":"2026-02-06T22:12:09.859Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alerting","docker","elasticsearch","helm","k8s","logging","logs","rust","slack","zinc","zincsearch"],"created_at":"2024-12-03T11:09:33.431Z","updated_at":"2026-02-06T23:01:51.280Z","avatar_url":"https://github.com/soulgarden.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# logalert\n\n![Tests and linters](https://github.com/soulgarden/logalert/actions/workflows/main.yml/badge.svg)\n\nA lightweight, memory-efficient Rust application that monitors Elasticsearch/ZincSearch for specific log events and delivers real-time alerts to Slack. Designed for high-performance log monitoring in production environments with minimal resource overhead.\n\n## Features\n\n- **Low Resource Usage**: Optimized for minimal CPU and memory consumption\n- **Real-time Monitoring**: Continuous polling with configurable intervals\n- **Event Deduplication**: Intelligent message aggregation to prevent spam\n- **Template-based Queries**: Flexible Handlebars templates for search queries\n- **Robust Error Handling**: Comprehensive validation and graceful failure recovery\n- **Cloud Native**: Ready for Kubernetes deployment with Helm charts\n\n**Compatibility**: Elasticsearch 7.x, Kubernetes 1.14+\n\n## Architecture\n\nLogalert uses an **actor-based architecture** with two main components that run concurrently:\n\n### Core Components\n\n#### 1. **Watcher** (`src/watcher.rs`)\n- **Purpose**: Polls Elasticsearch/ZincSearch for new events matching specified criteria\n- **Polling Strategy**: Time-based querying using configurable intervals (1-3600 seconds)\n- **Query Engine**: Uses Handlebars templates for flexible query construction\n- **Data Pipeline**: Processes search results and forwards events to the Sender\n\n**Query Template** (`src/templates/query.hbs`):\n```json\n{\n  \"query\": {\n    \"bool\": {\n      \"filter\": [\n        {\n          \"range\": {\n            \"@timestamp\": { \"gte\": \"{{ date }}\" }\n          }\n        },\n        {\n          \"query_string\": {\n            \"query\": \"{{ query }}\"\n          }\n        }\n      ]\n    }\n  },\n  \"size\": 50,\n  \"sort\": [{ \"@timestamp\": { \"order\": \"desc\" } }]\n}\n```\n\n#### 2. **Sender** (`src/sender.rs`)\n- **Purpose**: Processes events and delivers Slack notifications\n- **Deduplication**: In-memory HashMap tracks sent messages to prevent duplicates\n- **Rate Limiting**: Aggregates events by message+namespace to reduce notification spam\n- **Cleanup**: Automatic memory cleanup of old event tracking data\n- **Template Engine**: Handlebars templates for Slack message formatting\n\n### Data Flow\n\n```\n┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐\n│   Elasticsearch │◄───│     Watcher     │    │     Sender      │\n│   /ZincSearch   │    │                 │    │                 │\n└─────────────────┘    │ • Polls every N │    │ • Deduplicates  │\n                       │   seconds       │───►│ • Aggregates    │\n┌─────────────────┐    │ • Queries with  │    │ • Sends to Slack│\n│   Config File   │───►│   templates     │    │                 │\n└─────────────────┘    │ • Parses events │    └─────────────────┘\n                       └─────────────────┘             │\n                                                       ▼\n                                              ┌─────────────────┐\n                                              │      Slack      │\n                                              └─────────────────┘\n```\n\n### Working Principles\n\n1. **Event-Driven Processing**: Uses Tokio's async runtime for concurrent operation\n2. **Memory Management**: In-memory deduplication cache with automatic cleanup\n3. **Graceful Shutdown**: Signal handling for clean application termination\n4. **Configuration Validation**: Comprehensive input validation prevents runtime errors\n5. **HTTP Resilience**: Configurable timeouts and connection limits for reliability\n\n## Configuration\n\nCreate a `config.json` file or set the `CFG_PATH` environment variable:\n\n```json\n{\n  \"is_debug\": true,\n  \"storage\": {\n    \"host\": \"http://elasticsearch.example.com\",\n    \"port\": 9200,\n    \"index_name\": \"logs-*\",\n    \"api_prefix\": \"/\",\n    \"use_auth\": true,\n    \"username\": \"admin\", \n    \"password\": \"password\"\n  },\n  \"watch_interval\": 60,\n  \"query_string\": \"level:error OR status:5*\",\n  \"slack\": {\n    \"webhook_url\": \"https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK\"\n  }\n}\n```\n\n### Configuration Parameters\n\n- **`watch_interval`**: Polling interval in seconds (1-3600)\n- **`query_string`**: Elasticsearch query string syntax for matching events\n- **`storage.index_name`**: Elasticsearch index pattern to search\n- **`storage.api_prefix`**: API endpoint prefix (usually `/` for ES, `/api` for ZincSearch)\n- **`slack.webhook_url`**: Slack incoming webhook URL for notifications\n\n## Installation\n\n### Kubernetes with Helm\n\n```bash\n# Create namespace\nmake create_namespace\n\n# Install application  \nmake helm_install\n\n# Upgrade existing installation\nmake helm_upgrade\n```\n\n### Docker\n\n```bash\n# Build and push image\nmake build\n\n# Run container\ndocker run -v $(pwd)/config.json:/app/config.json soulgarden/logalert:0.0.10\n```\n\n### From Source\n\n```bash\n# Build release binary\ncargo build --release\n\n# Run with config\nCFG_PATH=./config.json ./target/release/logalert\n```\n\n## Development\n\n```bash\n# Format code\nmake fmt\n\n# Run linting\nmake lint\n\n# Run linting with auto-fix\nmake lint_fix\n\n# Run tests\nmake test\n```\n\n## Performance Characteristics\n\n- **Memory Usage**: ~5-15MB typical runtime footprint\n- **CPU Usage**: Minimal baseline, scales with event volume\n- **Network**: Efficient HTTP/1.1 with connection pooling  \n- **Storage**: No persistent storage required - purely in-memory operation\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoulgarden%2Flogalert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsoulgarden%2Flogalert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoulgarden%2Flogalert/lists"}