logs▌

Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules.

Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.

Search and analyze your complete conversation history using jq and rg. \n \n Session logs stored as append-only JSONL files at ~/.openclaw/agents/<agentId>/sessions/ , indexed by session ID with full message transcripts including role, timestamp, content type, and token cost \n Extract user messages, assistant responses, tool calls, and metadata using jq filters; search across all sessions or within specific files using rg for keyword matching \n Common patterns provided for listing session

Search and filter logs to support incident investigation. The workflow mirrors Kibana Discover: apply a time range and scope filter, then iteratively add exclusion filters (NOT) until a small, interesting subset of logs remains—either the root cause or the key document. Optionally view logs in context (preceding and following that document) or pivot to another entity and start a fresh search. Use ES|QL only (POST /_query); do not use Query DSL.

Search, process, and archive logs with cost awareness.

Read and analyze structured wide-event logs from the local .evlog/logs/ directory to debug errors, investigate performance issues, and understand application behavior.

Use openlogs tail to retrieve recent server logs before asking the user to paste anything. Prefer the cleaned text log unless ANSI or raw terminal bytes matter.