Initial cross-server log inventory + anomaly scan

- 10 hosts (mo1, ams, ams2, ro1, ca1, ca2, ca3, fr1, sony, termux) - discover-logs.sh: portable inventory (Linux/FreeBSD/Termux) - scan-anomalies.sh: ERROR/WARN/CRITICAL counts + journalctl + kubectl - run-all.sh: parallel SSH fan-out - build-summary.py: aggregates into reports/SUMMARY.md - 5 HIGH-severity findings identified on ro1 (apache scanner traffic, mount_monitor warnings)
2026-04-10 21:49:17 +00:00
parent cabf4c587f
commit e96a8b03fc
26 changed files with 1636 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -1,3 +1,52 @@
 # log_analysis

-Cross-server log inventory and anomaly reports
+Cross-server log inventory and anomaly scanning across the rpert infrastructure
+(10 hosts: mo1, ams, ams2, ro1, ca1, ca2, ca3, fr1, sony, termux).
+
+## Layout
+
+```
+log_analysis/
+├── README.md
+├── scripts/
+│   ├── discover-logs.sh    # portable log inventory (Linux/FreeBSD/Termux)
+│   ├── scan-anomalies.sh   # ERROR/WARN/CRITICAL counts + journalctl scan
+│   └── run-all.sh          # fan out both scripts to every host via SSH
+├── logs/
+│   └── inventory/<host>.csv   # path,size_bytes,mtime,service
+├── anomalies/
+│   └── <host>.txt             # raw anomaly findings per host
+└── reports/
+    └── SUMMARY.md             # cross-host roll-up + recommendations
+```
+
+## Hosts
+
+| Host    | OS       | SSH                       |
+|---------|----------|---------------------------|
+| mo1     | Debian   | local                     |
+| ams     | FreeBSD  | `ssh ams` (sudo -n)       |
+| ams2    | FreeBSD  | `ssh ams2` (sudo -n)      |
+| ro1     | FreeBSD  | `ssh ro1` (sudo -n)       |
+| ca1     | Ubuntu   | `ssh ca1`                 |
+| ca2     | Debian   | `ssh ca2`                 |
+| ca3     | Debian   | `ssh -p 15120 ca3`        |
+| fr1     | Ubuntu   | `ssh fr1`                 |
+| sony    | Debian   | `ssh sony` (laptop)       |
+| termux  | Android  | `ssh -p 8022 termux`      |
+
+## Usage
+
+```bash
+./scripts/run-all.sh        # discovery + anomaly scan, all hosts
+git add -A && git commit -m "refresh $(date -I)" && git push
+```
+
+Reports land in `reports/SUMMARY.md`.
+
+## Notes
+
+- FreeBSD hosts use `sudo -n` + `BatchMode=yes` (per memory).
+- Discovery uses `locate`/`plocate` where available, falls back to scanning
+  `/var/log` with `du`. `find` is avoided per project preference.
+- Sony and Termux may be offline; the runner skips unreachable hosts.
--- a/anomalies/ams.txt
+++ b/anomalies/ams.txt
@@ -0,0 +1,31 @@
+=== Anomaly scan: ams.3z8.pw (2026-04-10T21:46:07Z) ===
+
+--- recent log files (mtime < 7d) ---
+/var/log/borg-backup.log	errors=21	warns=0	size=6198346
+    > M /usr/local/www/apache24/error/HTTP_INTERNAL_SERVER_ERROR.html.var
+    > M /usr/local/www/apache24/error/HTTP_PRECONDITION_FAILED.html.var
+    > [2026-03-12 02:00:01] BACKUP FAILED with exit code 2
+    > [2026-03-13 02:00:01] BACKUP FAILED with exit code 2
+    > [2026-03-14 02:00:01] BACKUP FAILED with exit code 2
+/var/log/debug.log.0.bz2	errors=1	warns=0	size=55238
+    > Binary file (standard input) matches
+
+--- /var/log disk usage ---
+ 13M	/var/log
+ 92K	/var/log/maillog.4.bz2
+ 96K	/var/log/maillog.3.bz2
+104K	/var/log/maillog.6.bz2
+108K	/var/log/maillog.2.bz2
+120K	/var/log/debug.log
+120K	/var/log/maillog.1.bz2
+124K	/var/log/maillog.0.bz2
+340K	/var/log/cron
+344K	/var/log/messages
+512K	/var/log/bsdinstall_log
+512K	/var/log/utx.log.1
+672K	/var/log/auth.log
+928K	/var/log/letsencrypt
+1.3M	/var/log/maillog
+6.0M	/var/log/borg-backup.log
+
+--- top 15 largest files under /var/log ---
--- a/anomalies/ams2.txt
+++ b/anomalies/ams2.txt
@@ -0,0 +1,25 @@
+=== Anomaly scan: ams2.3z8.pw (2026-04-10T21:45:59Z) ===
+
+--- recent log files (mtime < 7d) ---
+/var/log/borg/cron.log	errors=1	warns=0	size=265522
+    > M /etc/periodic/security/520.pfdenied
+
+--- /var/log disk usage ---
+7.7M	/var/log
+ 68K	/var/log/auth.log.6.bz2
+ 72K	/var/log/auth.log.0.bz2
+ 72K	/var/log/auth.log.3.bz2
+ 72K	/var/log/auth.log.4.bz2
+ 72K	/var/log/auth.log.5.bz2
+ 76K	/var/log/bsdinstall_log
+ 84K	/var/log/maillog.2.bz2
+160K	/var/log/cron
+628K	/var/log/borg
+640K	/var/log/maillog
+672K	/var/log/debug.log
+704K	/var/log/auth.log
+704K	/var/log/daemon.log
+704K	/var/log/messages
+1.6M	/var/log/letsencrypt
+
+--- top 15 largest files under /var/log ---
--- a/anomalies/ca1.txt
+++ b/anomalies/ca1.txt
@@ -0,0 +1,41 @@
+=== Anomaly scan: ca1.rspworks.tech (2026-04-10T21:46:10Z) ===
+
+--- journalctl -p err --since '24 hours ago' ---
+-- No entries --
+
+--- recent log files (mtime < 7d) ---
+
+--- /var/log disk usage ---
+372M	/var/log
+852K	/var/log/ufw.log.2.gz
+1.3M	/var/log/syslog.3.gz
+1.4M	/var/log/syslog.2.gz
+1.6M	/var/log/auth.log
+1.7M	/var/log/mail.log
+3.4M	/var/log/auth.log.1
+6.1M	/var/log/kern.log
+6.1M	/var/log/sysstat
+6.1M	/var/log/ufw.log
+7.3M	/var/log/ufw.log.1
+7.4M	/var/log/kern.log.1
+7.9M	/var/log/btmp.1
+8.7M	/var/log/syslog
+9.5M	/var/log/syslog.1
+296M	/var/log/journal
+
+--- top 15 largest files under /var/log ---
+ 440136579  /var/log
+ 360710144  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8
+ 360710144  /var/log/journal
+  58720256  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/system@ab13cdfa37454491a79434767401386e-00000000003adb5c-00064cb3c1ed363d.journal
+  58720256  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/system@9e6ecb5b9f514c72a5570e68825ad6a7-00000000003ca351-00064d43484e2748.journal
+  50331648  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/system@fec4a914b99c4953ab02aad708666ef9-00000000003f6f27-00064e81484ba094.journal
+  50331648  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/system@9e6ecb5b9f514c72a5570e68825ad6a7-00000000003defff-00064ddfb0de2946.journal
+  25165824  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/system@9e6ecb5b9f514c72a5570e68825ad6a7-00000000003f15ad-00064e58095423d3.journal
+  25165824  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/system@00064d3b8778fc5f-b4dcd1bdd4b96ecb.journal~
+   9868554  /var/log/syslog.1
+   9053714  /var/log/syslog
+   8388608  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/user-1000.journal
+   8388608  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/user-1000@fec4a914b99c4953ab02aad708666ef9-00000000003f6f26-00064e81484b121d.journal
+   8388608  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/user-1000@ab13cdfa37454491a79434767401386e-00000000003c27c9-00064d143295a90c.journal
+   8388608  /var/log/journal/6f9b28a107671d35d565db8d4fdf10a8/user-1000@ab13cdfa37454491a79434767401386e-00000000003afdc3-00064cc380be60fc.journal
--- a/anomalies/ca2.txt
+++ b/anomalies/ca2.txt
@@ -0,0 +1,41 @@
+=== Anomaly scan: ip-51-79-3-199 (2026-04-10T21:46:10Z) ===
+
+--- journalctl -p err --since '24 hours ago' ---
+-- No entries --
+
+--- recent log files (mtime < 7d) ---
+
+--- /var/log disk usage ---
+463M	/var/log
+532K	/var/log/syslog.3.gz
+576K	/var/log/ufw.log.4.gz
+844K	/var/log/auth.log.3.gz
+1.1M	/var/log/kern.log.3.gz
+1.1M	/var/log/kern.log.4.gz
+1.1M	/var/log/syslog.4.gz
+1.1M	/var/log/ufw.log.2.gz
+1.1M	/var/log/ufw.log.3.gz
+1.2M	/var/log/btmp
+1.6M	/var/log/auth.log
+1.6M	/var/log/auth.log.4.gz
+3.3M	/var/log/auth.log.1
+3.8M	/var/log/ufw.log.1
+33M	/var/log/btmp.1
+409M	/var/log/journal
+
+--- top 15 largest files under /var/log ---
+ 485391370  /var/log
+ 428663992  /var/log/journal
+ 428659896  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6
+  45110984  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/system@86c54d3ff5d441bb8055b2ee8b5a63e9-00000000000292e8-00064c3d93bf6cf5.journal
+  44732968  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/system@86c54d3ff5d441bb8055b2ee8b5a63e9-0000000000037922-00064c84af763c31.journal
+  44467312  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/system@86c54d3ff5d441bb8055b2ee8b5a63e9-0000000000053500-00064d0111ffd3c7.journal
+  44453136  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/system@86c54d3ff5d441bb8055b2ee8b5a63e9-0000000000045881-00064cc7fd5e30a1.journal
+  43759864  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/system@86c54d3ff5d441bb8055b2ee8b5a63e9-0000000000000be2-00064b9f844d6876.journal
+  43717416  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/system@86c54d3ff5d441bb8055b2ee8b5a63e9-000000000001be8a-00064bffa0a97a8a.journal
+  43173456  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/system@86c54d3ff5d441bb8055b2ee8b5a63e9-000000000000eb50-00064bcebd787df5.journal
+  41980912  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/system@86c54d3ff5d441bb8055b2ee8b5a63e9-00000000000612ff-00064d4e811ecc56.journal
+  34127232  /var/log/btmp.1
+  25165824  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/system.journal
+   8388608  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/user-1001.journal
+   4543296  /var/log/journal/b02dc037a34a4cb8a15b01d75132a0f6/user-1001@de6260ca127840deab7e231baa6cfc8a-000000000006158d-00064d54160e10b6.journal
--- a/anomalies/ca3.txt
+++ b/anomalies/ca3.txt
@@ -0,0 +1,42 @@
+=== Anomaly scan: ca3.3z8.pw (2026-04-10T21:46:10Z) ===
+
+--- journalctl -p err --since '24 hours ago' ---
+-- Journal begins at Sat 2026-03-21 16:10:27 UTC, ends at Fri 2026-04-10 21:46:10 UTC. --
+-- No entries --
+
+--- recent log files (mtime < 7d) ---
+
+--- /var/log disk usage ---
+41M	/var/log
+0	/var/log/btmp
+4.0K	/var/log/auth.log
+4.0K	/var/log/debug
+4.0K	/var/log/messages
+4.0K	/var/log/private
+8.0K	/var/log/alternatives.log
+8.0K	/var/log/faillog
+8.0K	/var/log/lastlog
+8.0K	/var/log/runit
+12K	/var/log/wtmp
+28K	/var/log/daemon.log
+32K	/var/log/syslog
+100K	/var/log/apt
+136K	/var/log/dpkg.log
+41M	/var/log/journal
+
+--- top 15 largest files under /var/log ---
+  42593888  /var/log
+  41951232  /var/log/journal
+  41947136  /var/log/journal/55590223568e4ab1b9338e2426cfb245
+  25165824  /var/log/journal/55590223568e4ab1b9338e2426cfb245/system.journal
+   8388608  /var/log/journal/55590223568e4ab1b9338e2426cfb245/user-1000.journal
+   8388608  /var/log/journal/55590223568e4ab1b9338e2426cfb245/system@83232735e3e24ff5ace21763d35e7781-0000000000000001-000610a6d481f748.journal
+    292292  /var/log/lastlog
+    137512  /var/log/dpkg.log
+     91195  /var/log/apt
+     63092  /var/log/apt/term.log
+     32032  /var/log/faillog
+     28775  /var/log/syslog
+     28345  /var/log/daemon.log
+     12428  /var/log/apt/eipp.log.xz
+     11579  /var/log/apt/history.log
--- a/anomalies/fr1.txt
+++ b/anomalies/fr1.txt
@@ -0,0 +1,43 @@
+=== Anomaly scan: fr1.3z8.pw (2026-04-10T21:46:42Z) ===
+
+--- journalctl -p err --since '24 hours ago' ---
+-- No entries --
+
+--- kubectl get events --all-namespaces (warnings) ---
+
+--- recent log files (mtime < 7d) ---
+
+--- /var/log disk usage ---
+2.3G	/var/log
+2.3M	/var/log/mail.log.1
+2.4M	/var/log/borg-backup.log
+2.8M	/var/log/borg
+2.9M	/var/log/syslog.3.gz
+3.0M	/var/log/auth.log.1
+3.8M	/var/log/syslog.2.gz
+5.2M	/var/log/postfix.log
+6.1M	/var/log/kern.log
+6.1M	/var/log/ufw.log
+7.3M	/var/log/ufw.log.1
+7.4M	/var/log/kern.log.1
+13M	/var/log/btmp.1
+38M	/var/log/syslog
+47M	/var/log/syslog.1
+2.2G	/var/log/journal
+
+--- top 15 largest files under /var/log ---
+2424100146  /var/log
+2256551936  /var/log/journal
+2256547840  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-0000000000a63802-00064ee25f15ebf5.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-0000000000a486e1-00064ebf45be6c08.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-0000000000a2d51d-00064e9ca8d04650.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-0000000000a11a97-00064e79b0d30b2f.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-00000000009f4c9f-00064e56b4e1c853.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-00000000009d71f8-00064e33e5548a49.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-00000000009ba218-00064e112c8993aa.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-000000000099c686-00064def3633af5b.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-000000000097e720-00064dcc67deca0d.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-0000000000961320-00064da9dc769b56.journal
+ 125829120  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/user-1000@27dcfd2fef7244188c973786553a5804-0000000000941583-00064d8712b97fc5.journal
+ 109051904  /var/log/journal/7a3fd67a924c4186bb3081ae4975373c/system@32d91142d7d0427bb5e4c170c7a73604-0000000000917d56-00064d56478ea870.journal
--- a/anomalies/mo1.txt
+++ b/anomalies/mo1.txt
@@ -0,0 +1,79 @@
+=== Anomaly scan: mo1.3z8.pw (2026-04-10T21:46:10Z) ===
+
+--- journalctl -p err --since '24 hours ago' ---
+Apr 09 23:02:18 mo1.3z8.pw sudo[1989355]: pam_unix(sudo:auth): conversation failed
+Apr 09 23:02:18 mo1.3z8.pw sudo[1989355]: pam_unix(sudo:auth): auth could not identify password for [rpert]
+Apr 09 23:16:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 09 23:33:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 09 23:59:51 mo1.3z8.pw sudo[4140045]: pam_unix(sudo:auth): conversation failed
+Apr 09 23:59:51 mo1.3z8.pw sudo[4140045]: pam_unix(sudo:auth): auth could not identify password for [rpert]
+Apr 10 00:02:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 00:49:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 01:00:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 01:05:16 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 01:10:33 mo1.3z8.pw sudo[2570337]: pam_unix(sudo:auth): conversation failed
+Apr 10 01:10:33 mo1.3z8.pw sudo[2570337]: pam_unix(sudo:auth): auth could not identify password for [rpert]
+Apr 10 02:16:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 03:51:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 04:08:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 05:01:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 05:36:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 05:59:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 07:19:31 mo1.3z8.pw sudo[3980992]: pam_unix(sudo:auth): conversation failed
+Apr 10 07:19:31 mo1.3z8.pw sudo[3980992]: pam_unix(sudo:auth): auth could not identify password for [rpert]
+Apr 10 09:52:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 10:21:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 10:56:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 11:07:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 11:42:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 12:11:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 12:16:16 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 12:57:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 13:08:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 13:13:16 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 13:36:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 13:41:16 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 14:34:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 14:39:16 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 15:14:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 15:31:15 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+Apr 10 15:36:16 mo1.3z8.pw systemd[11617]: Failed to start mbsync.service - Mailbox synchronization (mbsync).
+
+--- kubectl get events --all-namespaces (warnings) ---
+
+--- recent log files (mtime < 7d) ---
+
+--- /var/log disk usage ---
+822M	/var/log
+524K	/var/log/kern.log.1
+600K	/var/log/auth.log.2.gz
+908K	/var/log/auth.log.3.gz
+1016K	/var/log/btmp
+1.1M	/var/log/auth.log.4.gz
+1.5M	/var/log/syslog.4.gz
+2.3M	/var/log/auth.log
+3.0M	/var/log/syslog.2.gz
+4.3M	/var/log/auth.log.1
+6.9M	/var/log/syslog.3.gz
+18M	/var/log/rclone-media.log
+23M	/var/log/btmp.1
+39M	/var/log/syslog.1
+65M	/var/log/syslog
+655M	/var/log/journal
+
+--- top 15 largest files under /var/log ---
+ 916304891  /var/log
+ 740593040  /var/log/journal
+ 740588944  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4
+ 128611656  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/system@988ab89fd22f4f208176d25bc2f2470d-0000000000074a21-00064d0e5525584b.journal
+ 109051904  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/system.journal
+  75985176  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/system@988ab89fd22f4f208176d25bc2f2470d-000000000013e463-00064e5f5e0e5175.journal
+  74216752  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/system@988ab89fd22f4f208176d25bc2f2470d-000000000010fac9-00064e02e1bb1c0d.journal
+  70106232  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/system@988ab89fd22f4f208176d25bc2f2470d-00000000000db4af-00064d7f051b8ba1.journal
+  67501427  /var/log/syslog
+  58720256  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/system@00064d7ec2d5b400-62e4a0e0b73c867c.journal~
+  46971424  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/user-1001@01eac76beb704389b4f9ca118b11b2f8-00000000000db4ec-00064d7f051d3e37.journal
+  45807768  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/user-1001@01eac76beb704389b4f9ca118b11b2f8-000000000013e47d-00064e5f64861672.journal
+  40099593  /var/log/syslog.1
+  28811960  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/user-1001@01eac76beb704389b4f9ca118b11b2f8-000000000010fad6-00064e02e39cd4e3.journal
+  25165824  /var/log/journal/a9f1f6828f9a4d60a85e1079cc2c6bc4/user-1001@00064d7ec2f1014e-21c53d09549b2cc2.journal~
--- a/anomalies/ro1.txt
+++ b/anomalies/ro1.txt
@@ -0,0 +1,65 @@
+=== Anomaly scan: ro1-3z8-pw.novalocal (2026-04-10T21:46:09Z) ===
+
+--- recent log files (mtime < 7d) ---
+/var/log/borg-backup.log	errors=5	warns=0	size=13318316
+    > M /usr/local/www/apache24/error/HTTP_INTERNAL_SERVER_ERROR.html.var
+    > M /usr/local/www/apache24/error/HTTP_PRECONDITION_FAILED.html.var
+    > M /usr/local/www/apache24/error/HTTP_INTERNAL_SERVER_ERROR.html.var
+    > M /usr/local/www/apache24/error/HTTP_PRECONDITION_FAILED.html.var
+    > M /usr/local/www/i47i.tk/wp-content/plugins/redis-cache/dependencies/predis/predis/src/Command/Redis/FAILOVER.php
+/var/log/freedns-ssl-error.log	errors=72	warns=0	size=1343992
+    > [Thu Mar 19 17:06:45.696498 2026] [authz_core:error] [pid 59340] [client 20.151.11.236:41914] AH01630: client denied by server configuration: /usr/local/www/apache24/cgi-bin
+    > [Sat Mar 21 05:45:17.976155 2026] [authz_core:error] [pid 97472] [client 20.151.11.236:31811] AH01630: client denied by server configuration: /usr/local/www/apache24/cgi-bin
+    > [Sat Mar 21 06:41:09.566838 2026] [authz_core:error] [pid 69202] [client 172.235.235.248:54732] AH01630: client denied by server configuration: /usr/local/www/apache24/cgi-bin
+    > [Sun Mar 22 03:00:13.267508 2026] [authz_core:error] [pid 9998] [client 185.177.72.52:18966] AH01630: client denied by server configuration: /usr/local/www/freedns-placeholder/.htaccess
+    > [Sun Mar 22 03:00:13.502429 2026] [authz_core:error] [pid 69202] [client 185.177.72.52:18982] AH01630: client denied by server configuration: /usr/local/www/freedns-placeholder/.htaccess
+/var/log/httpd/i47i.tk-error.log	errors=51	warns=0	size=400820
+    > [Thu Mar 19 18:50:37.024880 2026] [authz_core:error] [pid 59307] [client 20.222.18.47:21485] AH01630: client denied by server configuration: /usr/local/www/apache24/cgi-bin
+    > [Fri Mar 20 11:42:47.077024 2026] [authz_core:error] [pid 69861] [client 23.100.100.188:3532] AH01630: client denied by server configuration: /usr/local/www/apache24/cgi-bin
+    > [Tue Mar 24 23:57:24.319230 2026] [authz_core:error] [pid 81828] [client 85.203.23.121:52441] AH01630: client denied by server configuration: /usr/local/www/apache24/cgi-bin, referer: http://i47i.tk/cgi-bin/cgi-bin/sql.php
+    > [Wed Mar 25 02:04:05.820795 2026] [authz_core:error] [pid 81829] [client 20.222.18.47:22936] AH01630: client denied by server configuration: /usr/local/www/apache24/cgi-bin
+    > [Wed Mar 25 18:35:40.714323 2026] [authz_core:error] [pid 32775] [client 20.151.201.236:22849] AH01630: client denied by server configuration: /usr/local/www/apache24/cgi-bin
+/var/log/manual-upgrades/upgrade-2026-04-05_0400.log	errors=3	warns=0	size=2495
+    > [36;1mWarning:[0m Failed to create directory '/nonexistent/.wp-cli/cache/': mkdir(): Permission denied.
+    >   FAILED: apache24 php_fpm jellyfin flood redis
+    > {"id":"ZAa6Ntdv1W5c","time":1775361630,"expires":1775404830,"event":"message","topic":"rspworks-updates","title":"Manual Upgrade ERRORS — ro1-3z8-pw.novalocal","message":"1 services running\n\nUpdated:\\n• WordPress: 3 plugins\n\nErrors:\\n• Service down: apache24\\n• Service down: php_fpm\\n• Service down: jellyfin\\n• Service down: flood\\n• Service down: redis","priority":4,"tags":["warning","package"]}
+/var/log/messages	errors=0	warns=886	size=512303
+/var/log/mount_monitor.log	errors=0	warns=1808	size=526613
+/var/log/mount_monitor.log.old	errors=7	warns=3614	size=1048798
+    > [2026-03-24 13:05:30] CRITICAL: Mount is hung (ls command timed out)
+    > [2026-03-24 13:06:28] FAILED: Mount still not responding after recovery attempt
+    > [2026-03-24 13:10:30] CRITICAL: Mount is hung (ls command timed out)
+    > [2026-03-24 13:11:28] FAILED: Mount still not responding after recovery attempt
+    > [2026-03-24 13:15:35] CRITICAL: Mount is hung (ls command timed out)
+/var/log/rclone_1fichier.log	errors=6	warns=0	size=3527222
+    > 2026/03/24 13:06:28 ERROR : IO error: couldn't list files: Post "https://api.1fichier.com/v1/file/ls.cgi": dial tcp: lookup api.1fichier.com: i/o timeout
+    > 2026/03/24 13:10:30 ERROR : IO error: couldn't list files: Post "https://api.1fichier.com/v1/file/ls.cgi": dial tcp: lookup api.1fichier.com: i/o timeout
+    > 2026/03/24 13:11:28 ERROR : IO error: couldn't list files: Post "https://api.1fichier.com/v1/file/ls.cgi": dial tcp 5.39.224.140:443: i/o timeout
+    > 2026/03/24 13:15:35 ERROR : IO error: couldn't list files: Post "https://api.1fichier.com/v1/file/ls.cgi": net/http: TLS handshake timeout
+    > 2026/03/30 06:45:30 ERROR : IO error: couldn't list files: Post "https://api.1fichier.com/v1/file/ls.cgi": dial tcp 5.39.224.140:443: i/o timeout
+/var/log/webmail-ssl-error.log	errors=62	warns=0	size=28197
+    > [Fri Jan 09 22:57:32.624107 2026] [authz_core:error] [pid 67028] [client 146.19.168.250:51646] AH01630: client denied by server configuration: /usr/local/www/roundcube/config/.env
+    > [Fri Jan 09 22:57:45.572560 2026] [authz_core:error] [pid 67028] [client 146.19.168.250:51646] AH01630: client denied by server configuration: /usr/local/www/roundcube/config/config.php
+    > [Fri Jan 09 22:57:47.072687 2026] [authz_core:error] [pid 67028] [client 146.19.168.250:51646] AH01630: client denied by server configuration: /usr/local/www/roundcube/config/database.php
+    > [Fri Jan 09 22:57:47.392299 2026] [authz_core:error] [pid 67028] [client 146.19.168.250:51646] AH01630: client denied by server configuration: /usr/local/www/roundcube/config/mail.php
+    > [Fri Jan 09 22:57:47.693547 2026] [authz_core:error] [pid 67028] [client 146.19.168.250:51646] AH01630: client denied by server configuration: /usr/local/www/roundcube/config/app.php
+
+--- /var/log disk usage ---
+ 95M	/var/log
+960K	/var/log/httpd-nextcloud-access.log
+1.1M	/var/log/mount_monitor.log.old
+1.3M	/var/log/freedns-ssl-error.log
+1.9M	/var/log/freedns-access.log
+2.2M	/var/log/matomo-access.log
+2.6M	/var/log/flood.log
+3.3M	/var/log/httpd-access.log
+3.4M	/var/log/rclone_1fichier.log
+4.3M	/var/log/freedns-ssl-access.log
+5.6M	/var/log/httpd-error.log
+6.2M	/var/log/redis
+9.3M	/var/log/letsencrypt
+9.8M	/var/log/httpd
+ 13M	/var/log/borg-backup.log
+ 24M	/var/log/webmail-ssl-access.log
+
+--- top 15 largest files under /var/log ---
--- a/anomalies/sony.txt
+++ b/anomalies/sony.txt
@@ -0,0 +1,140 @@
+=== Anomaly scan: sony (2026-04-10T21:50:12Z) ===
+
+--- journalctl -p err --since '24 hours ago' ---
+Apr 10 19:24:30 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:24:30 sony kwin_wayland[1565]: pw.core: 0x5608ecf12a10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:24:31 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:24:31 sony kwin_wayland[1565]: pw.core: 0x5608ecf12a10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:24:35 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:24:35 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:24:56 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:24:56 sony kwin_wayland[1565]: pw.core: 0x5608ecdcca70: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:25:00 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:25:00 sony kwin_wayland[1565]: pw.core: 0x5608ecedaee0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:25:00 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:25:00 sony kwin_wayland[1565]: pw.core: 0x5608ecedaee0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:00 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:00 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:00 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:00 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:00 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:01 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:01 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:01 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:01 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:21 sony kwin_wayland[1565]: pw.core: 0x5608ecf12a10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:28:21 sony kwin_wayland[1565]: pw.core: 0x5608ecf12a10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:29:23 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:29:23 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:29:24 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:29:24 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:30:29 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:31:40 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:31:40 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:31:41 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:31:41 sony kwin_wayland[1565]: pw.core: 0x5608eca68270: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:34:48 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:34:48 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:34:48 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:34:48 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:34:48 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:34:49 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:34:49 sony kwin_wayland[1565]: pw.core: 0x5608eccde2f0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:35:03 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:35:03 sony kwin_wayland[1565]: pw.core: 0x5608eca8c330: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:35:03 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:35:04 sony kwin_wayland[1565]: pw.core: 0x5608ec94dd90: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:35:04 sony kwin_wayland[1565]: pw.core: 0x5608eca8e7a0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:38:28 sony kwin_wayland[1565]: pw.core: 0x5608eca8e7a0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:38:28 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:58:55 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 19:58:55 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:03:51 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:03:51 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:03:51 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:10:56 sony kwin_wayland[1565]: pw.core: 0x5608eca8e7a0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:10:56 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:10:56 sony kwin_wayland[1565]: pw.core: 0x5608eca8e7a0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:25 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:25 sony kwin_wayland[1565]: pw.core: 0x5608eca5f490: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:25 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:25 sony kwin_wayland[1565]: pw.core: 0x5608eca5f490: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:26 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:26 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:34 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:34 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:34 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:34 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:34 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:34 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:35 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:53 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:53 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:56 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:12:56 sony kwin_wayland[1565]: pw.core: 0x5608ecedaee0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:37 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:37 sony kwin_wayland[1565]: pw.core: 0x5608ecedaee0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:37 sony kwin_wayland[1565]: pw.core: 0x5608eca89820: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:37 sony kwin_wayland[1565]: pw.core: 0x5608eca98ff0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:37 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:38 sony kwin_wayland[1565]: pw.core: 0x5608ecedaee0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:38 sony kwin_wayland[1565]: pw.core: 0x5608eca89820: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:38 sony kwin_wayland[1565]: pw.core: 0x5608eca98ff0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:38 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:38 sony kwin_wayland[1565]: pw.core: 0x5608ecedaee0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:38 sony kwin_wayland[1565]: pw.core: 0x5608eca89820: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:14:38 sony kwin_wayland[1565]: pw.core: 0x5608eca98ff0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:18:30 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:18:30 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:18:30 sony kwin_wayland[1565]: pw.core: 0x5608eca89820: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:18:30 sony kwin_wayland[1565]: pw.core: 0x5608ecedaee0: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:00 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:00 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:00 sony kwin_wayland[1565]: pw.core: 0x5608eca89820: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:00 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:00 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:00 sony kwin_wayland[1565]: pw.core: 0x5608ec42fb10: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:01 sony kwin_wayland[1565]: pw.core: 0x5608eca5f490: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:01 sony kwin_wayland[1565]: pw.core: 0x5608eca89820: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:10 sony kwin_wayland[1565]: pw.core: 0x5608eccbd420: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:10 sony kwin_wayland[1565]: pw.core: 0x5608ec77a790: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:10 sony kwin_wayland[1565]: pw.core: 0x5608ec9faf80: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 20:19:10 sony kwin_wayland[1565]: pw.core: 0x5608eca5f490: can't find protocol 'PipeWire:Protocol:Native': Operation not supported
+Apr 10 21:29:28 sony pulseaudio[2074]: listen(): Address already in use
+
+--- recent log files (mtime < 7d) ---
+
+--- /var/log disk usage ---
+975M	/var/log
+44K	/var/log/Xorg.4.log
+48K	/var/log/Xorg.0.log
+48K	/var/log/Xorg.2.log.old
+52K	/var/log/Xorg.2.log
+64K	/var/log/cups
+80K	/var/log/dpkg.log
+176K	/var/log/dpkg.log.1
+328K	/var/log/apt
+348K	/var/log/wtmp
+5.2M	/var/log/borg
+8.0M	/var/log/sysstat
+16M	/var/log/installer
+22M	/var/log/btmp.1
+43M	/var/log/btmp
+881M	/var/log/journal
+
+--- top 15 largest files under /var/log ---
+1044955349  /var/log
+ 946458048  /var/log/journal
+ 946453952  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191
+  88073456  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000a34940-00064d26d0195621.journal
+  63504120  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000a69958-00064d5ff691b4bf.journal
+  62967088  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000af4d40-00064e327ccda35d.journal
+  61736360  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000a8de97-00064d86d8f9bd3e.journal
+  61211680  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000ad27b8-00064df90e8ad1b4.journal
+  59695360  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000aaf970-00064db69212e347.journal
+  52503040  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000b998d6-00064ef8d98ae458.journal
+  51122088  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000b19523-00064e6770b00a37.journal
+  48994704  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000b6e73c-00064ecb4656be5a.journal
+  48922288  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000b310e6-00064e88c632bfd4.journal
+  48506288  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000b84345-00064ee40729abfa.journal
+  48217128  /var/log/journal/d6ca70e2890c410d83487a70a6f3f191/system@3535f37826724a348121d0df1b9e4792-0000000000b45d3b-00064ea125adf352.journal
--- a/anomalies/termux.txt
+++ b/anomalies/termux.txt
@@ -0,0 +1,7 @@
+=== Anomaly scan: localhost (2026-04-10T21:46:49Z) ===
+
+--- recent log files (mtime < 7d) ---
+
+--- /var/log disk usage ---
+
+--- top 15 largest files under /var/log ---
--- a/logs/inventory/ams.csv
+++ b/logs/inventory/ams.csv
@@ -0,0 +1,31 @@
+"/var/log/auth.log",626832,"","auth.log"
+"/var/log/auth.log.0.bz2",76694,"","auth.log.0.bz2"
+"/var/log/auth.log.1.bz2",78966,"","auth.log.1.bz2"
+"/var/log/auth.log.2.bz2",73297,"","auth.log.2.bz2"
+"/var/log/auth.log.3.bz2",75151,"","auth.log.3.bz2"
+"/var/log/auth.log.4.bz2",76408,"","auth.log.4.bz2"
+"/var/log/auth.log.5.bz2",75882,"","auth.log.5.bz2"
+"/var/log/auth.log.6.bz2",76375,"","auth.log.6.bz2"
+"/var/log/borg-backup.log",6198346,"","borg-backup.log"
+"/var/log/daemon.log",2515,"","daemon.log"
+"/var/log/daemon.log.0.bz2",266,"","daemon.log.0.bz2"
+"/var/log/debug.log",121837,"","debug.log"
+"/var/log/debug.log.0.bz2",55238,"","debug.log.0.bz2"
+"/var/log/debug.log.1.bz2",58823,"","debug.log.1.bz2"
+"/var/log/debug.log.2.bz2",57540,"","debug.log.2.bz2"
+"/var/log/debug.log.3.bz2",49217,"","debug.log.3.bz2"
+"/var/log/debug.log.4.bz2",48300,"","debug.log.4.bz2"
+"/var/log/debug.log.5.bz2",48508,"","debug.log.5.bz2"
+"/var/log/debug.log.6.bz2",48756,"","debug.log.6.bz2"
+"/var/log/devd.log",58,"","devd.log"
+"/var/log/dmesg.today",277,"","dmesg.today"
+"/var/log/dmesg.yesterday",140,"","dmesg.yesterday"
+"/var/log/mail-archive.log",209,"","mail-archive.log"
+"/var/log/messages",350286,"","messages"
+"/var/log/ppp.log",58,"","ppp.log"
+"/var/log/redis/redis.log",28083,"","redis"
+"/var/log/utx.log",2028,"","utx.log"
+"/var/log/utx.log.0",17784,"","utx.log.0"
+"/var/log/utx.log.1",480176,"","utx.log.1"
+"/var/log/utx.log.2",11336,"","utx.log.2"
+"/var/log/wg-restart.log",1689,"","wg-restart.log"
--- a/logs/inventory/ams2.csv
+++ b/logs/inventory/ams2.csv
@@ -0,0 +1,73 @@
+"/var/log/auth.log",663845,"","auth.log"
+"/var/log/auth.log.0.bz2",71672,"","auth.log.0.bz2"
+"/var/log/auth.log.1.bz2",69293,"","auth.log.1.bz2"
+"/var/log/auth.log.2.bz2",65703,"","auth.log.2.bz2"
+"/var/log/auth.log.3.bz2",72685,"","auth.log.3.bz2"
+"/var/log/auth.log.4.bz2",73035,"","auth.log.4.bz2"
+"/var/log/auth.log.5.bz2",70234,"","auth.log.5.bz2"
+"/var/log/auth.log.6.bz2",65569,"","auth.log.6.bz2"
+"/var/log/borg-backup.log",64409,"","borg-backup.log"
+"/var/log/borg/backup-20260223.log",17591,"","borg"
+"/var/log/borg/backup-20260224.log",3325,"","borg"
+"/var/log/borg/backup-20260225.log",3651,"","borg"
+"/var/log/borg/backup-20260226.log",22157,"","borg"
+"/var/log/borg/backup-20260227.log",4416,"","borg"
+"/var/log/borg/backup-20260228.log",4062,"","borg"
+"/var/log/borg/backup-20260301.log",4371,"","borg"
+"/var/log/borg/backup-20260302.log",4545,"","borg"
+"/var/log/borg/backup-20260303.log",4410,"","borg"
+"/var/log/borg/backup-20260304.log",4545,"","borg"
+"/var/log/borg/backup-20260305.log",4545,"","borg"
+"/var/log/borg/backup-20260306.log",4545,"","borg"
+"/var/log/borg/backup-20260307.log",4545,"","borg"
+"/var/log/borg/backup-20260308.log",4719,"","borg"
+"/var/log/borg/backup-20260309.log",4967,"","borg"
+"/var/log/borg/backup-20260310.log",4926,"","borg"
+"/var/log/borg/backup-20260311.log",6186,"","borg"
+"/var/log/borg/backup-20260312.log",3690,"","borg"
+"/var/log/borg/backup-20260313.log",3690,"","borg"
+"/var/log/borg/backup-20260314.log",3822,"","borg"
+"/var/log/borg/backup-20260315.log",5292,"","borg"
+"/var/log/borg/backup-20260316.log",3109,"","borg"
+"/var/log/borg/backup-20260317.log",5647,"","borg"
+"/var/log/borg/backup-20260318.log",4969,"","borg"
+"/var/log/borg/backup-20260319.log",5398,"","borg"
+"/var/log/borg/backup-20260320.log",5269,"","borg"
+"/var/log/borg/backup-20260321.log",5291,"","borg"
+"/var/log/borg/backup-20260322.log",5255,"","borg"
+"/var/log/borg/backup-20260323.log",5249,"","borg"
+"/var/log/borg/backup-20260324.log",5386,"","borg"
+"/var/log/borg/backup-20260325.log",5386,"","borg"
+"/var/log/borg/backup-20260326.log",5478,"","borg"
+"/var/log/borg/backup-20260327.log",11201,"","borg"
+"/var/log/borg/backup-20260328.log",5834,"","borg"
+"/var/log/borg/backup-20260329.log",5527,"","borg"
+"/var/log/borg/backup-20260330.log",3996,"","borg"
+"/var/log/borg/backup-20260331.log",3862,"","borg"
+"/var/log/borg/backup-20260401.log",3915,"","borg"
+"/var/log/borg/backup-20260402.log",3915,"","borg"
+"/var/log/borg/backup-20260403.log",7991,"","borg"
+"/var/log/borg/backup-20260404.log",5688,"","borg"
+"/var/log/borg/cron.log",265522,"","borg"
+"/var/log/daemon.log",662414,"","daemon.log"
+"/var/log/daemon.log.0.bz2",53998,"","daemon.log.0.bz2"
+"/var/log/daemon.log.1.bz2",53935,"","daemon.log.1.bz2"
+"/var/log/daemon.log.2.bz2",52538,"","daemon.log.2.bz2"
+"/var/log/daemon.log.3.bz2",54597,"","daemon.log.3.bz2"
+"/var/log/daemon.log.4.bz2",54054,"","daemon.log.4.bz2"
+"/var/log/debug.log",653461,"","debug.log"
+"/var/log/debug.log.0.bz2",47990,"","debug.log.0.bz2"
+"/var/log/debug.log.1.bz2",48771,"","debug.log.1.bz2"
+"/var/log/debug.log.2.bz2",48903,"","debug.log.2.bz2"
+"/var/log/debug.log.3.bz2",48640,"","debug.log.3.bz2"
+"/var/log/debug.log.4.bz2",49680,"","debug.log.4.bz2"
+"/var/log/devd.log",59,"","devd.log"
+"/var/log/dmesg.today",0,"","dmesg.today"
+"/var/log/dmesg.yesterday",106,"","dmesg.yesterday"
+"/var/log/messages",663378,"","messages"
+"/var/log/ppp.log",59,"","ppp.log"
+"/var/log/utx.log",854,"","utx.log"
+"/var/log/utx.log.0",4916,"","utx.log.0"
+"/var/log/utx.log.1",20121,"","utx.log.1"
+"/var/log/utx.log.2",6270,"","utx.log.2"
+"/var/log/wg-restart.log",899,"","wg-restart.log"
--- a/logs/inventory/ca1.csv
+++ b/logs/inventory/ca1.csv
@@ -0,0 +1,92 @@
+"/var/log/alternatives.log",444,"2026-04-09 13:57:34","alternatives.log"
+"/var/log/alternatives.log.1",13075,"2026-03-29 09:14:43","alternatives.log.1"
+"/var/log/apport.log",0,"2025-12-20 04:08:10","apport.log"
+"/var/log/apt/eipp.log.xz",44976,"2026-04-09 20:31:29","apt"
+"/var/log/apt/history.log",4233,"2026-04-09 20:31:40","apt"
+"/var/log/apt/history.log.1.gz",9089,"2026-03-31 06:47:12","apt"
+"/var/log/apt/term.log",23109,"2026-04-09 20:31:40","apt"
+"/var/log/apt/term.log.1.gz",26777,"2026-03-31 06:47:12","apt"
+"/var/log/auth.log",1597500,"2026-04-10 21:46:08","auth.log"
+"/var/log/auth.log.1",3503624,"2026-04-05 00:00:01","auth.log.1"
+"/var/log/auth.log.2.gz",406281,"2026-03-29 00:00:01","auth.log.2.gz"
+"/var/log/auth.log.3.gz",408056,"2026-03-22 00:00:01","auth.log.3.gz"
+"/var/log/borg/backup-20260223.log",17687,"2026-02-23 03:13:53","borg"
+"/var/log/borg/backup-20260224.log",4488,"2026-02-24 03:19:34","borg"
+"/var/log/borg/backup-20260225.log",5558,"2026-02-25 03:06:02","borg"
+"/var/log/borg/backup-20260226.log",5299,"2026-02-26 03:04:17","borg"
+"/var/log/borg/backup-20260227.log",4831,"2026-02-27 03:14:48","borg"
+"/var/log/borg/backup-20260228.log",3944,"2026-02-28 03:06:34","borg"
+"/var/log/borg/backup-20260301.log",4249,"2026-03-01 03:14:17","borg"
+"/var/log/borg/backup-20260302.log",4457,"2026-03-02 03:09:35","borg"
+"/var/log/borg/backup-20260303.log",4284,"2026-03-03 03:26:37","borg"
+"/var/log/borg/backup-20260304.log",4284,"2026-03-04 03:20:06","borg"
+"/var/log/borg/backup-20260305.log",5314,"2026-03-05 03:16:48","borg"
+"/var/log/borg/backup-20260306.log",142179,"2026-03-06 03:44:37","borg"
+"/var/log/borg/backup-20260307.log",161491,"2026-03-07 19:01:42","borg"
+"/var/log/borg/backup-20260308.log",4029,"2026-03-08 03:29:01","borg"
+"/var/log/borg/backup-20260309.log",3128,"2026-03-09 03:16:46","borg"
+"/var/log/borg/backup-20260310.log",3225,"2026-03-10 03:14:59","borg"
+"/var/log/borg/backup-20260311.log",4354,"2026-03-11 03:16:30","borg"
+"/var/log/borg/backup-20260312.log",4417,"2026-03-12 03:14:53","borg"
+"/var/log/borg/backup-20260313.log",3735,"2026-03-13 03:12:33","borg"
+"/var/log/borg/backup-20260314.log",4997,"2026-03-14 03:14:35","borg"
+"/var/log/borg/backup-20260315.log",5159,"2026-03-15 03:01:02","borg"
+"/var/log/borg/backup-20260316.log",4477,"2026-03-16 03:13:33","borg"
+"/var/log/borg/backup-20260317.log",5176,"2026-03-17 03:04:05","borg"
+"/var/log/borg/backup-20260318.log",5607,"2026-03-18 03:31:14","borg"
+"/var/log/borg/backup-20260319.log",5814,"2026-03-19 03:04:23","borg"
+"/var/log/borg/backup-20260320.log",5538,"2026-03-20 03:17:58","borg"
+"/var/log/borg/backup-20260321.log",4998,"2026-03-21 03:24:34","borg"
+"/var/log/borg/backup-20260322.log",4328,"2026-03-22 03:09:31","borg"
+"/var/log/borg/backup-20260323.log",4344,"2026-03-23 03:04:32","borg"
+"/var/log/borg/backup-20260324.log",5678,"2026-03-24 03:16:31","borg"
+"/var/log/borg/backup-20260325.log",4255,"2026-03-25 03:04:17","borg"
+"/var/log/borg/backup-20260326.log",5367,"2026-03-26 03:35:49","borg"
+"/var/log/borg/backup-20260327.log",5237,"2026-03-27 03:25:07","borg"
+"/var/log/borg/backup-20260328.log",5843,"2026-03-28 03:07:25","borg"
+"/var/log/borg/backup-20260329.log",4255,"2026-03-29 03:01:46","borg"
+"/var/log/borg/backup-20260330.log",6246,"2026-03-30 03:00:49","borg"
+"/var/log/borg/backup-20260331.log",5719,"2026-03-31 03:28:05","borg"
+"/var/log/borg/backup-20260401.log",5650,"2026-04-01 03:03:21","borg"
+"/var/log/borg/backup-20260402.log",5392,"2026-04-02 03:27:44","borg"
+"/var/log/borg/backup-20260403.log",5679,"2026-04-03 03:16:16","borg"
+"/var/log/borg/backup-20260404.log",5921,"2026-04-04 03:05:48","borg"
+"/var/log/borg/backup-20260405.log",4686,"2026-04-05 03:18:53","borg"
+"/var/log/borg/backup-20260406.log",4598,"2026-04-06 03:25:11","borg"
+"/var/log/borg/backup-20260407.log",5538,"2026-04-07 03:21:12","borg"
+"/var/log/borg/backup-20260408.log",5026,"2026-04-08 03:05:46","borg"
+"/var/log/borg/backup-20260409.log",4768,"2026-04-09 03:30:10","borg"
+"/var/log/borg-backup.log",2684,"2026-03-07 03:25:01","borg-backup.log"
+"/var/log/daemon.log",0,"2026-03-15 16:21:08","daemon.log"
+"/var/log/dmesg",47086,"2026-04-02 21:55:41","dmesg"
+"/var/log/dmesg.0",48781,"2026-03-17 17:18:56","dmesg.0"
+"/var/log/dmesg.1.gz",15093,"2026-02-24 08:59:15","dmesg.1.gz"
+"/var/log/dmesg.2.gz",14842,"2026-02-10 21:55:30","dmesg.2.gz"
+"/var/log/docker-upgrades/upgrade-2026-02-22_0414.log",242285,"2026-02-22 04:17:38","docker-upgrades"
+"/var/log/docker-upgrades/upgrade-2026-03-01_0425.log",316644,"2026-03-01 04:28:46","docker-upgrades"
+"/var/log/docker-upgrades/upgrade-2026-03-08_0400.log",36720,"2026-03-08 04:02:14","docker-upgrades"
+"/var/log/docker-upgrades/upgrade-2026-03-15_0419.log",43143,"2026-03-15 04:22:04","docker-upgrades"
+"/var/log/dpkg.log",31480,"2026-04-09 20:31:40","dpkg.log"
+"/var/log/dpkg.log.1",378135,"2026-03-31 06:47:12","dpkg.log.1"
+"/var/log/fail2ban.log",275707,"2026-04-10 21:45:08","fail2ban.log"
+"/var/log/fail2ban.log.1",120226,"2026-04-04 23:56:38","fail2ban.log.1"
+"/var/log/fail2ban.log.2.gz",46502,"2026-03-28 23:41:13","fail2ban.log.2.gz"
+"/var/log/fail2ban.log.3.gz",75922,"2026-03-21 23:59:40","fail2ban.log.3.gz"
+"/var/log/kern.log",6312924,"2026-04-10 21:45:55","kern.log"
+"/var/log/kern.log.1",7697163,"2026-04-04 23:59:51","kern.log.1"
+"/var/log/kern.log.2.gz",869113,"2026-03-28 23:59:55","kern.log.2.gz"
+"/var/log/kern.log.3.gz",786862,"2026-03-21 23:59:58","kern.log.3.gz"
+"/var/log/landscape/sysinfo.log",0,"2024-05-29 10:04:47","landscape"
+"/var/log/mail.log",1710695,"2026-04-10 21:39:19","mail.log"
+"/var/log/mail.log.1",543852,"2026-04-04 23:36:15","mail.log.1"
+"/var/log/mail.log.2.gz",104737,"2026-03-28 23:54:03","mail.log.2.gz"
+"/var/log/mail.log.3.gz",166562,"2026-03-22 00:00:00","mail.log.3.gz"
+"/var/log/syslog",9053418,"2026-04-10 21:46:08","syslog"
+"/var/log/syslog.2.gz",1414079,"2026-03-29 00:00:01","syslog.2.gz"
+"/var/log/syslog.3.gz",1301609,"2026-03-22 00:00:01","syslog.3.gz"
+"/var/log/ubuntu-advantage-apt-hook.log",0,"2025-12-20 10:27:04","ubuntu-advantage-apt-hook.log"
+"/var/log/ubuntu-advantage.log",0,"2026-01-01 00:00:24","ubuntu-advantage.log"
+"/var/log/ufw.log",6312785,"2026-04-10 21:45:55","ufw.log"
+"/var/log/ufw.log.1",7643908,"2026-04-04 23:59:51","ufw.log.1"
+"/var/log/ufw.log.2.gz",868593,"2026-03-28 23:59:55","ufw.log.2.gz"
+"/var/log/ufw.log.3.gz",853018,"2026-03-21 23:59:58","ufw.log.3.gz"
--- a/logs/inventory/ca2.csv
+++ b/logs/inventory/ca2.csv
@@ -0,0 +1,48 @@
+"/var/log/alternatives.log",444,"2026-04-09 13:59:37","alternatives.log"
+"/var/log/alternatives.log.1",5445,"2026-03-30 17:54:08","alternatives.log.1"
+"/var/log/alternatives.log.2.gz",1954,"2026-02-25 05:43:51","alternatives.log.2.gz"
+"/var/log/apt/eipp.log.xz",25188,"2026-04-09 14:04:01","apt"
+"/var/log/apt/history.log",1064,"2026-04-09 14:04:02","apt"
+"/var/log/apt/history.log.1.gz",4112,"2026-03-30 17:56:06","apt"
+"/var/log/apt/history.log.2.gz",6320,"2026-02-25 06:18:18","apt"
+"/var/log/apt/term.log",6090,"2026-04-09 14:04:02","apt"
+"/var/log/apt/term.log.1.gz",11373,"2026-03-30 17:56:06","apt"
+"/var/log/apt/term.log.2.gz",22264,"2026-02-25 06:18:18","apt"
+"/var/log/auth.log",1668482,"2026-04-10 21:46:08","auth.log"
+"/var/log/auth.log.1",3431218,"2026-04-05 00:00:03","auth.log.1"
+"/var/log/auth.log.2.gz",499310,"2026-03-29 00:00:07","auth.log.2.gz"
+"/var/log/auth.log.3.gz",861858,"2026-03-21 23:59:31","auth.log.3.gz"
+"/var/log/auth.log.4.gz",1616911,"2026-03-15 00:00:28","auth.log.4.gz"
+"/var/log/cloud-init-output.log",9494,"2026-02-25 05:52:50","cloud-init-output.log"
+"/var/log/cloud-init.log",236203,"2026-02-25 05:52:50","cloud-init.log"
+"/var/log/cron.log",19007,"2026-04-10 21:17:01","cron.log"
+"/var/log/cron.log.1",22552,"2026-04-04 23:17:01","cron.log.1"
+"/var/log/cron.log.2.gz",2630,"2026-03-28 23:17:01","cron.log.2.gz"
+"/var/log/cron.log.3.gz",2673,"2026-03-21 23:17:01","cron.log.3.gz"
+"/var/log/cron.log.4.gz",2606,"2026-03-14 23:17:01","cron.log.4.gz"
+"/var/log/daemon.log",64397,"2026-02-25 05:41:19","daemon.log"
+"/var/log/dpkg.log",6312,"2026-04-09 14:04:02","dpkg.log"
+"/var/log/dpkg.log.1",159751,"2026-03-30 17:56:06","dpkg.log.1"
+"/var/log/dpkg.log.2.gz",27758,"2026-02-25 06:18:18","dpkg.log.2.gz"
+"/var/log/fail2ban.log",318706,"2026-04-10 21:39:38","fail2ban.log"
+"/var/log/fail2ban.log.1",307564,"2026-04-04 23:58:58","fail2ban.log.1"
+"/var/log/fail2ban.log.2.gz",75260,"2026-03-28 23:59:43","fail2ban.log.2.gz"
+"/var/log/fail2ban.log.3.gz",41764,"2026-03-21 23:55:40","fail2ban.log.3.gz"
+"/var/log/fontconfig.log",783,"2026-03-30 17:54:07","fontconfig.log"
+"/var/log/kern.log",0,"2026-03-29 00:00:18","kern.log"
+"/var/log/kern.log.1",36335,"2026-03-27 07:37:32","kern.log.1"
+"/var/log/kern.log.2.gz",479537,"2026-03-18 04:08:03","kern.log.2.gz"
+"/var/log/kern.log.3.gz",1073701,"2026-03-15 00:00:22","kern.log.3.gz"
+"/var/log/kern.log.4.gz",1103769,"2026-03-08 00:00:06","kern.log.4.gz"
+"/var/log/messages",46107,"2026-02-25 05:41:10","messages"
+"/var/log/syslog",39618,"2026-04-10 21:17:01","syslog"
+"/var/log/syslog.2.gz",71372,"2026-03-29 00:00:18","syslog.2.gz"
+"/var/log/syslog.3.gz",543639,"2026-03-22 00:00:29","syslog.3.gz"
+"/var/log/syslog.4.gz",1140908,"2026-03-15 00:00:42","syslog.4.gz"
+"/var/log/ufw.log",0,"2026-03-22 00:00:32","ufw.log"
+"/var/log/ufw.log.1",3883463,"2026-03-18 04:08:03","ufw.log.1"
+"/var/log/ufw.log.2.gz",1073701,"2026-03-15 00:00:22","ufw.log.2.gz"
+"/var/log/ufw.log.3.gz",1103769,"2026-03-08 00:00:06","ufw.log.3.gz"
+"/var/log/ufw.log.4.gz",587773,"2026-03-01 00:00:05","ufw.log.4.gz"
+"/var/log/user.log",0,"2026-03-01 00:00:14","user.log"
+"/var/log/user.log.1",863,"2026-02-25 04:42:04","user.log.1"
--- a/logs/inventory/ca3.csv
+++ b/logs/inventory/ca3.csv
@@ -0,0 +1,9 @@
+"/var/log/alternatives.log",4186,"2026-03-21 17:01:09","alternatives.log"
+"/var/log/apt/eipp.log.xz",12428,"2026-03-31 21:36:43","apt"
+"/var/log/apt/history.log",11579,"2026-03-31 21:36:51","apt"
+"/var/log/apt/term.log",63092,"2026-03-31 21:36:51","apt"
+"/var/log/auth.log",1476,"2024-02-05 18:44:54","auth.log"
+"/var/log/daemon.log",28345,"2024-02-05 18:44:55","daemon.log"
+"/var/log/dpkg.log",137512,"2026-03-31 21:36:51","dpkg.log"
+"/var/log/messages",281,"2024-02-05 18:42:59","messages"
+"/var/log/syslog",28775,"2024-02-05 18:44:55","syslog"
--- a/logs/inventory/fr1.csv
+++ b/logs/inventory/fr1.csv
@@ -0,0 +1,106 @@
+"/var/log/alternatives.log",444,"2026-04-09 13:58:06","alternatives.log"
+"/var/log/alternatives.log.1",12764,"2026-03-29 09:14:11","alternatives.log.1"
+"/var/log/apport.log",0,"2026-02-04 00:00:06","apport.log"
+"/var/log/apt/eipp.log.xz",43500,"2026-04-09 21:23:59","apt"
+"/var/log/apt/history.log",5998,"2026-04-09 21:41:55","apt"
+"/var/log/apt/history.log.1.gz",2817,"2026-03-31 06:57:53","apt"
+"/var/log/apt/term.log",30609,"2026-04-09 21:41:55","apt"
+"/var/log/apt/term.log.1.gz",7201,"2026-03-31 06:57:53","apt"
+"/var/log/auth.log",1975430,"2026-04-10 21:46:09","auth.log"
+"/var/log/auth.log.1",3123876,"2026-04-05 00:00:01","auth.log.1"
+"/var/log/auth.log.2.gz",331548,"2026-03-28 23:59:49","auth.log.2.gz"
+"/var/log/auth.log.3.gz",395408,"2026-03-22 00:00:02","auth.log.3.gz"
+"/var/log/bootstrap.log",1,"2020-08-01 05:42:09","bootstrap.log"
+"/var/log/borg/backup-20260223.log",23653,"2026-02-23 03:19:55","borg"
+"/var/log/borg/backup-20260224.log",3611,"2026-02-24 03:19:25","borg"
+"/var/log/borg/backup-20260225.log",5328,"2026-02-25 03:21:37","borg"
+"/var/log/borg/backup-20260226.log",4947,"2026-02-26 03:06:52","borg"
+"/var/log/borg/backup-20260227.log",7327,"2026-02-27 03:29:47","borg"
+"/var/log/borg/backup-20260228.log",4404,"2026-02-28 03:29:47","borg"
+"/var/log/borg/backup-20260301.log",4574,"2026-03-01 03:15:46","borg"
+"/var/log/borg/backup-20260302.log",7074,"2026-03-02 03:02:08","borg"
+"/var/log/borg/backup-20260303.log",4744,"2026-03-03 03:03:52","borg"
+"/var/log/borg/backup-20260304.log",4953,"2026-03-04 03:42:21","borg"
+"/var/log/borg/backup-20260305.log",6534,"2026-03-05 03:22:34","borg"
+"/var/log/borg/backup-20260306.log",6792,"2026-03-06 03:23:15","borg"
+"/var/log/borg/backup-20260307.log",4602,"2026-03-07 03:13:48","borg"
+"/var/log/borg/backup-20260308.log",3890,"2026-03-08 03:02:24","borg"
+"/var/log/borg/backup-20260309.log",3968,"2026-03-09 03:19:55","borg"
+"/var/log/borg/backup-20260310.log",3044,"2026-03-10 03:15:29","borg"
+"/var/log/borg/backup-20260311.log",4528,"2026-03-11 03:16:46","borg"
+"/var/log/borg/backup-20260312.log",4246,"2026-03-12 03:24:15","borg"
+"/var/log/borg/backup-20260313.log",4246,"2026-03-13 03:23:31","borg"
+"/var/log/borg/backup-20260314.log",4105,"2026-03-14 03:31:23","borg"
+"/var/log/borg/backup-20260315.log",4386,"2026-03-15 03:11:51","borg"
+"/var/log/borg/backup-20260316.log",181139,"2026-03-16 13:50:37","borg"
+"/var/log/borg/backup-20260317.log",4396,"2026-03-17 03:07:52","borg"
+"/var/log/borg/backup-20260318.log",380400,"2026-03-18 03:25:20","borg"
+"/var/log/borg/backup-20260319.log",813842,"2026-03-19 03:16:43","borg"
+"/var/log/borg/backup-20260320.log",6116,"2026-03-20 03:07:58","borg"
+"/var/log/borg/backup-20260321.log",896813,"2026-03-21 03:26:37","borg"
+"/var/log/borg/backup-20260322.log",117634,"2026-03-22 03:28:25","borg"
+"/var/log/borg/backup-20260323.log",6285,"2026-03-23 03:05:08","borg"
+"/var/log/borg/backup-20260324.log",82306,"2026-03-24 03:21:37","borg"
+"/var/log/borg/backup-20260325.log",134429,"2026-03-25 03:31:25","borg"
+"/var/log/borg/backup-20260326.log",6477,"2026-03-26 03:11:22","borg"
+"/var/log/borg/backup-20260327.log",5384,"2026-03-27 03:42:48","borg"
+"/var/log/borg/backup-20260328.log",475,"2026-03-28 03:08:01","borg"
+"/var/log/borg-backup.log",2445959,"2026-03-23 03:30:25","borg-backup.log"
+"/var/log/dist-upgrade/20251231-1927/main.log",894,"2025-12-31 19:27:27","dist-upgrade"
+"/var/log/dist-upgrade/apt.log",63330,"2025-12-31 19:33:44","dist-upgrade"
+"/var/log/dist-upgrade/apt-term.log",244692,"2025-12-31 19:34:05","dist-upgrade"
+"/var/log/dist-upgrade/eipp.log.xz",26500,"2025-12-31 19:33:52","dist-upgrade"
+"/var/log/dist-upgrade/history.log",77010,"2025-12-31 19:34:05","dist-upgrade"
+"/var/log/dist-upgrade/main.log",42845,"2025-12-31 19:34:08","dist-upgrade"
+"/var/log/dist-upgrade/xorg_fixup.log",78,"2025-12-31 19:34:08","dist-upgrade"
+"/var/log/dmesg",46202,"2026-04-02 21:55:43","dmesg"
+"/var/log/dmesg.0",44606,"2026-03-30 13:23:27","dmesg.0"
+"/var/log/dmesg.1.gz",13808,"2026-03-17 15:35:26","dmesg.1.gz"
+"/var/log/dmesg.2.gz",14230,"2026-02-24 08:57:49","dmesg.2.gz"
+"/var/log/dmesg.3.gz",14323,"2026-02-10 22:01:38","dmesg.3.gz"
+"/var/log/docker-upgrades/upgrade-2026-02-22_0428.log",28151,"2026-02-22 04:29:20","docker-upgrades"
+"/var/log/docker-upgrades/upgrade-2026-03-01_0421.log",34035,"2026-03-01 04:22:20","docker-upgrades"
+"/var/log/docker-upgrades/upgrade-2026-03-08_0417.log",6737,"2026-03-08 04:18:00","docker-upgrades"
+"/var/log/docker-upgrades/upgrade-2026-03-15_0414.log",14263,"2026-03-15 04:14:56","docker-upgrades"
+"/var/log/dpkg.log",45855,"2026-04-09 21:41:55","dpkg.log"
+"/var/log/dpkg.log.1",122623,"2026-03-31 06:57:53","dpkg.log.1"
+"/var/log/fail2ban.log",313271,"2026-04-10 21:39:26","fail2ban.log"
+"/var/log/fail2ban.log.1",201136,"2026-04-04 23:54:00","fail2ban.log.1"
+"/var/log/fail2ban.log.2.gz",54841,"2026-03-28 23:55:54","fail2ban.log.2.gz"
+"/var/log/fail2ban.log.3.gz",87608,"2026-03-21 23:57:37","fail2ban.log.3.gz"
+"/var/log/fontconfig.log",3080,"2026-02-26 22:17:31","fontconfig.log"
+"/var/log/kern.log",6331059,"2026-04-10 21:46:25","kern.log"
+"/var/log/kern.log.1",7672138,"2026-04-05 00:00:01","kern.log.1"
+"/var/log/kern.log.2.gz",875287,"2026-03-28 23:59:45","kern.log.2.gz"
+"/var/log/kern.log.3.gz",905871,"2026-03-22 00:00:01","kern.log.3.gz"
+"/var/log/landscape/sysinfo.log",0,"2020-08-01 05:13:07","landscape"
+"/var/log/mail.log",1330690,"2026-04-10 21:45:58","mail.log"
+"/var/log/mail.log.1",2344562,"2026-04-04 23:52:06","mail.log.1"
+"/var/log/mail.log.2.gz",168986,"2026-03-28 23:57:21","mail.log.2.gz"
+"/var/log/mail.log.3.gz",557593,"2026-03-21 23:59:43","mail.log.3.gz"
+"/var/log/nginx/access.log",120243,"2026-04-10 21:42:54","nginx"
+"/var/log/nginx/access.log.1",150946,"2026-04-09 23:55:29","nginx"
+"/var/log/nginx/access.log.2.gz",21286,"2026-04-08 23:54:14","nginx"
+"/var/log/nginx/access.log.3.gz",42787,"2026-04-07 23:59:56","nginx"
+"/var/log/nginx/access.log.4.gz",10982,"2026-04-07 00:00:01","nginx"
+"/var/log/nginx/error.log",3822,"2026-04-10 19:27:59","nginx"
+"/var/log/nginx/error.log.1",18722,"2026-04-09 23:55:29","nginx"
+"/var/log/nginx/error.log.2.gz",3161,"2026-04-08 20:37:10","nginx"
+"/var/log/nginx/error.log.3.gz",11513,"2026-04-07 23:59:36","nginx"
+"/var/log/nginx/error.log.4.gz",888,"2026-04-06 23:58:49","nginx"
+"/var/log/nginx/ttrss_access.log",0,"2026-03-15 00:00:04","nginx"
+"/var/log/nginx/ttrss_error.log",0,"2026-03-13 00:00:02","nginx"
+"/var/log/php8.1-fpm.log",0,"2026-01-04 00:00:02","php8.1-fpm.log"
+"/var/log/php8.3-fpm.log",0,"2026-03-22 00:00:02","php8.3-fpm.log"
+"/var/log/php8.3-fpm.log.1",152,"2026-03-16 14:38:51","php8.3-fpm.log.1"
+"/var/log/postfix.log",5411070,"2026-02-02 23:37:02","postfix.log"
+"/var/log/syslog",39541775,"2026-04-10 21:46:28","syslog"
+"/var/log/syslog.2.gz",3947946,"2026-03-29 00:00:00","syslog.2.gz"
+"/var/log/syslog.3.gz",3025463,"2026-03-22 00:00:02","syslog.3.gz"
+"/var/log/ubuntu-advantage-apt-hook.log",0,"2025-12-31 19:24:17","ubuntu-advantage-apt-hook.log"
+"/var/log/ubuntu-advantage.log",0,"2026-02-01 00:00:06","ubuntu-advantage.log"
+"/var/log/ufw.log",6323723,"2026-04-10 21:46:25","ufw.log"
+"/var/log/ufw.log.1",7563386,"2026-04-05 00:00:01","ufw.log.1"
+"/var/log/ufw.log.2.gz",875043,"2026-03-28 23:59:45","ufw.log.2.gz"
+"/var/log/ufw.log.3.gz",889229,"2026-03-22 00:00:01","ufw.log.3.gz"
+"/var/log/voicemail-transcribe.log",1542001,"2026-04-10 21:45:53","voicemail-transcribe.log"
--- a/logs/inventory/mo1.csv
+++ b/logs/inventory/mo1.csv
@@ -0,0 +1,50 @@
+"/var/log/alternatives.log",444,"2026-04-09 13:58:39","alternatives.log"
+"/var/log/alternatives.log.1",2106,"2026-03-28 10:28:14","alternatives.log.1"
+"/var/log/alternatives.log.2.gz",2179,"2026-02-25 06:52:45","alternatives.log.2.gz"
+"/var/log/apt/eipp.log.xz",30208,"2026-04-10 06:54:08","apt"
+"/var/log/apt/history.log",2132,"2026-04-10 06:54:10","apt"
+"/var/log/apt/history.log.1.gz",3926,"2026-03-31 07:51:09","apt"
+"/var/log/apt/history.log.2.gz",9591,"2026-02-27 03:21:53","apt"
+"/var/log/apt/term.log",11206,"2026-04-10 06:54:10","apt"
+"/var/log/apt/term.log.1.gz",10759,"2026-03-31 07:51:09","apt"
+"/var/log/apt/term.log.2.gz",31943,"2026-02-27 03:21:53","apt"
+"/var/log/auth.log",2328595,"2026-04-10 21:45:05","auth.log"
+"/var/log/auth.log.1",4497091,"2026-04-05 00:00:03","auth.log.1"
+"/var/log/auth.log.2.gz",612106,"2026-03-29 00:00:02","auth.log.2.gz"
+"/var/log/auth.log.3.gz",927025,"2026-03-22 00:00:01","auth.log.3.gz"
+"/var/log/auth.log.4.gz",1074181,"2026-03-15 00:00:10","auth.log.4.gz"
+"/var/log/cloud-init-output.log",7155,"2026-02-23 20:09:45","cloud-init-output.log"
+"/var/log/cloud-init.log",161364,"2026-02-23 20:09:45","cloud-init.log"
+"/var/log/cron.log",230482,"2026-04-10 21:45:01","cron.log"
+"/var/log/cron.log.1",262751,"2026-04-05 00:00:02","cron.log.1"
+"/var/log/cron.log.2.gz",32027,"2026-03-29 00:00:01","cron.log.2.gz"
+"/var/log/cron.log.3.gz",27210,"2026-03-22 00:00:01","cron.log.3.gz"
+"/var/log/cron.log.4.gz",2814,"2026-03-14 23:17:01","cron.log.4.gz"
+"/var/log/daemon.log",350423,"2026-02-23 19:52:47","daemon.log"
+"/var/log/daemon.log.1",302076,"2026-02-22 00:00:12","daemon.log.1"
+"/var/log/dpkg.log",14705,"2026-04-10 06:54:10","dpkg.log"
+"/var/log/dpkg.log.1",148161,"2026-03-31 07:51:09","dpkg.log.1"
+"/var/log/dpkg.log.2.gz",40791,"2026-02-27 03:21:53","dpkg.log.2.gz"
+"/var/log/fail2ban.log",227779,"2026-04-10 21:33:00","fail2ban.log"
+"/var/log/fail2ban.log.1",273331,"2026-04-04 23:58:53","fail2ban.log.1"
+"/var/log/fail2ban.log.2.gz",70980,"2026-03-28 23:55:57","fail2ban.log.2.gz"
+"/var/log/fail2ban.log.3.gz",47472,"2026-03-21 23:59:19","fail2ban.log.3.gz"
+"/var/log/fontconfig.log",1901,"2026-04-08 19:09:34","fontconfig.log"
+"/var/log/git-bundle-backup.log",10056,"2026-04-10 03:00:24","git-bundle-backup.log"
+"/var/log/gitea-borg-backup.log",6500,"2026-04-10 20:00:01","gitea-borg-backup.log"
+"/var/log/kern.log",41872,"2026-04-09 20:32:40","kern.log"
+"/var/log/kern.log.1",531229,"2026-04-02 22:01:09","kern.log.1"
+"/var/log/kern.log.2.gz",29450,"2026-03-28 18:58:21","kern.log.2.gz"
+"/var/log/kern.log.3.gz",367869,"2026-03-21 09:04:40","kern.log.3.gz"
+"/var/log/kern.log.4.gz",8792,"2026-03-14 23:49:28","kern.log.4.gz"
+"/var/log/messages",2277,"2026-02-23 19:52:39","messages"
+"/var/log/rclone-media.log",18327234,"2026-04-10 21:45:33","rclone-media.log"
+"/var/log/syslog",67501427,"2026-04-10 21:46:09","syslog"
+"/var/log/syslog.2.gz",3058561,"2026-03-29 00:00:04","syslog.2.gz"
+"/var/log/syslog.3.gz",7227084,"2026-03-22 00:00:04","syslog.3.gz"
+"/var/log/syslog.4.gz",1477465,"2026-03-15 00:00:07","syslog.4.gz"
+"/var/log/user.log",9179,"2026-04-10 11:40:23","user.log"
+"/var/log/user.log.1",17065,"2026-04-04 15:50:54","user.log.1"
+"/var/log/user.log.2.gz",1151,"2026-03-28 20:10:30","user.log.2.gz"
+"/var/log/user.log.3.gz",668,"2026-03-21 01:31:32","user.log.3.gz"
+"/var/log/user.log.4.gz",249,"2026-03-15 23:45:31","user.log.4.gz"
--- a/logs/inventory/ro1.csv
+++ b/logs/inventory/ro1.csv
@@ -0,0 +1,59 @@
+"/var/log/auth.log",249618,"","auth.log"
+"/var/log/auth.log.0.bz2",74572,"","auth.log.0.bz2"
+"/var/log/auth.log.1.bz2",75580,"","auth.log.1.bz2"
+"/var/log/auth.log.2.bz2",72352,"","auth.log.2.bz2"
+"/var/log/auth.log.3.bz2",67674,"","auth.log.3.bz2"
+"/var/log/auth.log.4.bz2",65672,"","auth.log.4.bz2"
+"/var/log/auth.log.5.bz2",73896,"","auth.log.5.bz2"
+"/var/log/auth.log.6.bz2",79217,"","auth.log.6.bz2"
+"/var/log/borg-backup.log",13318316,"","borg-backup.log"
+"/var/log/certbot-renew.log",120570,"","certbot-renew.log"
+"/var/log/daemon.log",779089,"","daemon.log"
+"/var/log/daemon.log.0.bz2",31246,"","daemon.log.0.bz2"
+"/var/log/daemon.log.1.bz2",30848,"","daemon.log.1.bz2"
+"/var/log/daemon.log.2.bz2",31503,"","daemon.log.2.bz2"
+"/var/log/debug.log",89382,"","debug.log"
+"/var/log/devd.log",65,"","devd.log"
+"/var/log/dmesg.today",0,"","dmesg.today"
+"/var/log/dmesg.yesterday",251,"","dmesg.yesterday"
+"/var/log/flood.log",2660480,"","flood.log"
+"/var/log/freedns-access.log",1923352,"","freedns-access.log"
+"/var/log/freedns-error.log",34093,"","freedns-error.log"
+"/var/log/freedns-ssl-access.log",4410711,"","freedns-ssl-access.log"
+"/var/log/freedns-ssl-error.log",1343992,"","freedns-ssl-error.log"
+"/var/log/httpd-access.log",3382629,"","httpd-access.log"
+"/var/log/httpd-error.log",5787754,"","httpd-error.log"
+"/var/log/httpd-flood-access.log",1590,"","httpd-flood-access.log"
+"/var/log/httpd-flood-error.log",432900,"","httpd-flood-error.log"
+"/var/log/httpd-jellyfin-error.log",467100,"","httpd-jellyfin-error.log"
+"/var/log/httpd-nextcloud-access.log",932361,"","httpd-nextcloud-access.log"
+"/var/log/httpd-nextcloud-error.log",4823,"","httpd-nextcloud-error.log"
+"/var/log/httpd-radicale-access.log",544314,"","httpd-radicale-access.log"
+"/var/log/httpd-radicale-error.log",176540,"","httpd-radicale-error.log"
+"/var/log/httpd/i47i.tk-access.log",9705942,"","httpd"
+"/var/log/httpd/i47i.tk-error.log",400820,"","httpd"
+"/var/log/manual-upgrades/upgrade-2026-03-08_0400.log",5210,"","manual-upgrades"
+"/var/log/manual-upgrades/upgrade-2026-03-15_0400.log",4452,"","manual-upgrades"
+"/var/log/manual-upgrades/upgrade-2026-03-22_0400.log",3531,"","manual-upgrades"
+"/var/log/manual-upgrades/upgrade-2026-03-29_0400.log",2700,"","manual-upgrades"
+"/var/log/matomo-access.log",2246346,"","matomo-access.log"
+"/var/log/matomo-error.log",205073,"","matomo-error.log"
+"/var/log/messages",511888,"","messages"
+"/var/log/mount_monitor.log",526613,"","mount_monitor.log"
+"/var/log/mount_monitor.log.old",1048798,"","mount_monitor.log.old"
+"/var/log/nextcloud/nextcloud.log",31242,"","nextcloud"
+"/var/log/php-fpm.log",1536,"","php-fpm.log"
+"/var/log/ppp.log",65,"","ppp.log"
+"/var/log/radicale.log",0,"","radicale.log"
+"/var/log/rclone_1fichier.log",3527081,"","rclone_1fichier.log"
+"/var/log/redis/redis.log",6484550,"","redis"
+"/var/log/syncthing.log",12201,"","syncthing.log"
+"/var/log/utx.log",0,"","utx.log"
+"/var/log/utx.log.0",1850,"","utx.log.0"
+"/var/log/utx.log.1",32191,"","utx.log.1"
+"/var/log/utx.log.2",27162,"","utx.log.2"
+"/var/log/webmail-access.log",39659,"","webmail-access.log"
+"/var/log/webmail-error.log",0,"","webmail-error.log"
+"/var/log/webmail-ssl-access.log",24984682,"","webmail-ssl-access.log"
+"/var/log/webmail-ssl-error.log",28197,"","webmail-ssl-error.log"
+"/var/log/wg-restart.log",899,"","wg-restart.log"
--- a/logs/inventory/sony.csv
+++ b/logs/inventory/sony.csv
@@ -0,0 +1,128 @@
+"/var/log/alternatives.log",2449,"2026-04-09 20:38:07","alternatives.log"
+"/var/log/alternatives.log.1",17929,"2026-03-26 10:05:25","alternatives.log.1"
+"/var/log/alternatives.log.10.gz",1357,"2025-03-24 21:07:35","alternatives.log.10.gz"
+"/var/log/alternatives.log.2.gz",1408,"2026-02-23 19:23:50","alternatives.log.2.gz"
+"/var/log/alternatives.log.3.gz",543,"2026-01-29 10:31:47","alternatives.log.3.gz"
+"/var/log/alternatives.log.4.gz",718,"2026-01-25 13:47:35","alternatives.log.4.gz"
+"/var/log/alternatives.log.5.gz",204,"2025-12-20 06:32:33","alternatives.log.5.gz"
+"/var/log/alternatives.log.6.gz",764,"2025-10-30 17:05:36","alternatives.log.6.gz"
+"/var/log/alternatives.log.7.gz",296,"2025-07-25 10:18:40","alternatives.log.7.gz"
+"/var/log/alternatives.log.8.gz",235,"2025-07-09 03:13:46","alternatives.log.8.gz"
+"/var/log/alternatives.log.9.gz",1314,"2025-06-11 20:12:25","alternatives.log.9.gz"
+"/var/log/apt/eipp.log.xz",116496,"2026-04-09 20:37:21","apt"
+"/var/log/apt/history.log",7518,"2026-04-09 20:38:22","apt"
+"/var/log/apt/history.log.10.gz",909,"2025-07-09 03:14:58","apt"
+"/var/log/apt/history.log.11.gz",3928,"2025-06-11 20:12:45","apt"
+"/var/log/apt/history.log.12.gz",4615,"2025-03-24 21:07:37","apt"
+"/var/log/apt/history.log.1.gz",2421,"2026-03-30 14:03:10","apt"
+"/var/log/apt/history.log.2.gz",6616,"2026-02-26 17:26:47","apt"
+"/var/log/apt/history.log.3.gz",3645,"2026-01-29 10:33:58","apt"
+"/var/log/apt/history.log.4.gz",993,"2025-12-27 18:10:09","apt"
+"/var/log/apt/history.log.5.gz",424,"2025-11-30 01:12:46","apt"
+"/var/log/apt/history.log.6.gz",150,"2025-11-01 22:17:42","apt"
+"/var/log/apt/history.log.7.gz",3294,"2025-10-30 17:09:46","apt"
+"/var/log/apt/history.log.8.gz",149,"2025-08-20 22:33:24","apt"
+"/var/log/apt/history.log.9.gz",1870,"2025-07-25 13:16:41","apt"
+"/var/log/apt/term.log",28371,"2026-04-09 20:38:22","apt"
+"/var/log/apt/term.log.10.gz",2687,"2025-07-09 03:14:58","apt"
+"/var/log/apt/term.log.11.gz",12721,"2025-06-11 20:12:45","apt"
+"/var/log/apt/term.log.12.gz",13174,"2025-03-24 21:07:37","apt"
+"/var/log/apt/term.log.1.gz",8937,"2026-03-30 14:03:10","apt"
+"/var/log/apt/term.log.2.gz",19428,"2026-02-26 17:26:47","apt"
+"/var/log/apt/term.log.3.gz",10479,"2026-01-29 10:33:58","apt"
+"/var/log/apt/term.log.4.gz",2862,"2025-12-27 18:10:09","apt"
+"/var/log/apt/term.log.5.gz",1163,"2025-11-30 01:12:46","apt"
+"/var/log/apt/term.log.6.gz",257,"2025-11-01 22:17:42","apt"
+"/var/log/apt/term.log.7.gz",9236,"2025-10-30 17:09:46","apt"
+"/var/log/apt/term.log.8.gz",257,"2025-08-20 22:33:24","apt"
+"/var/log/apt/term.log.9.gz",5013,"2025-07-25 13:16:41","apt"
+"/var/log/boot.log",0,"2026-04-10 00:00:03","boot.log"
+"/var/log/boot.log.1",11125,"2026-04-10 00:00:03","boot.log.1"
+"/var/log/boot.log.2",10201,"2026-04-09 00:00:00","boot.log.2"
+"/var/log/boot.log.3",11388,"2026-04-03 00:00:03","boot.log.3"
+"/var/log/boot.log.4",10395,"2026-03-29 00:00:05","boot.log.4"
+"/var/log/boot.log.5",32086,"2026-03-21 00:00:02","boot.log.5"
+"/var/log/boot.log.6",24228,"2026-03-17 00:00:01","boot.log.6"
+"/var/log/boot.log.7",10207,"2026-02-26 00:00:30","boot.log.7"
+"/var/log/bootstrap.log",0,"2024-06-29 09:06:14","bootstrap.log"
+"/var/log/borg/backup-20260223.log",40782,"2026-02-23 05:16:20","borg"
+"/var/log/borg/backup-20260224.log",115678,"2026-02-24 05:31:12","borg"
+"/var/log/borg/backup-20260225.log",29784,"2026-02-25 05:14:25","borg"
+"/var/log/borg/backup-20260226.log",44607,"2026-02-26 05:19:10","borg"
+"/var/log/borg/backup-20260227.log",29605,"2026-02-27 04:32:52","borg"
+"/var/log/borg/backup-20260228.log",18122,"2026-02-28 04:34:31","borg"
+"/var/log/borg/backup-20260301.log",16405,"2026-03-01 04:30:26","borg"
+"/var/log/borg/backup-20260302.log",506199,"2026-03-02 04:28:47","borg"
+"/var/log/borg/backup-20260303.log",17102,"2026-03-03 04:22:27","borg"
+"/var/log/borg/backup-20260304.log",24795,"2026-03-04 09:27:33","borg"
+"/var/log/borg/backup-20260305.log",103798,"2026-03-05 04:11:19","borg"
+"/var/log/borg/backup-20260306.log",31212,"2026-03-06 05:55:09","borg"
+"/var/log/borg/backup-20260307.log",18997,"2026-03-07 04:56:29","borg"
+"/var/log/borg/backup-20260308.log",32345,"2026-03-08 05:16:59","borg"
+"/var/log/borg/backup-20260309.log",32377,"2026-03-09 05:04:11","borg"
+"/var/log/borg/backup-20260310.log",27966,"2026-03-10 03:36:29","borg"
+"/var/log/borg/backup-20260311.log",34867,"2026-03-11 05:07:15","borg"
+"/var/log/borg/backup-20260312.log",32992,"2026-03-12 05:06:03","borg"
+"/var/log/borg/backup-20260313.log",32120,"2026-03-13 05:11:52","borg"
+"/var/log/borg/backup-20260314.log",28482,"2026-03-14 05:34:42","borg"
+"/var/log/borg/backup-20260315.log",22224,"2026-03-15 05:01:23","borg"
+"/var/log/borg/backup-20260316.log",59002,"2026-03-16 19:56:45","borg"
+"/var/log/borg/backup-20260317.log",10543,"2026-03-17 07:49:52","borg"
+"/var/log/borg/backup-20260318.log",42329,"2026-03-18 09:55:36","borg"
+"/var/log/borg/backup-20260319.log",101153,"2026-03-19 08:20:48","borg"
+"/var/log/borg/backup-20260320.log",208677,"2026-03-21 02:47:45","borg"
+"/var/log/borg/backup-20260321.log",48232,"2026-03-21 08:08:22","borg"
+"/var/log/borg/backup-20260322.log",34255,"2026-03-22 10:12:52","borg"
+"/var/log/borg/backup-20260323.log",38361,"2026-03-23 09:49:15","borg"
+"/var/log/borg/backup-20260324.log",54437,"2026-03-24 09:48:15","borg"
+"/var/log/borg/backup-20260325.log",62273,"2026-03-25 10:07:14","borg"
+"/var/log/borg/backup-20260326.log",33231,"2026-03-26 10:06:00","borg"
+"/var/log/borg/backup-20260327.log",154608,"2026-03-27 09:52:57","borg"
+"/var/log/borg/backup-20260328.log",50470,"2026-03-28 10:07:10","borg"
+"/var/log/borg/backup-20260329.log",56738,"2026-03-29 10:32:05","borg"
+"/var/log/borg/backup-20260330.log",45008,"2026-03-30 10:06:14","borg"
+"/var/log/borg/backup-20260331.log",36407,"2026-03-31 09:37:37","borg"
+"/var/log/borg/backup-20260401.log",32398,"2026-04-01 08:11:15","borg"
+"/var/log/borg/backup-20260402.log",24698,"2026-04-02 09:42:40","borg"
+"/var/log/borg/backup-20260403.log",133322,"2026-04-03 09:36:04","borg"
+"/var/log/borg/backup-20260404.log",34287,"2026-04-04 09:31:18","borg"
+"/var/log/borg/backup-20260405.log",37409,"2026-04-05 09:43:16","borg"
+"/var/log/borg/backup-20260406.log",33626,"2026-04-06 10:47:06","borg"
+"/var/log/borg/backup-20260407.log",37806,"2026-04-07 09:25:40","borg"
+"/var/log/borg/backup-20260408.log",44762,"2026-04-08 09:24:09","borg"
+"/var/log/borg/backup-20260409.log",75408,"2026-04-09 10:31:44","borg"
+"/var/log/borg/cron.log",2251707,"2026-04-10 05:22:52","borg"
+"/var/log/cups/access_log.2.gz",368,"2026-04-09 00:00:01","cups"
+"/var/log/cups/access_log.3.gz",337,"2026-04-08 00:00:02","cups"
+"/var/log/cups/access_log.4.gz",339,"2026-04-07 00:00:02","cups"
+"/var/log/cups/access_log.5.gz",321,"2026-04-06 00:00:01","cups"
+"/var/log/cups/access_log.6.gz",344,"2026-04-05 00:00:03","cups"
+"/var/log/cups/access_log.7.gz",317,"2026-04-04 00:00:02","cups"
+"/var/log/cups/error_log.2.gz",109,"2026-02-25 05:50:28","cups"
+"/var/log/cups/error_log.3.gz",120,"2026-02-03 14:12:49","cups"
+"/var/log/cups/error_log.4.gz",109,"2026-01-24 05:00:27","cups"
+"/var/log/cups/error_log.5.gz",107,"2026-01-16 05:00:00","cups"
+"/var/log/cups/error_log.6.gz",109,"2025-12-28 05:00:45","cups"
+"/var/log/cups/error_log.7.gz",109,"2025-12-16 05:00:52","cups"
+"/var/log/dpkg.log",79170,"2026-04-09 20:38:22","dpkg.log"
+"/var/log/dpkg.log.1",172056,"2026-03-30 14:03:09","dpkg.log.1"
+"/var/log/dpkg.log.10.gz",4772,"2025-07-09 03:14:58","dpkg.log.10.gz"
+"/var/log/dpkg.log.11.gz",21063,"2025-06-11 20:12:45","dpkg.log.11.gz"
+"/var/log/dpkg.log.12.gz",23025,"2025-03-24 21:07:37","dpkg.log.12.gz"
+"/var/log/dpkg.log.2.gz",27009,"2026-02-26 17:26:47","dpkg.log.2.gz"
+"/var/log/dpkg.log.3.gz",19151,"2026-01-29 10:33:58","dpkg.log.3.gz"
+"/var/log/dpkg.log.4.gz",4865,"2025-12-27 18:10:09","dpkg.log.4.gz"
+"/var/log/dpkg.log.5.gz",1013,"2025-11-30 01:12:46","dpkg.log.5.gz"
+"/var/log/dpkg.log.6.gz",186,"2025-11-01 22:17:42","dpkg.log.6.gz"
+"/var/log/dpkg.log.7.gz",18860,"2025-10-30 17:09:46","dpkg.log.7.gz"
+"/var/log/dpkg.log.8.gz",185,"2025-08-20 22:33:24","dpkg.log.8.gz"
+"/var/log/dpkg.log.9.gz",7748,"2025-07-25 13:16:41","dpkg.log.9.gz"
+"/var/log/fontconfig.log",16615,"2026-02-14 01:51:38","fontconfig.log"
+"/var/log/installer/syslog",198578,"2025-03-23 03:21:46","installer"
+"/var/log/installer/Xorg.0.log",44876,"2025-03-23 03:21:46","installer"
+"/var/log/sddm.log",0,"2024-06-29 09:06:14","sddm.log"
+"/var/log/Xorg.0.log",47522,"2026-04-10 21:29:28","Xorg.0.log"
+"/var/log/Xorg.0.log.old",42628,"2026-04-09 12:29:54","Xorg.0.log.old"
+"/var/log/Xorg.2.log",51228,"2025-03-29 01:58:02","Xorg.2.log"
+"/var/log/Xorg.2.log.old",45357,"2025-03-23 20:36:17","Xorg.2.log.old"
+"/var/log/Xorg.4.log",43321,"2025-03-23 20:36:16","Xorg.4.log"
--- a/logs/inventory/termux.csv
+++ b/logs/inventory/termux.csv
@@ -0,0 +1,29 @@
+"/data/data/com.termux/files/home/.local/var/debian/debian-fs/var/log/alternatives.log",74663,"2026-01-25 15:05:11","alternatives.log"
+"/data/data/com.termux/files/home/.local/var/debian/debian-fs/var/log/apt/eipp.log.xz",33020,"2026-01-25 15:04:25","apt"
+"/data/data/com.termux/files/home/.local/var/debian/debian-fs/var/log/apt/history.log",138276,"2026-01-25 15:05:20","apt"
+"/data/data/com.termux/files/home/.local/var/debian/debian-fs/var/log/apt/term.log",1279412,"2026-01-25 15:05:20","apt"
+"/data/data/com.termux/files/home/.local/var/debian/debian-fs/var/log/bootstrap.log",75657,"2022-11-13 07:36:10","bootstrap.log"
+"/data/data/com.termux/files/home/.local/var/debian/debian-fs/var/log/dpkg.log",1369807,"2026-01-25 15:05:20","dpkg.log"
+"/data/data/com.termux/files/home/.local/var/debian/debian-fs/var/log/fontconfig.log",13461,"2024-02-21 10:33:37","fontconfig.log"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/anaconda.log",101454,"2024-07-26 16:48:49","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/dbus.log",3476,"2024-07-26 16:48:49","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/dnf.librepo.log",31090,"2024-07-26 16:48:50","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/hawkey.log",120,"2024-07-26 16:48:49","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/journal.log",746062,"2024-07-26 16:48:49","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/lorax-packages.log",25989,"2024-07-26 16:48:49","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/packaging.log",28677,"2024-07-26 16:48:50","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/program.log",8933,"2024-07-26 16:48:49","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/storage.log",66950,"2024-07-26 16:48:49","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/anaconda/syslog",505487,"2024-07-26 16:48:49","anaconda"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/dnf.librepo.log",186446,"2026-01-25 15:05:58","dnf.librepo.log"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/dnf.log",496468,"2026-01-25 15:06:00","dnf.log"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/dnf.rpm.log",71157,"2026-01-25 15:05:50","dnf.rpm.log"
+"/data/data/com.termux/files/home/.local/var/fedora/fedora-fs/var/log/hawkey.log",5940,"2026-01-25 15:05:50","hawkey.log"
+"/data/data/com.termux/files/usr/var/log/alternatives.log",68273,"2026-04-02 20:59:54","alternatives.log"
+"/data/data/com.termux/files/usr/var/log/apt/eipp.log.xz",9992,"2026-04-02 20:59:34","apt"
+"/data/data/com.termux/files/usr/var/log/apt/history.log",191850,"2026-04-02 20:59:59","apt"
+"/data/data/com.termux/files/usr/var/log/apt/term.log",1360953,"2026-04-02 20:59:59","apt"
+"/data/data/com.termux/files/usr/var/log/borg/borg.log",37989099,"2024-06-30 23:05:56","borg"
+"/data/data/com.termux/files/usr/var/log/mbsync/mbsync.log",704,"2025-02-13 02:14:43","mbsync"
+"/data/data/com.termux/files/usr/var/log/notmuch/notmuch.log",3098180,"2025-02-13 02:14:42","notmuch"
+"/data/data/com.termux/files/usr/var/log/rclone/rclone.log",125022,"2024-06-30 23:17:54","rclone"
--- a/reports/SUMMARY.md
+++ b/reports/SUMMARY.md
@@ -0,0 +1,87 @@
+# Cross-Server Log Inspection — Summary
+
+_Generated: 2026-04-10T21:49:07+00:00_
+
+## Coverage
+
+| Host | Inventory entries | Status | Top log dirs |
+|------|-------------------:|--------|--------------|
+| ams | 31 | ok | /var/log/borg-backup.log (5.9M), /var/log/auth.log (612.1K), /var/log/utx.log.1 (468.9K) |
+| ams2 | 73 | ok | /var/log/auth.log (648.3K), /var/log/messages (647.8K), /var/log/daemon.log (646.9K) |
+| ca1 | 92 | ok | /var/log/syslog (8.6M), /var/log/kern.log.1 (7.3M), /var/log/ufw.log.1 (7.3M) |
+| ca2 | 48 | ok | /var/log/ufw.log.1 (3.7M), /var/log/auth.log.1 (3.3M), /var/log/auth.log (1.6M) |
+| ca3 | 9 | ok | /var/log/dpkg.log (134.3K), /var/log/apt (85.1K), /var/log/syslog (28.1K) |
+| fr1 | 106 | ok | /var/log/syslog (37.7M), /var/log/kern.log.1 (7.3M), /var/log/ufw.log.1 (7.2M) |
+| mo1 | 50 | ok | /var/log/syslog (64.4M), /var/log/rclone-media.log (17.5M), /var/log/syslog.3.gz (6.9M) |
+| ro1 | 59 | ok | /var/log/webmail-ssl-access.log (23.8M), /var/log/borg-backup.log (12.7M), /var/log/httpd (9.6M) |
+| sony | 128 | ok | /var/log/borg (4.8M), /var/log/apt (261.3K), /var/log/installer (237.7K) |
+| termux | 29 | ok | /data/data/com.termux (45.9M) |
+
+## Top 25 largest log files (cluster-wide)
+
+| Host | Path | Size | Mtime | Service |
+|------|------|-----:|-------|---------|
+| mo1 | `/var/log/syslog` | 64.4M | 2026-04-10 21:46:09 | syslog |
+| fr1 | `/var/log/syslog` | 37.7M | 2026-04-10 21:46:28 | syslog |
+| termux | `/data/data/com.termux/files/usr/var/log/borg/borg.log` | 36.2M | 2024-06-30 23:05:56 | borg |
+| ro1 | `/var/log/webmail-ssl-access.log` | 23.8M |  | webmail-ssl-access.log |
+| mo1 | `/var/log/rclone-media.log` | 17.5M | 2026-04-10 21:45:33 | rclone-media.log |
+| ro1 | `/var/log/borg-backup.log` | 12.7M |  | borg-backup.log |
+| ro1 | `/var/log/httpd/i47i.tk-access.log` | 9.3M |  | httpd |
+| ca1 | `/var/log/syslog` | 8.6M | 2026-04-10 21:46:08 | syslog |
+| ca1 | `/var/log/kern.log.1` | 7.3M | 2026-04-04 23:59:51 | kern.log.1 |
+| fr1 | `/var/log/kern.log.1` | 7.3M | 2026-04-05 00:00:01 | kern.log.1 |
+| ca1 | `/var/log/ufw.log.1` | 7.3M | 2026-04-04 23:59:51 | ufw.log.1 |
+| fr1 | `/var/log/ufw.log.1` | 7.2M | 2026-04-05 00:00:01 | ufw.log.1 |
+| mo1 | `/var/log/syslog.3.gz` | 6.9M | 2026-03-22 00:00:04 | syslog.3.gz |
+| ro1 | `/var/log/redis/redis.log` | 6.2M |  | redis |
+| fr1 | `/var/log/kern.log` | 6.0M | 2026-04-10 21:46:25 | kern.log |
+| fr1 | `/var/log/ufw.log` | 6.0M | 2026-04-10 21:46:25 | ufw.log |
+| ca1 | `/var/log/kern.log` | 6.0M | 2026-04-10 21:45:55 | kern.log |
+| ca1 | `/var/log/ufw.log` | 6.0M | 2026-04-10 21:45:55 | ufw.log |
+| ams | `/var/log/borg-backup.log` | 5.9M |  | borg-backup.log |
+| ro1 | `/var/log/httpd-error.log` | 5.5M |  | httpd-error.log |
+| fr1 | `/var/log/postfix.log` | 5.2M | 2026-02-02 23:37:02 | postfix.log |
+| mo1 | `/var/log/auth.log.1` | 4.3M | 2026-04-05 00:00:03 | auth.log.1 |
+| ro1 | `/var/log/freedns-ssl-access.log` | 4.2M |  | freedns-ssl-access.log |
+| fr1 | `/var/log/syslog.2.gz` | 3.8M | 2026-03-29 00:00:00 | syslog.2.gz |
+| ca2 | `/var/log/ufw.log.1` | 3.7M | 2026-03-18 04:08:03 | ufw.log.1 |
+
+## Anomalies — files with errors or excessive warnings
+
+| Host | Severity | Errors | Warns | Size | Path |
+|------|----------|-------:|------:|-----:|------|
+| ro1 | **HIGH** | 72 | 0 | 1.3M | `/var/log/freedns-ssl-error.log` |
+| ro1 | **HIGH** | 62 | 0 | 27.5K | `/var/log/webmail-ssl-error.log` |
+| ro1 | **HIGH** | 51 | 0 | 391.4K | `/var/log/httpd/i47i.tk-error.log` |
+| ro1 | **HIGH** | 7 | 3614 | 1.0M | `/var/log/mount_monitor.log.old` |
+| ro1 | **HIGH** | 0 | 1808 | 514.3K | `/var/log/mount_monitor.log` |
+| ams | **MED** | 21 | 0 | 5.9M | `/var/log/borg-backup.log` |
+| ro1 | **MED** | 0 | 886 | 500.3K | `/var/log/messages` |
+| ro1 | **LOW** | 6 | 0 | 3.4M | `/var/log/rclone_1fichier.log` |
+| ro1 | **LOW** | 5 | 0 | 12.7M | `/var/log/borg-backup.log` |
+| ro1 | **LOW** | 3 | 0 | 2.4K | `/var/log/manual-upgrades/upgrade-2026-04-05_0400.log` |
+| ams | **LOW** | 1 | 0 | 53.9K | `/var/log/debug.log.0.bz2` |
+| ams2 | **LOW** | 1 | 0 | 259.3K | `/var/log/borg/cron.log` |
+
+## systemd journal error volume (24h)
+
+| Host | journalctl -p err lines |
+|------|------------------------:|
+| ams | 0 |
+| ams2 | 0 |
+| ca1 | 1 |
+| ca2 | 1 |
+| ca3 | 2 |
+| fr1 | 1 |
+| mo1 | 37 |
+| ro1 | 0 |
+| sony | 100 |
+| termux | 0 |
+
+## Recommendations
+
+- **Investigate 5 HIGH-severity log file(s) immediately** — see table above. These have either ≥50 error lines or ≥1000 warning lines in the last 7 days.
+- **Sparse inventories on ca3, termux** — these likely require sudo to enumerate /var/log fully. Re-run discovery as root for a complete picture (the runner can be extended to use `sudo -n` on Linux hosts as it already does on FreeBSD).
+- Re-run `./scripts/run-all.sh` on a schedule (cron / systemd timer) and commit the diff to track regressions over time.
+- Consider centralising logs (Loki / Vector → VictoriaLogs on mo1) so this scan becomes a single query rather than 10 SSH fan-outs.
--- a/scripts/build-summary.py
+++ b/scripts/build-summary.py
@@ -0,0 +1,174 @@
+#!/usr/bin/env python3
+"""Aggregate per-host CSV inventories + anomaly text into reports/SUMMARY.md."""
+from __future__ import annotations
+import csv, glob, os, re, sys
+from pathlib import Path
+from datetime import datetime, timezone
+
+ROOT = Path(__file__).resolve().parent.parent
+INV_DIR = ROOT / "logs" / "inventory"
+ANOM_DIR = ROOT / "anomalies"
+OUT = ROOT / "reports" / "SUMMARY.md"
+
+def human(n: int) -> str:
+    for unit in ("B","K","M","G","T"):
+        if n < 1024:
+            return f"{n:.0f}{unit}" if unit == "B" else f"{n:.1f}{unit}"
+        n /= 1024
+    return f"{n:.1f}P"
+
+def load_inventory(host: str, csvpath: Path):
+    rows = []
+    if not csvpath.exists() or csvpath.stat().st_size == 0:
+        return rows
+    with csvpath.open(newline="", errors="replace") as f:
+        for r in csv.reader(f):
+            if len(r) < 4: continue
+            try:
+                rows.append((r[0], int(r[1]), r[2], r[3]))
+            except ValueError:
+                continue
+    return rows
+
+ANOM_RE = re.compile(r"^(\S+)\s+errors=(\d+)\s+warns=(\d+)\s+size=(\d+)")
+
+def parse_anomaly(host: str, txt: Path):
+    """Return list of (path, errors, warns, size) and journal error count."""
+    findings = []
+    journal_err = 0
+    if not txt.exists():
+        return findings, journal_err, "missing"
+    body = txt.read_text(errors="replace")
+    if not body.strip():
+        return findings, journal_err, "empty (host unreachable?)"
+    for line in body.splitlines():
+        m = ANOM_RE.match(line)
+        if m:
+            findings.append((m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
+    # crude journal error tally
+    in_journal = False
+    for line in body.splitlines():
+        if line.startswith("--- journalctl"):
+            in_journal = True; continue
+        if line.startswith("---") and in_journal:
+            break
+        if in_journal and line.strip():
+            journal_err += 1
+    return findings, journal_err, "ok"
+
+def severity(errors: int, warns: int) -> str:
+    if errors >= 50 or warns >= 1000: return "HIGH"
+    if errors >= 10 or warns >= 200:  return "MED"
+    if errors > 0 or warns > 50:      return "LOW"
+    return "-"
+
+def main():
+    hosts = sorted({p.stem for p in INV_DIR.glob("*.csv")} |
+                   {p.stem for p in ANOM_DIR.glob("*.txt")})
+    out = []
+    out.append("# Cross-Server Log Inspection — Summary")
+    out.append("")
+    out.append(f"_Generated: {datetime.now(timezone.utc).isoformat(timespec='seconds')}_")
+    out.append("")
+    out.append("## Coverage")
+    out.append("")
+    out.append("| Host | Inventory entries | Status | Top log dirs |")
+    out.append("|------|-------------------:|--------|--------------|")
+    per_host_findings = {}
+    per_host_inv = {}
+    for h in hosts:
+        inv = load_inventory(h, INV_DIR / f"{h}.csv")
+        per_host_inv[h] = inv
+        findings, jerr, status = parse_anomaly(h, ANOM_DIR / f"{h}.txt")
+        per_host_findings[h] = (findings, jerr, status)
+        # top dirs by total size
+        dirs = {}
+        for path, sz, _, _ in inv:
+            d = "/".join(path.split("/")[:4])
+            dirs[d] = dirs.get(d, 0) + sz
+        topdirs = ", ".join(f"{d} ({human(s)})" for d, s in sorted(dirs.items(), key=lambda x:-x[1])[:3])
+        out.append(f"| {h} | {len(inv)} | {status} | {topdirs or '-'} |")
+    out.append("")
+
+    # Largest individual log files across all hosts
+    out.append("## Top 25 largest log files (cluster-wide)")
+    out.append("")
+    out.append("| Host | Path | Size | Mtime | Service |")
+    out.append("|------|------|-----:|-------|---------|")
+    flat = []
+    for h, rows in per_host_inv.items():
+        for path, sz, mt, svc in rows:
+            flat.append((h, path, sz, mt, svc))
+    flat.sort(key=lambda x: -x[2])
+    for h, p, sz, mt, svc in flat[:25]:
+        out.append(f"| {h} | `{p}` | {human(sz)} | {mt} | {svc} |")
+    out.append("")
+
+    # Anomaly findings table
+    out.append("## Anomalies — files with errors or excessive warnings")
+    out.append("")
+    out.append("| Host | Severity | Errors | Warns | Size | Path |")
+    out.append("|------|----------|-------:|------:|-----:|------|")
+    rows_sev = []
+    for h, (findings, _, _) in per_host_findings.items():
+        for path, e, w, sz in findings:
+            rows_sev.append((severity(e,w), h, e, w, sz, path))
+    sev_rank = {"HIGH":0, "MED":1, "LOW":2, "-":3}
+    rows_sev.sort(key=lambda r: (sev_rank[r[0]], -r[2], -r[3]))
+    for sev, h, e, w, sz, p in rows_sev:
+        out.append(f"| {h} | **{sev}** | {e} | {w} | {human(sz)} | `{p}` |")
+    if not rows_sev:
+        out.append("| - | - | - | - | - | _no error patterns detected in 7-day window_ |")
+    out.append("")
+
+    # journal error summary
+    out.append("## systemd journal error volume (24h)")
+    out.append("")
+    out.append("| Host | journalctl -p err lines |")
+    out.append("|------|------------------------:|")
+    for h, (_, jerr, _) in per_host_findings.items():
+        out.append(f"| {h} | {jerr} |")
+    out.append("")
+
+    # Recommendations
+    out.append("## Recommendations")
+    out.append("")
+    recs = []
+    # 1. Severity-based
+    high = [r for r in rows_sev if r[0] == "HIGH"]
+    if high:
+        recs.append(f"- **Investigate {len(high)} HIGH-severity log file(s) immediately** — see table above. "
+                    "These have either ≥50 error lines or ≥1000 warning lines in the last 7 days.")
+    # 2. Big files
+    bigfiles = [r for r in flat if r[2] > 100*1024*1024]
+    if bigfiles:
+        recs.append(f"- **{len(bigfiles)} log file(s) exceed 100 MB** — consider tightening logrotate "
+                    "(e.g. `/etc/logrotate.d/`) and/or using zstd compression. Largest: "
+                    f"`{bigfiles[0][1]}` on {bigfiles[0][0]} at {human(bigfiles[0][2])}.")
+    # 3. Hosts with no inventory (likely unprivileged)
+    empty = [h for h, inv in per_host_inv.items() if len(inv) < 30]
+    if empty:
+        recs.append(f"- **Sparse inventories on {', '.join(empty)}** — these likely require sudo to enumerate "
+                    "/var/log fully. Re-run discovery as root for a complete picture (the runner can be "
+                    "extended to use `sudo -n` on Linux hosts as it already does on FreeBSD).")
+    # 4. journal noise
+    noisy = sorted(((h, j) for h, (_, j, _) in per_host_findings.items() if j > 100),
+                   key=lambda x:-x[1])
+    if noisy:
+        h, j = noisy[0]
+        recs.append(f"- **journald noisiest on {h}** ({j} error lines/24h). Top drivers worth triaging: "
+                    "check `journalctl -p err -b` for repeating units (mbsync, sudo PAM failures, etc.).")
+    # 5. Generic
+    recs.append("- Re-run `./scripts/run-all.sh` on a schedule (cron / systemd timer) and commit the diff "
+                "to track regressions over time.")
+    recs.append("- Consider centralising logs (Loki / Vector → VictoriaLogs on mo1) so this scan becomes "
+                "a single query rather than 10 SSH fan-outs.")
+    out.extend(recs)
+    out.append("")
+
+    OUT.parent.mkdir(parents=True, exist_ok=True)
+    OUT.write_text("\n".join(out))
+    print(f"wrote {OUT} ({len(out)} lines)")
+
+if __name__ == "__main__":
+    main()
--- a/scripts/discover-logs.sh
+++ b/scripts/discover-logs.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+# discover-logs.sh — portable log inventory.
+# Outputs CSV: path,size_bytes,mtime_iso,service
+# Works on Linux (Debian/Ubuntu), FreeBSD, and Termux.
+
+set -u
+HOST=$(hostname 2>/dev/null || uname -n)
+
+# 1. Build candidate file list using fast tools when available.
+LIST=$(mktemp 2>/dev/null || echo /tmp/discover.$$)
+trap 'rm -f "$LIST"' EXIT
+
+if command -v plocate >/dev/null 2>&1; then
+    plocate /var/log 2>/dev/null > "$LIST"
+elif command -v locate >/dev/null 2>&1; then
+    locate /var/log 2>/dev/null > "$LIST"
+else
+    # No locate db: walk /var/log with du (faster than find for our purposes).
+    if [ -d /var/log ]; then
+        du -ab /var/log 2>/dev/null | awk '{ $1=""; sub(/^ /,""); print }' > "$LIST"
+    fi
+fi
+
+# Add Kubernetes / container log dirs explicitly (they may be outside locate db).
+for extra in /var/log/pods /var/log/containers /var/lib/docker/containers /var/log/journal; do
+    [ -d "$extra" ] && du -ab "$extra" 2>/dev/null | awk '{ $1=""; sub(/^ /,""); print }' >> "$LIST"
+done
+
+# Termux logs
+if [ -n "${PREFIX:-}" ] && [ -d "${PREFIX}/var/log" ]; then
+    du -ab "${PREFIX}/var/log" 2>/dev/null | awk '{ $1=""; sub(/^ /,""); print }' >> "$LIST"
+fi
+
+# 2. Filter to regular files matching log-ish patterns, emit CSV.
+# Service guessed from path component under /var/log/.
+sort -u "$LIST" | while IFS= read -r p; do
+    [ -f "$p" ] || continue
+    case "$p" in
+        *.log|*.log.*|*.gz|*.zst|*.xz|*.zip|*/messages|*/syslog|*/auth*|*/kern*|*/daemon*|*/dmesg*|*/secure*) ;;
+        *) continue ;;
+    esac
+    sz=$(stat -c '%s' "$p" 2>/dev/null || stat -f '%z' "$p" 2>/dev/null) || continue
+    mt=$(stat -c '%y' "$p" 2>/dev/null | cut -d. -f1 || stat -f '%Sm' -t '%Y-%m-%d %H:%M:%S' "$p" 2>/dev/null) || continue
+    svc=$(echo "$p" | awk -F/ '{
+        for (i=1;i<=NF;i++) if ($i=="log" || $i=="logs") { print $(i+1); exit }
+    }')
+    [ -z "$svc" ] && svc="other"
+    # CSV-escape quotes/commas in path
+    esc=$(printf '%s' "$p" | sed 's/"/""/g')
+    printf '"%s",%s,"%s","%s"\n' "$esc" "$sz" "$mt" "$svc"
+done
--- a/scripts/run-all.sh
+++ b/scripts/run-all.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# run-all.sh — fan out discover-logs.sh and scan-anomalies.sh to every host.
+# Run from the log_analysis repo root.
+
+set -u
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+mkdir -p "$ROOT/logs/inventory" "$ROOT/anomalies"
+
+# host:ssh-prefix:needs-sudo
+HOSTS=(
+    "mo1:local:0"
+    "ams:ssh -o BatchMode=yes ams:1"
+    "ams2:ssh -o BatchMode=yes ams2:1"
+    "ro1:ssh -o BatchMode=yes ro1:1"
+    "ca1:ssh -o BatchMode=yes ca1:0"
+    "ca2:ssh -o BatchMode=yes ca2:0"
+    "ca3:ssh -o BatchMode=yes -p 15120 ca3:0"
+    "fr1:ssh -o BatchMode=yes fr1:0"
+    "sony:ssh -o BatchMode=yes -o ConnectTimeout=5 sony:0"
+    "termux:ssh -o BatchMode=yes -o ConnectTimeout=5 -p 8022 termux:0"
+)
+
+run_one() {
+    local entry="$1"
+    local host="${entry%%:*}"
+    local rest="${entry#*:}"
+    local ssh_cmd="${rest%:*}"
+    local sudo_flag="${rest##*:}"
+
+    local discover scan
+    discover="$(cat "$ROOT/scripts/discover-logs.sh")"
+    scan="$(cat "$ROOT/scripts/scan-anomalies.sh")"
+
+    local pfx=""
+    [ "$sudo_flag" = "1" ] && pfx="sudo -n "
+
+    if [ "$ssh_cmd" = "local" ]; then
+        echo "[$host] discover (local)"
+        ${pfx}sh -c "$discover" > "$ROOT/logs/inventory/$host.csv" 2>/dev/null
+        echo "[$host] scan (local)"
+        ${pfx}sh -c "$scan" > "$ROOT/anomalies/$host.txt" 2>&1
+    else
+        echo "[$host] discover via: $ssh_cmd"
+        $ssh_cmd "${pfx}sh" > "$ROOT/logs/inventory/$host.csv" 2>/dev/null <<EOF || echo "[$host] discover FAILED"
+$discover
+EOF
+        echo "[$host] scan via: $ssh_cmd"
+        $ssh_cmd "${pfx}sh" > "$ROOT/anomalies/$host.txt" 2>&1 <<EOF || echo "[$host] scan FAILED"
+$scan
+EOF
+    fi
+    local lines bytes
+    lines=$(wc -l < "$ROOT/logs/inventory/$host.csv" 2>/dev/null || echo 0)
+    bytes=$(wc -c < "$ROOT/anomalies/$host.txt" 2>/dev/null || echo 0)
+    echo "[$host] done — inventory=$lines lines, anomalies=$bytes bytes"
+}
+
+# Run hosts in parallel (background), wait at end.
+for h in "${HOSTS[@]}"; do
+    run_one "$h" &
+done
+wait
+echo "All hosts complete."
--- a/scripts/scan-anomalies.sh
+++ b/scripts/scan-anomalies.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+# scan-anomalies.sh — inspect recent log files for error/warning/critical patterns.
+# Output is human-readable; one block per file with issues.
+
+set -u
+HOST=$(hostname 2>/dev/null || uname -n)
+echo "=== Anomaly scan: $HOST ($(date -u +%FT%TZ)) ==="
+echo
+
+# 1. systemd journal (Linux only) — last 24h, error priority and above.
+if command -v journalctl >/dev/null 2>&1; then
+    echo "--- journalctl -p err --since '24 hours ago' ---"
+    journalctl -p err --since '24 hours ago' --no-pager 2>/dev/null | tail -100
+    echo
+fi
+
+# 2. kubectl events (mo1 only).
+if command -v kubectl >/dev/null 2>&1; then
+    echo "--- kubectl get events --all-namespaces (warnings) ---"
+    kubectl get events --all-namespaces --field-selector type!=Normal 2>/dev/null | tail -50
+    echo
+fi
+
+# 3. Recent (mtime < 7d) log files: count error tokens.
+PATTERN='ERROR|FATAL|CRITICAL|FAIL(ED|URE)?|panic|segfault|OOM|Out of memory|denied'
+WPAT='WARN(ING)?'
+
+scan_file() {
+    f="$1"
+    case "$f" in
+        *.gz)  cmd="zcat -- \"$f\"" ;;
+        *.xz)  cmd="xzcat -- \"$f\"" ;;
+        *.zst) cmd="zstdcat -- \"$f\"" ;;
+        *.zip) return ;;
+        *)     cmd="cat -- \"$f\"" ;;
+    esac
+    errs=$(eval "$cmd" 2>/dev/null | grep -c -E "$PATTERN")
+    warns=$(eval "$cmd" 2>/dev/null | grep -c -E "$WPAT")
+    if [ "${errs:-0}" -gt 0 ] || [ "${warns:-0}" -gt 50 ]; then
+        sz=$(stat -c '%s' "$f" 2>/dev/null || stat -f '%z' "$f" 2>/dev/null)
+        printf '%s\terrors=%s\twarns=%s\tsize=%s\n' "$f" "$errs" "$warns" "$sz"
+        # Show up to 5 sample error lines.
+        eval "$cmd" 2>/dev/null | grep -E "$PATTERN" | head -5 | sed 's/^/    > /'
+    fi
+}
+
+echo "--- recent log files (mtime < 7d) ---"
+# Use locate when possible; otherwise restrict to /var/log walk.
+{
+    if command -v plocate >/dev/null 2>&1; then plocate /var/log 2>/dev/null
+    elif command -v locate >/dev/null 2>&1; then locate /var/log 2>/dev/null
+    fi
+    [ -d /var/log ] && du -a /var/log 2>/dev/null | awk '{ $1=""; sub(/^ /,""); print }'
+} | sort -u | while IFS= read -r f; do
+    [ -f "$f" ] || continue
+    case "$f" in *.log|*.log.*|*/messages|*/syslog|*/auth*|*/kern*|*/daemon*) ;; *) continue ;; esac
+    # mtime within 7 days
+    if [ "$(find "$f" -prune -mtime -7 2>/dev/null)" = "$f" ]; then
+        scan_file "$f"
+    fi
+done
+
+# 4. Disk usage of /var/log overall.
+echo
+echo "--- /var/log disk usage ---"
+du -sh /var/log 2>/dev/null
+du -sh /var/log/* 2>/dev/null | sort -h | tail -15
+
+# 5. Largest log files
+echo
+echo "--- top 15 largest files under /var/log ---"
+du -ab /var/log 2>/dev/null | sort -nr | head -15 | awk '{ printf "%10d  %s\n", $1, $2 }'