#!/bin/sh
# scan-anomalies.sh — inspect recent log files for error/warning/critical patterns.
# Output is human-readable; one block per file with issues.

set -u
HOST=$(hostname 2>/dev/null || uname -n)
echo "=== Anomaly scan: $HOST ($(date -u +%FT%TZ)) ==="
echo

# 1. systemd journal (Linux only) — last 24h, error priority and above.
if command -v journalctl >/dev/null 2>&1; then
    echo "--- journalctl -p err --since '24 hours ago' ---"
    journalctl -p err --since '24 hours ago' --no-pager 2>/dev/null | tail -100
    echo
fi

# 2. kubectl events (mo1 only).
if command -v kubectl >/dev/null 2>&1; then
    echo "--- kubectl get events --all-namespaces (warnings) ---"
    kubectl get events --all-namespaces --field-selector type!=Normal 2>/dev/null | tail -50
    echo
fi

# 3. Recent (mtime < 7d) log files: count error tokens.
PATTERN='ERROR|FATAL|CRITICAL|FAIL(ED|URE)?|panic|segfault|OOM|Out of memory|denied'
WPAT='WARN(ING)?'

scan_file() {
    f="$1"
    case "$f" in
        *.gz)  cmd="zcat -- \"$f\"" ;;
        *.xz)  cmd="xzcat -- \"$f\"" ;;
        *.zst) cmd="zstdcat -- \"$f\"" ;;
        *.zip) return ;;
        *)     cmd="cat -- \"$f\"" ;;
    esac
    errs=$(eval "$cmd" 2>/dev/null | grep -c -E "$PATTERN")
    warns=$(eval "$cmd" 2>/dev/null | grep -c -E "$WPAT")
    if [ "${errs:-0}" -gt 0 ] || [ "${warns:-0}" -gt 50 ]; then
        sz=$(stat -c '%s' "$f" 2>/dev/null || stat -f '%z' "$f" 2>/dev/null)
        printf '%s\terrors=%s\twarns=%s\tsize=%s\n' "$f" "$errs" "$warns" "$sz"
        # Show up to 5 sample error lines.
        eval "$cmd" 2>/dev/null | grep -E "$PATTERN" | head -5 | sed 's/^/    > /'
    fi
}

echo "--- recent log files (mtime < 7d) ---"
# Use locate when possible; otherwise restrict to /var/log walk.
{
    if command -v plocate >/dev/null 2>&1; then plocate /var/log 2>/dev/null
    elif command -v locate >/dev/null 2>&1; then locate /var/log 2>/dev/null
    fi
    [ -d /var/log ] && du -a /var/log 2>/dev/null | awk '{ $1=""; sub(/^ /,""); print }'
} | sort -u | while IFS= read -r f; do
    [ -f "$f" ] || continue
    case "$f" in *.log|*.log.*|*/messages|*/syslog|*/auth*|*/kern*|*/daemon*) ;; *) continue ;; esac
    # mtime within 7 days
    if [ "$(find "$f" -prune -mtime -7 2>/dev/null)" = "$f" ]; then
        scan_file "$f"
    fi
done

# 4. Disk usage of /var/log overall.
echo
echo "--- /var/log disk usage ---"
du -sh /var/log 2>/dev/null
du -sh /var/log/* 2>/dev/null | sort -h | tail -15

# 5. Largest log files
echo
echo "--- top 15 largest files under /var/log ---"
du -ab /var/log 2>/dev/null | sort -nr | head -15 | awk '{ printf "%10d  %s\n", $1, $2 }'