log_analysis/README.md

# log_analysis

Cross-server log inventory and anomaly scanning across the rpert infrastructure
(10 hosts: mo1, ams, ams2, ro1, ca1, ca2, ca3, fr1, sony, termux).

## Layout

```
log_analysis/
├── README.md
├── scripts/
│   ├── discover-logs.sh    # portable log inventory (Linux/FreeBSD/Termux)
│   ├── scan-anomalies.sh   # ERROR/WARN/CRITICAL counts + journalctl scan
│   └── run-all.sh          # fan out both scripts to every host via SSH
├── logs/
│   └── inventory/<host>.csv   # path,size_bytes,mtime,service
├── anomalies/
│   └── <host>.txt             # raw anomaly findings per host
└── reports/
    └── SUMMARY.md             # cross-host roll-up + recommendations
```

## Hosts

| Host    | OS       | SSH                       |
|---------|----------|---------------------------|
| mo1     | Debian   | local                     |
| ams     | FreeBSD  | `ssh ams` (sudo -n)       |
| ams2    | FreeBSD  | `ssh ams2` (sudo -n)      |
| ro1     | FreeBSD  | `ssh ro1` (sudo -n)       |
| ca1     | Ubuntu   | `ssh ca1`                 |
| ca2     | Debian   | `ssh ca2`                 |
| ca3     | Debian   | `ssh -p 15120 ca3`        |
| fr1     | Ubuntu   | `ssh fr1`                 |
| sony    | Debian   | `ssh sony` (laptop)       |
| termux  | Android  | `ssh -p 8022 termux`      |

## Usage

```bash
./scripts/run-all.sh        # discovery + anomaly scan, all hosts
git add -A && git commit -m "refresh $(date -I)" && git push
```

Reports land in `reports/SUMMARY.md`.

## Notes

- FreeBSD hosts use `sudo -n` + `BatchMode=yes` (per memory).
- Discovery uses `locate`/`plocate` where available, falls back to scanning
  `/var/log` with `du`. `find` is avoided per project preference.
- Sony and Termux may be offline; the runner skips unreachable hosts.