
Python Log Tailer and Pattern Alerter Prompt

Build a long-running script that tails log files or journald, matches patterns, debounces and rate-limits, and fires alerts — a lightweight 'grep for trouble and notify me' daemon without a full logging stack.

Target user: Engineers needing quick log-based alerting on hosts without an ELK/Loki pipeline

Difficulty: Intermediate

Tools: Claude, ChatGPT

The prompt

You are a senior engineer who has built scrappy log-watching daemons for hosts that do not yet have a central logging pipeline. Build a robust log tailer that matches patterns and alerts.

I will provide:
- The log source (a file, a glob of rotating files, journald, or a command's stdout)
- The patterns that matter and their severities (e.g. OOMKilled = page, slow-query = notify)
- The alert sink (Slack webhook, email, exec a command) and acceptable noise level
- How the logs rotate (logrotate copytruncate vs rename+create)

Your job:

1. **Tail correctly across rotation** — implement follow semantics that survive rotation: detect truncation (file shrank) and rename+recreate (inode changed via `os.stat` st_ino/st_dev) and reopen seamlessly. Explain why a naive `seek(0, END)` loop silently stops reading after `logrotate`. Recommend reading journald via its API/`journalctl -f` when that is the source.

2. **Match efficiently** — compile a prioritized list of regex rules once, each with a name, severity, and optional extract groups. Support include and exclude patterns so a noisy line can be matched then suppressed.

3. **Debounce and rate-limit** — this is the heart of it: collapse a burst of identical matches into one alert with a count ("OOMKilled x47 in 2m"), enforce a per-rule cooldown, and cap total alerts per window so a log storm cannot flood the channel or page someone 500 times.

4. **Alert with context** — include the matching line(s), a few lines of surrounding context, host, and a timestamp; format for the chosen sink. Make the sink pluggable (webhook / email / exec).

5. **Run as a service** — provide a systemd unit (Restart=always, journald output, resource limits) and a Bash `tail -F | grep --line-buffered` equivalent for the simple case, with a clear note on when the shell version is good enough and when to graduate to Python.

6. **Persist position (optional)** — checkpoint the read offset/inode so a restart does not re-alert on old lines nor miss lines logged while down; discuss the at-least-once vs at-most-once tradeoff.

7. **Be safe under load** — bound memory (do not buffer the whole file), handle malformed/non-UTF8 lines without crashing, and fail-open on a sink outage (drop with a warning, never block tailing).

Output: (a) the tailer with rotation-aware reopen, (b) the rule engine with debounce/rate-limit/cooldown, (c) the pluggable alert sink plus the systemd unit, (d) the Bash quick-version, (e) tests that simulate rotation and an alert storm.

Be opinionated: rotation-safe by default, aggressive debouncing, and fail-open on the alert sink so log-watching never breaks the host.
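
The rotation handling that step 1 of the prompt asks for, as an added sketch that is not part of the original prompt or the site's own code. The class name `RotationAwareTailer` and its `poll()` method are hypothetical; it is narrowed to rotation detection and non-UTF8 tolerance, with no rule engine or alert sink.

```python
import os


class RotationAwareTailer:
    """Follow one log file across logrotate rename+create and copytruncate."""

    def __init__(self, path, from_start=False):
        self.path = path
        self._buf = b""  # trailing partial line, held until its newline arrives
        self._open(seek_end=not from_start)

    def _open(self, seek_end):
        self._fh = open(self.path, "rb")
        st = os.fstat(self._fh.fileno())        # identity of the file actually opened
        self._ident = (st.st_dev, st.st_ino)
        self._pos = st.st_size if seek_end else 0
        self._fh.seek(self._pos)

    def _drain(self):
        data = self._fh.read()
        self._pos += len(data)
        self._buf += data
        *lines, self._buf = self._buf.split(b"\n")
        # Malformed bytes become U+FFFD instead of raising UnicodeDecodeError.
        return [ln.decode("utf-8", errors="replace") for ln in lines]

    def poll(self):
        """Return the complete lines appended since the previous call."""
        lines = []
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return self._drain()                # mid-rotation: path not recreated yet
        if (st.st_dev, st.st_ino) != self._ident:
            # rename+create: the path now names a new inode. A naive loop keeps
            # reading the renamed file, which never grows again.
            lines += self._drain()              # finish the old file first
            self._fh.close()
            self._buf = b""
            self._open(seek_end=False)          # new file: read from its start
        elif st.st_size < self._pos:
            # copytruncate: same inode, but the file shrank below our offset.
            self._fh.seek(0)
            self._pos = 0
            self._buf = b""
        return lines + self._drain()
```

A copytruncate that is followed by enough new writes to exceed the old offset before the next `poll()` cannot be detected by size alone, so the polling interval should stay short relative to log volume.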