Hi everyone, I’ve been building my own log search server because I wasn’t satisfied with any of the alternatives out there and wanted a project to learn rust with. It still needs a ton of work but wanted to share what I’ve built so far.

The repo is up here: https://codeberg.org/Kryesh/crystalline

and i’ve started putting together some documentation here: https://kryesh.codeberg.page/crystalline/

There’s a lot of features I plan to add to it but I’m curious to hear what people think and if there’s anything you’d like to see out of a project like this.

Some examples from my lab environment:

events view searching for SSH logins from systemd journals and syslog events:

counting raw event size for all indices:

performance is looking pretty decent so far, and it can be configured to not be too much of a resource hog depending on use case, some numbers from my test install:

  • raw events ingested: ~52 million
  • raw event size: ~40GB
  • on disk size: ~5.8GB

Ram usage:

  • not running searches ingesting 600MB-1GB per day it uses about 500MB of ram
  • running the ssh search examples above brings it to about 600MB of ram while the search is running
  • running last example search getting the size of all events (requires decompressing the entire event store) peaked at about 3.5GB of ram usage
  • warmaster@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    1 month ago

    That looks great, congrats!

    If you’re targeting us, homelabbers, I’ll tell you what I would want from a log server:

    • Stupid easy installation (Docker / Proxmox)
    • Integrations with:
    • Proxmox
    • Docker
    • Home Assistant
    • Frigate
    • Scrypted
    • Jellyfin
    • Immich
    • Unifi
    • Kryesh@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      30 days ago

      Thanks! definitely aiming for a stupid easy installation/management for the app itself; but in my experience getting a wide range of supported log sources is no small feat. I’ve been using fluentbit to handle collection from different sources and using the following has been working well for me:

      • docker ‘journald’ log driver
      • fluentbit ‘systemd’ input
      • fluentbit ‘http’ output like the one in the readme

      with that setup you can search for container logs by name which works great with compose:

      or process logs from an nginx container like this to see traffic from external hosts:

      I’ll add a more complete example to the docs, but if you look in the repo there’s a complete example for receiving and ingesting syslog that you can run with just “docker compose up”

      • PlusMinus@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        29 days ago

        Maybe you should add OTLP support? I don’t know how you are ingesting from Fluentbit at the moment, but I think with OTLP basically any log source can be integrated either through the fluentbit OTLP plugin or an OTEL collector.

        • Kryesh@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          29 days ago

          I’m currently using the fluentbit http output plugin, fluentbit can act as an otel collector with an input plugin which could then be routed to the http output plugin. Long term I’ll probably look at adding it but there’s other features that take priority in the app itself such as scheduled searching and notifications/alerting

  • LiPoly@lemmynsfw.com
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 month ago

    Kudos on the project! I often thought about building something similar myself, because I wasn’t happy with what’s out there. Everything is so complicated to set up and way too oversized for a simple log collection service, or the UI is just bad and super unintuitive for no reason. Glad you’re brining some new wind into the space.

  • pineapple@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    29 days ago

    I don’t really understand the point of this. What kind of logs are you storing and why would you want to?

  • farcaller@fstab.sh
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 month ago

    This looks nice, but there’s plenty free alternatives in this space which warrants a section in the readme with the comparison to other products.

    You mention ram usage, but it’s oftentimes a product of event size. Based on your numbers, your average event size is about 800 bytes. Let’s call it 1kb. That’s one million events per day. It’s surely sounds more promising than Elastic, but not reaching Loki numbers, or, if you focus on efficiency, is way behind Victoriametrics Logs (based on peeking at their benches).

    I think the important bits you need to add is how you store the logs (i.e. which indices you build) and what are your trade-offs. Grep is an efficient logs processor which barely uses any ram but incurs dramatic I/O costs, after all.

    Enterprises will be looking at different numbers and they have lots of SaaS products to choose from. Homelab users are absolutely your target audience and you can have it by making a better UI than the alternative (victoriametrics logs aren’t that comfortable to work with) or making resource usage lower (people run k8s clusters on RPis, they sure wonder about every megabyte of ram lost) or making the deployment easier (fire and forget, and when you come to it, it works).

    It sounds like lots of things and I don’t want to be discouraging. What you started there is really nice-looking. Good job!

  • ancoraunamoka@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    29 days ago

    This is very cool.

    I an slowly building my own syslog server with visualization, but it’s cool to see new stuff on the block.

    I have always been wary of big commercial services like kibana, grafana, etc…