
Releases: trydirect/stackdog

v0.2.2

08 Apr 07:03


Fixed

  • CLI startup robustness: .env loading is now non-fatal.

    • stackdog --help and other commands no longer panic when .env is missing or contains malformed lines.
    • Stackdog now logs a warning and continues with existing environment variables.
  • Installer release resolution: install.sh now handles missing /releases/latest responses gracefully.

    • Falls back to the most recent release entry when no stable "latest" release is available.
    • Improves error messaging and updates install examples to use the main branch script URL.

Added

  • Expanded detector framework with additional log-driven detection coverage.

    • Reverse shell, sensitive file access, cloud metadata / SSRF, exfiltration chain, and secret leakage detectors.
    • File integrity monitoring with SQLite-backed baselines via STACKDOG_FIM_PATHS.
    • Configuration assessment via STACKDOG_SCA_PATHS.
    • Package inventory heuristics via STACKDOG_PACKAGE_INVENTORY_PATHS.
    • Docker posture audits for privileged mode, host namespaces, dangerous capabilities, Docker socket mounts, and writable sensitive mounts.
  • Improved syslog ingestion

    • RFC3164 and RFC5424 parsing in file-based log ingestion for cleaner timestamps and normalized message bodies.
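As an added example that is not stackdog's own code, the following plain-Rust parser (no external crates) shows the classification the syslog ingestion above implies: it splits off the PRI, tells RFC5424 from RFC3164 by the version field, skips structured data and returns a normalized message body. The names SyslogLine and parse_syslog are assumptions, not stackdog's API; a line that is not syslog yields None so the caller can keep the raw text rather than fail the whole file.

```rust
#[derive(Debug, PartialEq)]
pub struct SyslogLine {                       // hypothetical type, not stackdog's
    pub facility: u8, pub severity: u8, pub rfc5424: bool,
    pub timestamp: String, pub host: String, pub message: String,
}

/// Splits the leading "<PRI>" header; None if absent or malformed.
fn split_pri(line: &str) -> Option<(u8, &str)> {
    let rest = line.strip_prefix('<')?;
    let end = rest.find('>')?;
    if end == 0 || end > 3 { return None; }   // PRI is 1 to 3 digits
    let pri: u16 = rest[..end].parse().ok()?;
    if pri > 191 { return None; }             // facility 0-23 * 8 + severity 0-7
    Some((pri as u8, &rest[end + 1..]))
}

/// Skips RFC5424 STRUCTURED-DATA ("-" or one or more "[...]" blocks, with
/// "\]" escapes allowed inside a block) and returns the MSG part.
fn skip_structured_data(mut rest: &str) -> &str {
    if let Some(msg) = rest.strip_prefix('-') { return msg.trim_start(); }
    while rest.starts_with('[') {
        let b = rest.as_bytes();
        let mut i = 1;
        while i < b.len() && !(b[i] == b']' && b[i - 1] != b'\\') { i += 1; }
        if i >= b.len() { return ""; }        // unterminated block: no MSG
        rest = &rest[i + 1..];
    }
    rest.trim_start()
}

/// Parses one syslog line in either format; None means "not syslog" (caller keeps the raw line).
pub fn parse_syslog(line: &str) -> Option<SyslogLine> {
    let (pri, rest) = split_pri(line.trim_end())?;
    let (facility, severity) = (pri / 8, pri % 8);
    // RFC5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
    if let Some(body) = rest.strip_prefix("1 ") {
        let mut f = body.splitn(6, ' ');
        let (timestamp, host) = (f.next()?, f.next()?);
        let (_app, _procid, _msgid) = (f.next()?, f.next()?, f.next()?);
        let message = skip_structured_data(f.next().unwrap_or("-"))
            .trim_start_matches('\u{FEFF}').to_string(); // optional BOM before MSG
        return Some(SyslogLine { facility, severity, rfc5424: true,
            timestamp: timestamp.to_string(), host: host.to_string(), message });
    }
    // RFC3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG (timestamp is 15 bytes)
    let timestamp = rest.get(..15)?;
    if rest.get(15..16)? != " " || timestamp.as_bytes()[3] != b' ' { return None; }
    let (host, message) = rest[16..].split_once(' ')?;
    Some(SyslogLine { facility, severity, rfc5424: false, timestamp: timestamp.to_string(),
        host: host.to_string(), message: message.trim().to_string() })
}
```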

Log Sniffing & Analysis (stackdog sniff)

  • CLI Subcommands — Multi-mode binary with stackdog serve and stackdog sniff

    • --once flag for single-pass mode
    • --consume flag to archive logs (zstd) and purge originals
    • --sources to add custom log paths
    • --ai-provider to select AI backend (openai/candle)
    • --interval for polling frequency
    • --output for archive destination
  • Log Source Discovery — Automatic and manual log source management

    • System logs (/var/log/syslog, messages, auth.log, etc.)
    • Docker container logs via bollard API
    • Custom file paths (CLI, env var, or REST API)
    • Incremental read position tracking (byte offset persisted in DB)
  • Log Readers — Trait-based reader abstraction

    • FileLogReader with byte-offset tracking and log rotation detection
    • DockerLogReader using bollard streaming API
    • JournaldReader (Linux-gated) for systemd journal
  • AI-Powered Analysis — Dual-backend log summarization

    • OpenAiAnalyzer — works with any OpenAI-compatible API (OpenAI, Ollama, vLLM)
    • PatternAnalyzer — local fallback with error/warning counting and spike detection
    • Structured LogSummary with anomaly detection (LogAnomaly, severity levels)
  • Log Consumer — Archive and purge pipeline

    • FNV hash-based deduplication
    • zstd compression (level 3) for archived logs
    • File truncation and Docker log purge
    • ConsumeResult tracking (entries archived, duplicates skipped, bytes freed)
  • Reporter — Bridges log analysis to existing alert system

    • Converts LogAnomaly results into alerts using the AlertManager infrastructure
    • Routes notifications via route_by_severity() to configured channels
    • Persists LogSummary records to database
  • REST API Endpoints

    • GET /api/logs/sources — list discovered log sources
    • POST /api/logs/sources — manually add a custom source
    • GET /api/logs/sources/{path} — get source details
    • DELETE /api/logs/sources/{path} — remove a source
    • GET /api/logs/summaries — list AI-generated summaries (filterable by source)
  • Database Tables: log_sources and log_summaries with indexes

Dependencies

  • clap = "4" (derive) — CLI argument parsing
  • async-trait = "0.1" — async trait support
  • reqwest = "0.12" (json) — HTTP client for AI APIs
  • zstd = "0.13" — log compression
  • futures-util = "0.3" — Docker log streaming

Changed

  • Refactored main.rs to dispatch serve/sniff subcommands via clap
  • Added events, rules, alerting, models modules to binary crate
  • Updated .env.sample with STACKDOG_LOG_SOURCES, STACKDOG_AI_* config vars
  • Version metadata updated to 0.2.2 across Cargo, the web package manifest, and current release documentation.

Testing

  • 80+ new tests covering all sniff modules (TDD)
    • Config: 12, Discovery: 14, Readers: 10, Analyzer: 16, Consumer: 13, Reporter: 5, Orchestrator: 3, API: 7

Planned

  • Web dashboard (React/TypeScript)
  • ML anomaly detection with Candle
  • Kubernetes support
  • Grafana integration
  • Package builds (deb, rpm)

What's Changed

Full Changelog: https://github.com/trydirect/stackdog/commits/v0.2.2