User Guide

Dashboard

The dashboard is the primary interface for viewing, searching, and exporting syslog data. It refreshes live, scales to millions of messages without slowing down, and shows you the state of your environment at a glance.

Accessing the dashboard

Open http://<server-ip>:5000 in a browser. If you've enabled HTTPS, it's also reachable at https://<server-ip>:5001. HTTP keeps running regardless of HTTPS state so you can never lock yourself out with a bad certificate.

The Windows install creates a LuceDev Syslog Dashboard Start Menu shortcut that reads the configured port from settings.json and opens the correct URL.

Layout

The dashboard is one long page with four stacked sections.

1. Severity cards

Eight cards across the top — one per syslog severity (Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug). Each card shows the count for that severity, color-coded. Click a card to filter the log table to that severity. Click the same card again to clear the filter.

When a host filter is active, the cards show counts scoped to that host.

2. Charts

Two charts side-by-side, both backed by pre-aggregated hourly data so they render instantly regardless of database size:

  • Log volume over time — bar chart of hourly log counts for the last 24 hours
  • Top hosts — bar chart of the most active syslog sources

3. Filters

The filter bar lets you narrow the log table:

  • Host — dropdown of every host that has sent at least one log
  • Severity — single-select dropdown
  • Date range — start and end date/time
  • Search — keyword search across the message text

Filters combine with AND logic and are applied as a single query.

4. Log table

Four columns:

| Column | Description |
|---|---|
| Timestamp | When the server received the message |
| Host | Source device IP or hostname |
| Severity | Parsed from the RFC 3164 priority field |
| Message | The raw syslog message |

150 logs per page. Sort by any column.

Facility is captured but not displayed

Each log also carries a facility (kern, user, mail, daemon, etc.) parsed from the priority field. It's stored and included in CSV/JSON exports, but isn't shown as a dashboard column to keep the table dense.

Keyword search uses SQLite's FTS5 full-text index with prefix matching. That means:

  • firewall matches firewall, firewalld, firewall-cmd, etc.
  • Multi-word queries are AND'd: firewall denied matches messages containing both
  • IPs and hostnames work as keywords too — 10.27.50.16 will find any message containing that string

Searches stay fast on millions of messages because they hit the FTS index instead of scanning every row.
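
The prefix and AND behaviour described above, as an added example (not LuceDev's own code): free-text input is turned into an FTS5 `MATCH` expression by quoting each term and marking it as a prefix. The table name `logs_fts`, the helper names, and the default `unicode61` tokenizer are assumptions; the sample messages are constructed.

```python
import sqlite3

# Constructed sample messages, not real log data.
SAMPLE = [
    "firewalld: zone public denied connection from 10.27.50.16",
    "firewall-cmd: reload complete",
    "sshd: accepted password for admin from 10.27.50.16",
    "kernel: firewall denied tcp 192.0.2.7 -> 10.27.50.99",
    "cron: job finished",
]

def demo_db():
    """In-memory FTS5 table (hypothetical name logs_fts) loaded with SAMPLE."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE logs_fts USING fts5(message)")
    conn.executemany("INSERT INTO logs_fts(message) VALUES (?)",
                     [(m,) for m in SAMPLE])
    return conn

def build_match(user_input):
    """Quote every whitespace-separated term and mark it as a prefix.

    Quoting makes FTS5 treat operators (AND, OR, NOT) and punctuation such
    as '.' as literal text; adjacent quoted phrases are implicitly AND'd.
    """
    return " ".join('"' + term.replace('"', '""') + '"*'
                    for term in user_input.split())

def search(conn, user_input):
    """Return matching messages in insertion order."""
    expr = build_match(user_input)
    if not expr:
        return []
    rows = conn.execute(
        "SELECT message FROM logs_fts WHERE logs_fts MATCH ? ORDER BY rowid",
        (expr,))
    return [row[0] for row in rows]

def raw_match_is_rejected(conn, user_input):
    """True if unquoted input passed straight to MATCH is a syntax error."""
    try:
        conn.execute("SELECT 1 FROM logs_fts WHERE logs_fts MATCH ?",
                     (user_input,)).fetchall()
        return False
    except sqlite3.OperationalError:
        return True
```

With this tokenizer an IP address is matched as a phrase of its four numeric tokens, with the last one treated as a prefix.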

Live refresh

The dashboard polls the server every 15 seconds and updates the table, severity cards, and charts in place — no full page reload, no scroll loss. The live-refresh indicator in the top-right shows the next refresh time.

Pagination

For deep navigation (page 100+), the log API uses cursor-based pagination that stays constant-time at any depth. The pagination controls at the bottom switch automatically to cursor mode once you scroll deep enough.

Status indicator

Top-right of every page:

  • Green dot — the syslog receiver is listening
  • The text shows the listener address (e.g. 0.0.0.0:514)

This indicator is the fastest way to confirm the service is healthy without leaving the dashboard.

Trial and license banners

When the license is in trial or grace state, a banner appears above the page content:

  • Trial: N days remaining in trial. Activate a license key.
  • Grace: License server unreachable — N days of grace remaining.

Once licensed, the banner disappears.

Export

The Export button downloads the current filtered view:

  • CSV — includes Timestamp, Host, Severity, Facility, Message
  • JSON — same fields, structured for scripting

Exports respect the active filters and date range. They're capped at 10,000 rows to keep the request fast — narrow your filters if you need more than that.

Only admin and auditor roles can export. Viewers see the button disabled.
