Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Plugin] Logs Viewer - Real-time log viewer & dashboard widget for Unraid

Featured Replies

Real-time system, Docker and VM log viewer with dashboard widget and dedicated Tools page. Log backups and system alerts.

Live auto-refresh, severity badges, search, filtering, syntax highlighting and export.

Features

Dashboard Widget with live auto-refresh and severity proportion strip

Tools Page for full-screen, focused log viewing

System Logs: Syslog, Syslog Previous, Dmesg, GraphQL API, Nginx Errors, PHP Log, Libvirt

Docker Logs with real-time running/stopped status indicators

VM Logs with real-time running/stopped status indicators

Log Backups: scheduled daily snapshots of all enabled sources, compressed and stored on a path you choose, with retention control and calendar-based download

Alerts: pattern-based rules that scan logs every 1/2/5 minutes and push notifications through Unraid's notification system when a match is found. Includes one-click presets for failed logins, disk errors, OOM, kernel panics, array errors and Docker crashes

Search: match highlighting with next/prev navigation

Filtering: by severity level (Info, Warnings, Errors, Critical) or login events

Severity Badges: clickable counters that double as quick filters

Proportion Strip: color bar in the footer showing the error/warning/info ratio at a glance

Syntax Highlighting: Highlight.js and Prism.js bundled locally, no CDN calls

Autoscroll: follows new entries as they arrive, with pause-on-hover option

Export: .log, .txt or structured .json with parsed timestamps and levels

Responsive: works from wide monitors down to phones (five breakpoints)

Theme Support: Black, Gray, Azure and White

Independent Settings: Dashboard widget and Tool page configured separately

Performance Friendly: single-source polling, content hash detection, pre-compiled regex, smart tail limits

Dashboard Screenshots:

pc-dashboard-full-settings-syntax-on.png

pc-dashboard-full-settings-syntax-on-docker.png

Tool page Screenshots:

pc-tool-page-full-settings-syntax-on.png

pc- tool-merge.png

Installation

Community Applications: search for Logs Viewer → Install

Configuration

Go to Settings > Logs Viewer after installing.

Four tabs: Dashboard, Tool, Backup and Alerts, each with their own settings.

GENERAL

Automatic Refresh: enable/disable live polling

Refresh Interval: how often to poll (seconds)

LOG DISPLAY

Appearance

Log Font Size: adjustable (default: Large)

Log Font Family: system, monospace, JetBrains Mono, Fira Code, Source Code Pro, IBM Plex Mono

Log Background Color: custom color picker

Theme Preset: color theme presets

Syntax

Syntax Highlighting: on/off

Syntax Engine: Highlight.js or Prism.js (beta)

Highlight Levels: colorize Info, Warning, Error, Critical keywords

Highlight Mode: full or keywords-only

TOOLS

Search

Search in log: enable/disable

Highlight search matches: on/off

Export

Export Format: .log / .txt / .json

Include timestamp in filename: on/off

LAYOUT

Show badges: severity counters (clickable as filters)

Show total lines: line count with pulse indicator

Show timestamp: 24-hour clock in footer

Show filter dropdown: quick severity filter in tabs rail

Show toast: notification bar in footer

Widget height: resizable

AUTOSCROLL

Autoscroll default: initial state on load

Pause on hover: stop scrolling when mouse is over the log

PERFORMANCE

Show only last N lines: 0 = full log, or 200 / 500 / 800 / 1500

LOG SOURCES

System Logs: pick which ones to show

Docker Logs: select containers (auto-discovered with status)

VM Logs: select VMs (auto-discovered with status)

Log Sources

System Logs:

Syslog (/var/log/syslog), Dmesg, Nginx Errors, GraphQL API, PHP Log, Libvirt. Selectable per page.

Docker Logs

All containers discovered automatically. Each one shows a green or red dot for its current state. Pick which ones you want to monitor.

VM Logs

All VMs discovered automatically with the same status dots.

Export Formats:

- .log : plain text

- .txt : plain text

- .json : structured with parsed timestamp, level, hostname and service per line

New Features v.2026.04.15

Log Backups:

Daily compressed backups of all enabled log sources (system, Docker, VMs) to a storage path of your choice.

Settings include:

Backup time (configurable hour)

Storage path (defaults to /mnt/user/appdata/Logs-Viewer-Backup)

Retention period (automatic cleanup of old backups)

Calendar view in the Settings page showing available dates

One-click ZIP download for any backup date

Backup directories are created with restricted permissions (700) so they are not exposed through Samba shares.

Alerts

The alert system scans log sources at regular intervals and sends notifications through Unraid's built-in notification system when a pattern match is found.

How it works:

Define rules with a name, text or regex pattern, target sources and severity level

Set a cooldown per rule to avoid repeated notifications for the same event

The scanner runs as a cron job every 1, 2 or 5 minutes depending on your setting

Matches are logged in the alert history (visible in the Settings page) and pushed as Unraid notifications

Built-in presets (one click):

Failed Login (syslog)

Disk Error (syslog, dmesg)

Out of Memory (syslog, dmesg)

Kernel Panic (syslog, dmesg)

Array Error (syslog)

Docker Crash (docker logs)

You can add your own rules on top of these.

Settings Screenshots:

pc-settings-page.png

Security Information:

CSRF nonce on every API request (hourly rotation, stored in /tmp)¹

Rate limiting: 60 requests/minute per IP

Origin validation blocks cross-origin requests

XSS sanitizer strips all span attributes except class, validates values against a character whitelist

All htmlspecialchars calls use ENT_QUOTES

INI writes strip control characters to block injection

Whitelist validators on all settings fields (interval, theme, engine, format, font size, etc.)

VM log paths checked with realpath to prevent directory traversal

Content-hash parameter validated against a strict hex regex

Alert patterns capped at 500 chars with lowered backtrack limit to prevent ReDoS

Security headers on all API responses (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy)

MD5 package integrity check on install

File permissions:

Plugin directory: 755

PHP / Page / Asset files: 644

Config file and directory: 600 / 700

Cache directory: 700

Backup directory: 700

No world-writable files

¹ Custom nonce instead of Unraid's built-in csrf_token. Keeps the API self-contained.

Requirements

Unraid 7.2.0 or later

GitHub Repository: https://github.com/Lazaros-Chalkidis/unraid-logsviewer

GitHub Profile: https://github.com/Lazaros-Chalkidis

Feedback, bug reports or feature ideas welcome here or on GitHub Issues.

Edited by Lazaros Chalkidis
Update Content and Photos for v.2026.06.06

Fantastic! Unraid should incorporate this. 👍👍

This thing causes massive network spikes every time it refreshes even when nothing has changed

image.png

And on my main system manages the incredible feat of freezing not only the browser (chrome) for about 3 seconds each time it does so (see below, I'm scroling continuously, the stops are due to it) but the entire OS (win11), can't switch windows and the mouse gets sluggish whenever the dashboard page is open.

Also why a tiny font instead of the same as everything in the UI?

Edited by Kilrah

Ooof a pretty nasty XSS vulnerability here...

All someone has to do is craft a malicious payload within an SSH username and boom.... On the next poll, the widget fetches this line, runs it through the pipeline unescaped, and writes it to innerhtml the img tag renders in the browser and onerror fires, executing the attacker's JavaScript. Anyone viewing the logs dashboard while this log line is present will have the payload execute in their browser. Since the dashboard is always viewed as root an attacker could use this to:

  • Steal the session token or cookies

  • Make credentialed API calls to the Unraid backend

  • Pivot to further compromise the server

Other injection sources beyond SSH also exist such as nginx/apache access logs log the request path and User-Agent header, so simply sending an HTTP request with a crafted path to any web service writing to a monitored log file is equally viable.

Edited by DiscoverIt

  • Author

Hi @DiscoverIt,

thank you for the detailed report, this is exactly the kind of security scrutiny a plugin should face.

I investigated the specific attack vector you described and here's what I found:

Server-side escaping (PHP) All log content system logs, Docker logs, and VM logs is passed through htmlspecialchars($text, ENT_QUOTES, 'UTF-8') before being serialized to JSON and sent to the client.

This converts <img src=x onerror=alert('XSS')> into &lt;img src=x onerror=alert('XSS')&gt; before it ever reaches the browser.

Client-side (JavaScript) The innerHTML write you identified does receive this data, but by the time it arrives it is already HTML-encoded plain text.

The highlightLevels() and applySearchHighlight() functions only inject controlled <span> tags wrapping already escaped content they never operate on raw unescaped input.

Live test: I sent a crafted payload directly to the server: curl "http://[server]/<img src=x onerror=alert('XSS')>"

The nginx error log contained no trace of the payload nginx rejected the malformed URI before it was even logged. No alert fired in the browser.

In summary: the escaping happens at the API boundary (PHP), before the data touches JavaScript.

The innerHTML usage is safe because the data arrives pre escaped. I appreciate you raising this it's a valid concern for any log viewer and worth documenting clearly.

If you were able to reproduce this in practice, I'd be happy to see a proof of concept, but based on my code review and live testing, I cannot reproduce the vulnerability you described.

I tested your exact SSH username vector. As you can see, the payload appears fully HTML escaped in the widget &lt;img src=x onerror=alert(1)&gt; no script executes!

For the record, here is the proof.

reproduce.png

Edited by Lazaros Chalkidis
Upload photo from test

  • Author

Hello @Kilrah, thank you for the detailed report and the video.

The network spikes are related to how much log data is being fetched per refresh cycle.

I noticed in your video that your syslog shows ~5000 lines. Please check your Settings and reduce the tail lines to 200-500 for the dashboard widget, this alone will dramatically reduce the data transferred per refresh and should fix the browser slowdown.

Regarding the font size — there is already a font size option in the Settings page under Log Display.

Edited by Lazaros Chalkidis

  • Author

v2026.03.16 is now available

This update focuses entirely on performance and stability, addressing the browser freezing reports some of you experienced during auto-refresh.

What's fixed:

Browser freezing on refresh: The widget now detects when log content hasn't changed and skips the entire render cycle. This was the main cause of the 3-5 second freezes reported.
Docker logs load faster: Multiple container logs are now fetched in parallel instead of one-by-one.
Reduced server load during polling: Unnecessary duplicate requests have been eliminated.
Faster line counting: Large log files are now counted using native system tools instead of PHP loops.
Improved caching: Server-side response cache is now more effective at absorbing rapid requests.
Google Fonts no longer block page load: Custom fonts now load asynchronously.
Mobile detection fix: Servers with low-core CPUs (Celeron, J-series, i3) were incorrectly treated as mobile devices, limiting syntax highlighting budgets.
Minor cosmetic fix: Single quotes in log output now display correctly.

No settings changes needed, everything is automatic. Fully backward compatible.

As always, feedback is welcome. If you were experiencing the freezing issue, please let me know if this update resolves it for you.

  • Author

v2026.03.17 is now available

This update brings several bug fixes.

Bug fixes:
• Widget no longer stops after ~1 hour: The CSRF token now auto refreshes when it expires. Previously the widget would silently stop polling.
• Reset to Defaults: now works independently per tab Resetting Tool settings no longer affects Dashboard settings and vice versa.
• Syntax selection preserved: Resetting one tab no longer clears the syntax choice on the other.
• Single quotes: in logs now display correctly.
• Cache directory permissions: corrected (0777 → 0755).

Removed:
• "Refresh only when scripts are running" option has been removed, it was ineffective for system logs and caused confusion.

Update via Community Applications or download from GitHub. Feedback welcome!

  • Author

Hey everyone,

just pushed v2026.03.21 with some important updates.

Full Theme Support

Logs Viewer now works properly with Unraid's Dark / White / Gray and Azure themes.

All UI elements adapt automatically: tabs, search box, badges, dropdowns, autoscroll toggle, syntax / filter controls, and the settings page.

The plugin detects your theme from dynamix.cfg on page load, with a JS luminance check as fallback. Syntax highlighting also picks the right stylesheet (light or dark) depending on your theme.

Theme presets (Terminal, Dim, Contrast) now have light-palette equivalents, and the color picker / Reset to Defaults behave correctly in both modes.

Security Improvements

Tightened up input handling and output sanitization across the board.

Log content now goes through an additional filtering step before being displayed, settings values are properly escaped when saved to the config file, and several settings fields now have strict validation before they're written to disk. Nothing was actively exploitable, but these changes add extra layers of protection.

Other Changes

Prism syntax engine is no longer marked as Beta. The performance guards have been stable for a while now so it didn't make sense to keep the label.

Let me know if you run into any issues, especially with the light theme.

1.png

2.png

3.png

4.png

5.png

  • Author

Update pushed today (2026.03.31).

Here's what changed:

The widget footer got a full redesign. There's now a proportion strip at the top of the footer that shows the ratio of info / warning / error / critical lines as a color bar.

Severity badges are clickable and work as quick filters. Docker and VM dropdowns show green / red dots for running / stopped state. Timestamp switched to 24-hour with an SVG clock icon.

Responsive layout is in.

Five breakpoints from 1024px down to 360px.

Header stacks on tablets, footer collapses on phones, tool page goes full width on small screens.

Tested on all four Unraid themes (Black, Gray, Azure, White) and fixed all the hardcoded colors that were breaking on light themes.

Performance side: auto-refresh now polls only the log you're viewing instead of every enabled source.

A content hash mechanism skips the full payload when nothing changed, so idle traffic is close to zero. Level highlighting went from twelve regex passes to one. Syntax libraries are bundled locally now, no more CDN calls.

Security got a pass too.

The HTML sanitizer is stricter, all settings fields have whitelist validators, INI writes strip control characters, VM log paths are checked with realpath, and security headers are on all API responses.

A bunch of fixes as well: syntax dropdown working on 7.2+, double-encoded entities in highlighted output, the diagonal hover artifact on buttons, critical badge not highlighting when selected, and login toast bleeding between dashboard and tool page.

Full changelog in the first post and on GitHub.

Let me know if you run into anything.

Screenshots:

pc-dashboard-full-settings-syntax-on-docker.png

pc-settings-page.png

  • Author

Hey everyone, v2026.04.06 is out.

Toast bar upgrade

The toast bar at the bottom of the widget now has two sections. The left side works as before (selected log, search results, login alerts, syntax warnings). The right side now shows the log file size permanently, plus live counters between polls: new lines in green, new errors in orange, new critical in red. These stay visible until the next poll brings fresh data. If you have pause on hover enabled, a "Paused" label also appears when you hover over the log panel.

Settings page

The System Logs, Docker Logs and VM Logs sections have been redesigned with a proper structured layout matching the rest of the settings page. Footer buttons (Apply, Reset, Done) and source action buttons (Select All, Deselect All, Scan) now match the Stream Viewer design. The hex color input for log background also accepts manual typing now.

Fixes

Theme preset selection (Terminal, Dim, Contrast) was broken and would always revert to Default after clicking Apply. This has been fixed. Also fixed the syntax/perf toast getting stuck after clearing a search query.

Let me know if you run into anything.

widget.png

  • Author

v2026.04.15 is out.

New Features

Syslog Previous added as a selectable system log source in Dashboard and Tool page

Three new theme presets: Midnight, Ocean and Monokai

Log Backups: scheduled daily compressed backups of all enabled sources (system, Docker, VMs) with retention control, calendar view and one-click ZIP download

Alert system: pattern-based rules that scan logs at configurable intervals and send notifications through Unraid's notification system, with built-in presets and alert history

Screenshot_10.png

Screenshot_8.png

Screenshot_11.png

Screenshot_12.png

  • 4 weeks later...

First of all, excellent plugin, thanks

On the other hand, can you make it so it can cover all the space?

imagen.png

by taking all the space available maybe you can get some ideas from dozzle like having the left panel to navigate

imagen.png,

Edited by L0rdRaiden

Another thing is more rules around security

Auditd could be enable https://forums.unraid.net/topic/197621-plugin-logs-viewer-real-time-log-viewer-dashboard-widget-for-unraid/

To keep the plugin lightweight (since Unraid runs entirely in RAM) and seamlessly integrate it with the existing PHP/WebGUI architecture, here is the complete technical blueprint for adding Sigma support, auditd, state management, and auto-updating rules.


1. Architecture: The "Pre-Compiled" Strategy

Unraid is based on Slackware, and installing Python just to run the sigma-cli converter natively is too heavy.
The Solution: Use GitHub Actions in your repository to run a daily workflow that pulls the latest SigmaHQ rules, converts them to standard PCRE Regular Expressions (using sigma-cli targeting grep/php), and outputs a sigma_rules_compiled.json file.

Your Unraid plugin will simply download this JSON file. It keeps the plugin incredibly fast and completely dependency-free.


2. Enabling auditd in Unraid

Unraid's kernel usually supports auditing (CONFIG_AUDIT=y), but the userland tools are not installed by default. You need to pull the Slackware audit package during the plugin installation.

In your .plg file, add the installation steps:

<!-- Download and install the Slackware audit package -->

<FILE Name="/boot/config/plugins/unraid-logsviewer/packages/audit-x86_64.txz" Run="upgradepkg --install-new">

<URL>https://slackware.uk/slackware/slackware64-15.0/slackware64/a/audit-3.0.1-x86_64-2.txz</URL>

</FILE>

<!-- Start auditd and load rules on boot -->

<FILE Run="/bin/bash">

<INLINE>

# Basic audit rules for Unraid (tracking executions, root actions)

cat &lt;&lt; 'EOF' &gt; /etc/audit/audit.rules

-D

-b 8192

-w /etc/passwd -p wa -k identity

-w /etc/shadow -p wa -k identity

-a always,exit -F arch=b64 -S execve -F euid=0 -k root_action

EOF

# Start the daemon

/sbin/auditd

/sbin/auditctl -R /etc/audit/audit.rules

echo "Auditd enabled and rules loaded."

</INLINE>

</FILE>

Note: This will output logs to /var/log/audit/audit.log, which you can add as a new source in your logsviewer.


3. State Management: Preventing Duplicate Scans

To avoid scanning logs you have already scanned (crucial for both scheduled and on-demand scans), you must implement a File Cursor / Bookmark system tracking the inode and byte_offset.

Create a PHP helper (cursor_manager.php) in your plugin:

<?php

$CURSOR_FILE = '/tmp/logsviewer_sigma_cursors.json';

function get_cursor($filepath) {

global $CURSOR_FILE;

if (!file_exists($CURSOR_FILE)) return ['inode' => 0, 'offset' => 0];

$cursors = json_decode(file_get_contents($CURSOR_FILE), true);

$current_inode = fileinode($filepath);

// If log was rotated, inode changes, reset offset to 0

if (isset($cursors[$filepath]) && $cursors[$filepath]['inode'] === $current_inode) {

return $cursors[$filepath];

}

return ['inode' => $current_inode, 'offset' => 0];

}

function save_cursor($filepath, $inode, $offset) {

global $CURSOR_FILE;

$cursors = file_exists($CURSOR_FILE) ? json_decode(file_get_contents($CURSOR_FILE), true) : [];

$cursors[$filepath] =['inode' => $inode, 'offset' => $offset];

file_put_contents($CURSOR_FILE, json_encode($cursors));

}

?>

Note: This will output logs to /var/log/audit/audit.log, which you can add as a new source in your logsviewer.


3. State Management: Preventing Duplicate Scans

To avoid scanning logs you have already scanned (crucial for both scheduled and on-demand scans), you must implement a File Cursor / Bookmark system tracking the inode and byte_offset.

Create a PHP helper (cursor_manager.php) in your plugin:

<?php

$CURSOR_FILE = '/tmp/logsviewer_sigma_cursors.json';

function get_cursor($filepath) {

global $CURSOR_FILE;

if (!file_exists($CURSOR_FILE)) return ['inode' => 0, 'offset' => 0];

$cursors = json_decode(file_get_contents($CURSOR_FILE), true);

$current_inode = fileinode($filepath);

// If log was rotated, inode changes, reset offset to 0

if (isset($cursors[$filepath]) && $cursors[$filepath]['inode'] === $current_inode) {

return $cursors[$filepath];

}

return ['inode' => $current_inode, 'offset' => 0];

}

function save_cursor($filepath, $inode, $offset) {

global $CURSOR_FILE;

$cursors = file_exists($CURSOR_FILE) ? json_decode(file_get_contents($CURSOR_FILE), true) : [];

$cursors[$filepath] =['inode' => $inode, 'offset' => $offset];

file_put_contents($CURSOR_FILE, json_encode($cursors));

}

?>

4. The Scanning Engine (On-Demand & Scheduled)

Since unraid-logsviewer already runs a cron job [1], you can inject this logic into the existing scanner, or expose it via an API endpoint for on-demand scanning.

Here is the core PHP logic to scan only new lines:

<?php

require_once 'cursor_manager.php';

// 1. Load compiled Sigma rules

$sigma_rules = json_decode(file_get_contents('/boot/config/plugins/unraid-logsviewer/sigma_rules_compiled.json'), true);

$log_files =['/var/log/syslog', '/var/log/dmesg', '/var/log/audit/audit.log'];

foreach ($log_files as $file) {

if (!file_exists($file)) continue;

$cursor = get_cursor($file);

$handle = fopen($file, 'r');

// Seek to the last read position instantly

fseek($handle, $cursor['offset']);

while (($line = fgets($handle)) !== false) {

// Fast matching

foreach ($sigma_rules as $rule) {

if (preg_match($rule['regex'], $line)) {

// Trigger Unraid Notification

$command = escapeshellcmd("/usr/local/emhttp/webGui/scripts/notify");

$args = "-e 'Sigma Alert' -s '{$rule['title']}' -d '{$line}' -i 'alert'";

exec("$command $args");

// Save to local alert history SQLite/JSON

log_alert($rule['title'], $line, $rule['severity']);

}

}

}

// Save new cursor position

save_cursor($file, fileinode($file), ftell($handle));

fclose($handle);

}

?>

To trigger an On-Demand scan, simply tie an AJAX POST request from the LogsViewer UI to this PHP script. Because of fseek, it will instantly process only the lines written since the last cron run, making it lightning fast.


5. Auto-Update Feature

To keep the rules up-to-date automatically, add a lightweight script (update_sigma.php) that runs daily via Unraid's /etc/cron.daily/:

<?php

$remote_url = "https://raw.githubusercontent.com/Lazaros-Chalkidis/unraid-logsviewer/main/sigma_rules_compiled.json";

$local_file = "/boot/config/plugins/unraid-logsviewer/sigma_rules_compiled.json";

$remote_content = file_get_contents($remote_url);

if ($remote_content) {

$remote_hash = md5($remote_content);

$local_hash = file_exists($local_file) ? md5_file($local_file) : '';

if ($remote_hash !== $local_hash) {

file_put_contents($local_file, $remote_content);

// Optional: Send Unraid notification that rules were updated

exec("/usr/local/emhttp/webGui/scripts/notify -e 'Logs Viewer' -s 'Sigma Rules Updated' -d 'New threat definitions downloaded' -i 'normal'");

}

}

?>

6. Extra Features to Make it Stand Out

  1. MITRE ATT&CK Badges in UI:
    Modify the Alerts tab in unraid-logsviewer to parse the tags array from the Sigma rules. Display visual badges (like T1078 - Valid Accounts or Initial Access) next to the alert in the dashboard.

  2. Severity Mapping to Unraid's Notify:
    Map Sigma rule severities directly to Unraid's notification levels.

    • Sigma low/medium -> Unraid -i 'normal'

    • Sigma high -> Unraid -i 'warning'

    • Sigma critical -> Unraid -i 'alert'

  3. Regex Timeout Guard (ReDoS Protection):
    Since unraid-logsviewer already limits backtracking limits (pcre.backtrack_limit) to prevent ReDoS (Regular Expression Denial of Service) [1], make sure you apply this same restriction via ini_set('pcre.backtrack_limit', 100000); before looping the Sigma regexes.

  4. Whitelisting/Exclusions:
    Allow users to suppress specific Sigma alerts directly from the WebGUI (e.g., clicking a "Mute Rule" button on the Alerts tab). This saves an array of muted Rule IDs to a whitelist.json file, and your PHP loop will simply continue; if the matched rule ID is in that list.

Edited by L0rdRaiden

  • Author

Hello @L0rdRaiden.

Thanks for the detailed write-up and for taking the time to put all this together, it's genuinely appreciated. I've gone through each section and want to share where I land, what makes sense to adopt, and what doesn't fit the direction of the plugin.

On the layout

You're right about the width. The panel height is already user-adjustable by dragging the bottom-right corner, but wider monitors could definitely benefit from better use of horizontal space. I'll add an optional Wide mode toggle in the settings.

On the SigmaHQ corpus and pre-compiled pipeline (section 1)

The pre-compile pipeline is the delivery mechanism for the SigmaHQ corpus, so the decision is really about whether to adopt those rules at all. I'd rather not, and the reason is signal quality rather than feasibility.

The Sigma project itself is upfront about this. The official rule specification defines an experimental status as a rule that could lead to false positives results or be noisy, and the level field documentation notes that even high and critical rules indicate an incident if not a false positive. Industry guidance from major Sigma users is consistent. SOC Prime explicitly warns that deploying all rules at once without testing is a recipe for disaster, and LimaCharlie notes that community rules are often broad by design and will fire on benign system activity in production environments.

The corpus also skews heavily Windows. Of the roughly 3,100 rules currently in the SigmaHQ repository, around 2,400 (about 77%) target Windows, while only 209 (about 7%) target Linux. Within that Linux subset, 121 rules require process creation telemetry (Sysmon for Linux, auditd-based, or similar collectors that Unraid doesn't run by default) and 53 require auditd directly. Only the 22 builtin rules use a generic Linux logsource that could plausibly match plain syslog content as LogsViewer reads it. The remaining file-event and network-connection rules need their own telemetry sources. The grep backend that this proposal targets is also positioned in Sigma's own docs as useful for ad-hoc searching on a single host rather than as a primary production detection path. Compiling field-based rules through it flattens them to substring or regex matching on unstructured text and loses much of the precision that makes Sigma valuable in its native environment.

So what shipping this would mean in practice for an Unraid install is: maybe a couple of dozen rules that actually fire on something the system produces, embedded in a much larger set that either does not apply or fires on benign activity, with no per-environment tuning, presented to an audience that is mostly home NAS users rather than SOC analysts. That erodes trust faster than the catches earn it back, especially given that LogsViewer is not currently positioned as a security plugin.

The pipeline itself isn't the issue, there's just nothing I want to put through it.

On bundling auditd (section 2)

I'd rather not bundle and manage auditd within LogsViewer. A few specific concerns with the snippet as written.

The package URL is pinned to slackware64-15.0, which is the Slackware base for Unraid 6.12.x. Unraid 7.x is built on Slackware current, which has a different glibc and Python (3.12 vs 3.9 on Slackware 15). The 15.0 audit package will either fail to install or install with library mismatches on 7.x, and will break again the next time the base shifts.

The proposed audit.rules starts with the D flag, which silently deletes every audit rule already loaded on the system. Any user-configured rules disappear without warning on every boot.

The default rule set is heavy on Unraid. Logging every execve under euid 0 means cron, plugins, Docker daemon activity, array event hooks, and so on all get recorded. Without per-deployment tuning the audit log fills quickly.

If auditd integration is worth doing as a feature in its own right, it belongs in a separate opt-in plugin where it is the headline.

One small clarification on your closing note. /var/log/audit/audit.log cannot actually be added as a new source in LogsViewer today. The system source list is hardcoded (syslog, dmesg, graphql-api.log, nginx-error, phplog, libvirt), and there is no settings path for arbitrary log files. That is a gap I want to close anyway, by adding user-configurable custom log paths. Once that lands, anyone running auditd separately can point LogsViewer at the audit log in one line.

On the cursor and state management system (section 3)

Good catch. Byte offset tracking is already in place in logsviewer-alerts-scan.php, but you're right on two real shortcomings. The offsets file lives at /tmp/logsviewer_cache/alert_offsets.json, and /tmp is tmpfs on Unraid, so the cursor state is lost on reboot. The cursor is also offset only, with no inode tracking. On log rotation, fseek to the saved offset can either skip lines silently or land past the end of the new file. Both will be implemented.

On the scanning engine (section 4)

Agreed. Adding a Scan Now button on the Alerts tab via AJAX is a clean addition. Since the scanner is already cursor-based, it will remain fast even when triggered manually.

On auto-updates (section 5)

Falls away with the Sigma decision above.

On the extras (section 6)

ReDoS protection is already in place. The scanner sets pcre.backtrack_limit around preg_match calls. Severity mapping to Unraid notify icons is already wired up (critical to alert, warning to warning, default to normal). Mute Rule is not in place today. I want to add it from the Alert History view, with muted IDs persisted and checked at the top of the scan loop. MITRE ATT&CK badges are a good idea. Since they depend on tags, I'll implement them via an optional Tags field in the rule editor. Users (or future curated packs) can tag their own rules with MITRE technique IDs, and the UI renders the badges in the alert history.

Summary of what I'll implement for the next update:

1. Persistent cursor storage with inode tracking for log rotation

2. User-configurable custom log paths

3. Scan Now button on the Alerts tab

4. Mute Rule action from the Alert History view

5. Optional Tags field on rules with MITRE-style badges

6. Wide mode toggle for the log viewer

Your write-up surfaced a couple of real improvements to the existing scanner that I might have otherwise missed. Thanks again, feedback like this is very valuable.

  • 4 weeks later...
  • Author

v2026.06.06 is out

This release is a big one. The Tool page has been completely rebuilt into a full log viewer, and there are new tools on the Alerts side plus a lot of polish across the plugin.

Fixed

Apostrophes and other characters in log lines no longer show as raw codes like &amp;#039;.

The Tool page no longer shows an "HTTP 403" error after being left idle.

Merge mode now orders lines from different sources correctly by time.

On a fresh install, Dmesg no longer appears with a "log not found" error; empty (0 B) logs are now hidden from the very first load.

Docker container log sizes are detected reliably, so the source pickers no longer grey out valid containers.

The alert mute menu no longer gets cut off at the bottom of the list.

The whole Tool page now fits on screen without page scrolling.

New Features

Rebuilt Tool page: a full-screen log viewer with a sidebar listing all your sources (System logs, Docker containers, VMs, and custom logs), grouped together with a status dot and the file size next to each one.

Live tailing: the open log updates on its own. Pick the refresh rate (3, 5, 10 or 20 seconds) in settings. Hovering over the log pauses updates so lines do not scroll away while you are reading.

Severity filtering: click the Info / Warnings / Errors / Critical pills to show only that level, and use the Filter dropdown for "and above" levels.

Merge mode: pick two or more sources to see them combined in one stream, ordered by time.

Search box in the footer to filter the current log as you type.

Right-click a line to copy it or to filter the log on the selected text.

Download button to save the current log as plain text, JSON or CSV (format is chosen in settings).

Custom log paths: add any log file under /var/log, /mnt/user or /mnt/cache, and it becomes available everywhere (Tool page, widget, Alerts and Backup).

Alerts: a Scan Now button for on-demand scans, the option to mute a rule for 1 hour / 24 hours / 7 days / forever, and tags on rules with a built-in MITRE ATT&CK technique picker.

Log font size setting (Default or Large) for the Tool page.

Improvements

Settings and Tool pages now use the full width of large 2K and 4K monitors instead of leaving big empty margins.

Tidier Settings footer with Support Forum, GitHub Issues and Credits links in one row.

Stopped Docker containers and VMs now show a red dot, matching the dashboard widget.

Sidebar dots now always reflect the source state and no longer change colour when you click a source.

Alternating row shading in the log makes long lines easier to follow.

Consistent "Docker Containers" wording across the whole plugin.

Alert tracking now survives reboots and log rotation, so you do not get duplicate or missed alerts.

One consistent button style across the Tool page.

Tool page Screenshots:

pc-tool-page-full-settings-syntax-on.png

pc- tool-merge.png

Probably one of the most useful plugins. The alert system is the best feature

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.