Skill · quality 0.45

pilot-log-analytics-setup

Deploy a log analytics system with 4 agents for collection, parsing, alerting, and visualization. Use this skill when: 1. User wants to set up centralized log collection with parsing, anomaly detection, and dashboards 2. User is configuring agents for log aggregation, error patt

Price: free
Protocol: skill
Verified: no

What it does

Log Analytics Setup

Deploy 4 agents: collector, parser, alerter, and dashboard.

Roles

| Role | Hostname | Skills | Purpose |
| --- | --- | --- | --- |
| collector | <prefix>-collector | pilot-stream-data, pilot-archive, pilot-compress | Aggregates logs from servers, containers, apps; normalizes formats |
| parser | <prefix>-parser | pilot-event-filter, pilot-task-router, pilot-dataset | Extracts structured fields, parses stack traces, identifies patterns |
| alerter | <prefix>-alerter | pilot-alert, pilot-metrics, pilot-cron | Detects log spikes, error rate anomalies, fires alerts |
| dashboard | <prefix>-dashboard | pilot-webhook-bridge, pilot-slack-bridge, pilot-announce | Search, visualization, drill-down, and report generation |

Setup Procedure

Step 1: Ask the user which role this agent should play and what prefix to use.

Step 2: Install the skills for the chosen role:

# For collector:
clawhub install pilot-stream-data pilot-archive pilot-compress
# For parser:
clawhub install pilot-event-filter pilot-task-router pilot-dataset
# For alerter:
clawhub install pilot-alert pilot-metrics pilot-cron
# For dashboard:
clawhub install pilot-webhook-bridge pilot-slack-bridge pilot-announce

Step 3: Set the hostname:

pilotctl --json set-hostname <prefix>-<role>

Step 4: Write the setup manifest:

mkdir -p ~/.pilot/setups
cat > ~/.pilot/setups/log-analytics.json << 'MANIFEST'
<INSERT ROLE MANIFEST FROM BELOW>
MANIFEST

Step 5: Tell the user to initiate handshakes with direct communication peers.

Manifest Templates Per Role

collector

{
  "setup": "log-analytics", "setup_name": "Log Analytics",
  "role": "collector", "role_name": "Log Collector",
  "hostname": "<prefix>-collector",
  "description": "Aggregates logs from servers, containers, and applications. Normalizes formats.",
  "skills": {"pilot-stream-data": "Ingest log streams from multiple sources in real time.", "pilot-archive": "Archive raw logs for retention and forensic analysis.", "pilot-compress": "Compress high-volume log batches before transmission."},
  "peers": [{"role": "parser", "hostname": "<prefix>-parser", "description": "Receives raw normalized logs"}],
  "data_flows": [{"direction": "send", "peer": "<prefix>-parser", "port": 1002, "topic": "raw-log", "description": "Raw normalized logs from all sources"}],
  "handshakes_needed": ["<prefix>-parser"]
}

parser

{
  "setup": "log-analytics", "setup_name": "Log Analytics",
  "role": "parser", "role_name": "Log Parser",
  "hostname": "<prefix>-parser",
  "description": "Extracts structured fields, parses stack traces, identifies error patterns.",
  "skills": {"pilot-event-filter": "Filter noise, deduplicate, and normalize log events.", "pilot-task-router": "Route logs to specialized parsers by source type and format.", "pilot-dataset": "Store extracted patterns and structured fields for search."},
  "peers": [{"role": "collector", "hostname": "<prefix>-collector", "description": "Sends raw logs"}, {"role": "alerter", "hostname": "<prefix>-alerter", "description": "Receives parsed events"}],
  "data_flows": [{"direction": "receive", "peer": "<prefix>-collector", "port": 1002, "topic": "raw-log", "description": "Raw normalized logs from all sources"}, {"direction": "send", "peer": "<prefix>-alerter", "port": 1002, "topic": "parsed-event", "description": "Parsed events with structured fields and severity"}],
  "handshakes_needed": ["<prefix>-collector", "<prefix>-alerter"]
}

alerter

{
  "setup": "log-analytics", "setup_name": "Log Analytics",
  "role": "alerter", "role_name": "Anomaly Alerter",
  "hostname": "<prefix>-alerter",
  "description": "Detects log spikes, error rate anomalies, and novel error patterns. Fires alerts.",
  "skills": {"pilot-alert": "Fire alerts when error rates or log volumes breach thresholds.", "pilot-metrics": "Compute baseline rates, trend comparisons, and anomaly scores.", "pilot-cron": "Run scheduled anomaly scans over rolling time windows."},
  "peers": [{"role": "parser", "hostname": "<prefix>-parser", "description": "Sends parsed events"}, {"role": "dashboard", "hostname": "<prefix>-dashboard", "description": "Receives anomaly alerts"}],
  "data_flows": [{"direction": "receive", "peer": "<prefix>-parser", "port": 1002, "topic": "parsed-event", "description": "Parsed events with structured fields"}, {"direction": "send", "peer": "<prefix>-dashboard", "port": 1002, "topic": "anomaly-alert", "description": "Anomaly alerts with context and baseline comparisons"}],
  "handshakes_needed": ["<prefix>-parser", "<prefix>-dashboard"]
}

dashboard

{
  "setup": "log-analytics", "setup_name": "Log Analytics",
  "role": "dashboard", "role_name": "Log Dashboard",
  "hostname": "<prefix>-dashboard",
  "description": "Provides search, visualization, and drill-down into log data. Generates reports.",
  "skills": {"pilot-webhook-bridge": "Forward reports to external dashboards and monitoring tools.", "pilot-slack-bridge": "Post log health summaries and critical alerts to Slack.", "pilot-announce": "Broadcast periodic log health reports to subscribers."},
  "peers": [{"role": "alerter", "hostname": "<prefix>-alerter", "description": "Sends anomaly alerts"}],
  "data_flows": [{"direction": "receive", "peer": "<prefix>-alerter", "port": 1002, "topic": "anomaly-alert", "description": "Anomaly alerts with context and baselines"}, {"direction": "send", "peer": "external", "port": 443, "topic": "log-report", "description": "Log reports to dashboards and Slack channels"}],
  "handshakes_needed": ["<prefix>-alerter"]
}

Data Flows

  • collector -> parser : raw-log events from all sources (port 1002)
  • parser -> alerter : parsed-event with structured fields and severity (port 1002)
  • alerter -> dashboard : anomaly-alert with context and baselines (port 1002)
  • dashboard -> external : log-report via webhooks and Slack (port 443)
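Added example, not part of the original skill: before running the handshakes, the four role manifests can be checked against each other so that every send has a matching receive on the same topic and port, handshakes cover exactly the peers that carry a data flow, and nothing leaves the setup except the dashboard's port-443 report. The prefix "acme", the helper names and the reduced sample manifests are assumptions made for the example.

```python
# Added example: audits role manifests against the data-flow topology.
ALLOWED_EGRESS = {("external", 443)}  # the dashboard's log-report flow

def flow(direction, peer, topic, port=1002):
    return {"direction": direction, "peer": peer, "port": port, "topic": topic}

def sample(prefix="acme"):
    """Constructed input: the four templates reduced to the audited fields."""
    c, p, a, d = (f"{prefix}-{r}" for r in ("collector", "parser", "alerter", "dashboard"))
    return [
        {"hostname": c, "handshakes_needed": [p],
         "data_flows": [flow("send", p, "raw-log")]},
        {"hostname": p, "handshakes_needed": [c, a],
         "data_flows": [flow("receive", c, "raw-log"), flow("send", a, "parsed-event")]},
        {"hostname": a, "handshakes_needed": [p, d],
         "data_flows": [flow("receive", p, "parsed-event"), flow("send", d, "anomaly-alert")]},
        {"hostname": d, "handshakes_needed": [a],
         "data_flows": [flow("receive", a, "anomaly-alert"),
                        flow("send", "external", "log-report", 443)]},
    ]

def audit(manifests):
    """Return findings; an empty list means the manifests agree with each other."""
    by_host = {m["hostname"]: m for m in manifests}
    findings = []
    for host, m in by_host.items():
        internal = set()
        for f in m["data_flows"]:
            peer = f["peer"]
            if peer not in by_host:  # leaves the setup: must be on the allow-list
                if (peer, f["port"]) not in ALLOWED_EGRESS:
                    findings.append(f"{host}: flow with {peer}:{f['port']} outside the setup")
                continue
            internal.add(peer)
            mirror = "receive" if f["direction"] == "send" else "send"
            if not any(g["direction"] == mirror and g["peer"] == host
                       and (g["topic"], g["port"]) == (f["topic"], f["port"])
                       for g in by_host[peer]["data_flows"]):
                findings.append(f"{host}: {f['direction']} {f['topic']} has no matching {mirror} on {peer}")
        declared = set(m["handshakes_needed"])
        findings += [f"{host}: handshake with {x} but no data flow" for x in sorted(declared - internal)]
        findings += [f"{host}: data flow with {x} but no handshake" for x in sorted(internal - declared)]
    return findings

if __name__ == "__main__":
    tampered = sample()
    tampered[3]["handshakes_needed"].append("acme-collector")  # trust beyond need
    print(audit(sample()), audit(tampered))
```

The full manifests written in Step 4 carry the same hostname, data_flows and handshakes_needed keys, so they can be loaded with json.load and passed to audit() once <prefix> has been substituted.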

Handshakes

# collector <-> parser:
pilotctl --json handshake <prefix>-parser "setup: log-analytics"
pilotctl --json handshake <prefix>-collector "setup: log-analytics"
# parser <-> alerter:
pilotctl --json handshake <prefix>-alerter "setup: log-analytics"
pilotctl --json handshake <prefix>-parser "setup: log-analytics"
# alerter <-> dashboard:
pilotctl --json handshake <prefix>-dashboard "setup: log-analytics"
pilotctl --json handshake <prefix>-alerter "setup: log-analytics"

Workflow Example

# On collector -- publish raw log:
pilotctl --json publish <prefix>-parser raw-log '{"source":"nginx-prod-01","level":"error","message":"upstream timed out"}'
# On parser -- publish parsed event:
pilotctl --json publish <prefix>-alerter parsed-event '{"pattern_id":"NGINX-TIMEOUT-001","level":"error","occurrences_1h":47}'
# On alerter -- publish anomaly alert:
pilotctl --json publish <prefix>-dashboard anomaly-alert '{"alert_id":"ALR-7829","type":"error_spike","severity":"critical","current_rate":47,"baseline_rate":3}'
# On dashboard -- publish log report:
pilotctl --json publish <prefix>-dashboard log-report '{"period":"2026-04-09T15:00Z/PT1H","errors":1290,"anomalies_detected":2}'

Dependencies

Requires pilot-protocol skill, pilotctl binary, clawhub binary, and a running daemon.

Capabilities

skill, source-teoslayer, skill-pilot-log-analytics-setup, topic-agent-skills, topic-ai-agents, topic-clawhub, topic-networking, topic-openclaw, topic-overlay-network, topic-p2p, topic-pilot-protocol

Quality

0.45 / 1.00

deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 6 github stars · SKILL.md body (7,348 chars)

Provenance

Indexed from: github
Enriched: 2026-05-18 19:14:57Z · deterministic:skill-github:v1 · v1
First seen: 2026-05-18
Last seen: 2026-05-18
