🌊 Logtide 0.6.0

[Polliog]

The Privacy & Power User Update

This release brings enterprise-grade privacy controls, powerful keyboard navigation, and comprehensive host security monitoring - making Logtide faster to use and safer by default.

---

✨ What's New

🔒 PII Masking at Ingestion

Automatic sensitive data protection before storage - your logs never touch disk unmasked.

• Built-in patterns: Detects emails, credit cards, phone numbers, SSNs, IP addresses, API keys
• Smart field scanning: Automatically masks values in password, token, secret, authorization fields
• Custom rules: Define org-level or project-level regex patterns for your specific needs
• Three masking strategies:
  • mask - Partial masking: u***@domain.com
  • redact - Full redaction: [REDACTED_EMAIL]
  • hash - SHA-256 with per-org salt: [HASH:abc123...]
• Settings UI: /dashboard/settings/pii-masking with rule management and live test panel
• Zero-cost when disabled: Cache hit ~0.001ms, returns immediately when no rules enabled
• GDPR-compliant: Data never stored unmasked, built-in rules disabled by default (opt-in)

⌨️ Keyboard Shortcuts for Power Users (#42)

Navigate and control Logtide without touching your mouse.

• Command Palette (Ctrl/Cmd+K): Fuzzy search over pages and quick actions
• Help Modal (?): Complete shortcut reference with platform-aware keys (⌘ on Mac, Ctrl on Windows)
• Sequence Navigation (G then D/S/A/P/T/E/R/X): GitHub-style two-key navigation
  • G D → Dashboard
  • G S → Logs
  • G A → Alerts
  • G P → Projects
  • G T → Traces
  • G E → Security
  • G R → Errors
  • G X → Settings
• Search Page Shortcuts:
  • / - Focus search input
  • J/K - Navigate logs with visual highlight
  • Enter - Expand/collapse selected log
  • R - Refresh results
• Global Shortcuts:
  • Ctrl/Cmd+/ - Go to search
  • Ctrl/Cmd+B - Toggle sidebar
  • Escape - Close modals
• Discoverability: First-time toast notification, shortcut hints in command palette
• Input-aware: Shortcuts suppressed when typing in inputs, textareas, or comboboxes

🛡️ Host Security Detection Packs

15 pre-built rules for host-based security monitoring, all MITRE ATT&CK mapped.

• Antivirus & Malware Pack (antivirus-malware):

  • Malware detection (ClamAV FOUND patterns)
  • AV scan failures
  • Webshell in web directories (compound condition)
  • Outdated virus signatures
  • Quarantine/removal failures

• Rootkit Detection Pack (rootkit-detection):

  • Rootkit identification (rkhunter/chkrootkit)
  • Hidden processes
  • System binary tampering (checksum mismatch)
  • Suspicious kernel modules
  • Promiscuous network interfaces

• File Integrity Monitoring Pack (file-integrity):

  • Critical system file changes (/etc/passwd, /etc/shadow, /boot)
  • SSH config modifications
  • Web directory file changes
  • Cron job tampering
  • Mass file changes (ransomware indicator)

All rules use logsource.product: linux for proper scoping and compound conditions to reduce false positives.

📊 Admin Dashboard Revision

Complete redesign of the admin panel for platform-level observability.

• Dashboard home:

  • 4 health status cards (system health, ingestion rate, active issues, total logs)
  • Platform activity chart (24h timeline of logs/detections/spans)
  • 8 stat cards (users, orgs, projects, ingestion, alerts, queues, database, redis)
  • Top organizations and projects tables

• System Health page (/dashboard/admin/system-health):

  • Database/connection pool/Redis diagnostics
  • Database tables overview
  • TimescaleDB compression stats with progress bars
  • Continuous aggregates health with staleness indicators
  • Storage & performance metrics
  • Worker queue details

• Slow queries monitoring:

  • Active running queries table (from pg_stat_activity) with duration color-coding
  • Historical slowest queries table (from pg_stat_statements)

📈 Rate-of-Change Alerts

Baseline-based anomaly detection - trigger when log volume deviates from historical patterns.

• 4 baseline methods:
  • same_time_yesterday
  • same_day_last_week
  • rolling_7d_avg (default)
  • percentile_p95
• Anti-spam: Sustained check, cooldown period (60min default), minimum baseline guard
• Smart defaults: 3x deviation multiplier, 10min baseline, 5min sustained check
• Email subject: [Anomaly] rule — Nx above baseline (vs [Alert] for threshold)
• Webhook payload: Includes baseline_metadata and event_type: "anomaly"
• History display: "Anomaly" badge with baseline metadata (current rate vs baseline, deviation ratio)

📍 Timeline Event Markers

Visual indicators showing when alerts or security detections occurred.

• Scatter circle markers overlaid on the Logs Timeline chart
• Red circles for alert triggers, purple for security detections
• Larger markers when both occur in same hour
• Hover tooltip shows alert rule names, log counts, and detection severity breakdown
• "Events" toggle in legend to show/hide markers
• Graceful degradation: chart unchanged when no events exist

🔔 Version Update Notifications

Admin dashboard banner that checks GitHub releases for new versions.

• Backend endpoint proxies GitHub Releases API with 6-hour cache
• Compares current version against latest stable and beta releases using semver
• Release channel setting (stable / beta) configurable from Admin Settings
• Blue "Update available" banner with direct link to release, or green "Up to date" indicator

---

🔧 Improvements

Enhanced Error Handling

• Client errors returning 500 instead of 4xx: Multiple API routes now properly return 400 Bad Request for invalid input

  • Global error handler detects Fastify validation errors
  • SIEM routes (10 endpoints) now return 400 with validation details
  • Exceptions routes (8 endpoints) fixed
  • OTLP content-type parsers now set statusCode: 400 for decompression errors

• Client errors (4xx) logged as ERROR: Now 4xx errors logged as warn, 5xx as error

  • Added skipPaths to avoid logging noise from ingestion endpoints

UI Improvements

• Charts not resizing on sidebar toggle: Replaced window.resize listener with ResizeObserver on chart containers

  • Affects: LogsChart, TimelineWidget, SeverityPieChart, MitreHeatmap, ServiceMap, PreviewTimeline

• Notification click navigating to wrong organization: Now auto-switches to the notification's organization before navigating

Admin Panel Consistency

• Added admin guard (is_admin check + redirect) to Users, Organizations, and Auth Providers pages
• Replaced unsafe click-to-confirm delete patterns with proper AlertDialog confirmation modals
• Replaced browser confirm() with AlertDialog
• Fixed window.location.href navigation with SvelteKit goto()
• Fixed Svelte 4 authStore.subscribe() pattern to use reactive $authStore

---

🐛 Bug Fixes

• Sigma API missing tags and MITRE fields: getSigmaRules and getSigmaRuleById now include tags, mitreTactics, and mitreTechniques in responses
• Log Context metadata expanding dialog infinitely: Added max-w-full to <pre> blocks and overflow-hidden to log entry containers
• Email logo not rendering in some clients: Switched from .svg to .png for Outlook/Gmail compatibility
• Continuous Aggregates showing "Refresh: unknown": Fixed backend query reading schedule_interval from correct column
• HealthStats type mismatch: Frontend now uses 'healthy'|'degraded'|'down' status values matching backend
• UI layout fixes: Fixed Badge components stretching to fill container width in alert history detection cards

---

⚡ Performance

PII Masking Optimizations

• Zero-cost when disabled: Cache hit is a single Map.get() + timestamp check (~0.001ms)
• Compiled regex reuse: Uses lastIndex = 0 reset instead of new RegExp() per string
  • Eliminates ~6000 object allocations per 1000-log batch
• Hot path allocation reduction: Ingestion path skips path-tracking arrays, uses Object.keys() instead of Object.entries()
• Credit card regex rewrite: Replaced greedy backtracking-prone pattern with specific issuer prefixes
• Early exit for simple messages: Skips all regex evaluation for strings <6 chars or containing only [a-zA-Z0-9 _-]
• In-memory rule cache: 5-min TTL per org+project combination, invalidated on CRUD operations
• ReDoS protection: Custom regex patterns validated with safe-regex2, quantifiers capped at 100

---

📦 Upgrade Guide

Standard upgrade

docker compose pull
docker compose up -d

Database migrations

This release includes 2 new migrations:

• 021_add_pii_masking - Adds pii_masking_rules and organization_pii_salts tables
• 022_add_rate_of_change_alerts - Adds columns to alert_rules and baseline_metadata to alert_history

Migrations run automatically on startup.

---

Full Changelog: v0.5.0...v0.6.0