fix: implement persistent alert logging and reduce log noise

leos565 · leos565 · commit 523aa07c8e5f · 2026-02-25T21:37:23.000+02:00
diff --git a/deploy/dashboard/app.py b/deploy/dashboard/app.py
@@ -49,8 +49,8 @@
 
 BLOCK_LOG_PATHS = [
     "/var/log/clawedr.log",
-    "/tmp/clawedr_log_tailer.log",
     os.path.expanduser("~/Library/Logs/clawedr.log"),
+    "/tmp/clawedr_log_tailer.log",
 ]
 
 _BLOCK_LINE_RE = re.compile(
@@ -83,7 +83,7 @@ def _find_openclaw() -> Optional[str]:
     return None
 
 
-def _parse_log_lines(max_lines: int = 200) -> list[dict]:
+def _parse_log_lines(max_lines: int = 1000) -> list[dict]:
     """Parse recent BLOCKED entries from the log files."""
     alerts: list[dict] = []
     for log_path in BLOCK_LOG_PATHS:
diff --git a/deploy/install.sh b/deploy/install.sh
@@ -199,6 +199,11 @@ install_macos() {
     mkdir -p "$CLAWEDR_DIR/dashboard/templates"
     mkdir -p "/etc/clawedr"
     chmod 777 "/etc/clawedr" || true
+    
+    # Initialize persistent log file with wide permissions
+    touch "/var/log/clawedr.log"
+    chmod 666 "/var/log/clawedr.log" || true
+    
     cp "$tmpdir/clawedr.sb"              "$CLAWEDR_DIR/"
     cp "$tmpdir/log_tailer.py"           "$CLAWEDR_DIR/"
     cp "$tmpdir/apply_macos_policy.py"   "$CLAWEDR_DIR/"
@@ -257,6 +262,11 @@ install_linux() {
     mkdir -p "$CLAWEDR_DIR/dashboard/templates"
     mkdir -p "/etc/clawedr"
     chmod 777 "/etc/clawedr" || true
+    
+    # Initialize persistent log file with wide permissions
+    touch "/var/log/clawedr.log"
+    chmod 666 "/var/log/clawedr.log" || true
+    
     cp "$tmpdir/compiled_policy.json" "$CLAWEDR_DIR/"
     cp "$tmpdir/bpf_hooks.c"         "$CLAWEDR_DIR/"
     cp "$tmpdir/monitor.py"          "$CLAWEDR_DIR/"
diff --git a/deploy/linux/monitor.py b/deploy/linux/monitor.py
@@ -201,7 +201,7 @@ def _print_event(cpu, data, size):
             # This is when deny_rules must run — at enter, cmdline was still the shell.
             matched_rule = _check_deny_rules(ns_pid, comm, filename)
             if not matched_rule:
-                logger.info(
+                logger.debug(
                     "[observed] pid=%d uid=%d comm=%s file=%s",
                     ns_pid, event.uid, comm, filename,
                 )
diff --git a/deploy/macos/log_tailer.py b/deploy/macos/log_tailer.py
@@ -27,6 +27,7 @@
 from shared.user_rules import get_custom_rules, USER_RULES_PATH
 
 logger = logging.getLogger("clawedr.log_tailer")
+block_logger = logging.getLogger("clawedr.blocked")
 
 # Subsystem for macOS Console.app filtering (e.g. predicate: subsystem == "com.clawedr.shield")
 OSLOG_SUBSYSTEM = "com.clawedr.shield"
@@ -39,6 +40,7 @@
     "CLAWEDR_SB_PATH", "/usr/local/share/clawedr/clawedr.sb"
 )
 POLL_INTERVAL = int(os.environ.get("CLAWEDR_POLL_INTERVAL", "10"))
+BLOCK_LOG_FILE = "/var/log/clawedr.log"
 
 # Regex to extract blocked path/process from sandbox violation log lines
 _DENY_RE = re.compile(r"deny\(?\d*\)?\s+([\w\-\*]+)\s+(.*)", re.IGNORECASE)
@@ -114,7 +116,7 @@ def tail_sandbox_log():
                 if len(seen_events) > 5000:
                     seen_events.clear()
 
-                logger.info("SANDBOX EVENT: %s", line)
+                logger.debug("SANDBOX EVENT: %s", line)
 
                 # Try to extract what was denied and dispatch an alert
                 match = _DENY_RE.search(line)
@@ -150,7 +152,7 @@ def tail_sandbox_log():
                         continue
 
                     # Log the blocked event in the format expected by the dashboard
-                    logger.warning("BLOCKED [%s] action=%s target=%s", rule_id, action, target)
+                    block_logger.warning("BLOCKED [%s] action=%s target=%s", rule_id, action, target)
 
                     dispatch_alert_async(
                         rule_id=rule_id,
@@ -226,6 +228,17 @@ def _configure_logging() -> None:
     stream.setFormatter(fmt)
     root.addHandler(stream)
 
+    # Dedicated alert logging to /var/log/clawedr.log (persistent)
+    block_logger.setLevel(logging.WARNING)
+    block_logger.propagate = False
+    block_logger.addHandler(stream) # Also log to stderr for visibility in /tmp log
+    try:
+        block_fh = logging.FileHandler(BLOCK_LOG_FILE)
+        block_fh.setFormatter(fmt)
+        block_logger.addHandler(block_fh)
+    except PermissionError:
+        logger.warning("Cannot write to %s — block file logging disabled", BLOCK_LOG_FILE)
+
     try:
         import pyoslog
         if pyoslog.is_supported():

Original file line number	Diff line number	Diff line change
`@@ -201,7 +201,7 @@ def _print_event(cpu, data, size):`
`201`	`201`	`# This is when deny_rules must run — at enter, cmdline was still the shell.`
`202`	`202`	`matched_rule = _check_deny_rules(ns_pid, comm, filename)`
`203`	`203`	`if not matched_rule:`
`204`		`- logger.info(`
	`204`	`+ logger.debug(`
`205`	`205`	`"[observed] pid=%d uid=%d comm=%s file=%s",`
`206`	`206`	`ns_pid, event.uid, comm, filename,`
`207`	`207`	`)`