OpenClaw Logs: AI-Powered Infrastructure Monitoring for Proxmox

Running a home lab with 18 LXC containers on Proxmox means thousands of log lines per hour — and critical errors buried in noise. OpenClaw Logs is an infrastructure monitoring system I built that collects, enriches, and analyzes logs from every container and the host, then alerts on anomalies via Telegram. The stack combines Fluent Bit for collection, a custom Lua enrichment filter, VictoriaLogs for storage, and an AI agent that continuously monitors for errors and patterns.

OpenClaw Logs: The Problem

A Proxmox host running 18 containers (DNS filtering, MQTT broker, Zigbee bridge, password manager, reverse proxy, automation engines, monitoring tools) generates a constant stream of logs. Without centralized collection, you’re SSH-ing into each container to check journalctl when something breaks. OpenClaw Logs centralizes everything into a single queryable store with intelligent alerting.

Architecture Overview

  • Collection: Fluent Bit agents on each host, reading systemd journal entries and forwarding to the central store
  • Enrichment: Custom Lua filter that classifies log levels, extracts structured data from JSON logs (Pino, Bunyan, Rocket.Chat), and drops noise
  • Storage: VictoriaLogs v1.48.0 — purpose-built log database with 90-day retention, 5 GB cap, and LogsQL query language
  • Visualization: Grafana dashboards for real-time monitoring
  • Alerting: AI agent that queries error logs every heartbeat and sends Telegram alerts for anomalies
  • Access: Cloudflare Tunnel for secure remote access without exposed ports

This is the same data pipeline architecture I implement for enterprise systems — collect, transform, store, analyze.

Fluent Bit Collection Pipeline

Fluent Bit runs on the Proxmox host and reads systemd journal entries from all containers. The custom Lua enrichment filter handles the transformation layer:

  • Noise filtering: Drops known noisy apps (sd-pam, systemd-logind, sshd-session) that generate thousands of useless entries
  • Level classification: Maps syslog PRIORITY (0-7) to error/warn/info/debug levels
  • JSON log parsing: Detects JSON-formatted messages and extracts structured fields (msg, level, name, errmsg)
  • Pino/Bunyan support: Numeric log levels (10=debug, 30=info, 40=warn, 50=error) automatically mapped
  • Heuristic upgrade: If a message contains “error” or “fatal” keywords but was classified as info, the level gets upgraded
  • Metadata enrichment: Every log entry gets hostname, app name, normalized level, and job type

One-Command Deployment

Adding a new server to monitoring takes one command, which downloads the install script over HTTPS and runs it as root through sudo:

curl -fsSL https://RAW_URL/install.sh | sudo bash

The install script automatically:

  • Installs Fluent Bit if not present
  • Detects environment type (LXC container vs bare metal server)
  • Generates the Lua enrichment filter with correct hostname and job type
  • Configures output to VictoriaLogs (HTTPS through Cloudflare or direct local connection)
  • Enables and starts the service

No manual configuration, no editing files. This is automation-first deployment — the kind that scales from one server to dozens.

Infrastructure Coverage

The system monitors 18 LXC containers plus the Proxmox host:

  • Network: AdGuard DNS, Nginx Proxy Manager, Cloudflare Tunnel, Smokeping
  • IoT/Home: Zigbee2MQTT, EMQX MQTT broker, ioBroker, HyperHDR
  • Security: Vaultwarden password manager
  • Automation: n8n workflow engine
  • Media: TorrServer, qBittorrent
  • Monitoring: Grafana, PiAlert network scanner, Homepage dashboard
  • AI Agents: OpenClaw instances (marketing agent, log analysis agent)
  • Storage: Samba file sync

VictoriaLogs and LogsQL

VictoriaLogs serves as the storage backend — a purpose-built log database that’s resource-efficient enough for home lab use while supporting the query capabilities needed for serious analysis:

  • LogsQL: SQL-like query language for filtering, aggregating, and analyzing logs
  • Stats aggregation: Group errors by hostname, app, level with count/sort operations
  • Retention policy: 90 days, 5 GB maximum — tuned for home lab scale
  • Web UI: Built-in query interface at /select/vmui

AI-Powered Analysis

The log analysis AI agent runs continuously, performing:

  • Error monitoring: Checking for level:error entries every 30 minutes
  • Anomaly detection: Identifying sudden error spikes, new error types, or missing hosts
  • Infrastructure reports: On-demand health summaries across all 18 containers
  • Coverage verification: Ensuring all containers are reporting (no silent failures)
  • Telegram alerts: Instant notification for critical issues

This combines proactive risk monitoring with AI analysis — the same pattern I recommend for enterprise infrastructure.

Results

  • Centralized log collection from 18 containers with one-command deployment
  • Intelligent noise filtering reducing log volume while preserving critical events
  • Structured log parsing for JSON-based applications (Pino, Bunyan, Rocket.Chat)
  • AI-powered continuous monitoring with Telegram alerting
  • Resource-efficient storage with 90-day retention
  • Secure remote access through Cloudflare Tunnel

Frequently Asked Questions

Why VictoriaLogs instead of Elasticsearch?

VictoriaLogs is purpose-built for log storage with minimal resource usage — ideal for home lab and small infrastructure. Elasticsearch requires significantly more RAM and CPU for comparable workloads. LogsQL provides the query power needed without the operational overhead.

How does the Lua filter handle different log formats?

The filter first attempts JSON parsing. If the message starts with “{”, it extracts structured fields (msg, level, name). For non-JSON messages, it uses syslog PRIORITY mapping. A heuristic layer catches error keywords in info-classified messages. This handles everything from raw syslog to Pino JSON to Rocket.Chat formatted output.
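
The order of checks described above, modelled in Python as an added example; it is not the author's Lua filter. The exact PRIORITY split, the threshold handling of numeric levels, the upgrade target and the `lxc-example` hostname are assumptions.

```python
import json

NOISY_APPS = {"sd-pam", "systemd-logind", "sshd-session"}  # apps the page names as noise
# Assumed PRIORITY mapping; the page gives the target levels but not the exact split.
SYSLOG_LEVEL = {0: "error", 1: "error", 2: "error", 3: "error",
                4: "warn", 5: "info", 6: "info", 7: "debug"}
NAMED = {"trace": "debug", "debug": "debug", "info": "info", "warn": "warn",
         "warning": "warn", "error": "error", "fatal": "error"}


def normalize(value, fallback):
    """Map a JSON 'level' (Pino/Bunyan number or a name) to a normalized level."""
    if isinstance(value, (int, float)):  # 10=debug, 30=info, 40=warn, 50=error
        return ("error" if value >= 50 else "warn" if value >= 40
                else "info" if value >= 30 else "debug")
    if isinstance(value, str):
        return NAMED.get(value.lower(), fallback)
    return fallback


def enrich(record, hostname="lxc-example", job="lxc"):
    """Return the enriched entry, or None when the entry is dropped as noise."""
    app = record.get("SYSLOG_IDENTIFIER", "unknown")
    if app in NOISY_APPS:
        return None
    message = str(record.get("MESSAGE", ""))
    try:
        level = SYSLOG_LEVEL.get(int(record.get("PRIORITY", 6)), "info")
    except (TypeError, ValueError):
        level = "info"
    if message.lstrip().startswith("{"):
        try:
            doc = json.loads(message)
        except ValueError:  # looks like JSON but is not: keep the syslog level
            doc = None
        if isinstance(doc, dict):
            level = normalize(doc.get("level"), level)
            app = str(doc.get("name") or app)
            message = str(doc.get("msg") or doc.get("errmsg") or message)
    lowered = message.lower()
    if level == "info" and ("error" in lowered or "fatal" in lowered):
        level = "error"  # heuristic upgrade; the target level is an assumption
    return {"hostname": hostname, "app": app, "level": level,
            "job": job, "message": message}


# Constructed journald record (not from the author's hosts).
PINO = {"SYSLOG_IDENTIFIER": "node", "PRIORITY": "6",
        "MESSAGE": '{"level":50,"name":"example-app","msg":"broker disconnected"}'}
```

Because the keyword check is a substring match, a line such as "backup finished, 0 errors" logged at info is also upgraded to error.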

Can this scale beyond a home lab?

Absolutely. VictoriaLogs supports horizontal scaling. The Fluent Bit collection pattern works identically for cloud VMs. The one-command installer works on any Debian/Ubuntu server. I’ve designed it with enterprise patterns that transfer directly to production environments.

What triggers a Telegram alert?

Error-level log entries, sudden spikes in error count, new error types not seen before, and hosts going silent (missing from expected log stream). The AI agent analyzes patterns, not just keyword matches.
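
A deterministic baseline for three of these triggers (silent hosts, error spikes, new error types), added here as an example and not the agent's own logic. The thresholds, the digit-masking `signature` helper and the sample hosts and messages are assumptions.

```python
import re
from collections import Counter


def signature(entry):
    """Collapse numbers so 'timeout after 30 ms' and '... 45 ms' count as one error type."""
    return entry["app"] + ": " + re.sub(r"\d+", "<n>", entry["message"]).strip().lower()


def evaluate(expected_hosts, window, baseline_errors, known_signatures,
             spike_factor=3, min_errors=5):
    """Return (kind, subject) alerts for one interval of enriched log entries."""
    alerts = []
    # Coverage check: an expected host with no entries at all is a silent failure.
    seen = {e["hostname"] for e in window}
    for host in sorted(set(expected_hosts) - seen):
        alerts.append(("silent_host", host))
    errors = [e for e in window if e["level"] == "error"]
    # Spike check: compare this interval's error count with the host's usual count.
    per_host = Counter(e["hostname"] for e in errors)
    for host, count in sorted(per_host.items()):
        usual = max(baseline_errors.get(host, 0), 1)
        if count >= min_errors and count > spike_factor * usual:
            alerts.append(("error_spike", host))
    # Novelty check: error types whose signature has not been seen before.
    for sig in sorted({signature(e) for e in errors} - set(known_signatures)):
        alerts.append(("new_error_type", sig))
    return alerts


# Constructed interval: six DNS timeouts, one new n8n error, nothing from vaultwarden.
WINDOW = (
    [{"hostname": "adguard", "app": "dnsproxy", "level": "error",
      "message": f"upstream timeout after {ms} ms"} for ms in (30, 45, 50, 61, 72, 80)]
    + [{"hostname": "n8n", "app": "n8n", "level": "error",
        "message": "workflow 12 crashed"}]
)
```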

Ilya Arestov — Fractional CTO | Dubai Airport Free Zone (DAFZ), Dubai, UAE | Almaty, Zenkov Street 59, Kazakhstan | +971-585-930-600 | https://t.me/getmonolith