Supported log formats.
Loupe ships eight parsers covering the formats actually involved in production incidents — server-side syslog variants, web access logs, structured app logs, email threads, macOS unified log exports, and packet captures. Detection runs on file contents, not extension, so rename freely.
syslog (RFC 5424)
RFC 5424
- Detection
- Files matching `*.log` whose first parseable line conforms to the 5424 PRI/version/timestamp/hostname/app/PROCID/msgid header.
- Notes
- Strict parser. Falls back to RFC 3164 if 5424 fails on the first 200 lines. Year inference for 3164 uses the case window — see caveats.
- Example
<165>1 2026-04-27T14:02:41.108Z host1 app 1924 ID47 - pgsql: connection refused
- Caveat
- RFC 3164 has no year field, so we infer from the case time window. If your 3164 source crosses a year boundary, set the case window manually before ingest.
syslog (RFC 3164)
RFC 3164
- Detection
- Files matching `*.log` whose lines start with the 3164 timestamp + hostname + tag pattern.
- Notes
- Forgiving parser. Lines that fail to match are preserved as `.unknown` severity with the raw text intact, NOT dropped. The unparsed line stays in the timeline at its byte offset.
- Example
Apr 27 14:02:41 host1 app[1924]: pgsql: connection refused
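The two syslog entries above describe one pipeline: a strict RFC 5424 parse, a fallback to the forgiving RFC 3164 form, year inference from the case window, and preservation of lines neither parser accepts. The following Python is an added illustration of that pipeline and is not Loupe's own code; the sample lines are constructed (two of them mirror this page's examples), the `case_window` helper and the field names are this example's own choices, and the structured-data matcher is deliberately simplified (it does not handle escaped `]` inside SD elements).

```python
import re
from datetime import datetime, timezone

# Constructed sample lines; the two log lines mirror the examples on this page.
SAMPLE_5424 = "<165>1 2026-04-27T14:02:41.108Z host1 app 1924 ID47 - pgsql: connection refused"
SAMPLE_3164 = "Apr 27 14:02:41 host1 app[1924]: pgsql: connection refused"

# RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, SD, MSG.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+"
    r"(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+"
    r"(?P<procid>\S+)\s+(?P<msgid>\S+)\s+"
    r"(?P<sd>-|(?:\[[^\]]*\])+)\s*(?P<msg>.*)$"   # simplified SD: no escaped ']' support
)

# RFC 3164: optional PRI, then "Mmm dd hh:mm:ss host tag[pid]: msg". There is no year field.
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<procid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def split_pri(pri):
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1)."""
    return pri // 8, SEVERITIES[pri % 8]


def case_window(start_iso, end_iso):
    """Helper for this example: a (start, end) window from ISO-8601 strings, UTC if no zone given."""
    def parse(s):
        d = datetime.fromisoformat(s)
        return d if d.tzinfo else d.replace(tzinfo=timezone.utc)
    return parse(start_iso), parse(end_iso)


def parse_rfc5424(line):
    m = RFC5424_RE.match(line)
    if not m:
        return None
    facility, severity = split_pri(int(m["pri"]))
    # Older fromisoformat() implementations reject a trailing "Z", so normalise it first.
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"format": "rfc5424", "ts": ts, "facility": facility, "severity": severity,
            "host": m["host"], "app": m["app"], "procid": m["procid"],
            "msgid": m["msgid"], "msg": m["msg"]}


def infer_year(mon, day, time, window):
    """Pick the year that places a 3164 timestamp inside the case window.

    Trying every year the window spans handles a window that crosses December/January;
    a timestamp that fits no candidate year is an error rather than a silent guess.
    """
    start, end = window
    for year in range(start.year, end.year + 1):
        try:
            cand = datetime.strptime(f"{year} {mon} {day} {time}", "%Y %b %d %H:%M:%S")
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
        cand = cand.replace(tzinfo=timezone.utc)
        if start <= cand <= end:
            return cand
    raise ValueError(f"{mon} {day} {time} falls outside the case window; set the window manually")


def parse_rfc3164(line, window):
    m = RFC3164_RE.match(line)
    if not m:
        return None
    facility, severity = split_pri(int(m["pri"])) if m["pri"] else (None, None)
    return {"format": "rfc3164", "ts": infer_year(m["mon"], m["day"], m["time"], window),
            "facility": facility, "severity": severity, "host": m["host"],
            "app": m["tag"], "procid": m["procid"], "msgid": None, "msg": m["msg"]}


def parse_syslog_line(line, window):
    """Strict 5424 first, then 3164; anything else is kept as an 'unknown' event with raw text."""
    event = parse_rfc5424(line) or parse_rfc3164(line, window)
    if event is None:
        event = {"format": "unknown", "severity": "unknown", "ts": None, "raw": line}
    return event
```

The year loop is the point of the example: with a window of 15 December to 15 January, `Dec 28` resolves to the earlier year and `Jan 3` to the later one, and a line that fits neither raises instead of being silently placed in the wrong year.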
nginx / Apache (Combined Log)
COMBINEDAPACHELOG
- Detection
- Files whose first lines match the combined log format Grok pattern. Most nginx and Apache access logs land here by default.
- Notes
- Extracts client IP, user, timestamp, request, status, bytes, referrer, user-agent. Status codes are parsed as integers for the rule engine to threshold.
- Example
10.0.4.12 - - [27/Apr/2026:14:02:41 +0000] "GET /api/orders HTTP/1.1" 502 0 "-" "ua/1.0"
nginx / Apache (Common Log)
COMMONAPACHELOG
- Detection
- Files matching combined-log without the referrer + user-agent fields. Older nginx defaults and many homegrown formats.
- Notes
- Same field extraction as Combined, minus the trailing two fields. Same rules apply.
- Example
10.0.4.12 - - [27/Apr/2026:14:02:41 +0000] "GET /api/orders HTTP/1.1" 502 0
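As an added example of the Combined and Common formats described in the two entries above (not Loupe's code), the Python below parses both with one matcher, converts the status code to an integer, keeps unparsable lines as unknown events, and feeds a per-minute 5xx count to the kind of threshold rule the notes mention. The sample lines are constructed (the first two repeat this page's examples); the detection probe of 20 lines and the event field names are this example's assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (the first two mirror this page's examples).
SAMPLE_ACCESS_LOG = """\
10.0.4.12 - - [27/Apr/2026:14:02:41 +0000] "GET /api/orders HTTP/1.1" 502 0 "-" "ua/1.0"
10.0.4.12 - - [27/Apr/2026:14:02:41 +0000] "GET /api/orders HTTP/1.1" 502 0
10.0.4.13 - alice [27/Apr/2026:14:02:55 +0000] "POST /api/orders HTTP/1.1" 502 17 "https://shop.example/cart" "ua/1.0"
10.0.4.14 - - [27/Apr/2026:14:03:10 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "probe/2"
this line is not an access log entry
"""

# Common Log Format: client ident user [timestamp] "request" status bytes
COMMON_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Combined appends "referrer" "user-agent" after the byte count.
COMBINED_TAIL_RE = re.compile(r' "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"\s*$')


def parse_access_line(line):
    """Parse one nginx/Apache line; returns None when the line does not match either format."""
    m = COMMON_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])          # integer so a rule can threshold on it
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
    method, _, rest = ev["request"].partition(" ")
    path, _, proto = rest.rpartition(" ")
    ev.update(method=method, path=path, protocol=proto)
    tail = COMBINED_TAIL_RE.search(line, m.end())
    if tail:
        ev.update(tail.groupdict(), format="combined")
    else:
        ev.update(referrer=None, user_agent=None, format="common")
    return ev


def detect_access_format(text, probe=20):
    """Content-based detection: every non-empty line in the probe must parse."""
    lines = [l for l in text.splitlines()[:probe] if l.strip()]
    if not lines:
        return None
    parsed = [parse_access_line(l) for l in lines]
    if any(p is None for p in parsed):
        return None
    return "combined" if all(p["format"] == "combined" for p in parsed) else "common"


def parse_access_log(text):
    """One event per line; lines that fail to parse are kept as unknown events, not dropped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        ev = parse_access_line(line) or {"format": "unknown", "status": None, "raw": line}
        ev["line"] = lineno
        events.append(ev)
    return events


def server_errors_per_minute(events):
    """Threshold input for a rule such as "5xx > N/min": count of 5xx responses per UTC minute."""
    counts = Counter()
    for ev in events:
        if ev.get("status") is not None and 500 <= ev["status"] < 600:
            counts[ev["ts"].strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)
```

Because Common is a prefix of Combined, a single matcher plus an optional tail handles both; a file whose probe mixes the two is classified as Common, which is the safe direction since the extra two fields are simply absent.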
JSON Lines (.jsonl, .ndjson)
- Detection
- One valid JSON object per line. Common for structured app logs from Bunyan, pino, slog, etc.
- Notes
- Loupe extracts a timestamp from a configurable field (default: `time`, then `timestamp`, then `@timestamp`, then `ts`). Severity is mapped from `level` (string or number). All other fields are preserved on the event.
- Example
{"time":"2026-04-27T14:02:42.140Z","level":"warn","msg":"circuit_breaker.open","service":"orders"}
- Caveat
- If timestamps come from a non-standard field, set it under Source → Adjust → Time Field before re-running ingest.
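The notes and caveat above describe three decisions for JSON Lines input: which field supplies the timestamp (a configured field first, then the default order), how `level` maps to a severity whether it is a string or a number, and keeping every other field on the event. The Python below is an added example of those decisions and is not Loupe's code; the sample lines are constructed (the first repeats this page's example), the numeric level thresholds follow the Bunyan/pino convention, and treating numbers above 10^11 as epoch milliseconds is this example's own heuristic.

```python
import json
from datetime import datetime, timedelta, timezone

# Default lookup order for the timestamp field; an explicitly configured field is tried first.
TIME_FIELDS = ("time", "timestamp", "@timestamp", "ts")

# String levels as written by common loggers; anything unrecognised maps to "unknown".
LEVEL_NAMES = {"trace": "trace", "debug": "debug", "info": "info", "warn": "warn",
               "warning": "warn", "error": "error", "err": "error", "fatal": "fatal"}

# Constructed sample: a string-time/string-level line, a pino-style line (epoch-millisecond
# time, numeric level), and a line whose timestamp lives in a non-standard field.
SAMPLE_JSONL = """\
{"time":"2026-04-27T14:02:42.140Z","level":"warn","msg":"circuit_breaker.open","service":"orders"}
{"level":50,"time":1777298562140,"pid":1924,"msg":"upstream timeout","service":"orders"}
{"event_time":"2026-04-27T14:02:43Z","level":"ERROR","msg":"retry budget exhausted","service":"orders"}
"""


def level_from_number(n):
    """Bunyan/pino numeric levels: 10 trace, 20 debug, 30 info, 40 warn, 50 error, 60 fatal."""
    for floor, name in ((60, "fatal"), (50, "error"), (40, "warn"), (30, "info"), (20, "debug")):
        if n >= floor:
            return name
    return "trace"


def parse_timestamp(value):
    """Accept ISO-8601 strings and epoch seconds or milliseconds; None if unusable."""
    if isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        if value > 1e11:  # heuristic: too large for seconds, treat as epoch milliseconds
            whole, ms = divmod(int(value), 1000)
            return datetime.fromtimestamp(whole, tz=timezone.utc) + timedelta(milliseconds=ms)
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str):
        try:
            return datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            return None
    return None


def is_jsonl(text, probe=20):
    """Detection: every non-empty line in the probe is a JSON object."""
    lines = [l for l in text.splitlines()[:probe] if l.strip()]
    if not lines:
        return False
    try:
        return all(isinstance(json.loads(l), dict) for l in lines)
    except ValueError:
        return False


def parse_jsonl(text, time_field=None):
    """One event per line; the first candidate field present wins; all fields are kept."""
    candidates = ((time_field,) if time_field else ()) + TIME_FIELDS
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        ts = next((parse_timestamp(obj[f]) for f in candidates if f in obj), None)
        level = obj.get("level")
        if isinstance(level, str):
            severity = LEVEL_NAMES.get(level.lower(), "unknown")
        elif isinstance(level, (int, float)) and not isinstance(level, bool):
            severity = level_from_number(level)
        else:
            severity = "info"
        events.append({"line": lineno, "ts": ts, "severity": severity,
                       "msg": obj.get("msg"), "fields": obj})
    return events
```

Run against the sample, the third line gets no timestamp under the default field order and lands in the timeline only after `time_field="event_time"` is supplied, which is the re-ingest step the caveat describes.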
RFC 5322 email (.eml)
RFC 5322
- Detection
- Files starting with `Received:`, `From:`, `Date:`, or `Message-ID:` headers.
- Notes
- One event per message. Loupe extracts From, To, Subject, Date, and the first text/plain body. Multipart MIME is decoded; attachments are listed but not extracted by default. Email threads (`.mbox` files) are split into one event per message.
- Example
From: oncall@example.com Date: Mon, 27 Apr 2026 14:02:42 +0000 Subject: [oncall] paged: 5xx > 30/min
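The notes above cover header extraction, decoding multipart MIME to reach the first text/plain body, listing attachments without extracting them, and splitting an `.mbox` thread into one event per message. The following Python is an added example of that behaviour using the standard library `email` package; it is not Loupe's code. Both messages are constructed (the first reuses this page's example headers, with placeholder Message-IDs), and splitting on `^From ` separator lines assumes a conventional mbox in which body lines beginning with "From " are escaped as ">From ".

```python
import re
import email
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample messages; the headers of the first echo this page's example.
SAMPLE_EML = """\
From: oncall@example.com
To: sre@example.com
Subject: [oncall] paged: 5xx > 30/min
Date: Mon, 27 Apr 2026 14:02:42 +0000
Message-ID: <constructed-1@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

orders-api is returning 502s; pgsql connection refused on host1.
--b1
Content-Type: text/html; charset="utf-8"

<p>orders-api is returning 502s</p>
--b1
Content-Type: text/csv; name="errors.csv"
Content-Disposition: attachment; filename="errors.csv"

ts,status
2026-04-27T14:02:41Z,502
--b1--
"""

SAMPLE_REPLY = """\
From: db-team@example.com
To: sre@example.com
Subject: Re: [oncall] paged: 5xx > 30/min
Date: Mon, 27 Apr 2026 14:09:00 +0000
Message-ID: <constructed-2@example.com>
In-Reply-To: <constructed-1@example.com>
Content-Type: text/plain; charset="utf-8"

pgsql on host1 restarted at 14:05Z; 502s clearing.
"""

# mbox: each message is preceded by a "From <sender> <date>" separator line (no colon).
SAMPLE_MBOX = ("From oncall@example.com Mon Apr 27 14:02:42 2026\n" + SAMPLE_EML +
               "\nFrom db-team@example.com Mon Apr 27 14:09:00 2026\n" + SAMPLE_REPLY)

MBOX_SEPARATOR_RE = re.compile(r"^From .*\n", re.MULTILINE)


def parse_eml(text):
    """One event per message: headers, first text/plain body, attachment names only."""
    msg = email.message_from_string(text, policy=policy.default)

    def header(name):
        value = msg[name]
        return str(value) if value is not None else None

    # get_body() walks the MIME tree and returns the best text/plain candidate, skipping attachments.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().rstrip() if body_part is not None else ""
    date = header("Date")
    return {
        "from": header("From"),
        "to": header("To"),
        "subject": header("Subject"),
        "message_id": header("Message-ID"),
        "ts": parsedate_to_datetime(date) if date else None,
        "body": body,
        # Attachments are listed, not extracted: their bytes stay in the source file.
        "attachments": [part.get_filename() for part in msg.iter_attachments()],
    }


def parse_mailbox(text):
    """Split an mbox file on its separator lines and parse each message."""
    chunks = MBOX_SEPARATOR_RE.split(text)
    return [parse_eml(chunk) for chunk in chunks if chunk.strip()]
```

`parse_eml` also works on a single `.eml` file; `parse_mailbox` only adds the separator split, so a thread yields the same per-message event shape.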
macOS unified log (JSON)
- Detection
- JSON output from `log show --style json`. Detected by the presence of `eventType` and `processImagePath` keys.
- Notes
- Designed to ingest the JSON form, not the binary tracev3 file. Run `log show --predicate ... --style json > logs.json` and drop the file in.
- Example
[{"eventType":"logEvent","subsystem":"com.apple.network","timestamp":"2026-04-27T14:02:41Z","eventMessage":"connection refused"}]
- Caveat
- Live tailing via `log stream` is intentionally not supported in v1 — Loupe ingests files, not streams. See the roadmap for v1.x streaming considerations.
libpcap captures (.pcap, .pcapng)
- Detection
- Standard libpcap magic bytes at byte 0.
- Notes
- Optional dependency. Loupe shells out to `tshark` to enumerate frames. If `tshark` is missing, .pcap ingest is disabled with a clear error pointing to install instructions.
- Example
Byte-level binary; not human-readable.
- Caveat
- Citations to pcap events reference the frame number and the per-frame timestamp, not raw bytes. The raw bytes stay in the original file inside the export bundle.
Plaintext fallback
- Detection
- Anything else with `*.log` / `*.txt` extension that no other parser claimed.
- Notes
- One event per line. Severity is inferred from keywords (`ERROR`, `WARN`, etc.) when present; defaults to `.info`. Timestamps are extracted only if a recognizable ISO-8601 prefix is present.
- Example
ERROR 2026-04-27 14:02:42 something exploded
- Caveat
- Rules generally don't fire on plaintext-fallback events — the field extraction is too imprecise. Use it for context, not for evidence.
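The page states that detection runs on file contents rather than extension, and gives the content rule for three of the formats above (libpcap magic bytes at byte 0, the `eventType`/`processImagePath` keys of a unified-log export, a leading RFC 5322 header) plus the plaintext fallback's keyword severity and ISO-8601 prefix. The Python below is an added example that implements exactly those four rules in one sniffer and the fallback line parser; it is not Loupe's code and deliberately leaves out the syslog, access-log and JSON Lines probes. The sample inputs are constructed (the unified-log record reuses this page's example with a placeholder `processImagePath`), and the magic values are the documented libpcap and pcapng ones.

```python
import json
import re
from datetime import datetime

# libpcap and pcapng magic values at byte 0: the four libpcap variants cover both byte
# orders and microsecond/nanosecond resolution; pcapng's is its Section Header Block type.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap/us/be", b"\xd4\xc3\xb2\xa1": "pcap/us/le",
    b"\xa1\xb2\x3c\x4d": "pcap/ns/be", b"\x4d\x3c\xb2\xa1": "pcap/ns/le",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}
EMAIL_HEADER_RE = re.compile(rb"^(Received|From|Date|Message-ID):", re.IGNORECASE)
UNIFIED_LOG_KEYS = {"eventType", "processImagePath"}

# Plaintext fallback: severity keywords (page convention: upper case), and an ISO-8601
# timestamp at the start of the line, optionally after a leading keyword.
SEVERITY_KEYWORDS = (("FATAL", "fatal"), ("ERROR|ERR", "error"), ("WARN(?:ING)?", "warn"),
                     ("INFO", "info"), ("DEBUG", "debug"))
ISO_PREFIX_RE = re.compile(
    r"^(?:[A-Za-z]+\s+)?(?P<ts>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?)"
)

# Constructed sample inputs (placeholder processImagePath).
SAMPLE_UNIFIED_LOG = ('[{"eventType":"logEvent","subsystem":"com.apple.network",'
                      '"timestamp":"2026-04-27T14:02:41Z","processImagePath":"/path/to/process",'
                      '"eventMessage":"connection refused"}]')
SAMPLE_PLAINTEXT = "ERROR 2026-04-27 14:02:42 something exploded\nrestarting worker pool\n"


def detect_format(data):
    """Classify a file by its leading bytes; 'plaintext' is the fallback, never an error."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if EMAIL_HEADER_RE.match(data):
        return "eml"
    text = data.decode("utf-8", errors="replace")
    if text.lstrip()[:1] in ("[", "{"):
        try:
            obj = json.loads(text)
        except ValueError:
            obj = None
        first = obj[0] if isinstance(obj, list) and obj else obj
        if isinstance(first, dict) and UNIFIED_LOG_KEYS.issubset(first):
            return "macos-unified-log"
    return "plaintext"


def pcap_flavor(data):
    """Which capture variant the magic announces, or None for a non-capture."""
    return PCAP_MAGICS.get(data[:4])


def parse_plaintext_line(line):
    """Severity from a keyword (default info); a timestamp only from an ISO-8601 prefix."""
    severity = "info"
    for pattern, name in SEVERITY_KEYWORDS:
        if re.search(rf"\b(?:{pattern})\b", line):
            severity = name
            break
    ts = None
    m = ISO_PREFIX_RE.match(line)
    if m:
        try:
            # A prefix without a zone stays naive: the source's zone is unknown here.
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        except ValueError:
            ts = None
    return {"severity": severity, "ts": ts, "raw": line}
```

The ordering inside `detect_format` matters: binary magic is checked before any text decoding, and the JSON branch only claims a file when the two unified-log keys are present, so an ordinary JSON document falls through to plaintext rather than being misattributed.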
Optional dependencies
Loupe runs without any external tools by default. One parser is optional and shells out to a third-party binary when available:
- tshark — used for .pcap/.pcapng ingestion. Install via `brew install wireshark` or download Wireshark from wireshark.org. If absent, the pcap parser is disabled with a clear error.
Roadmap
Format coverage planned for v1.x:
- journald JSON (`journalctl --output=json`) — covers RHEL, Fedora, Ubuntu, Debian, Arch, openSUSE
- Windows .evtx — covers XP through Server 2025
- User-authored Grok rules — drop-in YAML for site-specific or vendor-specific patterns