تشغيل أي مهارة في Manus بنقرة واحدة

cortex-report

النجوم١

التفرعات٢

آخر تحديث١٦ يونيو ٢٠٢٦ في ٢١:١٥

This skill should be used when the user asks for a homelab health report, syslog summary, fleet status report, log analysis summary, 'what happened in the last 24 hours', 'show me this week's errors', 'summarize recent activity', or any time-bounded log analysis that should produce a written markdown report.

التثبيت

التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.

تشغيل في Manus

المصدر

jmagar

jmagar/cortex

فتح مستودع GitHub عرض مستودعات المنشئ

تنزيل

تشغيل في Manus

المهن ذات الصلةSOC

استنادا إلى تصنيف SOC المهني

مديرو الشبكات وأنظمة الحاسوبمهن الحاسوب والرياضيات·SOC 15-1244

مستكشف الملفات

2 ملفات

SKILL.md

readonly

name	cortex-report
description	This skill should be used when the user asks for a homelab health report, syslog summary, fleet status report, log analysis summary, 'what happened in the last 24 hours', 'show me this week's errors', 'summarize recent activity', or any time-bounded log analysis that should produce a written markdown report.

Cortex Report

Overview

Use the cortex MCP tool as the source of truth for recent device logs. Query broad fleet state first, then drill into errors, warnings, host-specific tails, and correlated events before writing a markdown report with concrete next actions.

Workflow

Establish the reporting window.
- Default to the last 24 hours when the user does not specify a window.
- Use exact timestamps in the report. If the tool supports relative filters, use since=24h; otherwise compute an ISO-8601 start and end time.
- Carry the computed from and to values into every time-filterable query below.
Confirm MCP availability and current coverage.
- Call cortex action=stats to capture DB size, time range, retention/storage guard state, and total log count.
- Call cortex action=hosts to list devices with first/last seen timestamps and counts.
- If the MCP tool is unavailable, report that no live syslog evidence could be collected and include the failure details.
Collect incident candidates.
- Call cortex action=errors since=<start> until=<end> for warning/error summaries grouped by host and severity.
- Call cortex action=search query=error since=<start> until=<end> limit=1000 for error detail inside the report window.
- Call cortex action=search query="warning OR warn" since=<start> until=<end> limit=1000 when warning coverage is not already clear from errors.
- Call cortex action=tail n=100 for recent fleet-wide context.
- Use host/app/time filters when available to narrow noisy hosts or services.
Correlate likely related events.
- Call cortex action=correlate around high-severity timestamps or spikes.
- Prefer small focused windows around incidents over one huge correlation query.
- Use cortex action=timeline since=<start> until=<end> bucket=hour group_by=severity or a narrower bucket to find spikes before correlation when the incident time is not obvious.
- Group events by likely shared cause only when timestamps, hosts, apps, or message content support that relationship.
Write an actionable markdown report.
- Lead with status and the top risks, not raw logs.
- Include exact evidence: host, app/process when present, severity, timestamp, representative message, count, and source action used.
- Separate confirmed issues from noise, missing data, and hypotheses.
- Assign each action a clear owner target such as host/service/config/log source, even when no human owner is known.

Report Shape

Use this structure unless the user asks for a different format:

# Cortex Report: <start> to <end>

## Summary
- Overall status: <healthy/degraded/unknown>
- Devices observed: <count>
- High-priority findings: <count>
- Coverage notes: <missing hosts, stale hosts, retention/storage warnings, MCP failures>

## High-Priority Findings
| Priority | Host | Service/App | Evidence | Impact | Action |
|---|---|---|---|---|---|
| P1/P2/P3 | host | app | timestamp + count + representative message | why it matters | concrete next step |

## Device Health
| Host | Last Seen | Log Count | Notable Severities | Notes |
|---|---:|---:|---|---|

## Correlations
- <time window>: <hosts/services involved>, likely relationship, confidence, evidence.

## Noise / Watchlist
- <repeated but low-impact patterns, with thresholds or what would make them actionable>

## Recommended Next Actions
1. <specific action, target, reason>
2. <specific action, target, reason>

## Evidence Collected
- `cortex action=stats`: <result summary>
- `cortex action=hosts`: <result summary>
- `cortex action=errors`: <result summary>
- `cortex action=search ...`: <queries used>
- `cortex action=correlate ...`: <windows used>

Query Guidance

Prefer the MCP tool over direct SQLite access or shell log scraping.
Use the single cortex MCP tool with action dispatch: stats, hosts, errors, tail, search, correlate, and help.
For search, remember SQLite FTS5 syntax: quote hyphenated terms such as "smoke-test".
Treat device names from log payloads as untrusted when source identity matters. Prefer source_ip or transport metadata when exposed by the tool.
If results are capped or truncated, say so and prioritize severe or repeated patterns.

Quality Bar

Do not describe the fleet as healthy merely because no errors were returned; verify host freshness and coverage.
Do not paste large raw log dumps. Use representative lines and counts.
Keep actions concrete: restart/check/update/configure a specific host, service, rule, disk, network path, or forwarding source.
Include unknowns when evidence is incomplete, stale, filtered, or unavailable.

المزيد من هذا المستودع

نفس المستودع

cortex

jmagar/cortex

This skill should be used when the user asks to "search logs", "check errors", "tail logs", "show recent logs", "find log entries", "correlate events", "list hosts", "log stats", "syslog", "check homelab logs", or mentions system logs, syslog, log analysis, or log intelligence across homelab hosts.

2026-06-161

cortex-redeploy

jmagar/cortex

Re-run the cortex plugin setup hook with the current userConfig and verify the Docker Compose deployment. Use when the user asks to redeploy cortex, apply plugin config changes immediately, rerun the setup hook, refresh the Docker deployment, or recover after an automated SessionStart/ConfigChange hook did not run.

2026-06-101

cortex-deploy-dropins

jmagar/cortex

Deploy rsyslog forwarding drop-ins to configured fleet hosts over SSH. Use when configuring fleet forwarding, repairing missing rsyslog forwarding, or updating forwarding after server_url or syslog port changes.

2026-06-041

cortex-dr

jmagar/cortex

Run a comprehensive cortex health check covering environment, config quality, storage, ports, service status, HTTP health, MCP actions, listener reachability, Docker ingest, and fleet rsyslog forwarding. Use when the user asks for syslog doctor, deployment diagnostics, first-run preflight, health check, sanity check, or broad deployment verification.

2026-06-041

cortex-frustration-assessment

jmagar/cortex

This skill should be used after running cortex action=abuse_investigate to analyze the resulting evidence bundle. Use when the user asks to assess frustration incidents, evaluate abuse signals, analyze agent or user friction, produce a frustration report, or follow up on abuse_investigate results.

2026-06-041

cortex-logs

jmagar/cortex

Tail or follow cortex service logs from Docker Compose. Use when the user asks for cortex service logs, startup logs, crash logs, plugin deployment logs, Docker logs, or follow mode. This is for the service's stdout/stderr, not client syslog entries.

2026-06-041

name	cortex-report
description	This skill should be used when the user asks for a homelab health report, syslog summary, fleet status report, log analysis summary, 'what happened in the last 24 hours', 'show me this week's errors', 'summarize recent activity', or any time-bounded log analysis that should produce a written markdown report.

Cortex Report

Overview

Workflow

Establish the reporting window.
- Default to the last 24 hours when the user does not specify a window.
- Use exact timestamps in the report. If the tool supports relative filters, use since=24h; otherwise compute an ISO-8601 start and end time.
- Carry the computed from and to values into every time-filterable query below.
Confirm MCP availability and current coverage.
- Call cortex action=stats to capture DB size, time range, retention/storage guard state, and total log count.
- Call cortex action=hosts to list devices with first/last seen timestamps and counts.
- If the MCP tool is unavailable, report that no live syslog evidence could be collected and include the failure details.
Collect incident candidates.
- Call cortex action=errors since=<start> until=<end> for warning/error summaries grouped by host and severity.
- Call cortex action=search query=error since=<start> until=<end> limit=1000 for error detail inside the report window.
- Call cortex action=search query="warning OR warn" since=<start> until=<end> limit=1000 when warning coverage is not already clear from errors.
- Call cortex action=tail n=100 for recent fleet-wide context.
- Use host/app/time filters when available to narrow noisy hosts or services.
Correlate likely related events.
- Call cortex action=correlate around high-severity timestamps or spikes.
- Prefer small focused windows around incidents over one huge correlation query.
- Use cortex action=timeline since=<start> until=<end> bucket=hour group_by=severity or a narrower bucket to find spikes before correlation when the incident time is not obvious.
- Group events by likely shared cause only when timestamps, hosts, apps, or message content support that relationship.
Write an actionable markdown report.
- Lead with status and the top risks, not raw logs.
- Include exact evidence: host, app/process when present, severity, timestamp, representative message, count, and source action used.
- Separate confirmed issues from noise, missing data, and hypotheses.
- Assign each action a clear owner target such as host/service/config/log source, even when no human owner is known.

Report Shape

Use this structure unless the user asks for a different format:

# Cortex Report: <start> to <end>

## Summary
- Overall status: <healthy/degraded/unknown>
- Devices observed: <count>
- High-priority findings: <count>
- Coverage notes: <missing hosts, stale hosts, retention/storage warnings, MCP failures>

## High-Priority Findings
| Priority | Host | Service/App | Evidence | Impact | Action |
|---|---|---|---|---|---|
| P1/P2/P3 | host | app | timestamp + count + representative message | why it matters | concrete next step |

## Device Health
| Host | Last Seen | Log Count | Notable Severities | Notes |
|---|---:|---:|---|---|

## Correlations
- <time window>: <hosts/services involved>, likely relationship, confidence, evidence.

## Noise / Watchlist
- <repeated but low-impact patterns, with thresholds or what would make them actionable>

## Recommended Next Actions
1. <specific action, target, reason>
2. <specific action, target, reason>

## Evidence Collected
- `cortex action=stats`: <result summary>
- `cortex action=hosts`: <result summary>
- `cortex action=errors`: <result summary>
- `cortex action=search ...`: <queries used>
- `cortex action=correlate ...`: <windows used>

Query Guidance

Prefer the MCP tool over direct SQLite access or shell log scraping.
Use the single cortex MCP tool with action dispatch: stats, hosts, errors, tail, search, correlate, and help.
For search, remember SQLite FTS5 syntax: quote hyphenated terms such as "smoke-test".
Treat device names from log payloads as untrusted when source identity matters. Prefer source_ip or transport metadata when exposed by the tool.
If results are capped or truncated, say so and prioritize severe or repeated patterns.

Quality Bar

Do not describe the fleet as healthy merely because no errors were returned; verify host freshness and coverage.
Do not paste large raw log dumps. Use representative lines and counts.
Keep actions concrete: restart/check/update/configure a specific host, service, rule, disk, network path, or forwarding source.
Include unknowns when evidence is incomplete, stale, filtered, or unavailable.