syslog-report
Install: claude install-skill jmagar/syslog-mcp
# Syslog Report
## Overview
Use the `syslog` MCP tool as the source of truth for recent device logs. Query broad fleet state first, then drill into errors, warnings, host-specific tails, and correlated events before writing a markdown report with concrete next actions.
## Workflow
1. Establish the reporting window.
   - Default to the last 24 hours when the user does not specify a window.
   - Use exact timestamps in the report. If the tool supports relative filters, use `since=24h`; otherwise compute an ISO-8601 start and end time.
   - Carry the computed `from` and `to` values into every time-filterable query below.
2. Confirm MCP availability and current coverage.
   - Call `syslog action=stats` to capture DB size, time range, retention/storage guard state, and total log count.
   - Call `syslog action=hosts` to list devices with first/last seen timestamps and counts.
   - If the MCP tool is unavailable, report that no live syslog evidence could be collected and include the failure details.
3. Collect incident candidates.
   - Call `syslog action=errors from=<start> to=<end>` for warning/error summaries grouped by host and severity.
   - Call `syslog action=search query=error from=<start> to=<end> limit=1000` for error detail inside the report window.
   - Call `syslog action=search query="warning OR warn" from=<start> to=<end> limit=1000` when warning coverage is not already clear from `errors`.
   - Call `syslog action=tail n=100` for recent fleet-wide context.
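
The window computation from step 1 and the argument sets for steps 2 and 3, as an added example that is not part of the skill or the syslog-mcp project. The helper names `report_window` and `planned_calls` are hypothetical, and the `Z`-suffixed UTC timestamp format is an assumption about what the tool accepts for `from` and `to`.

```python
import re
from datetime import datetime, timedelta, timezone

_UNITS = {"m": "minutes", "h": "hours", "d": "days"}
_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format (ISO-8601, UTC)


def report_window(now, since="24h"):
    """Return (from, to) as ISO-8601 UTC strings for a relative window like '24h'."""
    if now.tzinfo is None:
        # A naive clock value silently shifts the window by the local UTC offset.
        raise ValueError("now must be timezone-aware")
    match = re.fullmatch(r"(\d+)([mhd])", since)
    if not match or int(match.group(1)) == 0:
        raise ValueError(f"unsupported window: {since!r}")
    end = now.astimezone(timezone.utc).replace(microsecond=0)
    start = end - timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})
    return start.strftime(_FMT), end.strftime(_FMT)


def planned_calls(now, since="24h"):
    """Argument sets for the step 2 and step 3 calls, sharing one from/to pair."""
    start, end = report_window(now, since)
    window = {"from": start, "to": end}
    return [
        {"action": "stats"},
        {"action": "hosts"},
        {"action": "errors", **window},
        {"action": "search", "query": "error", "limit": 1000, **window},
        # Only needed when warning coverage is not already clear from `errors`.
        {"action": "search", "query": "warning OR warn", "limit": 1000, **window},
        {"action": "tail", "n": 100},  # tail takes no time filter on the page
    ]


if __name__ == "__main__":
    # Constructed clock value in a UTC-4 zone, to show the conversion to UTC.
    now = datetime(2024, 5, 2, 9, 30, 15, tzinfo=timezone(timedelta(hours=-4)))
    for call in planned_calls(now):
        print("syslog " + " ".join(f"{k}={v}" for k, v in call.items()))
```

Computing the pair once and reusing it keeps every time-filtered query on the same window, so counts from `errors` and `search` can be compared directly in the report.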