Configuration

Last updated: March 30, 2026 · 2 min read

Configuration Reference

siftlogd is configured via siftlog.yaml. All fields are optional except sources. siftlogd looks for the config in the current directory, then ~/.siftlog/siftlog.yaml, or use --config /path/to/config.yaml.

Top-level structure

sources:      # required
correlation:  # optional
signal:       # optional
live:         # optional
output:       # optional
api:          # optional -- REST API (coming soon)

sources

At least one source is required. Each source has a name (unique, used in signal output) and a type.

file

- name: my-service
  type: file
  path: /var/log/my-service.log
  tail: true
  seek_to_end: true

loki

- name: production-loki
  type: loki
  url: https://loki.internal
  auth:
    type: bearer
    token_env: LOKI_TOKEN
  labels:
    env: production

cloudwatch

- name: ecs-services
  type: cloudwatch
  region: us-east-1
  log_groups:
    - /ecs/payment-service
    - /ecs/order-service

Credentials resolved via standard AWS credential chain.

elasticsearch

- name: es-logs
  type: elasticsearch
  url: https://elasticsearch.internal:9200
  query: "service: payment AND level: ERROR"
  auth:
    type: bearer
    token_env: ES_TOKEN

datadog

- name: datadog-prod
  type: datadog
  url: https://api.datadoghq.com
  query: "service:payment-service"
  auth:
    api_key: YOUR_DD_API_KEY
    app_key_env: DD_APP_KEY

googlecloud

- name: gcp-logs
  type: googlecloud
  project: my-gcp-project
  query: "severity>=WARNING"

Credentials resolved via Application Default Credentials.

correlation

correlation:
  anchor: sender          # sender | receiver
  window_ms: 5000
  drift_tolerance_ms: 200
  • anchor: sender trusts timestamps in the log event. receiver uses ingestion time — use this if your services have unreliable clocks.
  • window_ms: How far apart two events can be and still be considered causally related. Default 5000.
  • drift_tolerance_ms: Extra tolerance at the window boundary for minor clock differences. Default 200.

signal

signal:
  cascade_detection: true
  silence_detection: true
  anomaly_threshold_multiplier: 10.0
  silence_threshold_pct: 90.0
  baseline_window_minutes: 5
  • anomaly_threshold_multiplier: A service must exceed this multiple of its baseline error rate to trigger. Lower = more sensitive. Default 10.0.
  • silence_threshold_pct: A service must drop this percentage below its baseline volume to trigger silence. Default 90.0.
  • baseline_window_minutes: Rolling window for baseline calculation. Detection activates after this window elapses. Default 5.

api (coming soon)

api:
  enabled: false        # off by default
  port: 8080
  bind: 127.0.0.1      # localhost only by default
  api_key: YOUR_KEY    # required when enabled

The REST API is disabled by default. Users who never enable it have zero additional network surface. Required for the SiftLog Android companion app.

Environment variables

SIFTLOG_CORRELATION_WINDOW_MS=3000
SIFTLOG_SIGNAL_ANOMALY_THRESHOLD_MULTIPLIER=5.0
SIFTLOGD_LICENSE=YOUR-LICENSE-KEY

Next: Signal Detection

SiftLog Platform

Always-on log correlation daemon. Cascade, anomaly, and silence detection across every log source in your infrastructure.

Quick Links

Tracking Scripts
Telemetry Services
Anonymous Statistics
Your Privacy

No Bloat. No Spyware. No Nonsense.

Modern software has become surveillance dressed as convenience. Every click tracked, every behavior analyzed, every action monetized. M Media software doesn't play that game.

Our apps don't phone home, don't collect telemetry, and don't require accounts for features that should work offline. No analytics dashboards measuring your "engagement." No A/B tests optimizing how long you stay trapped in the interface.

We build tools, not attention traps.

The code does what it says on the tin — nothing more, nothing less. No hidden services running in the background. No dependencies on third-party APIs that might disappear tomorrow. No frameworks that require 500MB of node_modules to display a button.

Your data stays on your device
No "anonymous" usage statistics
Minimal dependencies, fewer risks
Respects CPU, RAM, and battery
Subscription Hell
  • • Payment fails? App stops
  • • Need online activation
  • • Forced updates
  • • Data held hostage
M Media Way
  • • Buy once, own forever
  • • Works offline
  • • Optional updates
  • • You control your data

Simple Licensing. No Games.

We don't believe in dark patterns, forced subscriptions, or holding your data hostage. M Media software products use clear, upfront licensing with no hidden traps.

You buy the software. You run it. You control your systems.

Licenses are designed to work offline, survive reinstalls, and respect long-term use. Updates are optional, not mandatory. Your tools don't suddenly stop working because a payment failed or a server somewhere changed hands.

One-time purchase, lifetime access
No "cloud authentication" breaking your workflow
Upgrade when you want to, not when we force you
Software empowers its owner — not rent itself back