From cortex
Deploy rsyslog forwarding drop-ins to configured fleet hosts over SSH. Use when configuring fleet forwarding, repairing missing rsyslog forwarding, or updating forwarding after server_url or syslog port changes.
Slash command: /cortex:cortex-deploy-dropins
Install or update `/etc/rsyslog.d/99-cortex.conf` on each configured fleet host.
Verify before changing hosts:
fleet_hosts work without prompting.
Skip devices that cannot be configured through SSH and rsyslog, such as UniFi, Mikrotik, ISP routers, or hosts running syslog-ng or other non-rsyslog forwarders. Point the user to docs/SETUP.md for those.
Parse the host portion from $CLAUDE_PLUGIN_OPTION_SERVER_URL. If it is localhost or 127.0.0.1, stop and ask for a routable hostname or IP because fleet hosts cannot forward to localhost.
Call the resolved value FORWARD_TARGET.
Resolve the externally reachable port as:
FORWARD_PORT="${CLAUDE_PLUGIN_OPTION_SYSLOG_HOST_PORT:-${CLAUDE_PLUGIN_OPTION_SYSLOG_PORT:-1514}}"
Use CLAUDE_PLUGIN_OPTION_SYSLOG_HOST_PORT when Docker publishes a host port that differs from the container's internal syslog port. The endpoint is FORWARD_TARGET:FORWARD_PORT.
Write this file on each host, using the resolved target and port:
# Avoid feeding cortex/rsyslog internal logs back into cortex.
if ($programname == "syslog" or $programname == "rsyslogd") then stop
*.* @@<FORWARD_TARGET>:<FORWARD_PORT>
Use @@ for TCP. Use single @ only when a host cannot send TCP.
For each host in $CLAUDE_PLUGIN_OPTION_FLEET_HOSTS (split comma-separated or newline-rendered values and ignore blanks):
Test SSH:
ssh -o BatchMode=yes -o ConnectTimeout=5 <host> true
On SSH failure: skip this host, mark it as FAILED (SSH unreachable) in the report, and continue to the next host.
Build and write the drop-in. Do not run an example that contains literal FORWARD_TARGET or CORTEX_RECEIVER_PORT placeholders:
target_line="*.* @@${FORWARD_TARGET}:${FORWARD_PORT}"
dropin_content="$(printf '%s\n' \
'# Avoid feeding cortex/rsyslog internal logs back into cortex.' \
'if ($programname == "syslog" or $programname == "rsyslogd") then stop' \
"$target_line")"
printf '%s\n' "$dropin_content" | ssh <host> "sudo tee /etc/rsyslog.d/99-cortex.conf >/dev/null"
Restart rsyslog:
ssh <host> "sudo systemctl restart rsyslog"
Verify rsyslog:
ssh <host> "systemctl is-active rsyslog"
Print a table:
| Host | Drop-in Deployed | rsyslog Restarted | Status |
|---|---|---|---|
| host | yes/no | yes/no | active/failed |
Tell the user to run cortex-dr after a few seconds to confirm log flow, or bash scripts/smoke-test.sh for full validation.
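The steps above place the server URL host, the syslog port options and each fleet host name into an ssh command line and a config file written with sudo. As an added example (not part of the cortex plugin), this sketch validates those values before they are used; the function names and sample values are assumptions, and only hostnames and IPv4 addresses are accepted as forward targets.

```shell
# Added example: function names are hypothetical, sample values are constructed.
LC_ALL=C; export LC_ALL

# Host part of the server URL; refuses loopback and anything that is not a
# plain hostname or IPv4 address (IPv6 literals are out of scope here).
resolve_forward_target() {
    host=${1#*://}; host=${host%%/*}; host=${host##*@}; host=${host%%:*}
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    case $host in
        ''|localhost|127.0.0.1) return 1 ;;  # fleet hosts cannot forward to loopback
        -*|.*|*[!a-z0-9.-]*)    return 1 ;;  # would corrupt the rsyslog action line
    esac
    printf '%s\n' "$host"
}

# HOST_PORT overrides PORT, default 1514; must be an integer in 1..65535.
resolve_forward_port() {
    port=${CLAUDE_PLUGIN_OPTION_SYSLOG_HOST_PORT:-${CLAUDE_PLUGIN_OPTION_SYSLOG_PORT:-1514}}
    case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# One fleet host per line from a comma- or newline-separated list. Blanks are
# ignored; entries ssh could parse as an option (leading "-") are rejected.
valid_fleet_hosts() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d '\r' | while read -r h; do
        case $h in
            '') ;;
            -*|*[!A-Za-z0-9._@-]*) printf 'rejected fleet host: %s\n' "$h" >&2 ;;
            *) printf '%s\n' "$h" ;;
        esac
    done
}

# The drop-in from the page, built only from validated values.
render_dropin() {
    printf '%s\n' \
        '# Avoid feeding cortex/rsyslog internal logs back into cortex.' \
        'if ($programname == "syslog" or $programname == "rsyslogd") then stop' \
        "*.* @@$1:$2"
}

# Demo with constructed values; prints the drop-in and the accepted hosts.
if target=$(resolve_forward_target 'http://logs.example.internal:3100/mcp') &&
   port=$(resolve_forward_port); then
    render_dropin "$target" "$port"
fi
valid_fleet_hosts 'nas01, -oBatchMode=no,,admin@web02'
```

Running `rsyslogd -N1` on a host after writing the file and before the restart checks that the configuration parses.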
npx claudepluginhub jmagar/claude-homelab --plugin syslog-mcp