Experimental project

This is a sandbox project, which contains experimental code for developer use only.

Logystera is a log intelligence and security analytics module for Drupal 10 and 11.

It captures 40+ audit signal types from your site — authentication, content changes, file uploads, configuration, cron health, database errors, and more — buffers them locally, and ships them in signed batches to the Logystera platform for threat detection, rule-based alerting, and operational dashboards.

How it works

Signals are captured during normal request processing and written to local JSONL files. A background cron job (or optional auto-dispatch) delivers batches to the Logystera gateway using HMAC-SHA256 signed requests. No data is transmitted until the module is explicitly connected.

The module never blocks page loads — all network I/O happens in the background.

Signal types

Authentication — logins, failed login attempts, logouts, role changes, user blocks
Content — node/media create, update, delete, moderation transitions
Files — uploads with size, type, and path tracking
Configuration — config saves, deletes, imports, exports
System health — cron execution, cache flushes, module install/uninstall, available updates
Errors — PHP warnings, database errors (deadlocks, connection failures, disk full), slow queries
Security — file integrity monitoring, 403 access denied, page visits, API access
Email — delivery success and failure tracking

Every signal type can be individually toggled on or off.

Admin interface

Six admin tabs under Configuration > System > Logystera:

Settings — connect via one-click OAuth or manual credentials, toggle signals, choose dispatch mode
Status — connection state, buffer depth, last dispatch time, backoff status
Events — browse captured signals with type filtering and payload inspection
Ingest Logs — gateway request history with HTTP codes, durations, and errors
Debug — system diagnostics, buffer file listing, PHP and Drupal info
Support — send a support request with optional system diagnostics

Architecture

Local-first — signals are written to JSONL files with 5 MB rotation and 50 MB cap, never lost on network failure
Batch dispatch — configurable batch size (10–500 events per request)
HMAC-SHA256 — every gateway request is cryptographically signed
Exponential backoff — automatic retry with circuit breaker on auth failures
Zero runtime dependencies — no external PHP libraries required beyond Drupal core

Privacy and security

No passwords, cookies, request bodies, or personal content is collected
User IDs are HMAC-hashed before transmission
Database query values are stripped from error messages
File integrity checks use MD5 hashes, not file contents
All data is sanitized locally before transmission
Supports multisite with per-site isolation
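
The signed-batch and hashed-user-ID ideas above, sketched as an added example that is not code from the Logystera module. The function names, the two keys, the event fields and the "timestamp.body" signing layout are all assumptions for illustration; the module's real wire format is not described on this page.

```php
<?php
declare(strict_types=1);

// All names, keys and the "timestamp.body" signing layout are assumptions
// made for this example; they are not Logystera's wire format.

/** Pseudonymize a user ID with a keyed hash so raw IDs never leave the site. */
function pseudonymize_uid(int $uid, string $pseudonymKey): string {
  return hash_hmac('sha256', (string) $uid, $pseudonymKey);
}

/** Build a JSONL batch body and sign it together with a timestamp. */
function sign_batch(array $events, string $signingKey, int $now): array {
  $lines = array_map(
    fn(array $e): string => json_encode($e, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES),
    $events
  );
  $body = implode("\n", $lines);
  // Binding the timestamp into the MAC lets the receiver reject stale replays.
  $signature = hash_hmac('sha256', $now . '.' . $body, $signingKey);
  return ['timestamp' => $now, 'body' => $body, 'signature' => $signature];
}

/** Receiver side: check freshness first, then compare MACs in constant time. */
function verify_batch(array $request, string $signingKey, int $now, int $maxSkew = 300): bool {
  if (abs($now - (int) $request['timestamp']) > $maxSkew) {
    return false;
  }
  $expected = hash_hmac('sha256', $request['timestamp'] . '.' . $request['body'], $signingKey);
  // hash_equals avoids leaking how many leading characters matched.
  return hash_equals($expected, (string) $request['signature']);
}

// Constructed sample data: keys, event names and timestamps are made up.
$signingKey = random_bytes(32);
$pseudonymKey = random_bytes(32);  // separate key, so a leaked signing key cannot link user IDs
$events = [
  ['type' => 'auth.login_failed', 'uid' => pseudonymize_uid(42, $pseudonymKey), 'ts' => 1700000000],
  ['type' => 'file.upload', 'uid' => pseudonymize_uid(7, $pseudonymKey), 'size' => 20480, 'ts' => 1700000005],
];

$request = sign_batch($events, $signingKey, 1700000010);
var_dump(verify_batch($request, $signingKey, 1700000020));   // fresh, untampered batch

$tampered = $request;
$tampered['body'] = str_replace('login_failed', 'login', $tampered['body']);
var_dump(verify_batch($tampered, $signingKey, 1700000020));  // body altered in transit

var_dump(verify_batch($request, $signingKey, 1700009999));   // valid MAC, outside the skew window
```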

External service

This module communicates with the Logystera gateway (https://gateway.logystera.com) to provide monitoring, alerting, and dashboard functionality. No data is transmitted until the site administrator explicitly connects the module. See the Logystera privacy policy for data handling details.

Requirements

  • Drupal 10 or 11
  • PHP 8.1+
  • A Logystera account (free tier available)
