Recipe: Tail Log Files
Use file_tail input for app logs, container logs, and node-local stdout/stderr files.
Use file_tail input when events are written to a local file as NDJSON.
Tail an application log
blazerules_agent \
  --rules rules.yaml \
  --input file_tail \
  --path /var/log/app/events.ndjson \
  --batch-size 2048 \
  --flush-ms 250 \
  --output ndjson \
  --output-path /var/log/blazerules/decisions.ndjson \
  --service checkout \
  --source file_tail

Python equivalent: start the same tailing agent
import subprocess

subprocess.Popen([
    "blazerules_agent",
    "--rules", "rules.yaml",
    "--input", "file_tail",
    "--path", "/var/log/app/events.ndjson",
    "--batch-size", "2048",
    "--flush-ms", "250",
    "--output", "ndjson",
    "--output-path", "/var/log/blazerules/decisions.ndjson",
    "--service", "checkout",
    "--source", "file_tail",
])

The agent starts at the end of the file and evaluates new lines as they arrive.
Input Example
{"event_id":"e1","level":"info","service":"checkout","message":"payment started","amount":30}
{"event_id":"e2","level":"error","service":"checkout","message":"payment failed","amount":900}

Rules can target any fields in the line:
ruleset:
  rules:
    - id: checkout_error
      action: REVIEW
      conditions:
        and:
          - field: level
            op: eq
            value: error
          - field: message
            op: contains
            value: payment

Rotation Behavior
file_tail is intentionally simple: it follows appended lines on one path. If your log system rotates files aggressively, point the agent at the stable symlink or use Kubernetes/container log paths that remain stable for the container lifetime.
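A rotation that replaces or truncates the tailed path can leave a gap in rule evaluation that nothing reports. The following is an added example, not part of blazerules: a small watchdog that polls the input path and classifies what happened to it between polls. The names `snapshot`, `classify` and `watch` are hypothetical, and it assumes POSIX device/inode semantics.

```python
import os
import time
from typing import NamedTuple, Optional


class Snapshot(NamedTuple):
    dev: int
    ino: int
    size: int


def snapshot(path: str) -> Optional[Snapshot]:
    """Stat the path (following symlinks); None if it does not exist right now."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return Snapshot(st.st_dev, st.st_ino, st.st_size)


def classify(prev: Optional[Snapshot], cur: Optional[Snapshot]) -> str:
    """Compare two snapshots of the same path taken at different times."""
    if cur is None:
        return "missing"      # renamed away and not yet recreated
    if prev is None:
        return "created"
    if (prev.dev, prev.ino) != (cur.dev, cur.ino):
        return "rotated"      # the path (or symlink target) is now a different file
    if cur.size < prev.size:
        return "truncated"    # copytruncate-style rotation
    return "appended" if cur.size > prev.size else "unchanged"


def watch(path: str, interval: float = 5.0):
    """Yield (state, snapshot) once per interval for the given path."""
    prev = snapshot(path)
    while True:
        time.sleep(interval)
        cur = snapshot(path)
        yield classify(prev, cur), cur
        prev = cur


if __name__ == "__main__":
    # Path taken from the recipe above; the alert text is illustrative.
    for state, _ in watch("/var/log/app/events.ndjson"):
        if state in ("rotated", "truncated", "missing"):
            print(f"file_tail input path {state}; check agent coverage")
```

Because `os.stat` follows symlinks, retargeting a stable symlink to a new file is also reported as `rotated`.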