Changelog & Roadmap

The batch ingestion endpoint now auto-detects and normalizes multiple payload formats, improving compatibility with various log collectors and forwarders.

Added

• OTLP Metrics Ingestion — Full OpenTelemetry metrics support with protobuf/JSON, all 5 metric types, exemplar support, TimescaleDB hypertables, ClickHouse support, query API with 7 aggregation intervals and 6 functions, group-by label support, 118+ tests
• Service Dependency Graph — Force-directed graph visualization with health color-coding, click-to-inspect panels, and PNG export
• Audit Log — Tracks 4 event categories (login, config changes, user management, data modifications) with high-performance buffer and CSV export

Changed

• Batch ingestion endpoint accepts flexible payload formats (standard, direct array, wrapped array) with auto-normalization
• UX Restructuring — Sidebar grouped into Observe/Detect/Manage sections, Service Map merged into Traces, Sigma Rules moved to Security, Settings restructured, Command palette updated

Fixed

• OTLP Traces typo using resource_logs instead of resource_spans
• OTLP Authentication for /v1/otlp routes
• JavaScript SDKs updated to v0.6.1 for OTLP compatibility
• Frontend environment loading via $env/dynamic/public
• SDK code examples across dashboard
• Pagination total count with fast approximate estimates
• Admin dashboard timeline gaps (ClickHouse bucket key format)
• Chart locale now respects system language
• Silent API errors now show toasts
• Empty states for services/errors
• Docker auto-database creation

Fixed SMTP configuration to support unauthenticated mail servers. Only SMTP_HOST is now required — SMTP_USER and SMTP_PASS are optional. The sender address is configured via SMTP_FROM.

Added

• Write-Only API Keys — New type field (write/full), safe for browsers and mobile, defaults to write
• Domain/IP Allowlist — Up to 50 allowed origins per key with wildcard subdomain support and Origin header validation

Security

• fast-xml-parser bumped to >=5.3.6 for entity expansion DoS fix
• Read endpoints reject write-only API keys with 403
• Origin allowlist validation with wildcard subdomain parsing

Breaking Changes

• API key default type changed to write — existing keys migrated automatically, server-side queries need full type
• Database migration 024_api_key_scopes.sql required

Added

• ClickHouse Storage Engine — Full support as TimescaleDB alternative via @logtide/reservoir abstraction layer with PREWHERE, async_insert, and ngrambf_v1 indexes
• Full Log Query Migration — All query operations (alerts, dashboard, admin, retention, ingestion, correlation) migrated to the Reservoir abstraction

Performance

• Removed COUNT(*) full scans in admin queries, switched to continuous aggregates
• ClickHouse DateTime64(3) millisecond precision with hasToken() fallback
• TimescaleDB removed redundant indexes, added UNNEST batch inserts

Added

• Host Security Detection Packs — 3 packs (Antivirus & Malware, Rootkit Detection, File Integrity Monitoring) with 15 rules total, MITRE ATT&CK mapped
• PII Masking at Ingestion — Content patterns (email, credit card, phone, SSN, IPv4, API keys), field name masking, custom rules, three strategies (mask, redact, hash with per-org salt), Settings UI with live test panel
• Keyboard Shortcuts — Command Palette (Ctrl/Cmd+K), Help Modal (?), sequence navigation (G+D/S/A/P/T/E/R/X), search shortcuts, first-time toast
• Admin Dashboard Revision — Health status cards, 24h activity timeline, 8 stat cards, System Health page with database/pool/Redis diagnostics
• Rate-of-Change Alerts — 4 baseline methods (same_time_yesterday, same_day_last_week, rolling_7d_avg, percentile_p95), anti-spam, frontend baseline picker
• Timeline Event Markers — Alerts and security detections shown on log timeline chart
• Version Update Notifications — GitHub release checking with 6-hour cache and release channel setting

Fixed

• Sigma API missing tags and MITRE fields
• Badge components stretching in containers
• Client errors (4xx) returning 500 instead of correct status
• Log Context metadata expanding dialog infinitely
• Email logo not rendering in Outlook/Gmail
• Continuous Aggregates showing “Refresh: unknown”
• Charts not resizing on sidebar toggle (switched to ResizeObserver)

Added

• Detection Pack Category Routing directing results to correct UI sections

Fixed

• Exception Detection for metadata.error structure
• Exception Details Dialog showing [object Object]
• Onboarding race condition with concurrent requests
• Internal org missing members assignment
• Unwanted email/webhook notifications dispatch
• Email logo not rendering with hosted SVG URLs
• Ingestion JSON parse errors returning proper 400 status

Fixed

• Detection Category Filter Validation Error with schema correction
• Admin Dashboard timeout fixed with continuous aggregates

Performance

• Admin stats endpoints optimized from 31s to ~1s
• Error Group Logs timeout fixed with time bounds

Added

• Hostname Filter for Syslog Sources with automatic extraction and filtering

Fixed

• Log Retention on Compressed Chunks with proper decompression handling
• Fluent Bit Kubernetes metadata extraction improvements

Performance

• log_identifiers table optimized as TimescaleDB hypertable
• Continuous aggregates for spans and detection events
• Hybrid query architecture using aggregates for historical data
• Admin monitoring endpoints for compression and aggregate stats

Security

• Fastify security vulnerabilities fixed in upgrade to 5.7.3+

Fixed

• API batch request limit with automatic batch splitting
• Unicode escape sequences sanitization
• POST requests without body compatibility
• Log retention cleanup for compressed chunks
• Fluent Bit Kubernetes metadata extraction

Added

• Notification Channels — Configurable email and webhook destinations with channel testing before saving

Changed

• UI space optimization reducing margins and padding across the dashboard

Fixed

• Invitation email resend functionality
• Unwanted notifications when channels unconfigured

Added

• Terminal Log View — ANSI-style color coding for a familiar terminal experience
• Detection Packs — Pre-configured Sigma rule bundles for common scenarios (startup, auth, database health)
• Event Correlation — Click any request ID, trace ID, or user ID to see all related logs
• Alert Preview — “Would Have Fired” simulation to test rules before enabling
• Optional Redis — PostgreSQL-based alternatives with adapter pattern queue system

Fixed

• Log Context modal reopening after close
• Exception details from metadata display
• WebSocket memory leak in live tail handler
• SQL injection prevention in notification publisher

Added

• Clipboard utility with centralized copy function
• Config validation test coverage

Fixed

• Documentation corrections for API configuration
• Docker Compose configuration information

Added

• Exception parsers for multi-language stack trace parsing

Changed

• Dependencies updated including @sveltejs/kit

Fixed

• OTLP endpoint URLs in documentation

Added

• Substring Search — Full-text search with PostgreSQL trigram index
• Clickable Dashboard Elements — Interactive navigation from charts and widgets
• Enhanced Exception Visualization — Improved stack trace display
• Customizable Log Retention — Configurable retention policies per project
• Full-Page Export — Export all matching logs across pages
• Custom Time Range Picker — Improved date/time selection UI

Breaking Changes

• Environment variables renamed (LOGWARD → LOGTIDE)
• Fluent Bit configuration variables renamed
• Database defaults changed
• Docker container and service names changed
• SMTP default sender changed

Fixed

• Mobile navigation menu hamburger functionality
• Services dropdown showing all services
• Journald log format detection
• Syslog level mapping improvements
• OTLP protobuf parsing with proper binary support

Fixed

• SvelteKit 2 compatibility with new store patterns
• Traces page navigation fixing 404 links
• Registration error network handling

Added

• LDAP Authentication — Enterprise directory integration
• OpenID Connect (OIDC) — SSO with any OIDC-compliant provider
• Initial Admin via Environment Variables — Bootstrap admin user at first startup
• Disable Sign-ups — Control user registration for private instances
• Auth-free Mode — No authentication required, ideal for home labs and local development
• ARM64 / Raspberry Pi Support — Docker images for ARM architecture

Changed

• Fluent Bit default version pinned to 4.2.2

Updated security policy with current supported versions.

Added

• SIEM Dashboard — Real-time security dashboard with dedicated widgets
• C# / .NET SDK — Full .NET application support
• IP Reputation & GeoIP Enrichment — Automatic IP context enrichment for security analysis
• Organization Invitations — Invite users to join your organization
• Horizontal Scaling Documentation — Traefik-based setup guide

Fixed

• PDF export functionality in incident detail

Added

• Syslog integration documentation with device-specific guides
• Go SDK documentation at /docs/sdks/go
• Documentation restructure with new Integrations section

Changed

• Docker Compose improved container orchestration
• Onboarding flow skip behavior refinement
• Runtime configuration for PUBLIC_API_URL

Fixed

• Sign Up Free link pointing to correct route
• Skip tutorial redirect loop
• API URL in code examples

Added

• Docker image publishing with GitHub Actions CI/CD pipeline
• Self-hosting documentation with deployment guides

Changed

• docker-compose.yml now uses pre-built images by default

Added

• Onboarding Tutorial — Multi-step wizard guiding new users through setup
• Empty State Components — Helpful guidance when dashboards have no data yet
• User Onboarding Checklist — Progress tracking for initial setup steps
• UI enhancements with help components

Fixed

• Organization context handling improvements
• Error states and loading indicators

Added

• Redis Caching Layer — Type-safe cache keys with automatic invalidation
• Landing page public index

Changed

• Database optimization with composite indexes

Performance

• Session validation 30x faster with caching
• API key verification 20x faster
• Query results 10x faster
• Aggregations 50x faster

Fixed

• Admin panel double sidebar issue
• Admin routes navigation path corrections

Added

• OpenTelemetry Support — OTLP ingestion endpoints for traces and logs
• Distributed Tracing — Full CRUD operations with waterfall visualization
• Testing Infrastructure — 563+ tests covering all major features

Changed

• OTLP ingestion performance optimization
• Span selection UX with keyboard navigation

Fixed

• Frontend UX issues in OTLP data display
• trace_id handling flexibility for various formats

Added

• Multi-organization architecture — Isolated workspaces for teams and projects
• High-performance batch log ingestion — Optimized for high throughput
• Real-time log streaming — Server-Sent Events for live tail
• Advanced search and filtering — Query logs with complex filters
• TimescaleDB storage — Automatic compression and retention policies
• Dashboard with statistics — Overview of log volume, errors, and trends
• Alert system — Rules with email and webhook notifications
• Sigma detection engine — Industry-standard threat detection rules
• Official SDKs — Node.js, Python, PHP, and Kotlin
• Docker Compose deployment — Single-command setup