https://sindro.me/tags/observability/ Recent content in Observability on Marcello Barnaba Hugo en-us Wed, 08 Apr 2026 00:00:00 +0000 https://sindro.me/posts/2026-04-08-backfilling-two-years-of-logs/ Wed, 08 Apr 2026 00:00:00 +0000 https://sindro.me/posts/2026-04-08-backfilling-two-years-of-logs/ <p><img src="https://sindro.me/posts/2026-04-08-backfilling-two-years-of-logs/cover.jpg" alt="BSD daemon with telemetry flowing through an enrichment pipeline into VictoriaLogs"></p> <p>I have a FreeBSD server called m42 that&rsquo;s been running for years. It handles email (Postfix + Dovecot + Rspamd), web (nginx with a dozen vhosts), firewall (pf), and all the usual suspects. It generates thousands of log entries per day across four distinct formats: BSD syslog, fail2ban, pf packet filter, and nginx access/error logs.</p> <p>I even wrote <a href="https://sindro.me/posts/2023-08-17-pfasciilogd-link-pf-and-fail2ban/">pfasciilogd</a> back in 2023 to convert pf&rsquo;s binary logs into ASCII text so fail2ban could parse them — a foundational piece that now feeds structured firewall telemetry into the whole pipeline.</p> <p>I also have two years of monthly backups sitting in <a href="https://restic.net/" target="_blank">restic</a> snapshots. That&rsquo;s roughly 25 million log lines, just&hellip; sitting there. A goldmine of security telemetry, traffic patterns, and attack data — completely unindexed and unsearchable.</p> <p>I built a full observability stack on a Raspberry Pi 5 at home — <a href="https://docs.victoriametrics.com/victorialogs/" target="_blank">VictoriaLogs</a> for storage, <a href="https://www.influxdata.com/time-series-platform/telegraf/" target="_blank">Telegraf</a> for processing, <a href="https://grafana.com/" target="_blank">Grafana</a> for visualization — and then I backfilled every single one of those 25 million entries through the exact same pipeline that processes live data. With full enrichment: GeoIP geolocation, ASN identification, and reverse DNS resolution for every IP address.</p> <p>This is enterprise-grade log management. Running on a $80 single-board computer. In my living room.</p> <h2 id="why-backfills-are-hard-and-usually-skipped">Why backfills are hard (and usually skipped)</h2> <p>Let&rsquo;s be honest: nobody does backfills. They&rsquo;re the broccoli of operations work. You know you should, but the effort-to-reward ratio feels terrible.</p> <p>The problem is that a backfill isn&rsquo;t just &ldquo;load old data.&rdquo; Your pipeline has evolved. The parsing rules you wrote six months ago don&rsquo;t match today&rsquo;s processors. The enrichment you added last week doesn&rsquo;t exist in your old backfill scripts. You end up with two classes of data: rich live entries and impoverished historical ones.</p>