forensic-log

High-performance MCP server for log analysis. Give Claude the ability to analyze massive log files with SIMD-accelerated parsing. 5-50x faster than awk for aggregations.

Installation
Run this command in your terminal to add the MCP server to Claude Code:

claude mcp add --transport stdio tlinvest-forensic-log-mcp docker run -i forensic-log-mcp

How to use

Forensic Log MCP Server is a high-performance MCP server written in Rust designed to analyze massive log files (Apache, Nginx, Syslog, JSON Lines, CSV/TSV) using SIMD-accelerated parsers and Polars-powered query execution. It exposes tools that Claude can invoke through MCP to discover log schemas, filter, aggregate, and search within large datasets without loading everything into memory. The server supports streaming and lazy evaluation, enabling efficient processing of multi-GB files. Typical workflows involve discovering the log structure with get_log_schema, filtering and aggregating with analyze_logs and aggregate_logs, and performing exact or pattern-based searches with search_pattern. The time_analysis tool allows bucketing results over time for trends and anomaly detection. In Claude, you would configure the server as an MCP source and issue tool commands through natural language prompts, such as filtering to 5xx responses or grouping by IP, to obtain fast, aggregated insights on massive logs.

How to install

Prerequisites

  • Docker (recommended for ease) or build dependencies for Rust if you prefer a native binary
  • Optional: Claude Code or another MCP-compatible client

Installation steps (Docker)

  1. Pull or build the MCP image for forensic-log-mcp (replace the image name if you build locally):
     docker pull forensic-log-mcp:latest

  2. Run the MCP server. The claude mcp add command above uses the stdio transport and needs no published port; map a port only if you connect Claude to the server over the network:
     docker run -it --rm -p 8080:8080 forensic-log-mcp:latest

Alternative: Build from source (Rust)

  1. Prerequisites: Rust 1.75+ and Cargo, Git
  2. Clone the repository and enter it:
     git clone https://github.com/TLinvest/forensic-log-mcp.git
     cd forensic-log-mcp
  3. Build the MCP server in release mode: cargo build --release
  4. Run the binary directly (adjust paths as needed): ./target/release/forensic-log-mcp

Configuration (for Claude integration)

  • Create or update your Claude MCP configuration to include the forensic-log-mcp server, following the mcp.json example provided by Claude.
  • Ensure the server is reachable from Claude (network access, firewall rules, and any required credentials).

Additional notes

Notes and tips:

  • The server supports multiple log formats (Apache/Nginx, Syslog, JSON Lines, CSV/TSV) with SIMD-accelerated parsing for fast queries.
  • If you run locally, ensure large file streaming is enabled and that the input paths are accessible to the running process.
  • When tuning performance, consider: enabling lazy field extraction, predicate pushdown, and adjusting chunk sizes for file processing (the underlying engine uses parallel chunk processing).
  • If you encounter issues with large datasets, verify that your environment provides sufficient memory and that the Polars-based engine has access to the data in a memory-mappable form.
  • The MCP server is designed to work with Claude’s MCP protocol; if Claude reports missing tools, ensure the runtime exposes get_log_schema, analyze_logs, aggregate_logs, search_pattern, and time_analysis as available tools.
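The last note is easy to verify directly. The script below is an added example, not code from the forensic-log-mcp project: it spawns the server over stdio with the same docker command the installation step uses, completes the MCP handshake with the official Python mcp SDK (assumed installed, together with a working docker), and reports which of the five documented tools are missing or which undocumented tools the server advertises.

```python
"""Check that a forensic-log MCP server exposes the tools Claude expects.

Added example, not part of the forensic-log-mcp project. It launches the
server with the same `docker run -i forensic-log-mcp` command used by the
`claude mcp add --transport stdio ...` step and compares the advertised
tool names against the five tools documented for this server.
"""
import asyncio

# The five tools the documentation names; Claude's prompts route to these.
EXPECTED_TOOLS = frozenset(
    {"get_log_schema", "analyze_logs", "aggregate_logs", "search_pattern", "time_analysis"}
)

# Same launch command as the installation step (assumed image name from the page).
SERVER_COMMAND = "docker"
SERVER_ARGS = ["run", "-i", "forensic-log-mcp"]


def missing_tools(advertised):
    """Documented tools the server did not advertise; an empty set means all present."""
    return EXPECTED_TOOLS - set(advertised)


def unexpected_tools(advertised):
    """Advertised tools the documentation does not mention; review these before relying on them."""
    return set(advertised) - EXPECTED_TOOLS


async def list_server_tools(command=SERVER_COMMAND, args=SERVER_ARGS):
    """Spawn the server over stdio, run the MCP initialize handshake, return its tool names."""
    # Imported here so the pure checks above work even without the `mcp` package installed.
    from mcp import ClientSession, StdioServerParameters
    from mcp.client.stdio import stdio_client

    params = StdioServerParameters(command=command, args=args)
    async with stdio_client(params) as (read_stream, write_stream):
        async with ClientSession(read_stream, write_stream) as session:
            await session.initialize()
            result = await session.list_tools()
            return [tool.name for tool in result.tools]


def check_server(command=SERVER_COMMAND, args=SERVER_ARGS):
    """Return (missing, unexpected) tool-name sets for a live server."""
    advertised = asyncio.run(list_server_tools(command, args))
    return missing_tools(advertised), unexpected_tools(advertised)


if __name__ == "__main__":
    missing, extra = check_server()
    print("missing tools:", ", ".join(sorted(missing)) or "none")
    print("undocumented tools:", ", ".join(sorted(extra)) or "none")
```

If the docker image is not on the PATH of the user running Claude, the stdio spawn fails before the handshake, which is the same failure Claude reports as missing tools.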
