
Releases: PhilipLykov/LogPulseAI

v0.9.0-beta

03 Mar 08:18

v0.9.0-beta Pre-release

What's New in v0.9.0-beta

Per-Source Parse Profile System

Log sources can now select a parse profile that controls multiline behavior, field extraction, and severity normalization deterministically. Profiles are available for 19 source types across 7 categories:

Category   | Profiles
Database   | PostgreSQL, MySQL / MariaDB
Web Server | Apache Access, Apache Error, nginx Access, nginx Error, HAProxy
Network    | Cisco IOS / IOS-XE, MikroTik RouterOS, HP ProCurve / Aruba
System     | Debian / systemd, Docker / Container Apps, Proxmox VE, Cron
Security   | OpenSSH (sshd), iptables / nftables
Messaging  | Asterisk PBX, Postfix MTA
General    | Common (safe generic)

Each profile includes:

  • Multiline mode — none (no backend joining), indent_only (conservative stack-trace joining), or timestamp_head (custom start pattern)
  • Field extraction — Named regex captures stored in event.raw for filtering/search
  • Severity overrides — Source-specific severity normalization
  • UI transparency — "Under the hood" and "What changes in result" descriptions so operators can predict behavior before saving

Auto Timezone Detection

For non-Elasticsearch systems, a new Auto-detect timezone button compares timestamp vs received_at drift across recent events (minimum 20 events over 3+ hours) and proposes offset + IANA timezone settings with confidence stats.
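The drift check described above, written out as an added example (this is not LogPulseAI's own code). It treats each event as a (timestamp, received_at) pair in UTC, enforces the stated gates of at least 20 events spanning 3 or more hours, takes the median drift, and reports the share of events that agree with it as the confidence figure. Rounding the proposal to 15-minute steps, the 5-minute agreement tolerance, the function names and the constructed sample are all assumptions; mapping the resulting offset to an IANA zone name is left out.

```typescript
// Added example, not LogPulseAI's own code. Drift-based timezone proposal over
// (timestamp, received_at) pairs. Thresholds beyond the stated ones (15-minute
// rounding, 5-minute tolerance) and the sample events are assumptions.

interface DriftEvent { timestampMs: number; receivedAtMs: number }  // both epoch ms, UTC

interface DriftResult {
  ok: boolean;
  reason?: string;
  offsetMinutes?: number;   // proposed source UTC offset, e.g. 120 for UTC+02:00
  confidence?: number;      // share of events whose drift agrees with the median
  sampled?: number;
  spanHours?: number;
}

const MIN_EVENTS = 20;          // stated in the release notes
const MIN_SPAN_HOURS = 3;       // stated in the release notes
const ROUND_TO_MINUTES = 15;    // assumption: real zone offsets are multiples of 15 min
const TOLERANCE_MINUTES = 5;    // assumption: ingest latency / clock-skew budget

function median(values: number[]): number {
  const s = values.slice().sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 === 1 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function proposeTimezoneOffset(events: DriftEvent[]): DriftResult {
  if (events.length < MIN_EVENTS) {
    return { ok: false, reason: `need at least ${MIN_EVENTS} events, have ${events.length}` };
  }
  const received = events.map((e) => e.receivedAtMs);
  const spanHours = (Math.max(...received) - Math.min(...received)) / 3600000;
  if (spanHours < MIN_SPAN_HOURS) {
    return { ok: false, reason: `events span ${spanHours.toFixed(2)} h, need ${MIN_SPAN_HOURS}` };
  }
  // A source that stamps local time which was parsed as UTC runs ahead of
  // received_at by its UTC offset (a UTC+2 source drifts by about +120 min).
  const drifts = events.map((e) => (e.timestampMs - e.receivedAtMs) / 60000);
  const med = median(drifts);
  const agreeing = drifts.filter((d) => Math.abs(d - med) <= TOLERANCE_MINUTES).length;
  const offsetMinutes = Math.round(med / ROUND_TO_MINUTES) * ROUND_TO_MINUTES;
  return { ok: true, offsetMinutes, confidence: agreeing / events.length, sampled: events.length, spanHours };
}

// Render an offset in minutes as "+02:00" / "-03:30".
function formatOffset(minutes: number): string {
  const sign = minutes < 0 ? "-" : "+";
  const abs = Math.abs(minutes);
  const hh = ("0" + Math.floor(abs / 60)).slice(-2);
  const mm = ("0" + (abs % 60)).slice(-2);
  return `${sign}${hh}:${mm}`;
}

// Constructed sample: 25 events over 4 h, 20 of them stamped in local UTC+2
// time (so they sit ~120 min ahead of received_at), 5 outliers already in
// UTC, plus 0-3 s of ingest latency on received_at.
function constructedSample(): DriftEvent[] {
  const base = Date.UTC(2026, 2, 1, 9, 0, 0);
  const out: DriftEvent[] = [];
  for (let i = 0; i < 25; i++) {
    const logged = base + i * 600000;
    const localOffsetMin = i < 20 ? 120 : 0;
    out.push({ timestampMs: logged + localOffsetMin * 60000, receivedAtMs: logged + (i % 4) * 1000 });
  }
  return out;
}

const proposal = proposeTimezoneOffset(constructedSample());
console.log(proposal.ok ? `propose UTC${formatOffset(proposal.offsetMinutes ?? 0)} (confidence ${proposal.confidence})` : proposal.reason);
```

A confidence well below 1.0 is the signal an operator wants before accepting the proposal: here the five UTC-stamped outliers pull it down to 0.8, which is exactly the kind of mixed-source situation where a blanket offset would mis-time part of the stream.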

Platform Hardening

  • Multiline engine tightened — Generic fragment heuristics reduced to indentation + stack traces only; profile-aware multiline runs before generic logic
  • Selector validation hardened — Deep validation of regex patterns, group/rule limits, and compilation checks on source create/update
  • Connector dedup consistency — Pull connector runner uses ON CONFLICT ... IGNORE to prevent duplicate-insert failure loops
  • Download auth fixed — Backup download now uses session-token-compatible auth headers
  • Source list race condition — Request versioning prevents stale async overwrites when switching systems quickly
  • Permission UX consistency — Manage actions hidden for view-only users to avoid 403 dead-ends
  • Source ordering stability — Priority-sorted list maintained after create/update

Previous Unreleased Changes (since v0.8.10-beta)

  • MITRE ATT&CK Mapping & Confidence Scores — LLM findings now carry optional confidence (0-1) and MITRE technique IDs with UI badges
  • Scheduled Reports — Recurring summary/CSV/JSON reports via existing notification channels with cron scheduling
  • New Connectors — VictoriaLogs, RabbitMQ, Kafka REST Proxy pull connector types
  • Async Recalculation Queue — Coalescing effective score recalc prevents DB contention
  • Hot-Path Database Indexes — Optimized indexes for dashboard/pipeline hot paths
  • Secure Bootstrap Credentials — Admin password + API keys written to bootstrap-secrets.txt (mode 0600) instead of stdout
  • Search Scalability Safeguards — Min query length, auto lookback, request cancellation
  • UI Consistency — Custom ConfirmDialog, centralized date formatting, hasPermission extraction
  • 30+ bug fixes — See CHANGELOG.md for the full list

Full changelog: CHANGELOG.md
Installation guide: INSTALL.md

v0.8.10-beta

27 Feb 10:06

v0.8.10-beta Pre-release

What's New in v0.8.10-beta

This release adds universal multiline log merging — a two-layer defense that reassembles fragmented Docker container logs and other multi-line messages into complete events.

New: Application-Level Multiline Merging

  • Fluent Bit Multiline Parser — New docker_app_multiline parser detects new log entries by their prefix (bracketed tags like [INFO], uppercase levels, timestamps, JSON objects) and merges everything else as continuation lines. Prevents applications that format arrays, objects, or stack traces across multiple lines from producing fragmented events.
  • Universal Backend Fragment Detection — Expanded isFragment() heuristic in the backend's multiline reassembly module with new patterns:
    • Quoted data-structure elements ('paxcounter' ], "enabled": true,)
    • Quoted key-value pairs ("key": value)
    • Short lines ending with trailing commas
    • List/diff/separator prefixes (# - + ~ | *)
    • Works for ALL log sources (syslog, Docker, OTLP), not just Docker
  • Defense-in-Depth — Fluent Bit catches most cases at the collector layer; the backend catches anything that slips through (cross-batch splits, non-Docker sources, whitespace-stripped fragments)
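An added example, not LogPulseAI's own code, of the backend half of this two-layer design; it also covers the per-source multiline modes (none, indent_only, timestamp_head) listed in the v0.9.0-beta notes, with the profile rule deciding first and the generic fragment heuristic running only as a fallback. The regexes in isFragment(), the 40-character "short line" limit, the genericFallback flag, and the sample lines are assumptions constructed for this demo.

```typescript
// Added example, not LogPulseAI's own code. Two-stage multiline reassembly:
// the per-source profile mode decides first, and a generic fragment
// heuristic (in the spirit of the backend's isFragment()) only fills gaps.
// Pattern details, thresholds, the genericFallback flag and the sample
// lines are assumptions constructed for this demo.

type MultilineMode = "none" | "indent_only" | "timestamp_head";

interface ParseProfile {
  mode: MultilineMode;
  headPattern?: RegExp;      // timestamp_head only: a matching line starts a new event
  genericFallback: boolean;  // assumed flag: run the generic heuristic after the profile rule
}

// Indented lines and "at ...(...)" frames: what indent_only joins, and the
// only thing the tightened generic heuristic keeps from its older rule set.
function isIndentedOrStackFrame(line: string): boolean {
  return /^\s+\S/.test(line) || /^\s*at\s+\S+\(.*\)\s*$/.test(line);
}

// Generic continuation heuristic. Conservative on purpose: anything it does
// not recognise is treated as the start of a new event.
function isFragment(line: string): boolean {
  const t = line.trim();
  if (t.length === 0) return false;
  if (isIndentedOrStackFrame(line)) return true;
  if (/^['"][^'"]*['"]\s*[\]},]/.test(t)) return true;   // quoted element:  'paxcounter' ],
  if (/^"[^"]+"\s*:\s*\S+$/.test(t)) return true;         // quoted key/value: "enabled": true,
  if (t.length <= 40 && t.endsWith(",")) return true;     // short line ending with a trailing comma
  if (/^[#\-+~|*]\s/.test(t)) return true;                // list / diff / separator prefix
  if (/^[\]}]+,?$/.test(t)) return true;                  // closing bracket of a pretty-printed block
  return false;
}

function isContinuation(line: string, profile: ParseProfile, haveOpenEvent: boolean): boolean {
  if (!haveOpenEvent || profile.mode === "none") return false;   // "none": no backend joining at all
  let joined = false;
  if (profile.mode === "timestamp_head" && profile.headPattern) {
    joined = !profile.headPattern.test(line);
  } else if (profile.mode === "indent_only") {
    joined = isIndentedOrStackFrame(line);
  }
  return joined || (profile.genericFallback && isFragment(line));
}

// Fold a batch of raw lines into events according to the profile.
function reassemble(lines: string[], profile: ParseProfile): string[] {
  const events: string[] = [];
  for (const line of lines) {
    if (isContinuation(line, profile, events.length > 0)) {
      events[events.length - 1] += "\n" + line;
    } else {
      events.push(line);
    }
  }
  return events;
}

// Constructed sample: a pretty-printed config block and a Python traceback
// split across lines, as a container app would emit them.
const SAMPLE_LINES: string[] = [
  "2026-03-01T10:00:00Z app[1] starting",
  "2026-03-01T10:00:01Z app[1] config = {",
  '  "enabled": true,',
  "  'paxcounter' ],",
  "}",
  "2026-03-01T10:00:02Z app[1] Unhandled error",
  '  File "main.py", line 1, in <module>',
  "    raise ValueError('boom')",
  "2026-03-01T10:00:03Z app[1] done",
];

const ISO_HEAD = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z /;
console.log(reassemble(SAMPLE_LINES, { mode: "timestamp_head", headPattern: ISO_HEAD, genericFallback: false }).length, "events");
```

The interesting line is the bare "}": indent_only alone turns it into its own one-character event, while timestamp_head or the generic fallback attach it to the config block. That is the gap the "defense-in-depth" item describes, and it is why the generic stage is worth keeping even with a profile selected.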

Discovery Improvements

  • Suggestion Suppression — The auto-discovery engine now skips groups already covered by specific (non-catch-all) log sources. Stale suggestions and buffer entries are automatically cleaned up.
  • Card-Based UI Redesign — Discovered sources panel uses a cleaner card layout with editable names, event count badges, metadata tags, and organized action buttons.
  • Standardized Date Format — All dates in the discovery panel now use DD-MM-YYYY HH:MM:SS format.

Bug Fixes

  • Ack All Events/Findings Not Refreshing — Both bulk acknowledgment buttons now refresh criterion groups, meta-analysis summary, findings list, and parent system scores after completion, matching per-group ack behavior.
  • Discovery Suggesting Covered Sources — The grouping engine no longer creates suggestions for hosts/IPs already matched by existing specific log sources.
  • Score Bars Not Updating After Ack/Unack — Backend event acknowledgment endpoints now run recalcEffectiveScores synchronously before sending the HTTP response, ensuring the frontend receives up-to-date scores on its subsequent refresh.
  • Single Finding Ack/Reopen Not Refreshing Scores — handleAcknowledge and handleReopen in the drill-down now call onRefreshSystem so dashboard score bars update after acknowledging or reopening an individual finding.
  • Audit Log Page Zero Bug — fetchAuditLog used falsy checks for page and limit params, silently dropping page=0 or limit=0 values. Now uses strict !== undefined checks.
  • Multiline Comment/Code Mismatch — isFragment JSDoc incorrectly documented "comma or semicolon" detection but only checked for trailing commas. Comment corrected.
  • Finding Transition Writing Non-Existent Column — transitionFindingsOnAck tried to set updated_at on the findings table, which has no such column, causing a PostgreSQL error on every event acknowledgment that matched open findings. Replaced with the correct acknowledged_at and acknowledged_by columns.

Full Changelog

See CHANGELOG.md for complete details.

v0.8.9-beta

25 Feb 07:19

v0.8.9-beta Pre-release

What's New in v0.8.9-beta

This release focuses on reliability and correctness — a full codebase audit identified and fixed 16 bugs across the backend pipeline, frontend, and configuration.

Performance

  • Scoring Pipeline N+1 Elimination — Replaced per-event DB writes with bulk operations, hoisted repeated config queries out of inner loops. ~95% fewer DB round-trips in typical scoring runs.
  • Smart LLM Retry Logic — 120-second timeouts on all LLM calls. Only transient errors (429/502/503/504) and timeouts trigger a retry; non-retryable errors (400/401/403) fail immediately, saving 2+ seconds per bad request.
  • Stale Score Elimination — Re-evaluation zeros out prior windows' meta_scores and uses DISTINCT ON for consistent score components. Removed redundant expensive regex CTE from score recalculation.

Bug Fixes

  • LLM Adapter Retried Non-Retryable Errors — 400/401/403/500 responses were silently retried, wasting API calls and adding latency. Now throws immediately.
  • Events Permanently Lost After Bulk Write Failure — If score writes failed, events were still marked as "scored" and never re-processed. Now guarded by success flag.
  • Normal Behavior Filter Ignored Host/Program — Templates scoped to specific hosts or programs showed as "Normal" in the UI but weren't filtered from the criterion drill-down list.
  • Normal Behavior Regex Patterns Too Complex — Generated patterns used {n} quantifiers and (?:...) groups that could fail in PostgreSQL. Now uses simple [^ ]+ for tokens, [0-9]+ for numbers, with no complex quantifiers.
  • System Deletion Left Orphaned Records — Deleting a system did not cascade to findings, normal_behavior_templates, or discovery_suggestions.
  • Pipeline Errors Silently Swallowed — The orchestrator's catch block was empty; errors from config sync are now logged.
  • Pipeline Scheduler Stale Timer — A race condition could set a new timer after stop() during async config loading.
  • Login Network Error — Frontend login() showed a cryptic browser TypeError on network failure instead of a user-friendly message.
  • RFC 3164 Parser Truncation — MikroTik RouterOS messages with colons in the body were truncated; HP ProCurve switches with year-in-timestamp had host/program misidentified.
  • POSIX Regex Compatibility — Normal behavior patterns used PCRE shorthands (\d) that could mismatch PostgreSQL's ~* operator. Now uses universal [0-9] syntax.
  • Model Name Validation — Rejected OpenRouter-style names with slashes (e.g., openai/gpt-4o). Now accepts / and :.
  • Maintenance Logger — Used console.* instead of the shared logger, bypassing LOG_LEVEL filtering and causing self-ingestion.
  • SQL Type Cast Error — batchUpdateTemplateCache VALUES clause lacked ::uuid and ::timestamptz casts.
  • LLM URL Double Slash — Trailing slashes on base URL produced malformed API paths.
  • CSS Variable Missing — --text-secondary was referenced in 6 rules but never defined.

UX Improvements

  • Simplified Regex Patterns — Auto-generated "Mark as Normal" patterns are now much simpler: [^ ]+ for variable tokens (UUIDs, MACs, interfaces), [0-9]+ for numbers, /[^ ]+ for paths. IPv4/CIDR split into clean separate rules. No more {n,m} quantifiers that confused PostgreSQL.
  • Regex Quick Reference — The "Mark as Normal" modal now includes a collapsible regex cheat sheet with the 10 most common tokens (.*, .+, [^ ]+, [0-9]+, \., etc.).
  • Auto-Escape IPs in Log Source Selectors — Plain IP addresses (e.g., 192.168.30.14) entered in the source_ip field are automatically escaped to ^192\.168\.30\.14$ on blur. Dotted hostnames are also escaped. Patterns with existing regex metacharacters are left untouched.
  • Context-Sensitive Placeholders — The source_ip selector field now shows IP or regex (e.g. 192.168.30.14 or ^10\.0\.) instead of a generic regex hint.
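Two of the items above describe small pattern helpers: the simplified, PostgreSQL-safe "Mark as Normal" template generator and the auto-escape applied to IPs and dotted hostnames in the source_ip selector. This added example (not LogPulseAI's own code) implements both as plain functions. The classifier regexes, the choice to anchor generated templates with ^ and $, the interface-name list and the sample messages are assumptions; the emitted patterns use only [^ ]+, [0-9]+ and escaped literals, with no \d or {n} quantifiers, as the notes require.

```typescript
// Added example, not LogPulseAI's own code. Classification regexes (which may
// use \d and {n} internally, since they never reach PostgreSQL), anchoring,
// the interface-name list and the sample messages are assumptions.

// Escape a literal for use inside a PostgreSQL / JS regex; "/" is left alone.
function escapeRegexLiteral(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Selector auto-escape: a plain IPv4 address or dotted hostname becomes an
// anchored literal match; input that already carries regex metacharacters
// (anything other than ".") is returned untouched.
function autoEscapeSelector(input: string): string {
  const value = input.trim();
  if (/[\\^$*+?()[\]{}|]/.test(value)) return value;
  const isIpv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(value);
  const isDottedHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(value);
  if (!isIpv4 && !isDottedHost) return value;
  return "^" + value.replace(/\./g, "\\.") + "$";
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const MAC_RE = /^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i;
const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}(\/\d{1,2})?$/;
const IFACE_RE = /^(eth|ens|enp|wlan|br|vmbr|bond|veth|tap)\d+$/;   // assumed interface names

// Generalise one whitespace-delimited token; trailing punctuation stays literal.
function generaliseToken(token: string): string {
  const m = /^(.*?)([:,;.]*)$/.exec(token);
  const core = m ? m[1] : token;
  const tail = m ? escapeRegexLiteral(m[2]) : "";
  if (UUID_RE.test(core) || MAC_RE.test(core) || IFACE_RE.test(core)) return "[^ ]+" + tail;
  if (IPV4_RE.test(core)) {
    const ip = "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+";
    return (core.indexOf("/") !== -1 ? ip + "/[0-9]+" : ip) + tail;   // IPv4 and CIDR as separate shapes
  }
  if (core.charAt(0) === "/") return "/[^ ]+" + tail;                 // filesystem path
  // Literal text: escape it, then turn every digit run into [0-9]+ (POSIX-safe).
  return escapeRegexLiteral(core).replace(/[0-9]+/g, "[0-9]+") + tail;
}

// Build an anchored "normal behaviour" pattern from a single message.
function generateNormalPattern(message: string): string {
  return "^" + message.trim().split(/\s+/).map(generaliseToken).join(" ") + "$";
}

// Constructed sample messages.
const SAMPLE_MESSAGE =
  "sshd[12345]: Accepted publickey for deploy from 192.168.30.14 port 51234 " +
  "session 3f1c2b9e-8a4d-4c1a-9b0e-1d2e3f4a5b6c opened on /var/log/app.log";
const SAME_SHAPE =
  "sshd[777]: Accepted publickey for deploy from 10.20.30.40 port 6000 " +
  "session 0b5e7c7a-3a3f-4f0c-bc55-2f0ad7c0e4de opened on /srv/app/x.log";
const DIFFERENT = "sshd[1]: Failed password for root from 10.0.0.5 port 22";

console.log(generateNormalPattern(SAMPLE_MESSAGE));
console.log(autoEscapeSelector("192.168.30.14"));
```

Worth noting from a defender's angle: the generated template still pins the literal words ("Accepted publickey for deploy"), so a message with a different verb or user does not silently become "normal"; only the tokens that vary per event are generalised.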

Changed

  • Scoring chunk size default increased from 500 to 5000 (loop processes ALL events, no hard cap)
  • Fluent Bit default log level changed from info to warn
  • Settings help text uses [0-9]+ instead of \d+ for consistency

Full Changelog

See CHANGELOG.md for complete details.

v0.8.8-beta

23 Feb 13:57

v0.8.8-beta Pre-release

What's New in v0.8.8-beta

New Features

  • System Auto-Discovery -- Automatically detects new log sources from unmatched incoming events and suggests new monitored systems. Unmatched events (including those matching catch-all sources) are buffered in a staging table, then grouped by host, IP, and optionally program. A dashboard banner notifies users, who can accept (creates system + log source with LLM-generated description), merge into existing systems, or dismiss. Fully configurable: group-by toggles, thresholds, rate filters, ignore patterns, buffer TTL, and auto-accept mode.
  • DST-Aware Timezone Support (IANA) -- Monitored systems can now specify an IANA timezone name (e.g., Europe/Chisinau) instead of a fixed UTC offset. Automatically computes the correct UTC offset at each event's timestamp, handling summer/winter time transitions. Three-mode picker: None / Timezone (DST-aware) / Fixed UTC offset.
  • Enhanced AI Finding Deduplication -- Two-layer approach: text normalization strips event references and isolated numbers before similarity computation, plus a new "DUPLICATE PREVENTION" section in the LLM system prompt instructs the model to compare against existing open findings.
  • Cross-Batch Fragment Buffer -- Bounded in-memory buffer with TTL and LRU eviction for reassembling multiline syslog messages that arrive across different ingestion batches.
  • Orphan Fragment Detection -- Scoring pipeline detects and skips short SQL-like, tab-prefixed, or process-info fragments that escaped multiline reassembly, saving LLM tokens.

Performance

  • Score ALL Events (Loop-Based Scoring) -- The scoring pipeline now processes ALL unscored events in a loop with chunked fetches (default 5000 per iteration), instead of capping at 500. With template deduplication, 100k events with 50 unique patterns result in only ~3 LLM API calls. A 10-minute time guard prevents runaway execution. Per-system sequential processing ensures no system is starved.
  • Cached Per-Job Configs -- Privacy filter config, task model overrides, system descriptions, and source labels are now loaded once per scoring job instead of per LLM batch, eliminating ~1200 redundant DB queries in typical runs.
  • Fixed Premature Loop Break -- The break condition now uses the original fetched event count (before normal behavior and fragment filtering), preventing premature exit when many events match normal behavior templates.
  • Global recalcEffectiveScores Mutex -- Promise-based serialization prevents concurrent CTE+UPDATE executions that previously caused PostgreSQL deadlocks.
  • Supplementary Live-Event Score Update -- After the main CTE, a targeted UPDATE refreshes the latest window's max_event_score from live unacknowledged events, ensuring recent high-score events appear immediately.
  • Async Ack/Unack and Mark as OK -- Event acknowledge, unacknowledge, and "Mark as Normal Behavior" endpoints return immediately while background processing continues asynchronously.
  • Optimized Re-evaluation -- Removed redundant intermediate recalc call and optimized key_event_ids backfill.
  • Source Cache Invalidation -- Auto-discovery accept/merge invalidates the in-memory log source cache so new sources match events immediately.

UI Improvements

  • Scoring Chunk Size Config -- The old "Scoring limit per run" setting is replaced with "Scoring chunk size" (default 5000, max 100000). The UI clarifies that LLM cost is driven by unique templates, not this value.
  • Discovery Panel Redesign -- Unified card-based design for pending suggestions. Programs list hidden when "Split by program" is disabled. System navigation link after accepting.
  • Wider Drill-Down Layout -- Criterion drill-down panel widened to accommodate Copy and Ack buttons on a single line.
  • Consistent Selector Help Text -- Examples in "How selectors work" now use the same single-backslash display format shown in the Log Sources table.
  • Dashboard Score Consistency -- Replaced GROUP BY / MAX() aggregation with DISTINCT ON to ensure effective_value, meta_score, and max_event_score come from the same window.

Bug Fixes

  • Stale Dashboard Scores After Re-evaluation -- Old meta-scores from prior windows persisted. Re-evaluation now zeros out prior windows' meta_scores, and the dashboard uses DISTINCT ON for consistent score components.
  • IT Security Score Stuck at 0 Despite High Events -- A supplementary UPDATE now proactively refreshes the latest window from live event scores.
  • PostgreSQL Deadlocks in Score Recalculation -- Global promise mutex serializes all recalcEffectiveScores invocations.
  • Multiline PostgreSQL Log Fragmentation -- Orphan [N-M] continuations consolidated into a single merged event.
  • Stale Scores After Rapid Ack Operations -- Coalescing pattern ensures queued recalc fires after current one finishes.
  • Concurrent Event Group Ack -- Per-group independent in-flight tracking replaces single-key mutex.
  • Auto-Created Log Source Not Matching -- Source cache invalidated after discovery accept/merge.
  • Finding key_event_ids Backfill -- Migration backfills key_event_ids for existing findings with [N] refs.
  • Discovery compilation error, hash mismatch, race conditions, wildcard fallback, double-processing guard, and error handling fixes.

Full Changelog

See CHANGELOG.md for complete details.

v0.8.7-beta

20 Feb 09:30

v0.8.7-beta Pre-release

What's New in v0.8.7-beta

New Features

  • Log Source OR Rule Groups — Log source selectors now support multiple AND-condition groups combined with OR logic, enabling complex event routing like (host=web-01 AND program=nginx) OR (host=web-02 AND program=apache). The UI provides an intuitive group editor with "Add AND condition" and "Add OR group" buttons. Fully backward-compatible with existing selectors.
  • Async Re-evaluation with Progress Polling — The "Re-evaluate" button now returns immediately and processes scoring + meta-analysis in the background. The frontend polls every 3 seconds showing elapsed time, then auto-refreshes the drill-down and meta summary on completion.
  • LLM Pricing for New Models — Added pricing entries for GPT-4.1 family (nano/mini/base), GPT-5 family (nano/mini/base), GPT-5.1 (base/codex-mini/codex), GPT-5.2, o3, o3-pro, and o4-mini. Removed deprecated o1-mini.
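An added example, not LogPulseAI's own selector code, of the OR-of-AND rule groups described in the first item above, using the (host=web-01 AND program=nginx) OR (host=web-02 AND program=apache) routing from the notes as its sample. It also covers the deep selector validation listed in the v0.9.0-beta hardening notes: field whitelist, group and rule limits, and a compilation check, all run before a selector would be stored. The field names, the numeric limits, the missing-field semantics (a missing field is matched as an empty string, so a wildcard still matches but an anchored literal does not) and the sample events are assumptions.

```typescript
// Added example, not LogPulseAI's own code. Selector = OR over groups, each
// group = AND over rules. Field names, limits, missing-field semantics and
// sample events are assumptions constructed for this demo.

type SelectorField = "host" | "program" | "source_ip" | "facility";
const SELECTOR_FIELDS: string[] = ["host", "program", "source_ip", "facility"];

interface SelectorRule { field: SelectorField; pattern: string }
type Selector = SelectorRule[][];                  // outer: OR groups; inner: AND conditions
type LogEvent = Partial<Record<SelectorField, string>>;

const LIMITS = { maxGroups: 8, maxRulesPerGroup: 8, maxPatternLength: 256 };   // assumed limits

interface SelectorProblem { group: number; rule: number; message: string }

// Deep validation on create/update: shape, whitelist, limits, compilation.
function validateSelector(input: unknown): SelectorProblem[] {
  const problems: SelectorProblem[] = [];
  if (!Array.isArray(input) || input.length === 0) {
    return [{ group: -1, rule: -1, message: "selector must be a non-empty array of groups" }];
  }
  if (input.length > LIMITS.maxGroups) {
    problems.push({ group: -1, rule: -1, message: `at most ${LIMITS.maxGroups} OR groups allowed` });
  }
  input.forEach((group: unknown, g: number) => {
    if (!Array.isArray(group) || group.length === 0) {
      problems.push({ group: g, rule: -1, message: "group must be a non-empty array of rules" });
      return;
    }
    if (group.length > LIMITS.maxRulesPerGroup) {
      problems.push({ group: g, rule: -1, message: `at most ${LIMITS.maxRulesPerGroup} AND conditions per group` });
    }
    group.forEach((rule: unknown, r: number) => {
      const rec = (typeof rule === "object" && rule !== null ? rule : {}) as Record<string, unknown>;
      if (typeof rec.field !== "string" || SELECTOR_FIELDS.indexOf(rec.field) === -1) {
        problems.push({ group: g, rule: r, message: `unknown field ${String(rec.field)}` });
      }
      if (typeof rec.pattern !== "string" || rec.pattern.length === 0) {
        problems.push({ group: g, rule: r, message: "pattern must be a non-empty string" });
        return;
      }
      if (rec.pattern.length > LIMITS.maxPatternLength) {
        problems.push({ group: g, rule: r, message: "pattern too long" });
      }
      try {
        new RegExp(rec.pattern);                   // compilation check, result discarded
      } catch (e) {
        problems.push({ group: g, rule: r, message: `pattern does not compile: ${String(e)}` });
      }
    });
  });
  return problems;
}

interface CompiledRule { field: SelectorField; re: RegExp }

function compileSelector(selector: Selector): CompiledRule[][] {
  return selector.map((group) => group.map((rule) => ({ field: rule.field, re: new RegExp(rule.pattern) })));
}

// A missing field is matched as "", so ".*" (a wildcard catch-all) still
// matches while an anchored literal such as "^web-01$" does not.
function matchesSelector(compiled: CompiledRule[][], event: LogEvent): boolean {
  return compiled.some((group) => group.every((rule) => rule.re.test(event[rule.field] ?? "")));
}

// Sample selector from the release notes' routing example.
const WEB_SELECTOR: Selector = [
  [{ field: "host", pattern: "^web-01$" }, { field: "program", pattern: "^nginx$" }],
  [{ field: "host", pattern: "^web-02$" }, { field: "program", pattern: "^apache$" }],
];

const compiledWeb = compileSelector(WEB_SELECTOR);
console.log(validateSelector(WEB_SELECTOR).length === 0, matchesSelector(compiledWeb, { host: "web-01", program: "nginx" }));
```

Validating before compiling matters operationally: a selector that fails to compile at match time would either drop events or fall through to a catch-all, and the notes list both of those as bugs fixed in earlier releases.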

Performance

  • Bulk Delete Optimization — bulkDeleteEvents, deleteOldEvents, and cascadeDeleteSystem now use single-statement bulk SQL DELETEs with subqueries instead of row-by-row loops, enabling instant cleanup of millions of records via PostgreSQL partition pruning.
  • Pipeline Score Propagation — The automatic pipeline now calls recalcEffectiveScores after per-event scoring, so newly scored events immediately update the dashboard without waiting for the next meta-analysis run.

Bug Fixes

  • Score Bars Stuck at 0 — Removed the meta_score zeroing guard in recalcEffectiveScores that incorrectly zeroed out LLM meta-scores when no per-event scores existed. Widened the dashboard fallback to trigger when effective_scores are all zero, not just missing.
  • AI Finding Event Links — Findings now parse explicit [1], [2], [3] event references from LLM output and map them directly to event UUIDs. Word-overlap matching is used only as a fallback.
  • Polling Memory Leak — The DrillDown re-evaluate polling now clears setTimeout handles on unmount, preventing setState-on-unmounted-component warnings.
  • Stale Closure in Poll Refresh — The poll completion handler reads selectedCriterion and showAcknowledged from refs instead of stale closure captures.
  • Request Object Lifecycle — Request properties are captured before reply.send() in the async re-evaluate handler, preventing issues with Fastify recycling the request object.
  • Pipeline Hot-Loop Risk — Added Math.max(1, ...) guard on pipeline interval config to prevent zero-delay scheduling.
  • SourceForm Remove Button — The "remove condition" button is now correctly disabled when a group has only one row.
  • Missing CSS Classes — Added .btn-active and .text-secondary classes.

Full Changelog

See CHANGELOG.md for complete details.

v0.8.5-beta

16 Feb 02:21

v0.8.5-beta Pre-release

What's New in v0.8.5-beta

Added

  • Per-Group Event Acknowledgement: Acknowledge individual event groups directly from the criterion drill-down, rather than acknowledging all events in bulk
    • New "Ack" button on each event group row in the drill-down table
    • Corresponding "Un-ack" button when showing acknowledged events
    • Acknowledged events are deleted from event_scores and re-scored by the pipeline when un-acknowledged
    • Related open findings are automatically transitioned to "acknowledged" status
  • Show Acknowledged Events Toggle: Drill-down now hides acknowledged events by default, with a toggle to show them
  • Finding Proof Events ("Show Events"): View the source events that contributed to an AI finding
    • "Show Events" / "Hide Events" toggle button on each finding card
    • Fetches events by key_event_ids stored on findings when they are created
  • Active Issues Breakdown: The AI Findings banner now shows "X active issues (Y open, Z ack'd)"
  • Findings Key Event IDs: AI findings now store references to the source events that triggered them
  • CHANGELOG.md: Added full release history following Keep a Changelog format

Changed

  • Event ack now deletes event_scores (enables proper re-scoring on un-ack)
  • Effective scores exclude acknowledged events from max_event_score
  • Re-evaluate always excludes acknowledged events from LLM context
  • Grouped endpoint hides acknowledged events by default
  • Docker healthchecks: --start-period=60s prevents false "unhealthy" status during startup
  • Body limit increased to 50MB; Fluent Bit Workers=2, Mem_Buf_Limit=10MB

Fixed

  • Catch-all source matching for wildcard patterns on missing fields
  • Guardrail 2: false positive rejection when event refs have empty messages
  • Guardrail 3: hallucinated refs no longer bypass error-severity check
  • LLM adapter: empty string content crash (changed ?? to ||)
  • LLM adapter: error-path usage now reports effective model with overrides
  • Finding proof events no longer leak across findings (scoped state)
  • Show/Hide Events toggle now works (was dead code before)
  • Score bar clamped to 0-100% to prevent visual overflow
  • useCallback dependency arrays: added missing showAcknowledged
  • TypeScript types: EventDetail nullable fields, optional AckGroupResponse fields
  • Event ID validation in by-ids endpoint

Deployment

cd /opt/SyslogCollectorAI && git pull && cd docker && docker compose build && docker compose up -d

Full changelog: CHANGELOG.md

v0.8.4-beta

15 Feb 14:58

v0.8.4-beta Pre-release

What's New in v0.8.4-beta

LLM Cost Optimization Suite

This release introduces a comprehensive set of 16 cost optimization techniques that reduce LLM API spending by up to 80-95% without sacrificing analysis quality. All optimizations are configurable through the web UI with sensible defaults.

New optimizations:

  • O1: Zero-Score Window Skip -- when all events in an analysis window scored 0, the meta-analysis LLM call is skipped entirely
  • O2: Zero-Score Event Filter -- events that scored 0 are excluded from the meta-analysis prompt, reducing input tokens
  • O3: Per-Task Model Selection -- use different (potentially cheaper) models for scoring, meta-analysis, and RAG queries
  • O5: Extended Score Cache -- default cache TTL increased from 60 to 360 minutes, reducing repeat scoring calls
  • O6: RAG Usage Tracking -- Ask AI queries now tracked in the LLM usage dashboard with per-model cost estimates
  • O7: Configurable Context Window -- control how many previous analysis summaries are included as LLM context

Full UI Configuration

All AI pipeline parameters are now configurable through the Settings page:

  • Pipeline Settings -- pipeline interval, analysis window size, scoring limit per run, meta-analysis weight
  • Per-Task Model Overrides -- independent model selection for scoring, meta-analysis, and RAG
  • O1/O2 Toggles -- enable/disable zero-score optimizations in Token Optimization section
  • Context Window & Recurring Lookback -- tune meta-analysis context depth in Meta-Analysis Tuning

Bug Fixes

  • Fixed high-score prioritization using wrong event indices after O2 filtering
  • Fixed LLM usage tracking reporting wrong model name when per-task override is active
  • Aligned meta-analysis config defaults between API and runtime (max_new_findings_per_window, max_open_findings_per_system)

Documentation

  • Added comprehensive LLM Cost Optimization section to README with flow diagram, 16-technique comparison table, cost tracking overview, and typical monthly cost estimates per model

v0.8.3-beta

14 Feb 00:42

v0.8.3-beta Pre-release

LogSentinel AI v0.8.3-beta

New Features

  • Configurable score display window -- The dashboard score bar time range (previously hardcoded at 7 days) is now configurable via Settings, Dashboard section (1-90 days). The DrillDown label updates dynamically to reflect the configured value.
  • Docker container log collection -- Fluent Bit now tails Docker json-file logs from the host via a new tail input with Lua enrichment (container name resolution, stderr-to-error mapping, self-log filtering). Configurable Docker data root via DOCKER_DATA_ROOT env var.
  • Proof event modal -- Clicking proof event links (Event 1, 2, etc.) in resolved findings now works even when the event is outside the loaded 200-event list. Events are fetched by ID and displayed in a detail modal.
  • Mark as Normal Behavior -- Full workflow for marking event patterns as normal, excluding them from scoring and meta-analysis, with template management in Settings.

Bug Fixes

  • 413 Request body too large -- Increased Fastify body limit from 1 MB to 10 MB to handle large Fluent Bit and rsyslog batches.
  • Self-referential finding resolution -- Strengthened both guardrails: added standalone contradictory keywords like persists, unresolved, continues to; made the self-referential check bidirectional with a lowered threshold of 0.4.
  • Docker NAT source-IP routing -- Fixed events being routed to catch-all instead of Docker Host system.
  • Meta-analysis summary contamination -- Normal behavior patterns now exclude contaminated previous summaries from LLM context.
  • Stale effective scores -- Re-evaluate now invalidates scores across the full configured display window.
  • Event Explorer en-dash display -- Fixed unicode escape rendering as literal u2013 text.
  • Event IDs validation -- Relaxed from UUID-only to alphanumeric to support Elasticsearch document IDs.

Infrastructure

  • Docker data root is now configurable via DOCKER_DATA_ROOT env var for non-default Docker installations.
  • event_ids filter added to events API across PostgreSQL and Elasticsearch backends.
  • Dashboard config stored in app_config table with GET/PUT API endpoints.

v0.8.2-beta

13 Feb 12:23

v0.8.2-beta Pre-release

v0.8.2-beta — Comprehensive AI Behavior Revision

Major overhaul of all AI mechanisms, designed for professional IT engineers who manage hundreds of systems and check status weekly at best.

Highlights

  • Flapping eliminated by design — resolved findings are never reopened. Recurring issues create new findings with clear lineage.
  • Proof-based resolution only — the LLM must reference specific events as evidence before closing a finding. Time-based auto-resolve removed entirely.
  • Conservative scoring — revised all LLM prompts (per-event, meta-analysis, RAG) with routine event guidance and strict calibration to minimize false alarms.
  • Findings-first dashboard — SystemCard now shows active findings count with severity breakdown as the primary status indicator.
  • Clickable resolution proof — resolved findings display evidence with links that scroll to and highlight the referenced events.
  • Quieter alerting defaults — threshold raised to 75%, throttle to 30 minutes, state-change-only enabled by default.

Backend Changes

  • Fix duplicate skipMissIncrement safeguard bug in metaAnalyze.ts
  • Eliminate flapping: new "Recurring:" finding creation instead of reopening resolved findings
  • Remove time-based auto-resolve; enforce event_refs proof for LLM resolutions
  • Implement eventIndexToId mapping (LLM event indices to real UUIDs)
  • Store resolution_evidence as JSON: { text, event_ids }
  • Write effective_score=0 for all criteria in quiet (zero-event) windows
  • Revise SCORE_SYSTEM_PROMPT_TEMPLATE with routine event guidance and score calibration
  • Revise DEFAULT_META_SYSTEM_PROMPT with conservative scoring, high bar for findings, strict resolution rules
  • Revise DEFAULT_RAG_SYSTEM_PROMPT for senior IT operations audience
  • Reduce max_new_findings_per_window default: 5 -> 3
  • Make context_window_size configurable (default 5)
  • Rename flapping_lookback_days to recurring_lookback_days (backward-compatible)
  • Raise default alert min_score threshold: 0.5 -> 0.75
  • Fix notify_only_on_state_change server default: false -> true
  • Add DASHBOARD_URL env var for deep-links in alert notifications
  • Add active_findings (count by severity) to /api/v1/dashboard/systems response

Frontend Changes

  • Remove all flapping/reopen badges from DrillDown findings
  • Render resolution evidence with clickable "Proof events" buttons (scroll-to + highlight)
  • Add id attributes to event table rows for scroll-to targeting
  • Add active findings badge with severity breakdown to SystemCard
  • Update ActiveFindingsCounts and Finding types in api.ts
  • Update default alert threshold to 75%, throttle to 30 minutes in AlertRulesPanel
  • Remove orphaned flapping/reopen CSS (~38 lines)
  • Add new CSS for evidence links, findings badge, event highlight animation

Configuration

  • New optional env var: DASHBOARD_URL — set to your dashboard URL for notification deep-links
  • Added to both backend/.env.example and docker/.env.example

Upgrade Notes

  • No database migrations required
  • Existing flapping_lookback_days in app_config is automatically migrated to recurring_lookback_days
  • Existing alert rules keep their configured thresholds; only new rules get the 75% default
  • Set DASHBOARD_URL in your .env to enable deep-links in notifications (e.g., http://your-server:8070)

v0.8.1-beta

12 Feb 07:49

v0.8.1-beta Pre-release

What's New in v0.8.1-beta

Multi-Select Dropdown Filters

  • DrillDown view: Added 5 multi-select filter dropdowns (Severity, Host, Program, Service, Facility) above the events table with a 'Clear all' button
  • Event Explorer: Replaced single-select dropdowns with MultiSelect components for Severity, Host, Source IP, and Program filters
  • New MultiSelect component: Reusable dropdown with checkboxes, search, select-all/clear-all, click-outside-to-close

Full-Stack Filter Support

  • Backend API (/api/v1/systems/:id/events) now accepts comma-separated multi-value filter parameters
  • PostgreSQL event source uses WHERE IN (...) for efficient multi-value filtering
  • Elasticsearch event source uses terms queries for multi-value filtering
  • Frontend API client sends filter arrays as comma-separated strings

Bug Fixes

  • EventExplorer click-to-filter: Clicking a cell value now adds to the existing multi-selection instead of replacing it
  • DrillDown empty state: Correctly distinguishes between 'no events at all' vs 'no events matching current filters'
  • Reduced redundant API calls: Seed fetch for filter options skipped when initial load already covers it

Other

  • Event limit in DrillDown increased from 100 to 200
  • Version bumped to 0.8.1-beta in both backend and dashboard