Forensic Mode
Forensic Mode is HostAtlas’ postmortem cockpit. Pick a server, pick a window in the past, and see every signal that fired inside it — alerts, incidents, config events, anomalies, audit entries, log lines, metric peaks — laid out on one screen. You write postmortems from evidence instead of memory.
What you see
Open Forensic Mode in the sidebar. At the top: a server picker and a time-range control (15 min, 1 h, 6 h, 24 h, 7 d, or a custom UTC from / to).
Once you pick a server and window, the page assembles:
- Window header — server hostname, exact from → to timestamps in UTC, duration in minutes.
- KPI strip — alert count, incident count, config-event count, anomaly count, log-line count for the window.
- Metric peaks — CPU, RAM, disk, load over the window as donuts (for percentage metrics) and sparklines.
- Alerts — every alert firing inside the window with severity, rule, and target.
- Incidents — incidents that opened, updated, or closed in the window.
- Config events — configuration changes on the server (agent-reported or user-driven).
- Anomalies — anomaly detector hits.
- Audit entries — user and system actions that touched the server.
- Log lines — sampled agent-collected log lines.
Every section is a link out to the source page (incident detail, alert rule, config-diff, and so on).
What you can do
- Summarise with AI — one button hands the assembled snapshot to the AI assistant, which returns a plain-language summary of what happened and why. Nothing is written or acted on; it’s a reading aid.
- Change window — narrow to a suspicious 15-minute slice, widen to 24 hours, or pick a custom UTC range.
- Open the server — jump directly to the current server detail page.
- From an incident, click Replay — the incident opens Forensic Mode automatically centred on its firing window.
How it works
- Forensic Mode is a read-only assembler. It queries the existing alert, incident, anomaly, config, audit, log, and metric stores for the window you picked and lays them out. No new storage, no extra ingestion overhead.
- The window is bounded by your plan’s data retention — Pro keeps a shorter history, Business / Enterprise longer.
- The AI summary uses your workspace’s configured assistant. No infrastructure change is made; the output is text on the page.
Related
- Alerts & Incidents — click Replay on an incident to land here pre-scoped.
- Activity — the wider, non-time-travelling event stream.
- Anomalies — a source Forensic Mode surfaces.