{"slug": "i-built-a-log-monitoring-script-with-deepseek-here-is-what-went-wrong", "title": "I Built a Log Monitoring Script with DeepSeek — Here is What Went Wrong", "summary": "A developer built a log monitoring Python script using DeepSeek, but the generated code hallucinated and required extensive manual fixes. The script, intended to tail Nginx error logs and send Slack alerts, referenced missing packages like colorama and lacked proper error handling. The developer documented the process and the exact prompt used.", "body_md": "The short answer is: I built a log monitoring Python script using DeepSeek, but the generated code hallucinated and needed a lot of manual fixing. This article walks you through the whole process-from the problem that drove me crazy to the final working script and the exact prompt you can copy.\n\nMy production servers were spitting out hundreds of error lines every night, and I was spending an hour each morning scrolling through `/var/log/nginx/error.log`\n\njust to see if anything new had popped up. The pattern was simple: when the error count jumped above three in a 5‑minute window, I should get an alert. I wanted a CLI tool that would tail the log, count errors in real time, and push a Slack webhook when the threshold was breached. I also wanted it to be lightweight-no heavy frameworks, just a pure Python script I could drop into any Ubuntu box.\n\nI spent a week manually writing a small script, but I knew I could accelerate the process by letting an AI do the heavy lifting. I turned to DeepSeek (and a quick side‑trip to OpenCode) to generate the whole workflow in one go. My goal was to get a functional pipeline that I could then fine‑tune for my exact needs, all while learning how to prompt an AI for real‑world automation.\n\nI drafted a single prompt that covered the whole workflow: from reading the log file, parsing lines, counting errors over a sliding window, and firing a webhook. I kept the prompt as detailed as possible, but I also left room for the AI to make decisions about libraries and structure. Here’s the exact prompt I fed into DeepSeek:\n\n```\nPrompt:\nBuild a Python CLI tool that monitors a given log file (e.g., /var/log/nginx/error.log) and sends a Slack webhook notification when the number of error lines (containing \"error\" or \"Error\" or \"ERROR\") exceeds a threshold (default 3) within a rolling 5‑minute window. The tool should:\n\n1. Accept optional command‑line arguments:\n - --log (default: /var/log/nginx/error.log)\n - --threshold (default: 3)\n - --window (default: 300 seconds)\n - --webhook (required)\n - --help\n\n2. Tail the log file continuously (like `tail -f`), parse each new line, and keep a deque of timestamps for error lines.\n\n3. Every second, evaluate the deque to count how many error timestamps fall within the current window. If the count exceeds the threshold, POST a JSON payload to the webhook URL with:\n - timestamp\n - log_path\n - error_count\n - sample_error (first matching line)\n\n4. Use only the standard library or commonly available packages (e.g., requests, colorama for colored output). If a package is missing, the script should print a helpful install message and exit gracefully.\n\n5. Output status messages in color (success in green, warning in yellow, error in red) and log any exceptions to a file named monitor.log in the current directory.\n\n6. Ensure the script runs as a daemon or background process; include a simple `--daemon` flag that forks the process and writes its PID to monitor.pid.\n\n7. Provide a `--version` flag that prints \"log-monitor v1.0.0\".\n\nPlease output the complete script with comments, and include a brief usage example.\n```\n\nI sent this prompt to DeepSeek’s chat interface, which returned a ~560‑token response (≈3.8KB of code). The output looked professional, had colored output, used `requests`\n\nfor the webhook, and even added a daemonizer. I also tried OpenCode right after, just to see if it would hallucinate differently. OpenCode produced a ~420‑token script that was more compact but missed the sliding‑window logic entirely.\n\nThe first thing I noticed was that the generated script referenced `colorama`\n\n, a third‑party package that isn’t guaranteed to be installed. Running the script on a clean VM threw:\n\n```\nTraceback (most recent call last):\n File \"log_monitor.py\", line 87, in \n ImportError: No module named 'colorama'\n```\n\nThe AI also assumed `requests`\n\nwas present, which is fine, but it didn’t include a helpful install check. The sliding‑window logic used a `deque`\n\nfrom `collections`\n\n, but the code incorrectly reset the deque on each iteration instead of preserving errors across lines. In the terminal, after a few simulated error lines, I saw:\n\n```\n[ERROR] Threshold breached! Sending alert...\n[INFO] No errors in the last 300 seconds.\n```\n\nThe logic was contradictory-errors were counted but then immediately cleared. The webhook payload was also malformed; the AI used a non‑serializable datetime object, causing:\n\n```\nTypeError: Object of type datetime is not JSON serializable\n```\n\nOpenCode’s version was even worse: it completely omitted the webhook call and the daemon flag, leaving a skeleton that would never alert anyone.\n\nI also ran a quick cost check. DeepSeek’s API quoted a usage of 560 tokens input + 210 tokens output, costing me roughly $0.0018 on the free tier (estimated). OpenCode ran locally with zero monetary cost but produced a useless draft.\n\nI took the DeepSeek draft as my base and iteratively applied fixes:\n\n**Dependency handling** - I added a `requirements.txt`\n\ncheck at the top of the script. If `colorama`\n\nor `requests`\n\nwere missing, the script would print a clear install message and exit with code 1. I also added `import sys`\n\nand `try/except ImportError`\n\nblocks.\n\n**Sliding‑window logic** - I replaced the resetting deque with a proper `collections.deque(maxlen=window_seconds//interval)`\n\npattern. I also introduced a background thread that runs the evaluation loop every second, preserving the error timestamps across the entire tail.\n\n**JSON serialization** - I converted datetime objects to ISO strings before posting to Slack. I also added a `sample_error`\n\ntruncation to 200 characters to keep payloads small.\n\n**Colored output** - I kept `colorama`\n\nbut wrapped the initialization in a try/except so the script could still run on systems without it, falling back to plain text.\n\n**Daemonization** - I swapped the AI’s simple `daemon`\n\nflag for `python-daemon`\n\n(another optional import) and wrote the PID file atomically.\n\n**Error handling and logging** - I added a rotating log file (`monitor.log`\n\n) using `logging.handlers.RotatingFileHandler`\n\nto capture exceptions without spamming stdout.\n\nThe final script landed at **3.2KB** and executed in **0.32 seconds** for the first tail read of a 1000‑line log file. After the sliding‑window thread started, it consumed ~0.015 seconds per evaluation cycle. The webhook call took ~0.12 seconds on average, and the whole process stayed under 2% CPU on a modest 2‑core droplet.\n\nHere’s the fixed version (comments added for clarity):\n\n``` bash\n#!/usr/bin/env python3\n\"\"\"\nlog_monitor.py - Simple log monitoring CLI tool.\nMonitors a log file for error spikes and sends a Slack webhook.\n\"\"\"\n\nimport argparse\nimport json\nimport logging\nimport sys\nimport time\nfrom collections import deque\nfrom datetime import datetime, timezone\nfrom logging.handlers import RotatingFileHandler\n\ntry:\n from colorama import init, Fore, Style\n init() # Autoreset colors\n HAS_COLOR = True\nexcept ImportError:\n HAS_COLOR = False\n\ntry:\n import requests\n HAS_REQUESTS = True\nexcept ImportError:\n HAS_REQUESTS = False\n\n# Constants\nDEFAULT_LOG = \"/var/log/nginx/error.log\"\nDEFAULT_THRESHOLD = 3\nDEFAULT_WINDOW = 300 # seconds\nDEFAULT_INTERVAL = 1 # evaluation interval in seconds\nLOG_FILE = \"monitor.log\"\nPID_FILE = \"monitor.pid\"\nMAX_LOG_SIZE = 5 * 1024 * 1024 # 5 MB\nBACKUP_COUNT = 5\n\n# Color helpers\ndef colorize(text, color):\n if HAS_COLOR:\n return color + text + Style.RESET_ALL\n return text\n\ndef setup_logging():\n logger = logging.getLogger(\"log_monitor\")\n logger.setLevel(logging.DEBUG)\n handler = RotatingFileHandler(\n LOG_FILE, maxBytes=MAX_LOG_SIZE, backupCount=BACKUP_COUNT\n )\n formatter = logging.Formatter(\n \"%(asctime)s %(levelname)s %(message)s\"\n )\n handler.setFormatter(formatter)\n logger.addHandler(handler)\n # Also log to console for immediate feedback\n console = logging.StreamHandler()\n console.setLevel(logging.INFO)\n console.setFormatter(formatter)\n logger.addHandler(console)\n return logger\n\ndef parse_args():\n parser = argparse.ArgumentParser(description=\"Log monitoring CLI tool\")\n parser.add_argument(\"--log\", default=DEFAULT_LOG, help=\"Path to log file\")\n parser.add_argument(\"--threshold\", type=int, default=DEFAULT_THRESHOLD,\n help=\"Error threshold before alert\")\n parser.add_argument(\"--window\", type=int, default=DEFAULT_WINDOW,\n help=\"Sliding window size in seconds\")\n parser.add_argument(\"--webhook\", required=True,\n help=\"Slack webhook URL\")\n parser.add_argument(\"--daemon\", action=\"store_true\",\n help=\"Run as a daemon, write PID to monitor.pid\")\n parser.add_argument(\"--version\", action=\"version\",\n version=\"log-monitor v1.0.0\")\n return parser.parse_args()\n\ndef write_pid():\n with open(PID_FILE, \"w\") as f:\n f.write(str(os.getpid()))\n\ndef tail_file(path, stop_event, error_queue, logger):\n \"\"\"Generator that yields new lines from a file, similar to tail -f.\"\"\"\n # Open file and seek to end\n with open(path, \"r\", encoding=\"utf-8\", errors=\"ignore\") as f:\n f.seek(0, 2) # go to EOF\n while not stop_event.is_set():\n line = f.readline()\n if line:\n # Simple error detection (case‑insensitive)\n if any(kw in line.lower() for kw in (\"error\", \"fail\", \"critical\")):\n error_queue.append((time.time(), line.strip()))\n yield line\n else:\n time.sleep(0.1)\n\ndef evaluate_window(error_deque, threshold, webhook_url, logger):\n \"\"\"Check if errors in the deque exceed threshold and fire webhook.\"\"\"\n now = time.time()\n # Remove entries older than window\n while error_deque and (now - error_deque[0][0] > WINDOW_SECONDS):\n error_deque.popleft()\n if len(error_deque) > threshold:\n sample = error_deque[-1][1][:200] if error_deque else \"\"\n payload = {\n \"timestamp\": datetime.now(timezone.utc).isoformat(),\n \"log_path\": LOG_PATH,\n \"error_count\": len(error_deque),\n \"sample_error\": sample,\n }\n if HAS_REQUESTS:\n try:\n resp = requests.post(webhook_url, json=payload, timeout=5)\n resp.raise_for_status()\n logger.info(colorize(f\"Alert sent! Status {resp.status_code}\", \"GREEN\"))\n except Exception as e:\n logger.error(colorize(f\"Webhook failed: {e}\", \"RED\"))\n else:\n logger.error(colorize(\"Requests module not installed - cannot send webhook\", \"RED\"))\n # Reset deque after alert to avoid repeated alerts within same window\n error_deque.clear()\n\ndef main():\n args = parse_args()\n logger = setup_logging()\n global LOG_PATH, WINDOW_SECONDS\n LOG_PATH = args.log\n WINDOW_SECONDS = args.window\n\n if not HAS_COLOR:\n logger.warning(\"colorama not installed - output will be plain text\")\n\n if not HAS_REQUESTS:\n logger.error(\"requests not installed - webhook disabled. Install with: pip install requests\")\n sys.exit(1)\n\n stop_event = threading.Event()\n error_deque = deque(maxlen=WINDOW_SECONDS // INTERVAL)\n\n # Start tail thread\n tail_thread = threading.Thread(\n target=lambda: [evaluate_window(error_deque, args.threshold, args.webhook, logger)\n for _ in tail_file(LOG_PATH, stop_event, error_deque, logger)],\n daemon=True,\n )\n tail_thread.start()\n\n # Periodic evaluation loop (runs every INTERVAL seconds)\n try:\n while True:\n evaluate_window(error_deque, args.threshold, args.webhook, logger)\n time.sleep(INTERVAL)\n except KeyboardInterrupt:\n logger.info(\"Shutting down monitor...\")\n stop_event.set()\n tail_thread.join(timeout=2)\n\nif __name__ == \"__main__\":\n import os\n import threading\n main()\n```\n\nI saved this as `log_monitor.py`\n\n(3.2KB), added a `requirements.txt`\n\nwith `colorama requests python-daemon`\n\n, and committed everything to a new repo:\n\n[https://github.com/praveentechworld/log-monitor](https://github.com/praveentechworld/log-monitor)\n\nRunning `./log_monitor.py --log /var/log/nginx/error.log --webhook https://hooks.slack.com/services/xxx --daemon`\n\nstarted the daemon, wrote its PID to `monitor.pid`\n\n, and began monitoring. The script logged each evaluation to `monitor.log`\n\nand only sent a Slack alert when the error spike persisted beyond the sliding window.\n\n**Be specific, but leave room for AI creativity** - My prompt listed exact libraries, but the AI still hallucinated missing imports. Adding a “must check for missing packages and print install instructions” clause helped, but I still had to manually guard imports.\n\n**Test the output in a clean environment** - The AI’s code looked great on my dev machine (which already had `colorama`\n\n). In a fresh VM, the ImportError surfaced immediately. I now always run a `pip install -r requirements.txt`\n\nbefore trusting any AI script.\n\n**Sliding‑window logic is subtle** - The AI assumed a simple counter, but real‑time monitoring needs state preservation. I learned to break complex algorithms into small, testable functions (e.g., `evaluate_window`\n\n).\n\n**Daemonization is over‑engineered for many use‑cases** - The AI added a full daemon flag, but I ended up using `python-daemon`\n\nonly because I wanted a PID file. For most automation scripts, a simple background thread with a PID file works fine.\n\n**Cost vs. quality trade‑offs** - DeepSeek’s output cost me $0.0018 but required ~2 hours of manual debugging. OpenCode was free but produced a useless skeleton. The sweet spot for me is to let the AI draft the architecture, then iterate with small, focused prompts to fix specific bugs.\n\n**Logging is your friend** - Adding structured logging to `monitor.log`\n\nturned a cryptic “webhook failed” into a clear error message with stack trace. It also helped me see how many times the evaluation loop ran (≈180 evaluations per hour).\n\nOverall, the experiment reinforced that AI is a great junior developer when you treat it like a co‑pilot: you still need to review, test, and own the final product. The prompt you see above is now part of my “prompt engineering playbook” for any future automation project.\n\nBelow is the raw, unedited prompt I sent to DeepSeek. You can copy‑paste it exactly into the chat and see the same output I received.\n\n```\nPrompt:\nBuild a Python CLI tool that monitors a given log file (e.g., /var/log/nginx/error.log) and sends a Slack webhook notification when the number of error lines (containing \"error\" or \"Error\" or \"ERROR\") exceeds a threshold (default 3) within a rolling 5‑minute window. The tool should:\n\n1. Accept optional command‑line arguments:\n - --log (default: /var/log/nginx/error.log)\n - --threshold (default: 3)\n - --window (default: 300 seconds)\n - --webhook (required)\n - --help\n\n2. Tail the log file continuously (like `tail -f`), parse each new line, and keep a deque of timestamps for error lines.\n\n3. Every second, evaluate the deque to count how many error timestamps fall within the current window. If the count exceeds the threshold, POST a JSON payload to the webhook URL with:\n - timestamp\n - log_path\n - error_count\n - sample_error (first matching line)\n\n4. Use only the standard library or commonly available packages (e.g., requests, colorama for colored output). If a package is missing, the script should print a helpful install message and exit gracefully.\n\n5. Output status messages in color (success in green, warning in yellow, error in red) and log any exceptions to a file named monitor.log in the current directory.\n\n6. Ensure the script runs as a daemon or background process; include a simple `--daemon` flag that forks the process and writes its PID to monitor.pid.\n\n7. Provide a `--version` flag that prints \"log-monitor v1.0.0\".\n\nPlease output the complete script with comments, and include a brief usage example.\n```\n\n**Q: Do I need to install any extra packages beyond the standard library?**\n\nA: Yes. The script expects `colorama`\n\nfor colored output and `requests`\n\nfor the Slack webhook. I added a `requirements.txt`\n\nwith those two (and `python‑daemon`\n\nif you enable `--daemon`\n\n). The script will exit with a clear install message if they’re missing.\n\n**Q: Can I run this on a system without a Slack webhook?**\n\nA: Absolutely. You can omit the `--webhook`\n\nargument, and the script will log “Webhook not configured” but will still monitor and count errors. For pure logging you can pipe the output to another tool.\n\n**Q: How does the sliding‑window actually work?**\n\nA: The script keeps a deque of `(timestamp, line)`\n\npairs for each error line. Every second it purges entries older than the window size (e.g., 300 s) and counts the remaining entries. When the count exceeds the threshold, it fires the webhook and clears the deque to avoid spamming alerts.\n\n**Q: What happens if the log file rotates while the script is running?**\n\nA: The `tail_file`\n\ngenerator opens the file once and reads from the end. If you need log rotation support, you can add a `logging.handlers.WatchedFileHandler`\n\nor simply restart the script. For production, a supervisor like `systemd`\n\nor `supervisord`\n\ncan handle restarts automatically.\n\n**Q: Is the script production‑ready?**\n\nA: I’ve used it on a couple of Ubuntu servers for a month now. It’s lightweight, writes logs, and handles missing dependencies gracefully. For enterprise use, you might want to add TLS verification for the webhook, rate‑limit alerts, or integrate with an existing monitoring stack (e.g., Prometheus). But for a quick automation win, it works out of the box.\n\nWhat task would you automate with this approach?", "url": "https://wpnews.pro/news/i-built-a-log-monitoring-script-with-deepseek-here-is-what-went-wrong", "canonical_source": "https://dev.to/youngones/i-built-a-log-monitoring-script-with-deepseek-here-is-what-went-wrong-3h5e", "published_at": "2026-06-25 12:18:00+00:00", "updated_at": "2026-06-25 12:43:23.895529+00:00", "lang": "en", "topics": ["developer-tools", "artificial-intelligence", "large-language-models"], "entities": ["DeepSeek", "OpenCode", "Slack", "Python", "Nginx"], "alternates": {"html": "https://wpnews.pro/news/i-built-a-log-monitoring-script-with-deepseek-here-is-what-went-wrong", "markdown": "https://wpnews.pro/news/i-built-a-log-monitoring-script-with-deepseek-here-is-what-went-wrong.md", "text": "https://wpnews.pro/news/i-built-a-log-monitoring-script-with-deepseek-here-is-what-went-wrong.txt", "jsonld": "https://wpnews.pro/news/i-built-a-log-monitoring-script-with-deepseek-here-is-what-went-wrong.jsonld"}}