Real-Time Threat Hunting in Your Terminal with Teler
Ever feel like you're flying blind when it comes to attacks on your web applications? Logs are great for post-mortems, but by the time you sift through them, the damage might already be done. What if you could see malicious traffic as it happens, right in your terminal?
That's the gap teler fills. It's an open-source intrusion detection system that runs alongside your web server, analyzing logs in real-time to alert you about common web-based threats. No complex dashboards, no external services—just immediate, actionable alerts where you're already working.
What It Does
Teler is a real-time threat detection tool for your web server logs. You run it as a companion process to applications like Nginx, Apache, or even your custom Go server. It ingests log entries as they are generated and checks each request against a set of security rules and threat intelligence feeds.
When it detects something suspicious—like a path traversal attempt, SQL injection payload, or a request from a known malicious IP—it prints a detailed alert directly to your terminal or a designated output. It's like having a dedicated security guard watching your access logs, tapping you on the shoulder the moment something sketchy happens.
Why It's Cool
The real charm of teler is its simplicity and immediacy. It's built for developers who want clarity without overhead.
- Real-Time, Not Retroactive: You're notified of attacks as they occur, so you have a chance to block an ongoing brute-force attack or scanning campaign before it completes.
- Terminal-First Design: The alerts are designed for readability in a terminal. You get a clear, color-coded breakdown of the threat type, the offending request, and the matched pattern, all without leaving your command line.
- Extensible and Customizable: It comes with a solid set of default threat patterns (common OWASP Top 10 stuff, bad bots, scrapers), but you can easily define your own custom rules using regular expressions or substring matching to catch patterns specific to your application.
- Lightweight and Portable: It's a single binary written in Go. You can run it anywhere your web server runs, from your local dev machine to a production VPS, without a heavy installation process.
How to Try It
Getting started is straightforward. The quickest way is with go install:
go install github.com/teler-sh/teler@latest
You can then run it by piping your web server's access logs into it. For example, with Nginx:
tail -f /var/log/nginx/access.log | teler -c /path/to/teler.yaml
The -c flag lets you specify a configuration file where you can enable/disable threat feeds, set custom rules, and define output formats (JSON is an option if you want to pipe alerts to another tool). The project's GitHub repository has detailed documentation on configuration, supported log formats, and all available options.
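To make the custom-rule idea above concrete, here is an added example in the same spirit (it is not teler's own code and does not read its configuration): a small Go program that reads Nginx combined-format lines from stdin as they arrive and applies rules of both kinds the post mentions, a regular expression or a plain substring, to one field of each entry. The rule set, the field names "request" and "user_agent", and the sample log lines are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Rule applies a regex or a plain substring to one parsed field ("request" or "user_agent").
type Rule struct {
	Name, Element, Pattern string
	IsRegex                bool
}

// combined parses the default Nginx "combined" access log format.
var combined = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+ "[^"]*" "([^"]*)"`)
// rules are constructed for this example; teler ships its own feeds instead.
var rules = []Rule{
	{"Path Traversal", "request", `(?i)(\.\./|%2e%2e%2f)`, true},
	{"SQL Injection", "request", `(?i)(union\s+select|'\s*or\s+'?1'?\s*=)`, true},
	{"Scanner User-Agent", "user_agent", "sqlmap", false},
}

// Inspect parses one access log line and returns the first matching rule name
// and the client address; rule is "" when the line is clean or does not parse.
func Inspect(line string) (rule, remoteAddr string) {
	m := combined.FindStringSubmatch(line)
	if m == nil {
		return "", "" // unknown format: skip rather than guess at fields
	}
	fields := map[string]string{"request": m[2], "user_agent": m[3]}
	for _, r := range rules {
		v := fields[r.Element]
		if (r.IsRegex && regexp.MustCompile(r.Pattern).MatchString(v)) ||
			(!r.IsRegex && strings.Contains(v, r.Pattern)) {
			return r.Name, m[1]
		}
	}
	return "", m[1]
}

func main() { // stream stdin as it arrives, e.g. `tail -f access.log | ./detector`
	for sc := bufio.NewScanner(os.Stdin); sc.Scan(); {
		if rule, addr := Inspect(sc.Text()); rule != "" {
			fmt.Printf("[%s] from %s: %s\n", rule, addr, sc.Text())
		}
	}
}
```

Lines that do not parse as the combined format are skipped silently, which is also a useful reminder to check that your server's log_format matches whatever tool you point at it.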
Final Thoughts
Teler isn't a replacement for a full-fledged WAF or a SIEM system, and it doesn't try to be. Instead, it's an incredibly useful developer-oriented tool for gaining immediate visibility. It's perfect for monitoring staging environments, personal projects, or even as a first line of awareness in production. Running it for a few days on a public-facing service can be a real eye-opener to the sheer amount of automated malicious traffic constantly probing the internet.
It puts a spotlight on the threats you usually only see as abstract lines in a log file days later. For any developer running a web service, it's absolutely worth an afternoon of setup.
Find more interesting projects from the community on @githubprojects.
Repository: https://github.com/teler-sh/teler