What Is wbts?
wbts is a Go-based incident investigation CLI from Bruce Owenga and one of the best incident investigation CLI tools for DevOps engineers, SREs, and platform teams. It merges journald, dmesg, Docker events, Kubernetes events, apt/dnf history, and auth logs into one chronological view, and it ships with 7 collectors plus an interactive TUI for post-incident reconstruction.
Quick Overview
| Attribute | Details |
|---|---|
| Type | Incident Investigation CLI |
| Best For | DevOps engineers, SREs, and platform teams |
| Language/Stack | Go, systemd/journald, dmesg, Docker socket API, Kubernetes events, apt/dnf logs, interactive TUI |
| License | MIT |
| GitHub Stars | N/A as of Feb 2026 |
| Pricing | Open-Source |
| Last Release | N/A |
Who Should Use wbts?
- On-call SREs who need to reconstruct an outage from mixed host, container, and package-manager signals without bouncing between half a dozen terminals.
- Platform teams running k3s, Docker, or bare-metal Linux nodes where the failure may start in the kernel, then surface in systemd, then cascade into pods.
- Solo engineers and indie hackers who want a local incident timeline they can run on a server over SSH without standing up Loki, ELK, or a separate observability stack.
- Linux administrators who need read-only access to service crashes, boot issues, auth events, and package changes after a reboot or a partial outage.
Not ideal for:
- Teams that already centralize every signal in Datadog, Loki, or Elastic and do not need host-local correlation.
- Environments where the operator cannot read journalctl, Docker, or `/var/log/*` and cannot adjust group or ACL permissions.
- Windows-first fleets or cloud-native setups where there is no Linux host layer to inspect.
Key Features of wbts
- Multi-source incident timeline — wbts normalizes outputs from journald, dmesg, Docker, Kubernetes, apt, dnf, and auth into one ordered stream. That gives you a single chronology instead of forcing you to line up timestamps by hand.
- Interactive terminal viewer — when stdout is a terminal, wbts opens a TUI with cursor navigation, expand/collapse behavior, level filtering, and incident-window jumps. It is useful when you want to read the whole failure sequence rather than a single grep hit.
- Rotated log support — file-based collectors automatically read `.1`, `.2.gz`, and date-rotated logs. That matters after a reboot or crash because the first symptom often lives in the previous file, not the current one.
- Embedded severity detection — wbts elevates severity from message bodies such as `level=error`, `ERR`, `WRN`, Kubernetes klog prefixes, and framework-specific patterns. This catches services that write everything to journald at INFO but still encode their own severity in the payload.
- Machine-readable output — `--json`, `--summary`, `--no-color`, and `--no-tui` make wbts usable in scripts, CI, and `jq` pipelines. That is the difference between a one-off triage session and a repeatable postmortem workflow.
- Permission discovery — `wbts check-perms` shows which sources are accessible before you waste time on empty output. It also makes it obvious when you need `systemd-journal`, `adm`, Docker group membership, or a targeted ACL tweak.
- Stable collector API — the `pkg/event` package is the stable public API for third-party collectors. That gives the project a clear extension point instead of baking every new source into the main binary.
wbts vs Alternatives
| Tool | Best For | Key Differentiator | Pricing |
|---|---|---|---|
| wbts | Correlating host, kernel, container, and package-manager evidence after an incident | One timeline across journald, dmesg, Docker, Kubernetes, apt/dnf, and auth | Open-Source |
| journalctl | Inspecting systemd and journald data on one machine | Deep native systemd integration, but no cross-source timeline | Free |
| stern | Watching live Kubernetes pod logs | Real-time pod tailing and label filtering, not host-level forensics | Open-Source |
| k9s | Terminal-based Kubernetes cluster ops | Strong cluster navigation and resource inspection, but not log fusion | Open-Source |
Pick journalctl when the outage is clearly systemd-local and you only need service logs or boot history. Pick stern when the problem is live inside a pod and you want to watch container output stream by stream.
Pick k9s when you need to inspect cluster state, restart workloads, or drill into pods before logs become relevant. wbts is stronger when the incident starts below Kubernetes, because it can still show the kernel, Docker, and package-manager clues that explain why the pod broke in the first place.
If the failure is about request tracing rather than host state, OpenTrace is the better fit because it follows spans instead of machine events. If the next step is automated remediation after the incident is understood, pair wbts with djevops so the diagnosis can feed an ops workflow.
For adjacent terminal-first utilities, you can also browse all CLI Tools.
How wbts Works
wbts uses a collector pipeline that pulls events from several Linux-facing data sources, then normalizes them into a shared event model before sorting by time. The important design choice is that each collector is read-only and the output is unified, which keeps the tool focused on reconstruction rather than remediation.
The architecture is simple on purpose. journalctl provides service-level history, dmesg covers the kernel ring buffer, Docker events expose container lifecycle changes, kubectl get events brings in cluster incidents, and file collectors read package and auth logs from disk. The pkg/event abstraction keeps collector code separate from presentation code, so the TUI and the JSON output are just different views over the same event stream.
```bash
wbts --since 2h --container app_web_1 --json | jq '.[] | {ts: .Time, src: .Source, lvl: .Level, msg: .Message}'
```
That command asks wbts for the last two hours of events related to one container, emits JSON, and filters it with jq. In practice you use the same pattern for incident review, then switch to the TUI when you want to scan the timeline interactively and jump between incident windows.
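As an added illustration of the collector pipeline just described and of the embedded severity detection listed under Key Features (example code written for this page, not wbts's own pkg/event package), the Go sketch below takes three constructed events from journald-, dmesg-, and kubectl-style sources, normalizes them into a hypothetical Event type, elevates severity from the message body, and sorts them into one timeline:

```go
package main

import (
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is a hypothetical normalized record for this example, not wbts's real pkg/event type.
type Event struct {
	Time    time.Time
	Source  string // collector name: journald, dmesg, kubernetes, ...
	Level   string
	Message string
}

// klogPrefix matches Kubernetes klog headers such as "E0212 10:05:09.000001 1 pod.go:77] ...".
var klogPrefix = regexp.MustCompile(`^([EWI])\d{4} \d{2}:\d{2}:\d{2}`)

// DetectSeverity elevates the collector's baseline level from markers embedded in the message
// body (level=error, ERR, WRN, klog prefixes), so a journald INFO line is not buried.
func DetectSeverity(base, msg string) string {
	switch m := klogPrefix.FindStringSubmatch(msg); {
	case strings.Contains(msg, "level=error"), strings.Contains(msg, "ERR"), m != nil && m[1] == "E":
		return "ERROR"
	case strings.Contains(msg, "level=warn"), strings.Contains(msg, "WRN"), m != nil && m[1] == "W":
		return "WARN"
	}
	return base
}

// Merge applies severity detection and orders all collector streams into one stable-sorted timeline.
func Merge(streams ...[]Event) []Event {
	var all []Event
	for _, s := range streams {
		for _, e := range s {
			e.Level = DetectSeverity(e.Level, e.Message)
			all = append(all, e)
		}
	}
	sort.SliceStable(all, func(i, j int) bool { return all[i].Time.Before(all[j].Time) })
	return all
}

// SampleTimeline merges three constructed events (not real captures) from three collectors.
func SampleTimeline() []Event {
	at := func(s string) time.Time { v, _ := time.Parse(time.RFC3339, s); return v }
	journald := []Event{{at("2026-02-12T10:05:03Z"), "journald", "INFO", `level=error msg="db pool exhausted"`}}
	dmesg := []Event{{at("2026-02-12T10:05:01Z"), "dmesg", "WARN", "Out of memory: Killed process 4242 (postgres)"}}
	k8s := []Event{{at("2026-02-12T10:05:09Z"), "kubernetes", "INFO", "E0212 10:05:09.000001 1 pod.go:77] Back-off restarting failed container"}}
	return Merge(journald, dmesg, k8s)
}
```

The merged result puts the kernel OOM kill first, then the journald line promoted from INFO to ERROR, then the klog-prefixed pod event, which is the same ordering the TUI and the JSON view would show.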
Pros and Cons of wbts
Pros:
- Merges seven operational signals into one timestamped timeline, which cuts cross-shell correlation work.
- Reads rotated files, so pre-crash evidence remains visible after restarts.
- Detects embedded severity in message bodies, which improves signal quality for noisy logging stacks.
- Works as a TUI, plain text view, or JSON producer, so it fits both humans and automation.
- `check-perms` makes access issues visible before you assume the logs are empty.
- The stable `pkg/event` API gives downstream contributors a clean extension point.
Cons:
- It is Linux-first, so it does not solve Windows or pure cloud tracing use cases.
- Docker events are still limited by the daemon ring buffer, which means older activity can disappear on busy hosts.
- Kubernetes events often expire after about an hour, so very old cluster state may be missing even if the time window is wider.
- Full coverage can require elevated permissions or group membership on hardened servers.
- It is a forensics tool, not an alerting or remediation system, so it will not replace a full observability platform.
Getting Started with wbts
```bash
curl -fsSL https://raw.githubusercontent.com/bruceowenga/wbts/main/scripts/install.sh | bash
wbts check-perms
wbts --since 2h
```
That install path gets wbts onto the host fast, then checks which collectors you can actually read before you start triage. If you want to review the installer first, download `install.sh` and read it before running it. If you prefer source builds, `git clone https://github.com/bruceowenga/wbts` and run `go build -o wbts ./cmd/wbts` from the repository root.
After the first run, you can narrow the window with --since and --until, filter by container with --container, or switch to --json for scripting. If the TUI opens, use j and k to move, e to expand raw lines, and f to filter severity without leaving the timeline.
Verdict
wbts is the strongest option for host-level incident reconstruction when you need to merge Linux, container, and package-manager evidence without context switching. Its biggest strength is cross-source chronology; its main caveat is that it depends on local permissions and source retention limits. Use wbts when you want the fastest path from noisy logs to a defensible incident timeline.