Finch brings production-grade observability to your infrastructure — no Kubernetes, no cloud vendor, no expertise required. Deploy a full logs, metrics, and profiling stack in one command. Enroll agents on any Linux or macOS machine in one more. Everything else — TLS, authentication, agent configuration — is handled for you.
Background, motivation, and a walkthrough: Blog post
Install the Finch CLI:
curl -sSfL https://finch.coresec.zone | sudo sh -Alternatively, download a binary from the releases page or build from source.
You need a Linux machine with SSH access and superuser privileges.
finchctl service deploy root@10.19.80.100That's it. The full observability stack is up at https://10.19.80.100.
Open /grafana in your browser — user admin, password admin.
Your local mTLS credentials are saved automatically to ~/.config/finch.json.
Need Let's Encrypt or a custom certificate? See TLS options.
Register a new agent with the Finch service and deploy it to a target machine:
finchctl agent register \
--agent.hostname sparrow \
--agent.logs.journal \
10.19.80.100The agent config is saved as finch-agent.cfg and contains all endpoints and
credentials.
finchctl agent deploy --agent.config finch-agent.cfg root@172.17.0.4Alloy is installed and started on the target machine automatically.
Want to collect Docker logs, log files, metrics, or profiles? See Agent options.
finchctl service dashboard --web --permission.session-timeout 1800 10.19.80.100The dashboard opens in your browser with a fresh session token.
- TLS options - Let's Encrypt, custom certificates
- Agent options - Docker logs, file logs, metrics, profiles, labels
- Managing agents - list, describe, edit, deregister
- Token renewal - refreshing agent credentials before expiry
- Security model - how Finch handles auth, rotation, and recovery
- Windows agents - enrolling agents on Windows
Fork the repository and submit a pull request. For major changes, open an issue first to discuss your proposal.
This project is licensed under the MIT License.