SYSADMIN · DAY-TO-DAY

What a sysadmin actually does every week in monsys.ai

Five concrete actions that come up every week, each with the SQL query, curl call or click path that does the work in seconds, not in a ticket thread.

01

Monday morning — what changed over the weekend

Nobody called you, but that doesn't mean things stayed quiet. Drift, ad-hoc fixes, EAT executions — you want a 30-second overview.

  1. Sidebar → Audit-log
  2. Filter: last 72h, grouped by event_type
  3. Click any drift_event row to see operator + reason
  4. Unexplained drift? → agent → Inventory → Restore

Next month's Audit Pack contains the same overview, Ed25519-signed.

Same via API (sql) — for automation
SELECT a.hostname, l.event_type,
       l.event_data->>'reason' AS reason,
       u.email AS actor, l.created_at
  FROM audit_log l
  LEFT JOIN agents a ON a.id = l.agent_id
  LEFT JOIN users  u ON u.id = l.user_id
 WHERE l.tenant_id = $1::UUID
   AND l.created_at >= NOW() - INTERVAL '72 hours'
 ORDER BY l.created_at DESC;
02

Patch a kernel CVE across 80 production hosts — with no downtime

USN-2026-1234 hits your whole Ubuntu fleet. Manual apt-get install on 80 hosts is not an option; rebooting them all at once isn't either.

  1. Sidebar → Kernel CVEs → Active batches tab
  2. 'New batch' button → tag selector 'production' + target kernel
  3. Enter TOTP → Start canary
  4. Watch canary → primary → completed in the same view

Every kernel EAT lands in audit_log and transparency_log. Client and auditor can verify it offline with the monsys-verify-eat CLI.

Same via API (bash) — for automation
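# 123456 is a placeholder: send the current code from your authenticator.
curl -X POST https://app.monsys.ai/api/v1/kernel-updates/batches \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -H "X-TOTP-Code: 123456" \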
  -d '{
    "title":           "USN-2026-1234 — kernel 6.8.0-49.49",
    "target_kernel":   "6.8.0-49.49",
    "package_manager": "apt",
    "reboot_strategy": "auto-at-window",
    "selector_kind":   "tag",
    "selector_value":  {"tag":"production"}
  }'
03

Why did I get 438 alerts last night

Alert dedup usually fails because a title contains a varying value (count, percentage, timestamp) — each new value = new dedup key = new alert.

  1. Sidebar → Alerts → 'Grouped by title' tab
  2. Sort descending by count
  3. Click the biggest group — is there a value embedded in the title?
  4. /settings/alert-rules → fix the rule so the value goes into description

The InsertAlert helper deduplicates alerts for 30 minutes per (tenant, agent, category, title). Maintenance windows silence alerts automatically during scheduled work.

Same via API (sql) — for automation
SELECT title, COUNT(*),
       MIN(created_at), MAX(created_at)
  FROM alerts
 WHERE tenant_id = $1::UUID
   AND created_at >= NOW() - INTERVAL '24 hours'
 GROUP BY title
 ORDER BY 2 DESC LIMIT 10;
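
The dedup failure described above, as an added example (not monsys.ai code). It assumes suppression lasts 30 minutes from the last alert raised for a key; `template`, `count_alerts`, `noisy_templates` and the sample events are constructed for illustration. Masking the varying value also exposes noisy rules that exact-title grouping splits into many groups of one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(minutes=30)  # window stated on the page

# Values that typically vary between firings: timestamps first, then plain numbers.
_VARYING = re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?Z?|\d+(?:\.\d+)?")

def template(title):
    """Collapse varying values so titles from one rule share one stable form."""
    return _VARYING.sub("<n>", title)

def count_alerts(events, key_title=lambda t: t):
    """Simulate dedup per (tenant, agent, category, title); return alerts raised.
    Assumption: a key is suppressed for 30 minutes after its last raised alert."""
    last_raised, raised = {}, 0
    for ts, tenant, agent, category, title in sorted(events):
        key = (tenant, agent, category, key_title(title))
        if key not in last_raised or ts - last_raised[key] >= DEDUP_WINDOW:
            last_raised[key] = ts
            raised += 1
    return raised

def noisy_templates(events, min_variants=3):
    """Templates whose titles differ only by an embedded value (dedup defeated)."""
    variants = defaultdict(set)
    for *_, title in events:
        variants[template(title)].add(title)
    return {t: len(v) for t, v in variants.items() if len(v) >= min_variants}

# Constructed sample: one rule embeds a percentage in the title, one has a stable title.
_T0 = datetime(2026, 1, 5, 2, 0)
SAMPLE = [(_T0 + timedelta(minutes=5 * i), "t1", "web-01", "disk",
           f"Disk usage at {81 + i}%") for i in range(12)]
SAMPLE += [(_T0 + timedelta(minutes=10 * i), "t1", "web-01", "auth",
            "SSH login failed") for i in range(3)]

if __name__ == "__main__":
    print("alerts with value in title:  ", count_alerts(SAMPLE))
    print("alerts with value moved out: ", count_alerts(SAMPLE, key_title=template))
    print("rules to fix:", noisy_templates(SAMPLE))
```

Passing `key_title=template` models the fixed rule, where the value lives in the description and the title stays constant.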
04

Employee left — find every system they had access to

Alice resigns tomorrow. You need to know: which servers, which SSH keys, which Copilot/OpenAI seats, which sudo rights — across all tenants.

  1. Sidebar → Identity surface → search 'alice@'
  2. See linked systems (hosts, SSH keys, Copilot seats)
  3. Per system, 'Revoke' button → TOTP
  4. Audit-log shows 'identity_revoked' as evidence

run_playbook EAT actions are recorded in audit_log per host, plus one parent row that links all child EATs for traceability.

Same via API (bash) — for automation
# Identity surface — search across systems
curl 'https://app.monsys.ai/api/v1/identity/persons?email=alice@acme.com' \
  -H "Authorization: Bearer $TOKEN"

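# Bulk revoke via a playbook EAT (TOTP required; 123456 is a placeholder)
# Replace <id> with the agent ID. The URL is quoted so the shell does not parse < and > as redirections.
curl -X POST 'https://app.monsys.ai/api/v1/agents/<id>/emergency' \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -H "X-TOTP-Code: 123456" \
  -d '{"actions":[{"kind":"run_playbook","id":"revoke-user"}]}'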
05

Are production DB backups still working

Backup tools report success/failure to monsys. A tool that hasn't run for 18 days doesn't report failure either — just silence.

  1. Sidebar → Inventory → Backups tab
  2. Filter on tag 'production-db'
  3. Sort 'Last successful' ascending
  4. Click 'Create alert rule' on the stale host → threshold 25h

Backup evidence (last 90d successful runs per host) automatically lands in the monthly Audit Pack under NIS2 §2(c) business continuity.

Same via API (sql) — for automation
SELECT a.hostname, b.tool, b.destination,
       b.last_successful_run,
       NOW() - b.last_successful_run AS age,
       b.last_failure_message
  FROM backup_configs b
  JOIN agents a ON a.id = b.agent_id
 WHERE b.tenant_id = $1::UUID
   AND 'production-db' = ANY(a.tags)
 ORDER BY b.last_successful_run NULLS FIRST;
