sap-ecs-log-forwarder 1.0.0__py3-none-any.whl

sap_ecs_log_forwarder/cli.py

@@ -0,0 +1,303 @@
+import click
+
+from sap_ecs_log_forwarder.crypto import encrypt_value, generate_key, get_active_key
+from .config import load_config, save_config
+
+@click.group()
+def cli():
+    pass
+
+@cli.command("config-path")
+def config_path():
+    """Show resolved config file path."""
+    from sap_ecs_log_forwarder.config import CONFIG_FILE
+    click.echo(str(CONFIG_FILE.resolve()))
+
+@cli.command("set-log-file")
+@click.option("--path", prompt=True, help="Path to write JSON logs (e.g., /var/log/sap-log-forwarder/app.log)")
+def set_log_file(path):
+    """Configure a file path to write logs. Use an empty path to disable file logging."""
+    cfg = load_config()
+    p = path.strip()
+    if p:
+        cfg["logFile"] = p
+        click.echo(f"Log file set to: {p}")
+    else:
+        cfg.pop("logFile", None)
+        click.echo("File logging disabled.")
+    save_config(cfg)
+
+@cli.group()
+def input():
+    pass
+
+@input.command("add")
+@click.option("--provider", type=click.Choice(["gcp","aws","azure"]), prompt=True)
+@click.option("--name", prompt=True)
+@click.option("--subscription", help="GCP subscription path ( Full Path - projects/{project_id}/subscriptions/{sub_name} )")
+@click.option("--queue", help="AWS/Azure queue URL or name")
+@click.option("--region", help="AWS region")
+@click.option("--bucket", help="Bucket name (AWS/GCP)")
+@click.option("--storage-account", help="Azure storage account or conn string")
+@click.option("--max-retries", type=int, default=5, show_default=True)
+@click.option("--retry-delay", type=int, default=10, show_default=True)
+@click.option("--log-level", type=click.Choice(["DEBUG","INFO","WARNING","ERROR","CRITICAL"]), default="INFO", show_default=True, help="Log level for this input")
+def add_input(provider, name, subscription, queue, region, bucket, storage_account, max_retries, retry_delay, log_level):
+    cfg = _load_mutable()
+    if any(i.get("name")==name for i in cfg["inputs"]):
+        click.echo(f"Input '{name}' exists.")
+        return
+    base = {
+        "provider": provider,
+        "name": name,
+        "maxRetries": max_retries,
+        "retryDelay": retry_delay,
+        "includeFilter": [],
+        "excludeFilter": [],
+        "outputs": [],
+        "logLevel": log_level.upper(),
+    }
+    if provider == "gcp":
+        base["subscription"] = subscription or click.prompt("GCP subscription")
+        base["bucket"] = bucket or click.prompt("GCP bucket (optional)", default="")
+    elif provider == "aws":
+        base["queue"] = queue or click.prompt("SQS queue URL")
+        base["region"] = region or click.prompt("AWS region")
+        base["bucket"] = bucket or click.prompt("S3 bucket")
+    elif provider == "azure":
+        base["queue"] = queue or click.prompt("Azure queue name")
+        base["storageAccount"] = storage_account or click.prompt("Azure storage account / conn string")
+    cfg["inputs"].append(base)
+    save_config(cfg)
+    click.echo(f"Added input '{name}' ({provider}).")
+
+@input.command("list")
+def list_inputs():
+    cfg = _load_mutable()
+    if not cfg["inputs"]:
+        click.echo("No inputs.")
+        return
+    for i in cfg["inputs"]:
+        click.echo(f"- {i['name']} [{i['provider']}]")
+
+@input.command("remove")
+@click.argument("name")
+def remove_input(name):
+    cfg = _load_mutable()
+    before = len(cfg["inputs"])
+    cfg["inputs"] = [i for i in cfg["inputs"] if i.get("name") != name]
+    save_config(cfg)
+    if len(cfg["inputs"]) == before:
+        click.echo("Not found.")
+    else:
+        click.echo("Removed.")
+
+@cli.group()
+def output():
+    pass
+
+@output.command("add")
+@click.option("--input-name", prompt=True)
+@click.option("--type", "otype", type=click.Choice(["files","http","console"]), prompt=True)
+@click.option("--destination", help="For files/http")
+@click.option("--compress", is_flag=True, default=False)
+@click.option("--include", "include_filters", multiple=True, help="Regex include filter(s) for output (can be repeated)")
+@click.option("--exclude", "exclude_filters", multiple=True, help="Regex exclude filter(s) for output (can be repeated)")
+def add_output(input_name, otype, destination, compress, include_filters, exclude_filters):
+    cfg = _load_mutable()
+    inp = _find(cfg, input_name)
+    if not inp:
+        click.echo("Input not found.")
+        return
+    out = {"type": otype}
+    if otype in ("files","http"):
+        out["destination"] = destination or click.prompt("Destination")
+    if otype == "files":
+        out["compress"] = compress
+
+    # Attach output-level filters if provided
+    if include_filters:
+        out["includeFilter"] = list(include_filters)
+    if exclude_filters:
+        out["excludeFilter"] = list(exclude_filters)
+
+    if otype in ("files","http") and not out.get("destination"):
+        click.echo("Destination required.")
+        return
+    inp.setdefault("outputs", []).append(out)
+    save_config(cfg)
+    click.echo("Output added.")
+
+@output.command("list")
+@click.argument("input_name")
+def list_outputs(input_name):
+    cfg = _load_mutable()
+    inp = _find(cfg, input_name)
+    if not inp:
+        click.echo("Input not found.")
+        return
+    outs = inp.get("outputs", [])
+    if not outs:
+        click.echo("No outputs.")
+        return
+    for idx, o in enumerate(outs):
+        inc = ", ".join(o.get("includeFilter", [])) or "-"
+        exc = ", ".join(o.get("excludeFilter", [])) or "-"
+        click.echo(f"[{idx}] {o['type']} -> {o.get('destination','')} (include: {inc}; exclude: {exc})")
+
+@output.command("remove")
+@click.option("--input-name", prompt=True)
+@click.option("--index", type=int, prompt=True)
+def remove_output(input_name, index):
+    cfg = _load_mutable()
+    inp = _find(cfg, input_name)
+    if not inp:
+        click.echo("Input not found.")
+        return
+    outs = inp.get("outputs", [])
+    if not (0 <= index < len(outs)):
+        click.echo("Invalid index.")
+        return
+    outs.pop(index)
+    save_config(cfg)
+    click.echo("Removed.")
+
+@cli.command("gen-key")
+def gen_key():
+    key = generate_key()
+    click.echo(f"Generated key: {key}")
+    click.echo("Export it: export FORWARDER_ENCRYPTION_KEY='{}'".format(key))
+
+@cli.group()
+def creds():
+    """Manage encrypted credentials."""
+    pass
+
+@creds.command("set-provider-auth")
+@click.option("--input-name", prompt=True)
+def set_provider_auth(input_name):
+    cfg = _load_mutable()
+    inp = _find(cfg, input_name)
+    if not inp:
+        click.echo("Input not found.")
+        return
+    provider = inp.get("provider")
+    key = get_active_key()
+    if not key:
+        click.echo("Encryption key not set (env FORWARDER_ENCRYPTION_KEY).")
+        return
+    auth = {}
+    if provider == "aws":
+        mode = click.prompt("AWS auth mode (static/dynamic)", default="static")
+        if mode == "static":
+            access_key = click.prompt("AWS Access Key ID", hide_input=True)
+            secret_key = click.prompt("AWS Secret Access Key", hide_input=True)
+            auth["accessKeyId"] = "enc:" + encrypt_value(access_key, key)
+            auth["secretAccessKey"] = "enc:" + encrypt_value(secret_key, key)
+        else:
+            client_id = click.prompt("Backend client_id", hide_input=True)
+            client_secret = click.prompt("Backend client_secret", hide_input=True)
+            login_url = click.prompt("Login URL", default="http://localhost:8000/api/v1/app/login")
+            aws_creds_url = click.prompt("AWS Credentials URL", default="http://localhost:8000/api/v1/aws/credentials")
+            auth["clientId"] = "enc:" + encrypt_value(client_id, key)
+            auth["clientSecret"] = "enc:" + encrypt_value(client_secret, key)
+            auth["loginUrl"] = login_url
+            auth["awsCredsUrl"] = aws_creds_url
+            click.echo("Dynamic AWS auth will request temporary credentials every ~15 minutes.")
+    elif provider == "azure":
+        mode = click.prompt("Azure auth mode (sas/dynamic)", default="sas")
+        if mode == "sas":
+            sas = click.prompt("Azure SAS Token", hide_input=True)
+            auth["sasToken"] = "enc:" + encrypt_value(sas, key)
+        else:
+            client_id = click.prompt("Backend client_id", hide_input=True)
+            client_secret = click.prompt("Backend client_secret", hide_input=True)
+            login_url = click.prompt("Login URL", default="http://localhost:8000/api/v1/app/login")
+            creds_url = click.prompt("Credentials URL", default="http://localhost:8000/api/v1/azure/credentials")
+            # Store dynamic auth params
+            auth["clientId"] = "enc:" + encrypt_value(client_id, key)
+            auth["clientSecret"] = "enc:" + encrypt_value(client_secret, key)
+            auth["loginUrl"] = login_url
+            auth["credsUrl"] = creds_url
+            click.echo("Dynamic Azure auth will request temporary SAS tokens every ~15 minutes.")
+    elif provider == "gcp":
+        mode = click.prompt("GCP service account JSON input mode (file/paste)", default="file")
+        if mode == "file":
+            path = click.prompt("Path to service account JSON file")
+            try:
+                with open(path, "r") as f:
+                    content = f.read()
+            except Exception as e:
+                click.echo(f"Failed to read file: {e}")
+                return
+        else:
+            click.echo("Paste JSON, finish with EOF (Ctrl-D):")
+            try:
+                import sys
+                content = sys.stdin.read()
+            except Exception as e:
+                click.echo(f"Failed to read input: {e}")
+                return
+        auth["serviceAccountJson"] = "enc:" + encrypt_value(content.strip(), key)
+    else:
+        click.echo("Unsupported provider for auth.")
+        return
+    auth["encrypted"] = True
+    inp["authentication"] = auth
+    save_config(cfg)
+    click.echo("Provider credentials stored (encrypted).")
+
+@creds.command("set-http-auth")
+@click.option("--input-name", prompt=True)
+@click.option("--output-index", type=int, prompt=True)
+@click.option("--auth-type", type=click.Choice(["bearer","api-key","basic"]), prompt=True)
+def set_http_auth(input_name, output_index, auth_type):
+    cfg = _load_mutable()
+    inp = _find(cfg, input_name)
+    if not inp:
+        click.echo("Input not found.")
+        return
+    outs = inp.get("outputs", [])
+    if not (0 <= output_index < len(outs)):
+        click.echo("Invalid index.")
+        return
+    out = outs[output_index]
+    if out.get("type") != "http":
+        click.echo("Selected output not HTTP.")
+        return
+    key = get_active_key()
+    if not key:
+        click.echo("Encryption key not set (env FORWARDER_ENCRYPTION_KEY).")
+        return
+    if auth_type == "bearer":
+        token = click.prompt("Bearer token", hide_input=True)
+        out["authorization"] = {"type":"bearer","token":"enc:"+encrypt_value(token, key),"encrypted":True}
+    elif auth_type == "api-key":
+        api_key = click.prompt("API key", hide_input=True)
+        out["authorization"] = {"type":"api-key","apiKey":"enc:"+encrypt_value(api_key, key),"encrypted":True}
+    elif auth_type == "basic":
+        user = click.prompt("Username")
+        pwd = click.prompt("Password", hide_input=True)
+        out["authorization"] = {
+            "type":"basic",
+            "user":user,
+            "password":"enc:"+encrypt_value(pwd, key),
+            "encrypted":True
+        }
+    save_config(cfg)
+    click.echo("Credentials stored (encrypted).")
+
+def _load_mutable():
+    try:
+        return load_config()
+    except FileNotFoundError:
+        return {"logLevel":"info","inputs":[]}
+
+def _find(cfg, name):
+    for i in cfg.get("inputs", []):
+        if i.get("name")==name:
+            return i
+    return None
+
+if __name__ == "__main__":
+    cli()

sap_ecs_log_forwarder/config.py

@@ -0,0 +1,99 @@
+import json
+import logging
+import os
+from pathlib import Path
+
+def _resolve_config_path():
+    # 1. Environment variable override
+    env_path = os.getenv("SAP_LOG_FORWARDER_CONFIG")
+    if env_path:
+        return Path(env_path).expanduser()
+
+    # 2. Existing local config.json (backward compatibility)
+    local = Path("config.json")
+    if local.exists():
+        return local
+
+    # 3. Default in user home
+    home_path = Path.home() / ".sapecslogforwarder"
+    try:
+        home_path.mkdir(parents=True, exist_ok=True)
+    except Exception:
+        pass
+    return home_path / "config.json"
+
+
+CONFIG_FILE = _resolve_config_path()
+
+def validate_input(inp):
+    provider = inp.get("provider")
+    required = {
+        "gcp": ["subscription"],
+        "aws": ["queue","region","bucket"],
+        "azure": ["queue","storageAccount"]
+    }.get(provider, [])
+    missing = [r for r in required if not inp.get(r)]
+    if missing:
+        raise ValueError(f"Input '{inp.get('name')}' missing required fields: {missing}")
+    if not isinstance(inp.get("outputs", []), list):
+        raise ValueError(f"Input '{inp.get('name')}' outputs must be a list.")
+    auth = inp.get("authentication")
+    if not auth:
+        return  # auth optional
+
+    if not isinstance(auth, dict):
+        raise ValueError(f"Input '{inp.get('name')}' authentication must be an object.")
+
+    if provider == "aws":
+        static_ok = ("accessKeyId" in auth and "secretAccessKey" in auth)
+        dynamic_ok = (all(k in auth for k in ("clientId","clientSecret","loginUrl")) and ("awsCredsUrl" in auth or "credsUrl" in auth))
+        if not (static_ok or dynamic_ok):
+            raise ValueError(
+                f"Input '{inp.get('name')}' AWS auth must include either static keys "
+                "(accessKeyId, secretAccessKey) or dynamic fields "
+                "(clientId, clientSecret, loginUrl, awsCredsUrl)."
+            )
+    elif provider == "azure":
+        static_ok = ("sasToken" in auth)
+        dynamic_ok = (all(k in auth for k in ("clientId","clientSecret","loginUrl","credsUrl")))
+        if not (static_ok or dynamic_ok):
+            raise ValueError(
+                f"Input '{inp.get('name')}' Azure auth must include either 'sasToken' "
+                "or dynamic fields (clientId, clientSecret, loginUrl, credsUrl)."
+            )
+    elif provider == "gcp":
+        if "serviceAccountJson" not in auth:
+            raise ValueError(f"Input '{inp.get('name')}' GCP auth missing 'serviceAccountJson'.")
+
+
+def load_config():
+    if not CONFIG_FILE.exists():
+        raise FileNotFoundError(f"Config file missing: {CONFIG_FILE.resolve()}")
+    with CONFIG_FILE.open() as f:
+        data = json.load(f)
+    if "inputs" not in data or not isinstance(data["inputs"], list):
+        raise ValueError("Config must contain 'inputs' list.")
+    for inp in data["inputs"]:
+        validate_input(inp)
+    return data
+
+def save_config(cfg):
+    # Ensure parent exists
+    try:
+        CONFIG_FILE.parent.mkdir(parents=True, exist_ok=True)
+    except Exception:
+        pass
+    with CONFIG_FILE.open("w") as f:
+        json.dump(cfg, f, indent=2)
+
+
+def get_log_level(cfg):
+    level = cfg.get("logLevel", "INFO").upper()
+    return getattr(logging, level, logging.INFO)
+
+def get_log_file(cfg):
+    """Return log file path if configured, else None."""
+    path = cfg.get("logFile")
+    if not path:
+        return None
+    return str(Path(path).expanduser())

sap_ecs_log_forwarder/consumer.py

@@ -0,0 +1,56 @@
+import logging
+import threading
+import time
+
+from sap_ecs_log_forwarder.json_logging import setup_structured_logging
+from sap_ecs_log_forwarder.metrics import format_metrics, reset_metrics
+from .config import CONFIG_FILE, get_log_file, load_config, get_log_level
+from .aws import AWSRunner
+from .gcp import GCPRunner
+from .azure import AzureRunner
+
+PROVIDERS = {
+    "gcp": GCPRunner,
+    "aws": AWSRunner,
+    "azure": AzureRunner,
+}
+
+def _metrics_logger():
+    while True:
+        time.sleep(30)
+        logging.info("metrics snapshot\n" + format_metrics())
+        ## Verify if is the beginning of the day (00:00 UTC)
+        now = time.gmtime()
+        if now.tm_hour == 0 and (now.tm_min == 0 or now.tm_min == 1):
+            logging.info("Daily metrics snapshot\n" + format_metrics())
+            reset_metrics()
+
+def run_all():
+    cfg = load_config()
+    logging.info(f"Using config file: {CONFIG_FILE.resolve()}")
+    setup_structured_logging(get_log_level(cfg), get_log_file(cfg))
+    inputs = cfg.get("inputs", [])
+    if not inputs:
+        logging.warning("No inputs configured.")
+        return
+    m_thread = threading.Thread(target=_metrics_logger, daemon=True)
+    m_thread.start()
+    threads = []
+    for inp in inputs:
+        p = inp.get("provider")
+        cls = PROVIDERS.get(p)
+        if not cls:
+            logging.error(f"Unknown provider: {p}")
+            continue
+        runner = cls(inp)
+        t = threading.Thread(target=runner.start, name=f"{p}-{inp.get('name','input')}", daemon=True)
+        t.start()
+        threads.append(t)
+    try:
+        for t in threads:
+            t.join()
+    except KeyboardInterrupt:
+        logging.info("Shutdown requested.")
+
+if __name__ == "__main__":
+    run_all()

sap_ecs_log_forwarder/crypto.py

@@ -0,0 +1,41 @@
+import os
+from cryptography.fernet import Fernet
+
+_ENV_KEY = "FORWARDER_ENCRYPTION_KEY"
+
+def decrypt_auth_dict(auth):
+    if not isinstance(auth, dict):
+        return {}
+    dec = {}
+    for k, v in auth.items():
+        if k == "encrypted":
+            continue
+        # URLs are not encrypted; keep as-is
+        if k in ("loginUrl","credsUrl","awsCredsUrl"):
+            dec[k] = v
+            continue
+        dec[k] = decrypt_value_if_needed(v)
+    return dec
+
+def get_active_key():
+    key = os.getenv(_ENV_KEY)
+    return key
+
+def generate_key():
+    return Fernet.generate_key().decode()
+
+def encrypt_value(value, key):
+    if not value:
+        return value
+    f = Fernet(key.encode() if isinstance(key, str) else key)
+    return f.encrypt(value.encode()).decode()
+
+def decrypt_value_if_needed(value):
+    if not value or not value.startswith("enc:"):
+        return value
+    key = get_active_key()
+    if not key:
+        return value  # Cannot decrypt without key
+    raw = value[4:]
+    f = Fernet(key.encode() if isinstance(key, str) else key)
+    return f.decrypt(raw.encode()).decode()

sap_ecs_log_forwarder/gcp.py

@@ -0,0 +1,105 @@
+import json
+import time
+import logging
+from functools import partial
+from google.cloud import pubsub_v1
+from google.api_core.exceptions import PermissionDenied, NotFound
+from google.oauth2 import service_account
+
+from sap_ecs_log_forwarder import metrics
+from sap_ecs_log_forwarder.crypto import decrypt_auth_dict
+from sap_ecs_log_forwarder.processor import emit
+from sap_ecs_log_forwarder.utils import compile_filters, decode_bytes, is_relevant, split_lines
+
+class GCPRunner:
+    def __init__(self, cfg):
+        self.cfg = cfg
+        self._stop = False
+        inc, exc = compile_filters(cfg.get("includeFilter", []), cfg.get("excludeFilter", []))
+        self.include = inc
+        self.exclude = exc
+        self.max_retries = cfg.get("maxRetries", 5)
+        self.retry_delay = cfg.get("retryDelay", 10)
+        lvl = getattr(logging, str(self.cfg.get("logLevel","INFO")).upper(), logging.INFO)
+        self.log = logging.getLogger(f"input.{self.cfg.get('name','aws')}")
+        self.log.setLevel(lvl)
+
+    def _valid_sub(self, path):
+        try:
+            c = pubsub_v1.SubscriberClient(credentials=self._storage_credentials) if self._storage_credentials else pubsub_v1.SubscriberClient()
+            c.get_subscription(request={"subscription": path})
+            return True
+        except PermissionDenied:
+            return True
+        except NotFound:
+            self.log.error(f"Subscription not found: {path}")
+            return False
+        except Exception as e:
+            self.log.error(f"Subscription check failed: {e}")
+            return False
+
+    def start(self):
+        credentials = None
+        auth = decrypt_auth_dict(self.cfg.get("authentication", {}))
+        sa_json = auth.get("serviceAccountJson")
+        if sa_json:
+            try:
+                info = json.loads(sa_json)
+                credentials = service_account.Credentials.from_service_account_info(info)
+            except Exception as e:
+                self.log.error(f"Failed to parse GCP service account JSON: {e}")
+        client = pubsub_v1.SubscriberClient(credentials=credentials) if credentials else pubsub_v1.SubscriberClient()
+        self._storage_credentials = credentials
+        path = self.cfg.get("subscription")
+        if not path or not self._valid_sub(path):
+            return
+        cb = partial(self._callback, credentials=credentials)
+        future = client.subscribe(path, callback=cb)
+        self.log.info(f"[{self.cfg['name']}] Listening on {path}")
+        try:
+            future.result()
+        except Exception as e:
+            self.log.error(f"GCP runner stopped: {e}")
+            future.cancel()
+
+    def _callback(self, message, credentials=None):
+        if self._stop:
+            message.nack()
+            return
+        try:
+            payload = json.loads(message.data.decode("utf-8"))
+        except Exception as e:
+            self.log.error(f"JSON decode failure: {e}")
+            message.ack()
+            return
+        bucket = payload.get("bucket")
+        name = payload.get("name","")
+        event_type = message.attributes.get("eventType")
+        if event_type != "OBJECT_FINALIZE" or not is_relevant(name, self.include, self.exclude):
+            self.log.debug(f"[{self.cfg['name']}] Ignoring GCP object event: {name} ({event_type})")
+            message.ack()
+            return
+        retries = 0
+        while retries < self.max_retries:
+            try:
+                self.log.debug(f"[{self.cfg['name']}] Processing GCP object gs://{bucket}/{name}")
+                from google.cloud import storage
+                sc = storage.Client(credentials=credentials) if credentials else storage.Client()
+                blob = sc.bucket(bucket).blob(name)
+                raw = blob.download_as_bytes()
+                text = decode_bytes(raw)
+                lines = split_lines(text)
+                emit(lines, name, self.cfg.get("outputs", []))
+                self.log.debug(f"[{self.cfg['name']}] Processed GCP object gs://{bucket}/{name}")
+                message.ack()
+                metrics.inc("gcp_messages_processed")
+                return
+            except Exception as e:
+                retries += 1
+                metrics.inc("gcp_retry")
+                self.log.error(f"GCP process error attempt {retries}: {e}")
+                time.sleep(min(self.retry_delay * (2 ** (retries-1)), 120))
+        message.ack()
+
+    def stop(self):
+        self._stop = True

sap_ecs_log_forwarder/json_logging.py

@@ -0,0 +1,42 @@
+import json
+import logging
+import time
+from logging import StreamHandler, FileHandler
+
+class JsonFormatter(logging.Formatter):
+    def format(self, record):
+        data = {
+            "ts": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(record.created)),
+            "level": record.levelname,
+            "message": record.getMessage(),
+            "logger": record.name,
+            "thread": record.threadName,
+            "pid": record.process,
+            "module": record.module,
+            "func": record.funcName,
+            "line": record.lineno,
+            "stack": self.formatException(record.exc_info) if record.exc_info else None,
+        }
+        if hasattr(record, "source"):
+            data["source"] = record.source
+        if record.__dict__.get("destination"):
+            data["destination"] = record.__dict__["destination"]
+        return json.dumps(data)
+
+def setup_structured_logging(level, log_file: str):
+    formatter = JsonFormatter()
+    root = logging.getLogger()
+    root.handlers.clear()
+
+    # Always keep console output
+    sh = StreamHandler()
+    sh.setFormatter(formatter)
+    root.addHandler(sh)
+
+    # Optional file output
+    if log_file:
+        fh = FileHandler(log_file)
+        fh.setFormatter(formatter)
+        root.addHandler(fh)
+
+    root.setLevel(level)

sap_ecs_log_forwarder/metrics.py

@@ -0,0 +1,37 @@
+import threading
+from collections import Counter
+import time
+
+class _Metrics:
+    def __init__(self):
+        self._lock = threading.Lock()
+        self._counters = Counter()
+        self._start = time.time()
+
+    def inc(self, name, value=1):
+        with self._lock:
+            self._counters[name] += value
+
+    def snapshot(self):
+        with self._lock:
+            return dict(self._counters), self._start
+        
+    def reset(self):
+        with self._lock:
+            self._counters = Counter()
+            self._start = time.time()
+
+metrics = _Metrics()
+
+def inc(name, value=1):
+    metrics.inc(name, value)
+
+def format_metrics():
+    counters, start = metrics.snapshot()
+    lines = [f"# start_time_seconds {start:.0f}"]
+    for k,v in counters.items():
+        lines.append(f"{k} {v}")
+    return "\n".join(lines)
+
+def reset_metrics():
+    metrics.reset()