Troubleshoot a Remote Server
When a production server misbehaves, you need a diagnosis in minutes, not hours. OpenCode can read the relevant logs, cross-reference them with recent changes, and propose a fix — all while you stay in control of the box.
When to use this recipe
- A service is up but slow, erroring, or returning 5xx intermittently.
- Logs are large and you don’t know which subsystem is the source.
- You need to act on a fix but want a second opinion before restarting anything.
Prerequisites
- OpenCode installed on your local machine.
- SSH access to the affected server.
- Read-only access to the relevant logs and config files.
Steps
-
Define the symptom precisely
In one paragraph, state what’s wrong, when it started, and what you’ve already ruled out.
The checkout service has been returning 504s to about 3% of requests since 14:00 UTC today. Latency p99 went from 800ms to 6s. No deploys in the last 6 hours. CPU and memory on the app nodes are normal. I haven’t restarted anything yet.
-
Pull the relevant logs
Ask OpenCode to fetch the right slice of logs and surface anomalies.
SSH to the prod-app cluster (creds in 1Password). Pull the last 2 hours of the checkout service’s stdout and stderr. Surface any error patterns, stack traces, or unusual latency spikes. Don’t include normal traffic.
-
Correlate with recent changes
Even when no deploys happened, infra changes can still matter.
Check our infra changes in the last 24 hours (Terraform, ingress, DNS). Cross-reference each change with the timing of the latency increase.
-
Form a hypothesis
Ask OpenCode to propose the most likely cause and how to verify it.
Based on the logs and infra changes, give me a ranked list of the top 3 hypotheses for the latency increase. For each, tell me what evidence supports it and what one command I could run to confirm or rule it out.
-
Verify without disruption
Use the lowest-impact verification path first. Never jump to a restart.
# Example: check if a downstream is timing out curl -w '%{time_total}\n' -o /dev/null -s https://internal.api/ping -
Apply the smallest safe fix
Once verified, make the smallest change that resolves the issue. If the fix is risky, propose it to a teammate first.
Given that hypothesis #2 is now confirmed, propose the smallest safe change. Tell me the exact command(s), what to monitor in the next 10 minutes, and the rollback plan.
-
Write a post-incident note
Even for a small incident, capture what happened, why, and what to change.
Write a 1-page post-incident note to
incidents/2026-06-27-checkout-504.mdwith: timeline, root cause, mitigation, and one preventive measure (alert, runbook, test, or refactor).
Key prompt
SSH to [host] with the credentials in [vault path]. Pull the last [N hours] of [service] logs and surface error patterns, stack traces, and latency anomalies. Then check our infra changes in the same window. Give me a ranked list of the top 3 hypotheses for [symptom] — for each, the supporting evidence and one verification command. Don’t run anything destructive.
Verify
- A clear root cause is identified and documented.
- The fix is applied and metrics return to baseline.
- A post-incident note is written and shared with the team.
- If alerts were missing, file a follow-up to add them.
Common pitfalls
- Restarting first: A restart can hide evidence and cause a second incident. Always diagnose before acting.
- Single log file: A symptom often spans multiple logs. Pull from all of them, not just the obvious one.
- Skipping the post-incident: Without a writeup, the same incident will recur in 3 months.
Related recipes
- bug-hunting —
reason.remote.to-bug - refactor-codebase —
reason.remote.to-refactor - git-commit-workflow —
reason.remote.to-git
Related docs
Next up
- bug-hunting —
next.remote.to-bug