|
| 1 | +# LogLens v0.5.0 |
| 2 | + |
| 3 | +LogLens v0.5.0 is the Evidence Explainability Release. |
| 4 | + |
| 5 | +This release makes the path from raw authentication evidence to bounded triage |
| 6 | +findings easier to review. The focus is not adding more rules; it is making |
| 7 | +parser behavior, report contracts, evidence IDs, and non-claims visible enough |
| 8 | +for reviewers to verify. |
| 9 | + |
| 10 | +## Highlights |
| 11 | + |
| 12 | +- Stabilized the JSON report contract as `loglens.report.v2` with |
| 13 | + `schema_version` set to `2`. |
| 14 | +- Added stable finding explainability fields so a finding can be traced back to |
| 15 | + its rule context and source-line evidence. |
| 16 | +- Added a sanitized 150-line mixed auth corpus and checked-in parser coverage |
| 17 | + artifact for dirty syslog-style input. |
| 18 | +- Added false-positive taxonomy and forensic-style case-study documentation for |
| 19 | + evidence interpretation. |
| 20 | + |
| 21 | +## Stable JSON contract |
| 22 | + |
| 23 | +`report.json` now identifies the report artifact contract with: |
| 24 | + |
| 25 | +- `schema`: `loglens.report.v2` |
| 26 | +- `schema_version`: `2` |
| 27 | + |
| 28 | +Finding objects expose a stable explainability surface: |
| 29 | + |
| 30 | +- `rule_id` |
| 31 | +- `subject_kind` |
| 32 | +- `subject` |
| 33 | +- `grouping_key` |
| 34 | +- `window_start` |
| 35 | +- `window_end` |
| 36 | +- `threshold` |
| 37 | +- `observed_count` |
| 38 | +- `evidence_event_ids` |
| 39 | +- `verdict_boundary` |
| 40 | + |
| 41 | +`evidence_event_ids` are deterministic local IDs such as `line:1`. They help a |
| 42 | +reviewer trace the selected rule window back to source log lines without |
| 43 | +claiming global event identity. |
| 44 | + |
| 45 | +`verdict_boundary` is a machine-readable non-claim token. It keeps report output |
| 46 | +aligned with LogLens's triage scope instead of letting a finding read like an |
| 47 | +incident conclusion. |
| 48 | + |
| 49 | +The contract is backed by golden fixtures for `report.md`, `report.json`, |
| 50 | +`findings.csv`, and `warnings.csv` in |
| 51 | +[`tests/fixtures/report_contracts`](../tests/fixtures/report_contracts). Parser |
| 52 | +or rule changes that alter those artifacts must update the snapshots |
| 53 | +explicitly. |
| 54 | + |
| 55 | +## Parser observability artifacts |
| 56 | + |
| 57 | +This release adds two reviewer-facing mixed-input artifacts: |
| 58 | + |
| 59 | +- [`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log) |
| 60 | +- [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json) |
| 61 | + |
| 62 | +The corpus is sanitized and intentionally mixed: Ubuntu / Debian-style |
| 63 | +`auth.log`, RHEL-family `secure`-style syslog, unsupported lines, malformed |
| 64 | +source IPs, and blank-line handling are represented together. |
| 65 | + |
| 66 | +The parser coverage artifact lets reviewers inspect parser observability without |
| 67 | +running the tool first. It exposes fields such as `total_input_lines`, |
| 68 | +`parsed_lines`, `unparsed_lines`, `failure_categories`, and |
| 69 | +`top_unknown_patterns`. |
| 70 | + |
| 71 | +## Evidence interpretation docs |
| 72 | + |
| 73 | +The release-facing review path now includes: |
| 74 | + |
| 75 | +- [`docs/parser-contract.md`](./parser-contract.md) for supported inputs, |
| 76 | + normalized event families, parser warning categories, and detection signal |
| 77 | + boundaries. |
| 78 | +- [`docs/report-artifacts.md`](./report-artifacts.md) for JSON, Markdown, and |
| 79 | + CSV artifact contracts. |
| 80 | +- [`docs/false-positive-taxonomy.md`](./false-positive-taxonomy.md) for benign |
| 81 | + or ambiguous contexts such as NAT, bastion, internal scanner, lab replay, |
| 82 | + scheduled admin task, and shared account behavior. |
| 83 | +- [`docs/incident-style-case.md`](./incident-style-case.md) for a compact trace |
| 84 | + from raw log lines to normalized events, finding fields, and bounded |
| 85 | + conclusion. |
| 86 | +- [`docs/case-study-linux-auth-bruteforce.md`](./case-study-linux-auth-bruteforce.md) |
| 87 | + for a longer forensic-style evidence explanation. |
| 88 | + |
| 89 | +## Non-claims |
| 90 | + |
| 91 | +LogLens findings remain bounded triage signals. This release does not claim: |
| 92 | + |
| 93 | +- no compromise verdict |
| 94 | +- no attribution |
| 95 | +- no blocking recommendation |
| 96 | +- no cross-host correlation |
| 97 | + |
| 98 | +In practical terms, a finding can show that supported evidence met a configured |
| 99 | +rule threshold. It does not decide whether a host was compromised, who operated |
| 100 | +the source, whether an address should be blocked, or whether activity across |
| 101 | +hosts is related. |
| 102 | + |
| 103 | +## Upgrade notes |
| 104 | + |
| 105 | +No CLI migration is required for local users. Downstream consumers of |
| 106 | +`report.json` should key off `schema` and `schema_version`, and should update |
| 107 | +their snapshots if they depend on finding object shape. |
0 commit comments