Skip to content

Commit 08f1c17

Browse files
committed
docs(release): add v0.5 evidence explainability notes
1 parent ae99271 commit 08f1c17

5 files changed

Lines changed: 185 additions & 12 deletions

File tree

CHANGELOG.md

Lines changed: 34 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -6,14 +6,7 @@ All notable user-visible changes should be recorded here.
66

77
### Added
88

9-
- Added sanitized golden `report.md` / `report.json` regression fixtures to lock report contracts.
10-
- Added `schema` and `schema_version` fields to `report.json` so downstream tooling can identify the report artifact contract.
11-
- Added `verdict_boundary` to JSON findings and advanced the report artifact contract to `loglens.report.v2`.
12-
- Expanded parser coverage for `Accepted publickey` and selected `pam_faillock` / `pam_sss` variants.
13-
- Added a 150-line sanitized mixed auth corpus fixture covering Ubuntu / Debian-style `auth.log`, RHEL-family `secure`-style syslog, unknown lines, malformed source IPs, and blank-line handling.
14-
- Added a reviewer-facing parser coverage JSON artifact for the mixed auth corpus.
15-
- Added compact host-level summaries for multi-host reports.
16-
- Added optional CSV export for findings and warnings when explicitly requested.
9+
- None yet.
1710

1811
### Changed
1912

@@ -25,10 +18,43 @@ All notable user-visible changes should be recorded here.
2518

2619
### Docs
2720

21+
- None yet.
22+
23+
## v0.5.0
24+
25+
### Added
26+
27+
- Stabilized the JSON report artifact contract as `loglens.report.v2` with
28+
`schema_version` set to `2`.
29+
- Added finding explainability fields to JSON findings, including `rule_id`,
30+
`subject_kind`, `subject`, `grouping_key`, `window_start`, `window_end`,
31+
`threshold`, `observed_count`, `evidence_event_ids`, and `verdict_boundary`.
32+
- Added sanitized golden `report.md`, `report.json`, `findings.csv`, and
33+
`warnings.csv` regression fixtures to lock report contracts.
34+
- Added a 150-line sanitized mixed auth corpus fixture covering Ubuntu /
35+
Debian-style `auth.log`, RHEL-family `secure`-style syslog, unknown lines,
36+
malformed source IPs, and blank-line handling.
37+
- Added a reviewer-facing parser coverage JSON artifact for the mixed auth
38+
corpus.
39+
40+
### Changed
41+
42+
- Made parser coverage telemetry and finding explainability part of the
43+
release-facing review path instead of internal-only implementation detail.
44+
45+
### Fixed
46+
47+
- None.
48+
49+
### Docs
50+
51+
- Added release notes for the v0.5 Evidence Explainability Release.
2852
- Added a one-page incident-style case that traces raw SSH evidence through
2953
normalized events and finding fields to a bounded conclusion.
3054
- Added a rule-by-rule false-positive taxonomy for NAT, bastion, internal scanner,
3155
lab replay, scheduled admin task, and shared-account contexts.
56+
- Added forensic-style case-study coverage for Linux auth brute-force evidence
57+
interpretation.
3258
- Expanded the parser conformance matrix with explicit Ubuntu / Debian
3359
`auth.log`, RHEL-family `secure`, `journalctl --output=short-full`, `sshd`,
3460
`sudo`, `pam_unix`, `pam_faillock`, and `pam_sss` style coverage.

README.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,13 +9,15 @@ It parses `auth.log` / `secure`-style syslog input and `journalctl --output=shor
99

1010
## Example Finding
1111

12-
A compact finding summary is a bounded triage signal, not attribution:
12+
A compact finding summary is a bounded triage signal, not a compromise verdict
13+
or attribution:
1314

1415
```json
1516
{
1617
"rule_id": "brute_force",
1718
"subject_kind": "source_ip",
1819
"subject": "203.0.113.10",
20+
"grouping_key": "source_ip",
1921
"window_start": "2026-03-10 08:11:22",
2022
"window_end": "2026-03-10 08:18:05",
2123
"threshold": 5,
@@ -29,7 +31,7 @@ A compact finding summary is a bounded triage signal, not attribution:
2931

3032
LogLens is an MVP / early release. The repository is stable enough for public review, local experimentation, and extension, but the parser and detection coverage are intentionally narrow.
3133

32-
Reviewing the project quickly? Start with [`docs/reviewer-path.md`](./docs/reviewer-path.md), [`docs/reviewer-brief.md`](./docs/reviewer-brief.md), and the [`quality gates map`](./docs/quality-gates.md). For detection reasoning, follow the [`one-page incident-style case`](./docs/incident-style-case.md), then use the full [`Linux auth brute-force case study`](./docs/case-study-linux-auth-bruteforce.md), [`rule catalog`](./docs/rule-catalog.md), and [`false-positive taxonomy`](./docs/false-positive-taxonomy.md) for depth. For local scale expectations, see the [`performance envelope`](./docs/performance-envelope.md).
34+
Reviewing the project quickly? Start with [`docs/reviewer-path.md`](./docs/reviewer-path.md), [`docs/reviewer-brief.md`](./docs/reviewer-brief.md), and the [`v0.5 Evidence Explainability release note`](./docs/release-v0.5.0.md). The [`quality gates map`](./docs/quality-gates.md) links claims to tests and fixtures. For detection reasoning, follow the [`one-page incident-style case`](./docs/incident-style-case.md), then use the full [`Linux auth brute-force case study`](./docs/case-study-linux-auth-bruteforce.md), [`rule catalog`](./docs/rule-catalog.md), and [`false-positive taxonomy`](./docs/false-positive-taxonomy.md) for depth. For local scale expectations, see the [`performance envelope`](./docs/performance-envelope.md).
3335

3436
## Why This Project Exists
3537

@@ -56,7 +58,7 @@ LogLens includes two minimal GitHub Actions workflows:
5658
- `CI` builds and tests the project on `ubuntu-latest` and `windows-latest`
5759
- `CodeQL` runs GitHub code scanning for C/C++ on pushes, pull requests, and a weekly schedule
5860

59-
Both workflows are intended to stay stable enough to require on pull requests to `main`. Regression coverage is backed by sanitized parser fixture matrices plus golden report-contract fixtures for `report.md`, `report.json`, and optional CSV outputs. Release-facing documentation is split across [`CHANGELOG.md`](./CHANGELOG.md), [`docs/release-process.md`](./docs/release-process.md), [`docs/release-v0.1.0.md`](./docs/release-v0.1.0.md), [`docs/release-v0.3.0.md`](./docs/release-v0.3.0.md), and the repository's GitHub release notes. The repository hardening note is in [`docs/repo-hardening.md`](./docs/repo-hardening.md), and vulnerability reporting guidance is in [`SECURITY.md`](./SECURITY.md).
61+
Both workflows are intended to stay stable enough to require on pull requests to `main`. Regression coverage is backed by sanitized parser fixture matrices plus golden report-contract fixtures for `report.md`, `report.json`, and optional CSV outputs. Release-facing documentation is split across [`CHANGELOG.md`](./CHANGELOG.md), [`docs/release-process.md`](./docs/release-process.md), [`docs/release-v0.1.0.md`](./docs/release-v0.1.0.md), [`docs/release-v0.3.0.md`](./docs/release-v0.3.0.md), [`docs/release-v0.5.0.md`](./docs/release-v0.5.0.md), and the repository's GitHub release notes. The repository hardening note is in [`docs/repo-hardening.md`](./docs/repo-hardening.md), and vulnerability reporting guidance is in [`SECURITY.md`](./SECURITY.md).
6062

6163
## Threat Model
6264

docs/release-v0.5.0.md

Lines changed: 107 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,107 @@
1+
# LogLens v0.5.0
2+
3+
LogLens v0.5.0 is the Evidence Explainability Release.
4+
5+
This release makes the path from raw authentication evidence to bounded triage
6+
findings easier to review. The focus is not adding more rules; it is making
7+
parser behavior, report contracts, evidence IDs, and non-claims visible enough
8+
for reviewers to verify.
9+
10+
## Highlights
11+
12+
- Stabilized the JSON report contract as `loglens.report.v2` with
13+
`schema_version` set to `2`.
14+
- Added stable finding explainability fields so a finding can be traced back to
15+
its rule context and source-line evidence.
16+
- Added a sanitized 150-line mixed auth corpus and checked-in parser coverage
17+
artifact for dirty syslog-style input.
18+
- Added false-positive taxonomy and forensic-style case-study documentation for
19+
evidence interpretation.
20+
21+
## Stable JSON contract
22+
23+
`report.json` now identifies the report artifact contract with:
24+
25+
- `schema`: `loglens.report.v2`
26+
- `schema_version`: `2`
27+
28+
Finding objects expose a stable explainability surface:
29+
30+
- `rule_id`
31+
- `subject_kind`
32+
- `subject`
33+
- `grouping_key`
34+
- `window_start`
35+
- `window_end`
36+
- `threshold`
37+
- `observed_count`
38+
- `evidence_event_ids`
39+
- `verdict_boundary`
40+
41+
`evidence_event_ids` are deterministic local IDs such as `line:1`. They help a
42+
reviewer trace the selected rule window back to source log lines without
43+
claiming global event identity.
44+
45+
`verdict_boundary` is a machine-readable non-claim token. It keeps report output
46+
aligned with LogLens's triage scope instead of letting a finding read like an
47+
incident conclusion.
48+
49+
The contract is backed by golden fixtures for `report.md`, `report.json`,
50+
`findings.csv`, and `warnings.csv` in
51+
[`tests/fixtures/report_contracts`](../tests/fixtures/report_contracts). Parser
52+
or rule changes that alter those artifacts must update the snapshots
53+
explicitly.
54+
55+
## Parser observability artifacts
56+
57+
This release adds two reviewer-facing mixed-input artifacts:
58+
59+
- [`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log)
60+
- [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json)
61+
62+
The corpus is sanitized and intentionally mixed: Ubuntu / Debian-style
63+
`auth.log`, RHEL-family `secure`-style syslog, unsupported lines, malformed
64+
source IPs, and blank-line handling are represented together.
65+
66+
The parser coverage artifact lets reviewers inspect parser observability without
67+
running the tool first. It exposes fields such as `total_input_lines`,
68+
`parsed_lines`, `unparsed_lines`, `failure_categories`, and
69+
`top_unknown_patterns`.
70+
71+
## Evidence interpretation docs
72+
73+
The release-facing review path now includes:
74+
75+
- [`docs/parser-contract.md`](./parser-contract.md) for supported inputs,
76+
normalized event families, parser warning categories, and detection signal
77+
boundaries.
78+
- [`docs/report-artifacts.md`](./report-artifacts.md) for JSON, Markdown, and
79+
CSV artifact contracts.
80+
- [`docs/false-positive-taxonomy.md`](./false-positive-taxonomy.md) for benign
81+
or ambiguous contexts such as NAT, bastion, internal scanner, lab replay,
82+
scheduled admin task, and shared account behavior.
83+
- [`docs/incident-style-case.md`](./incident-style-case.md) for a compact trace
84+
from raw log lines to normalized events, finding fields, and bounded
85+
conclusion.
86+
- [`docs/case-study-linux-auth-bruteforce.md`](./case-study-linux-auth-bruteforce.md)
87+
for a longer forensic-style evidence explanation.
88+
89+
## Non-claims
90+
91+
LogLens findings remain bounded triage signals. This release does not claim:
92+
93+
- no compromise verdict
94+
- no attribution
95+
- no blocking recommendation
96+
- no cross-host correlation
97+
98+
In practical terms, a finding can show that supported evidence met a configured
99+
rule threshold. It does not decide whether a host was compromised, who operated
100+
the source, whether an address should be blocked, or whether activity across
101+
hosts is related.
102+
103+
## Upgrade notes
104+
105+
No CLI migration is required for local users. Downstream consumers of
106+
`report.json` should key off `schema` and `schema_version`, and should update
107+
their snapshots if they depend on finding object shape.

docs/report-artifacts.md

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,23 @@ The JSON report keeps parser observability visible next to findings:
4242

4343
Finding objects contain `rule_id`, `rule`, `subject_kind`, `subject`, `grouping_key`, `threshold`, `observed_count`, `event_count`, `window_start`, `window_end`, `evidence_event_ids`, `verdict_boundary`, `usernames`, and `summary`.
4444

45+
The stable finding explainability surface for `loglens.report.v2` is:
46+
47+
- `rule_id`
48+
- `subject_kind`
49+
- `subject`
50+
- `grouping_key`
51+
- `window_start`
52+
- `window_end`
53+
- `threshold`
54+
- `observed_count`
55+
- `evidence_event_ids`
56+
- `verdict_boundary`
57+
58+
These fields are release-facing contract fields. Parser or rule changes that
59+
alter their names, meanings, values, or presence must update the golden report
60+
fixtures explicitly.
61+
4562
`evidence_event_ids` are deterministic local event identifiers derived from the source line number, formatted as `line:<number>`. They let reviewers trace a finding back to the normalized input events that satisfied the rule window without implying global event identity.
4663

4764
`verdict_boundary` is a stable token that states what the finding must not be
@@ -90,7 +107,7 @@ The report contracts are backed by generated fixture artifacts:
90107
| [`multi_host_syslog_legacy`](../tests/fixtures/report_contracts/multi_host_syslog_legacy) | `report.md`, `report.json`, `findings.csv`, `warnings.csv` |
91108
| [`multi_host_journalctl_short_full`](../tests/fixtures/report_contracts/multi_host_journalctl_short_full) | `report.md`, `report.json`, `findings.csv`, `warnings.csv` |
92109

93-
The enforcement lives in [`tests/test_report_contracts.cpp`](../tests/test_report_contracts.cpp). Parser or rule changes that alter report artifacts must update these snapshots explicitly. The focused report writer tests live in [`tests/test_report.cpp`](../tests/test_report.cpp).
110+
The enforcement lives in [`tests/test_report_contracts.cpp`](../tests/test_report_contracts.cpp). Parser or rule changes that alter report artifacts must update these snapshots explicitly. This includes changes to stable finding explainability fields, parser coverage fields, warning categories, CSV columns, or Markdown report layout. The focused report writer tests live in [`tests/test_report.cpp`](../tests/test_report.cpp).
94111

95112
## Boundaries
96113

docs/reviewer-path.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@ This path is for reviewers who want to understand LogLens quickly without readin
77
| Review question | Start here | Good stopping point |
88
| --- | --- | --- |
99
| What is LogLens? | [`README.md`](../README.md) and [`docs/reviewer-brief.md`](./reviewer-brief.md) | Can state scope, supported inputs, outputs, and non-goals |
10+
| What changed in v0.5? | [`docs/release-v0.5.0.md`](./release-v0.5.0.md) | Can explain the Evidence Explainability Release theme and its non-claims |
1011
| What log formats are supported? | [`docs/parser-contract.md`](./parser-contract.md) | Can name `syslog_legacy` and `journalctl_short_full` behavior |
1112
| What artifacts does it produce? | [`docs/report-artifacts.md`](./report-artifacts.md) and report-contract fixtures | Can inspect Markdown, JSON, and optional CSV outputs |
1213
| How do rules use evidence? | [`docs/rule-catalog.md`](./rule-catalog.md) | Can explain grouping keys, windows, thresholds, and unsupported-evidence boundaries |
@@ -23,6 +24,7 @@ Read:
2324

2425
- [`README.md`](../README.md)
2526
- [`docs/reviewer-brief.md`](./reviewer-brief.md)
27+
- [`docs/release-v0.5.0.md`](./release-v0.5.0.md)
2628

2729
Confirm:
2830

@@ -35,6 +37,23 @@ Core review lens:
3537

3638
> Parser observability > silent detection claims.
3739
40+
## v0.5 release-facing route
41+
42+
Start with [`docs/release-v0.5.0.md`](./release-v0.5.0.md), then inspect:
43+
44+
- [`docs/parser-contract.md`](./parser-contract.md)
45+
- [`docs/report-artifacts.md`](./report-artifacts.md)
46+
- [`tests/fixtures/report_contracts/syslog_legacy/report.json`](../tests/fixtures/report_contracts/syslog_legacy/report.json)
47+
- [`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log)
48+
- [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json)
49+
- [`docs/false-positive-taxonomy.md`](./false-positive-taxonomy.md)
50+
- [`docs/case-study-linux-auth-bruteforce.md`](./case-study-linux-auth-bruteforce.md)
51+
52+
Good stopping point: the reviewer can name the stable finding explainability
53+
fields, explain how parser coverage remains visible for unknown lines, and state
54+
that findings are bounded triage signals with no compromise verdict,
55+
attribution, blocking recommendation, or cross-host correlation claim.
56+
3857
## 5-minute artifact review
3958

4059
Inspect:
@@ -43,8 +62,10 @@ Inspect:
4362
- [`assets/sample_journalctl_short_full.log`](../assets/sample_journalctl_short_full.log)
4463
- [`tests/fixtures/report_contracts/syslog_legacy/report.md`](../tests/fixtures/report_contracts/syslog_legacy/report.md)
4564
- [`tests/fixtures/report_contracts/syslog_legacy/report.json`](../tests/fixtures/report_contracts/syslog_legacy/report.json)
65+
- [`docs/release-v0.5.0.md`](./release-v0.5.0.md)
4666
- [`docs/report-artifacts.md`](./report-artifacts.md)
4767
- [`docs/parser-contract.md`](./parser-contract.md)
68+
- [`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log)
4869
- [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json)
4970
- [`docs/quality-gates.md`](./quality-gates.md)
5071
- [`docs/incident-style-case.md`](./incident-style-case.md)

0 commit comments

Comments
 (0)