You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
`pam_faillock_account_locked`, and `pam_unix_session_closed`. These buckets keep
91
92
non-finding evidence reviewable without counting it as detector evidence.
93
+
Failure categories group unsupported lines into reviewer-facing parser boundary
94
+
classes: `unknown_timestamp`, `unknown_program`,
95
+
`known_program_unknown_message`, `malformed_source_ip`, and
96
+
`unsupported_pam_variant`.
92
97
93
98
For rule-by-rule semantics and signal boundaries, see [`docs/rule-catalog.md`](./docs/rule-catalog.md). For a forensic-style evidence walkthrough, see [`docs/case-study-linux-auth-bruteforce.md`](./docs/case-study-linux-auth-bruteforce.md). For the parser behavior contract, supported modes, and fixture map, see [`docs/parser-contract.md`](./docs/parser-contract.md). For the deliberately noisy parser-coverage sample, see [`docs/parser-coverage-notes.md`](./docs/parser-coverage-notes.md).
94
99
@@ -142,7 +147,7 @@ When you add `--csv`, LogLens also writes:
Copy file name to clipboardExpand all lines: docs/case-study-linux-auth-bruteforce.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -110,10 +110,10 @@ The sudo finding is adjacent but separate. It is not joined to the SSH failure c
110
110
111
111
The parser warnings are:
112
112
113
-
| Line | Unknown-pattern bucket | Evidence interpretation |
114
-
| ---: | --- | --- |
115
-
| 15 |`sshd_connection_closed_preauth`| preauth connection-close noise was observed but not promoted to a typed event |
116
-
| 16 |`sshd_timeout_or_disconnection`| timeout/disconnection noise was observed but not promoted to a typed event |
113
+
| Line |Failure category |Unknown-pattern bucket | Evidence interpretation |
114
+
| ---: | --- | --- | --- |
115
+
| 15 |`known_program_unknown_message`|`sshd_connection_closed_preauth`| preauth connection-close noise was observed but not promoted to a typed event |
116
+
| 16 |`known_program_unknown_message`|`sshd_timeout_or_disconnection`| timeout/disconnection noise was observed but not promoted to a typed event |
117
117
118
118
These warnings are useful because they prevent silent overconfidence. A reviewer can see both the finding-producing evidence and the unsupported surrounding records.
|`sshd` preauth connection closed or reset, including `Connection closed by ... [preauth]`, `Connection closed by authenticating user ... [preauth]`, and `Connection reset by ... [preauth]`|`syslog_legacy`, `journalctl_short_full`|`sshd_connection_closed_preauth`| none |
63
-
|`sshd` timeout, disconnection, or disconnect notice, including `Timeout, client not responding`, `Disconnected from ...`, and `Received disconnect ...`|`syslog_legacy`, `journalctl_short_full`|`sshd_timeout_or_disconnection`| none |
64
-
|`sshd` negotiation failure such as `Unable to negotiate with ...`|`syslog_legacy`, `journalctl_short_full`|`sshd_negotiation_failure`| none |
65
-
| Other well-formed but unsupported `sshd` messages |`syslog_legacy`, `journalctl_short_full`|`sshd_other`| none |
| Other unsupported `pam_faillock(...)` messages |`syslog_legacy`, `journalctl_short_full`|`pam_faillock_other`| none |
71
-
|`pam_sss(...:auth)` user not known to underlying authentication module |`syslog_legacy`, `journalctl_short_full`|`pam_sss_unknown_user`| none |
72
-
|`pam_sss(...:auth)` authentication service cannot retrieve authentication info |`syslog_legacy`, `journalctl_short_full`|`pam_sss_authinfo_unavail`| none |
73
-
| Other unsupported `pam_sss(...)` messages |`syslog_legacy`, `journalctl_short_full`|`pam_sss_other`| none |
74
-
| Well-formed `sudo` line that is not command, incorrect-password, or policy-denial evidence |`syslog_legacy`, `journalctl_short_full`|`sudo_other`| none |
75
-
| Well-formed `su` line that is not recognized as success or failure audit evidence |`syslog_legacy`, `journalctl_short_full`|`su_other`| none |
76
-
| Well-formed unsupported program tag |`syslog_legacy`, `journalctl_short_full`|`program_<sanitized_program>`| none |
|`sshd` preauth connection closed or reset, including `Connection closed by ... [preauth]`, `Connection closed by authenticating user ... [preauth]`, and `Connection reset by ... [preauth]`|`syslog_legacy`, `journalctl_short_full`|`known_program_unknown_message`|`sshd_connection_closed_preauth`| none |
63
+
|`sshd` timeout, disconnection, or disconnect notice, including `Timeout, client not responding`, `Disconnected from ...`, and `Received disconnect ...`|`syslog_legacy`, `journalctl_short_full`|`known_program_unknown_message`|`sshd_timeout_or_disconnection`| none |
64
+
|`sshd` negotiation failure such as `Unable to negotiate with ...`|`syslog_legacy`, `journalctl_short_full`|`known_program_unknown_message`|`sshd_negotiation_failure`| none |
65
+
| Other well-formed but unsupported `sshd` messages |`syslog_legacy`, `journalctl_short_full`|`known_program_unknown_message`|`sshd_other`| none |
| Other unsupported `pam_faillock(...)` messages |`syslog_legacy`, `journalctl_short_full`|`unsupported_pam_variant`|`pam_faillock_other`| none |
71
+
|`pam_sss(...:auth)` user not known to underlying authentication module |`syslog_legacy`, `journalctl_short_full`|`unsupported_pam_variant`|`pam_sss_unknown_user`| none |
72
+
|`pam_sss(...:auth)` authentication service cannot retrieve authentication info |`syslog_legacy`, `journalctl_short_full`|`unsupported_pam_variant`|`pam_sss_authinfo_unavail`| none |
73
+
| Other unsupported `pam_sss(...)` messages |`syslog_legacy`, `journalctl_short_full`|`unsupported_pam_variant`|`pam_sss_other`| none |
74
+
| Well-formed `sudo` line that is not command, incorrect-password, or policy-denial evidence |`syslog_legacy`, `journalctl_short_full`|`known_program_unknown_message`|`sudo_other`| none |
75
+
| Well-formed `su` line that is not recognized as success or failure audit evidence |`syslog_legacy`, `journalctl_short_full`|`known_program_unknown_message`|`su_other`| none |
76
+
| Well-formed unsupported program tag |`syslog_legacy`, `journalctl_short_full`|`unknown_program`|`program_<sanitized_program>`| none |
77
77
78
78
## Header And Structural Warning Matrix
79
79
80
80
Structural failures do not reach the authentication message classifier. They
81
81
still produce parser warnings and unknown-pattern buckets through the same
Copy file name to clipboardExpand all lines: docs/parser-contract.md
+11-2Lines changed: 11 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -36,11 +36,20 @@ Recognized success or audit families include accepted password, accepted publick
36
36
| --- | --- | --- |
37
37
| Recognized auth line | Emits a typed `Event` with timestamp, hostname, program, optional pid, message, source IP, username, event type, and line number | Can contribute to summaries, reports, and configured detection signals |
38
38
| Blank line | Skips the line and increments `skipped_blank_lines`| Does not become a warning or parsed event |
39
-
| Malformed header | Emits a parser warning with the original line number and structural reason| Counts toward `unparsed_lines` and `top_unknown_patterns`|
40
-
| Well-formed but unsupported auth pattern | Emits a parser warning with an unknown-pattern bucket | Stays visible as telemetry instead of being silently ignored |
39
+
| Malformed header | Emits a parser warning with the original line number, structural reason, and `unknown_timestamp` category | Counts toward `unparsed_lines`, `failure_categories`, and `top_unknown_patterns`|
40
+
| Well-formed but unsupported auth pattern | Emits a parser warning with a failure category and unknown-pattern bucket | Stays visible as telemetry instead of being silently ignored |
41
41
42
42
This is the main trust boundary: unsupported input should remain inspectable, even when it does not produce a finding.
43
43
44
+
Parser failure categories are intentionally coarser than unknown-pattern
45
+
buckets:
46
+
47
+
-`unknown_timestamp`
48
+
-`unknown_program`
49
+
-`known_program_unknown_message`
50
+
-`malformed_source_ip`
51
+
-`unsupported_pam_variant`
52
+
44
53
Stable unsupported-pattern buckets currently exercised by the fixture corpus include
Copy file name to clipboardExpand all lines: docs/parser-coverage-notes.md
+2-1Lines changed: 2 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,10 +20,11 @@ The locked expected coverage summary lives in [`tests/fixtures/parser_matrix/noi
20
20
-`parsed_lines`: 8
21
21
-`unparsed_lines`: 16
22
22
-`parse_success_rate`: 0.3333333333
23
+
-`failure_categories`: coarse parser boundary categories for unsupported lines
23
24
-`top_unknown_patterns`: the five most common unsupported-pattern buckets
24
25
25
26
## Reading the numbers
26
27
27
-
A low parse success rate is not automatically a bug for this fixture. The sample is deliberately noisy, and the useful property is that unsupported evidence remains explainable through `warnings` and `top_unknown_patterns`.
28
+
A low parse success rate is not automatically a bug for this fixture. The sample is deliberately noisy, and the useful property is that unsupported evidence remains explainable through `warnings`, `failure_categories`, and `top_unknown_patterns`.
28
29
29
30
The matrix should stay defensive and public-safe: use documentation IP ranges, synthetic hostnames, and synthetic usernames only.
`evidence_event_ids` are deterministic local event identifiers derived from the source line number, formatted as `line:<number>`. They let reviewers trace a finding back to the normalized input events that satisfied the rule window without implying global event identity.
43
44
44
-
Warning objects contain the original `line_number` and the parser `reason`.
45
+
Warning objects contain the original `line_number`, parser `category`, and parser `reason`.
46
+
47
+
Parser failure categories are stable reviewer-facing buckets for unsupported
48
+
lines: `unknown_timestamp`, `unknown_program`,
49
+
`known_program_unknown_message`, `malformed_source_ip`, and
50
+
`unsupported_pam_variant`. They complement `top_unknown_patterns`: categories
51
+
explain the parser boundary class, while unknown-pattern buckets preserve the
52
+
more specific unsupported message shape.
45
53
46
54
## CSV Contract
47
55
48
56
The optional CSV exports intentionally stay small:
Copy file name to clipboardExpand all lines: docs/reviewer-path.md
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -60,6 +60,7 @@ Look for parser coverage fields:
60
60
-`parsed_lines`
61
61
-`unparsed_lines`
62
62
-`parse_success_rate`
63
+
-`failure_categories`
63
64
-`top_unknown_patterns`
64
65
65
66
Good stopping point: the reviewer can explain what LogLens parses, how rules count supported evidence, what the reports contain, and how unsupported lines remain visible without becoming findings.
Copy file name to clipboardExpand all lines: docs/rule-catalog.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -111,7 +111,7 @@ The finding is a triage signal. It is not a compromise verdict, attribution clai
111
111
112
112
### Why unsupported evidence is not counted
113
113
114
-
Unsupported lines are parser warnings, not `AuthSignal` records. They may appear in `top_unknown_patterns`, but they do not carry the `counts_as_terminal_auth_failure` flag required by this rule.
114
+
Unsupported lines are parser warnings, not `AuthSignal` records. They may appear in `failure_categories` and `top_unknown_patterns`, but they do not carry the `counts_as_terminal_auth_failure` flag required by this rule.
115
115
116
116
This prevents unsupported preauth noise, malformed lines, and unmodeled auth-family messages from silently increasing brute-force counts.
0 commit comments