You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+45-8Lines changed: 45 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,11 +7,34 @@ C++20 defensive log analysis CLI for Linux authentication logs, with parser cove
7
7
8
8
It parses `auth.log` / `secure`-style syslog input and `journalctl --output=short-full`-style input, normalizes authentication evidence, applies configurable rule-based detections, and emits deterministic Markdown and JSON reports, with optional CSV exports for findings and warnings.
9
9
10
+
## Example Finding
11
+
12
+
A compact finding summary is a bounded triage signal, not a compromise verdict
LogLens is an MVP / early release. The repository is stable enough for public review, local experimentation, and extension, but the parser and detection coverage are intentionally narrow.
13
33
14
-
Reviewing the project quickly? Start with [`docs/reviewer-path.md`](./docs/reviewer-path.md) and [`docs/reviewer-brief.md`](./docs/reviewer-brief.md).
34
+
Reviewing the project quickly? Start with [`docs/reviewer-path.md`](./docs/reviewer-path.md), [`docs/reviewer-brief.md`](./docs/reviewer-brief.md), and the [`v0.5 Evidence Explainability release note`](./docs/release-v0.5.0.md). The [`quality gates map`](./docs/quality-gates.md) links claims to tests and fixtures. For detection reasoning, follow the [`one-page incident-style case`](./docs/incident-style-case.md), then use the full [`Linux auth brute-force case study`](./docs/case-study-linux-auth-bruteforce.md), [`rule catalog`](./docs/rule-catalog.md), and [`false-positive taxonomy`](./docs/false-positive-taxonomy.md) for depth. For local scale expectations, see the [`performance envelope`](./docs/performance-envelope.md).
35
+
36
+
For a shorter external review entry point focused on uncertainty handling, read
37
+
[How LogLens Treats Parser Uncertainty as Evidence](./docs/case-study-parser-uncertainty-as-evidence.md).
15
38
16
39
## Why This Project Exists
17
40
@@ -38,7 +61,7 @@ LogLens includes two minimal GitHub Actions workflows:
38
61
-`CI` builds and tests the project on `ubuntu-latest` and `windows-latest`
39
62
-`CodeQL` runs GitHub code scanning for C/C++ on pushes, pull requests, and a weekly schedule
40
63
41
-
Both workflows are intended to stay stable enough to require on pull requests to `main`. Regression coverage is backed by sanitized parser fixture matrices plus golden report-contract fixtures for `report.md`, `report.json`, and optional CSV outputs. Release-facing documentation is split across [`CHANGELOG.md`](./CHANGELOG.md), [`docs/release-process.md`](./docs/release-process.md), [`docs/release-v0.1.0.md`](./docs/release-v0.1.0.md), [`docs/release-v0.3.0.md`](./docs/release-v0.3.0.md), and the repository's GitHub release notes. The repository hardening note is in [`docs/repo-hardening.md`](./docs/repo-hardening.md), and vulnerability reporting guidance is in [`SECURITY.md`](./SECURITY.md).
64
+
Both workflows are intended to stay stable enough to require on pull requests to `main`. Regression coverage is backed by sanitized parser fixture matrices plus golden report-contract fixtures for `report.md`, `report.json`, and optional CSV outputs. Release-facing documentation is split across [`CHANGELOG.md`](./CHANGELOG.md), [`docs/release-process.md`](./docs/release-process.md), [`docs/release-v0.1.0.md`](./docs/release-v0.1.0.md), [`docs/release-v0.3.0.md`](./docs/release-v0.3.0.md), [`docs/release-v0.5.0.md`](./docs/release-v0.5.0.md), and the repository's GitHub release notes. The repository hardening note is in [`docs/repo-hardening.md`](./docs/repo-hardening.md), and vulnerability reporting guidance is in [`SECURITY.md`](./SECURITY.md).
42
65
43
66
## Threat Model
44
67
@@ -66,7 +89,8 @@ LogLens currently parses and reports these additional auth patterns beyond the c
-`Failed publickey` SSH failures, which count toward SSH brute-force detection by default
68
91
-`Failed keyboard-interactive/pam` and `maximum authentication attempts exceeded` SSH failures, which count toward SSH brute-force detection by default
69
-
-`sshd`-owned `PAM: Authentication failure ...` lines, with invalid/illegal-user variants normalized to `ssh_invalid_user`
92
+
-`input_userauth_request: invalid/illegal user ...` preauth SSH traces normalized to `ssh_invalid_user`
93
+
-`sshd`-owned `PAM: Authentication failure ...` lines, including OpenSSH's optional leading `error:` marker, with invalid/illegal-user variants normalized to `ssh_invalid_user`
70
94
-`sudo` command, password-failure, and sudoers policy-denial audit lines
71
95
-`su` success and failure audit lines
72
96
-`pam_unix(...:auth): authentication failure`
@@ -82,14 +106,19 @@ LogLens also tracks parser coverage telemetry for unsupported or malformed lines
82
106
-`parsed_lines`
83
107
-`unparsed_lines`
84
108
-`parse_success_rate`
109
+
-`failure_categories`
85
110
-`top_unknown_patterns`
86
111
87
112
Common unsupported-pattern buckets include `sshd_connection_closed_preauth`,
88
-
`sshd_timeout_or_disconnection`, `sshd_negotiation_failure`, and
89
-
`pam_unix_session_closed`. These buckets keep non-finding evidence reviewable
`pam_faillock_account_locked`, and `pam_unix_session_closed`. These buckets keep
115
+
non-finding evidence reviewable without counting it as detector evidence.
116
+
Failure categories group unsupported lines into reviewer-facing parser boundary
117
+
classes: `unknown_timestamp`, `unknown_program`,
118
+
`known_program_unknown_message`, `malformed_source_ip`, and
119
+
`unsupported_pam_variant`.
91
120
92
-
For the parser behavior contract, supported modes, and fixture map, see [`docs/parser-contract.md`](./docs/parser-contract.md).
121
+
For a compact raw-log-to-conclusion trace, see [`docs/incident-style-case.md`](./docs/incident-style-case.md). For rule-by-rule semantics and signal boundaries, see [`docs/rule-catalog.md`](./docs/rule-catalog.md). For benign-context hypotheses and the evidence needed to support them, see [`docs/false-positive-taxonomy.md`](./docs/false-positive-taxonomy.md). For a full forensic-style evidence walkthrough, see [`docs/case-study-linux-auth-bruteforce.md`](./docs/case-study-linux-auth-bruteforce.md). For the parser behavior contract, supported modes, and fixture map, see [`docs/parser-contract.md`](./docs/parser-contract.md). For the deliberately noisy parser-coverage sample, see [`docs/parser-coverage-notes.md`](./docs/parser-coverage-notes.md).
93
122
94
123
LogLens does not currently detect:
95
124
@@ -107,6 +136,12 @@ cmake --build build
107
136
ctest --test-dir build --output-on-failure
108
137
```
109
138
139
+
For Visual Studio or other multi-config generators, pass the built configuration to CTest:
Without `--csv`, LogLens does not create, overwrite, or delete any existing CSV files in the output directory.
141
176
@@ -212,6 +247,8 @@ The config file schema is intentionally small and strict:
212
247
213
248
This mapping lets LogLens normalize parsed events into detection signals before applying brute-force or multi-user rules. By default, `pam_auth_failure` is treated as lower-confidence attempt evidence and does not count as a terminal authentication failure unless the config explicitly upgrades it. The `ssh_failed_keyboard_interactive` and `ssh_max_auth_tries` mapping keys are optional in older configs and default to terminal failure evidence.
214
249
250
+
The checked-in [`assets/sample_config.json`](./assets/sample_config.json) is tested as a runnable default-equivalent config fixture. If default detector thresholds or signal mappings change, update that file and the related tests together.
251
+
215
252
Timestamp handling is now explicit:
216
253
217
254
-`--mode syslog`, `--mode syslog-legacy`, or `input_mode: syslog_legacy` requires `--year` or `timestamp.assume_year`
0 commit comments