You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -102,6 +102,8 @@ LogLens currently parses and reports these additional auth patterns beyond the c
102
102
-`sshd`-owned `PAM: Authentication failure ...` lines, including OpenSSH's optional leading `error:` marker, with invalid/illegal-user variants normalized to `ssh_invalid_user`
103
103
-`sudo` command, password-failure, and sudoers policy-denial audit lines
Copy file name to clipboardExpand all lines: docs/parser-conformance-matrix.md
+5-1Lines changed: 5 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -47,6 +47,7 @@ coverage of every distro or PAM module wording.
47
47
|`sshd`|`sshd[pid]: message` or `sshd: message`| Failed password, failed password for invalid/illegal user, failed none for invalid/illegal user, direct invalid/illegal user, `input_userauth_request` invalid/illegal user, accepted password, accepted publickey, accepted keyboard-interactive/pam, failed publickey, failed keyboard-interactive/pam, maximum-authentication-attempts exceeded, and `sshd`-owned `PAM: Authentication failure` lines |`ssh_failed_password`, `ssh_invalid_user`, `ssh_accepted_password`, `ssh_accepted_publickey`, `ssh_accepted_keyboard_interactive`, `ssh_failed_publickey`, `ssh_failed_keyboard_interactive`, `ssh_max_auth_tries`, `pam_auth_failure`| Preauth close/reset, timeout/disconnection, negotiation failure, and other unsupported `sshd` messages remain parser warnings such as `sshd_connection_closed_preauth`, `sshd_timeout_or_disconnection`, `sshd_negotiation_failure`, or `sshd_other`|
48
48
|`sudo`|`sudo[pid]: <actor> : ...` or `sudo: <actor> : ...`| Command audit lines with `COMMAND=`, incorrect-password audit lines, user-not-in-sudoers denials, and command-not-allowed denials |`sudo_command`, `sudo_auth_failure`, `sudo_policy_denied`| Other well-formed sudo-like messages remain `sudo_other` parser warnings and do not count as sudo burst evidence |
49
49
|`su`|`su[pid]: message` or `su: message`|`FAILED SU (to <target>) <actor> on <tty>` and `Successful su for <target> by <actor>`|`su_auth_failure`, `session_opened`| Other well-formed `su` messages remain `su_other` parser warnings |
50
+
|`login`|`login[pid]: message` or `login: message`| Selected util-linux `FAILED LOGIN`, `TOO MANY LOGIN TRIES`, `FAILED LOGIN SESSION`, `LOGIN ON ... BY ...`, and `ROOT LOGIN ON ...` messages |`pam_auth_failure`, `session_opened`| Localized or other unmodeled `login` messages remain `login_other` parser warnings; no network source IP is inferred from the `FROM` terminal/host field |
50
51
|`pam_unix`|`pam_unix(<service>:auth): ...` or `pam_unix(<service>:session): ...`| Auth failures carrying `authentication failure` plus selected session-opened lines such as sudo/su session opens |`pam_auth_failure`, `session_opened`| Session-closed and other unsupported `pam_unix` messages remain `pam_unix_session_closed` or `pam_unix_other` parser warnings |
51
52
|`pam_faillock`|`pam_faillock(<service>:auth): ...`| Selected auth failure variants: `Consecutive login failures for user ... from <ip>` and `Authentication failure for user ... from <ip>`|`pam_auth_failure`| Account-lock telemetry, auth-success telemetry, and other unmodeled variants remain `pam_faillock_account_locked`, `pam_faillock_authsucc`, or `pam_faillock_other` warnings |
52
53
|`pam_sss`|`pam_sss(<service>:auth): ...`| Selected SSSD auth failure variant: `received for user <user>: 7 (Authentication failure)`|`pam_auth_failure`| Unknown-user, auth-info-unavailable, and other unmodeled variants remain `pam_sss_unknown_user`, `pam_sss_authinfo_unavail`, or `pam_sss_other` warnings |
@@ -80,6 +81,8 @@ coverage of every distro or PAM module wording.
80
81
| Sudo policy denial |`<actor> : user NOT in sudoers ...` or `<actor> : command not allowed ...`|`syslog_legacy`, `journalctl_short_full`|`sudo_policy_denied`| Audit event; not counted as sudo burst evidence by default. |
81
82
|`su` failure audit |`FAILED SU (to <target>) <actor> on <tty>`|`syslog_legacy`, `journalctl_short_full`|`su_auth_failure`| Normalized `username` is the actor. |
82
83
|`su` success audit |`Successful su for <target> by <actor>`|`syslog_legacy`, `journalctl_short_full`|`session_opened`| Normalized `username` is the actor. |
84
+
| util-linux `login` failure audit |`FAILED LOGIN ... FROM <terminal-or-host> FOR <user>, ...`, `TOO MANY LOGIN TRIES ...`, or `FAILED LOGIN SESSION ...`|`syslog_legacy`, `journalctl_short_full`|`pam_auth_failure`| Extracts `username`; source IP remains empty because `FROM` is not treated as verified network evidence. |
85
+
| util-linux `login` success audit |`LOGIN ON <terminal> BY <user> [FROM <host>]` or `ROOT LOGIN ON <terminal> [FROM <host>]`|`syslog_legacy`, `journalctl_short_full`|`session_opened`| Extracts the actor, or `root` for root-login records; does not imply remote attribution. |
83
86
84
87
## Unsupported Bucket Matrix
85
88
@@ -102,6 +105,7 @@ normalized event is always `none`.
102
105
| Other unsupported `pam_sss(...)` messages |`syslog_legacy`, `journalctl_short_full`|`unsupported_pam_variant`|`pam_sss_other`| none |
103
106
| Well-formed `sudo` line that is not command, incorrect-password, or policy-denial evidence |`syslog_legacy`, `journalctl_short_full`|`known_program_unknown_message`|`sudo_other`| none |
104
107
| Well-formed `su` line that is not recognized as success or failure audit evidence |`syslog_legacy`, `journalctl_short_full`|`known_program_unknown_message`|`su_other`| none |
108
+
| Well-formed `login` line outside the selected util-linux message shapes |`syslog_legacy`, `journalctl_short_full`|`known_program_unknown_message`|`login_other`| none |
105
109
| Well-formed unsupported program tag |`syslog_legacy`, `journalctl_short_full`|`unknown_program`|`program_<sanitized_program>`| none |
106
110
107
111
## Header And Structural Warning Matrix
@@ -133,7 +137,7 @@ coverage telemetry path.
133
137
|[`assets/parser_auth_families_syslog.log`](../assets/parser_auth_families_syslog.log)| Selected `sshd`, `pam_unix`, `pam_faillock`, `pam_sss`, and session-opened auth-family support, plus five unsupported PAM-family telemetry buckets |
134
138
|[`assets/parser_auth_families_journalctl_short_full.log`](../assets/parser_auth_families_journalctl_short_full.log)| Same auth-family event and warning shape as the syslog auth-family fixture, with journalctl timestamp parsing |
135
139
|[`assets/noisy_auth_sample.log`](../assets/noisy_auth_sample.log) and [`tests/fixtures/parser_matrix/noisy_auth_expected.json`](../tests/fixtures/parser_matrix/noisy_auth_expected.json)| Noisy syslog coverage fixture with malformed lines, blank lines, unsupported auth-family evidence, irrelevant service lines, and locked parser quality counts |
136
-
|[`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log) and [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json)|150-line sanitized mixed syslog corpus with Ubuntu / Debian-style `auth.log` and RHEL-family `secure`host labels, 90 parsed events, 50 parser warnings, 10 blank lines, and locked unknown-pattern and failure-category coverage |
140
+
|[`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log) and [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json)|160-line sanitized mixed syslog corpus with Ubuntu / Debian-style `auth.log`, RHEL-family `secure` labels, selected util-linux `login` records, 100 parsed events, 50 parser warnings, 10 blank lines, and locked unknown-pattern and failure-category coverage |
Copy file name to clipboardExpand all lines: docs/parser-contract.md
+8-2Lines changed: 8 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -28,13 +28,19 @@ The parser currently recognizes common authentication evidence from:
28
28
-`sshd`
29
29
-`sudo`
30
30
-`su`
31
+
-`login`
31
32
-`pam_unix(...)`
32
33
- selected `pam_faillock(...)` variants
33
34
- selected `pam_sss(...)` variants
34
35
35
36
Recognized SSH failure families include failed password, invalid user, illegal user, failed publickey, failed keyboard-interactive/pam, failed-none invalid-user probing, `input_userauth_request` invalid/illegal-user preauth traces, `sshd`-owned PAM authentication-failure lines, and maximum-authentication-attempts-exceeded lines. `illegal user` is treated as an OpenSSH wording variant of `invalid user`. Maximum-authentication-attempts and `sshd`-owned PAM authentication-failure lines may include OpenSSH's leading `error:` marker and still normalize into the same event family. Invalid or illegal-user variants of failed-none probing, `input_userauth_request` preauth traces, keyboard-interactive, `sshd`-owned PAM authentication failures, and maximum-authentication-attempts-exceeded lines are normalized into `ssh_invalid_user` events. Recognized SSH failures can become detection signals through the configured signal mapping.
36
37
37
-
Recognized success or audit families include accepted password, accepted publickey, accepted keyboard-interactive/pam, sudo command audit lines, sudo password failures, sudoers policy denials, su success/failure audit lines, and selected PAM session/auth lines.
38
+
Recognized success or audit families include accepted password, accepted publickey, accepted keyboard-interactive/pam, sudo command audit lines, sudo password failures, sudoers policy denials, su success/failure audit lines, selected util-linux `login` failures and session records, and selected PAM session/auth lines. `login` failures do not infer a network source IP and remain lower-confidence `pam_auth_failure` context.
39
+
40
+
The selected `login` wording is anchored to the upstream
|[`assets/noisy_auth_sample.log`](../assets/noisy_auth_sample.log) and [`tests/fixtures/parser_matrix/noisy_auth_expected.json`](../tests/fixtures/parser_matrix/noisy_auth_expected.json)| Noisy syslog parser-coverage matrix for malformed, unsupported, blank, irrelevant, multi-host, and unusual-username input |
118
-
|[`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log) and [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json)|150-line mixed auth corpus plus reviewer-facing parser coverage artifact for dirty syslog input |
124
+
|[`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log) and [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json)|160-line mixed auth corpus plus reviewer-facing parser coverage artifact for dirty syslog input and selected util-linux `login` evidence|
119
125
|[`tests/test_report_contracts.cpp`](../tests/test_report_contracts.cpp)| Stable report-shape expectations for generated artifacts |
Copy file name to clipboardExpand all lines: docs/parser-coverage-notes.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,19 +25,19 @@ The locked expected coverage summary lives in [`tests/fixtures/parser_matrix/noi
25
25
26
26
## Mixed auth corpus
27
27
28
-
[`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log) is a 150-line sanitized `syslog_legacy` corpus for dirty-input review. It mixes Ubuntu / Debian `auth.log`-style and RHEL-family `secure`-style host labels while keeping the same BSD syslog header contract. This is a parser-observability fixture, not a claim of complete distro coverage.
28
+
[`assets/mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log) is a 160-line sanitized `syslog_legacy` corpus for dirty-input review. It mixes Ubuntu / Debian `auth.log`-style and RHEL-family `secure`-style host labels while keeping the same BSD syslog header contract. This is a parser-observability fixture, not a claim of complete distro coverage.
29
29
30
-
The corpus repeats ten small evidence batches. Each batch includes recognized `sshd`, `sudo`, `su`, `pam_unix`, `pam_faillock`, and `pam_sss` evidence; unsupported `sshd` preauth and `pam_unix` session-close telemetry; an unsupported service program; a malformed source IP; an invalid timestamp; and one blank line.
30
+
The corpus repeats ten small evidence batches. Each batch includes recognized `sshd`, `sudo`, `su`, `pam_unix`, `pam_faillock`, and `pam_sss` evidence; unsupported `sshd` preauth and `pam_unix` session-close telemetry; an unsupported service program; a malformed source IP; an invalid timestamp; and one blank line. A final ten-line segment adds selected util-linux `login` failure and session records without changing the warning corpus.
31
31
32
32
For reviewer inspection without running the test suite, [`assets/mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json) captures the deterministic parser coverage view for this corpus: parser-quality counters, normalized event-type counts, unknown-pattern buckets, failure categories, and warning line references.
-`failure_categories`: 10 each for `known_program_unknown_message`, `malformed_source_ip`, `unknown_program`, `unknown_timestamp`, and `unsupported_pam_variant`
42
42
-`top_unknown_patterns`: 10 each for `invalid_month_token`, `malformed_source_ip`, `pam_unix_session_closed`, `program_cron`, and `sshd_connection_closed_preauth`
0 commit comments