Skip to content

Commit c1701e4

Browse files
authored
Merge pull request #82 from stacknil/stacknil/controlled-external-review
docs: publish parser uncertainty case study
2 parents 361b958 + 37f7e30 commit c1701e4

2 files changed

Lines changed: 86 additions & 0 deletions

File tree

README.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,9 @@ LogLens is an MVP / early release. The repository is stable enough for public re
3333

3434
Reviewing the project quickly? Start with [`docs/reviewer-path.md`](./docs/reviewer-path.md), [`docs/reviewer-brief.md`](./docs/reviewer-brief.md), and the [`v0.5 Evidence Explainability release note`](./docs/release-v0.5.0.md). The [`quality gates map`](./docs/quality-gates.md) links claims to tests and fixtures. For detection reasoning, follow the [`one-page incident-style case`](./docs/incident-style-case.md), then use the full [`Linux auth brute-force case study`](./docs/case-study-linux-auth-bruteforce.md), [`rule catalog`](./docs/rule-catalog.md), and [`false-positive taxonomy`](./docs/false-positive-taxonomy.md) for depth. For local scale expectations, see the [`performance envelope`](./docs/performance-envelope.md).
3535

36+
For a shorter external review entry point focused on uncertainty handling, read
37+
[How LogLens Treats Parser Uncertainty as Evidence](./docs/case-study-parser-uncertainty-as-evidence.md).
38+
3639
## Why This Project Exists
3740

3841
Many small security tools can detect a handful of known log patterns. Fewer tools make their parsing limits visible.
Lines changed: 83 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,83 @@
1+
# How LogLens Treats Parser Uncertainty as Evidence
2+
3+
A log analysis tool can appear more certain than it is when unsupported input
4+
quietly disappears. LogLens takes the opposite approach: parser uncertainty is
5+
part of the review artifact.
6+
7+
The practical review question is simple: when a report contains no finding,
8+
did the relevant activity fail to meet a rule, or did the parser fail to
9+
understand the source line? The report should preserve enough evidence to tell
10+
those cases apart.
11+
12+
## Three visible line outcomes
13+
14+
The [parser contract](parser-contract.md) gives every input line one of three
15+
outcomes:
16+
17+
1. A recognized authentication line becomes a typed event.
18+
2. A blank line is counted in `skipped_blank_lines`.
19+
3. A malformed or unsupported line becomes a parser warning with a line
20+
number, failure category, and unknown-pattern bucket.
21+
22+
Unsupported lines do not become detector input. They remain visible as
23+
coverage telemetry. This keeps a parser gap from being mistaken for negative
24+
security evidence.
25+
26+
The categories are deliberately coarser than the pattern buckets. For example,
27+
an unsupported `sshd` pre-authentication close and an unsupported negotiation
28+
failure can both belong to `known_program_unknown_message` while retaining
29+
different buckets. The category supports summary review; the bucket preserves
30+
the narrower engineering question.
31+
32+
## A noisy corpus is useful evidence
33+
34+
The checked-in
35+
[`mixed_auth_corpus.log`](../assets/mixed_auth_corpus.log) is a sanitized,
36+
150-line syslog-style fixture. Its paired
37+
[`mixed_auth_parser_coverage.json`](../assets/mixed_auth_parser_coverage.json)
38+
records recognized events, warnings, blank lines, failure categories, pattern
39+
buckets, and source-line references.
40+
41+
The corpus is intentionally noisy. A lower parse-success rate is not hidden or
42+
reframed as a quality claim. What matters is that the unsupported portion has a
43+
stable, inspectable shape. The locked expectations are documented in
44+
[parser coverage notes](parser-coverage-notes.md) and exercised by parser and
45+
report-contract tests.
46+
47+
## Parsing and detection remain separate
48+
49+
A parsed event is not automatically a detection signal. LogLens keeps that
50+
boundary explicit through its signal configuration. Supported success and
51+
audit events can remain reportable context without contributing to a
52+
brute-force finding. Unsupported lines never cross that boundary.
53+
54+
This separation lets a reviewer ask two different questions:
55+
56+
- Did the parser classify this line as documented?
57+
- Did the configured rule use that event as evidence?
58+
59+
The [parser conformance matrix](parser-conformance-matrix.md) and
60+
[rule catalog](rule-catalog.md) provide the corresponding review surfaces.
61+
62+
## Reproduce the contract
63+
64+
From the repository root:
65+
66+
```bash
67+
cmake -S . -B build
68+
cmake --build build
69+
ctest --test-dir build --output-on-failure
70+
```
71+
72+
For a shorter artifact-first route, use the
73+
[reviewer path](reviewer-path.md). A useful external review can stay narrow:
74+
check one supported line, one unsupported line, or one report warning against
75+
the documented outcome.
76+
77+
## What this does not prove
78+
79+
Visible uncertainty is not complete parser coverage. LogLens does not claim to
80+
support every Linux distribution, authentication module, or message variant.
81+
It also does not turn a rule match into a compromise verdict, attribution, or
82+
blocking recommendation. The case study shows how uncertainty is preserved for
83+
review, not how uncertainty is eliminated.

0 commit comments

Comments
 (0)