Releases: stacknil/LogLens
LogLens v0.5.0 - Evidence Explainability Release
LogLens v0.5.0 is the Evidence Explainability Release.
This release makes the path from raw Linux authentication evidence to bounded triage findings easier to review. It stabilizes parser observability, report contracts, evidence references, and explicit non-claims without widening LogLens into an incident verdict system.
Highlights
- Stable JSON report contract: `loglens.report.v2` with `schema_version: 2`.
- Stable finding explainability fields: `rule_id`, `subject_kind`, `subject`, `grouping_key`, `window_start`, `window_end`, `threshold`, `observed_count`, `evidence_event_ids`, and `verdict_boundary`.
- Golden fixtures for `report.md`, `report.json`, `findings.csv`, and `warnings.csv`.
- Sanitized 150-line mixed auth corpus plus a checked-in parser coverage artifact.
- Parser failure and false-positive taxonomies.
- Forensic-style Linux authentication evidence case studies.
Reviewer evidence
- Full v0.5.0 release notes
- Parser contract
- Report artifact contract
- Mixed auth corpus and parser coverage artifact
- False-positive taxonomy
- Linux auth brute-force case study
Non-claims
LogLens findings remain bounded triage signals. This release makes:
- no compromise verdict
- no attribution
- no blocking recommendation
- no cross-host correlation
No CLI migration is required. Downstream JSON consumers should key off `schema` and `schema_version`.
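As an added example that is not LogLens's own code: a downstream consumer that keys off `schema` and `schema_version` before it reads anything else, then checks each finding's explainability fields for internal consistency and flattens them into reviewer rows. Only `schema`, `schema_version` and the finding field names come from the release notes above; the top-level `findings` key, the invariants checked (ISO 8601 windows in one zone, `observed_count` at or above `threshold`, non-empty evidence), and the sample reports are assumptions constructed for this example.

```python
import json

EXPECTED_SCHEMA = "loglens.report.v2"  # from the v0.5.0 notes
EXPECTED_VERSION = 2
FINDING_FIELDS = (
    "rule_id", "subject_kind", "subject", "grouping_key", "window_start", "window_end",
    "threshold", "observed_count", "evidence_event_ids", "verdict_boundary",
)


def check_report(doc):
    """Return a list of problems; an empty list means the report may be consumed.

    The top-level "findings" key and the invariants below are assumptions of
    this example, not documented LogLens behaviour.
    """
    if doc.get("schema") != EXPECTED_SCHEMA or doc.get("schema_version") != EXPECTED_VERSION:
        # Refuse rather than guess: a different contract needs a different reader.
        return [f"unsupported contract: schema={doc.get('schema')!r} "
                f"schema_version={doc.get('schema_version')!r}"]
    problems = []
    for i, f in enumerate(doc.get("findings", [])):
        missing = [k for k in FINDING_FIELDS if k not in f]
        if missing:
            problems.append(f"finding {i}: missing fields {missing}")
            continue
        if f["window_start"] > f["window_end"]:  # assumes ISO 8601 strings in one zone
            problems.append(f"finding {i}: window_start after window_end")
        if f["observed_count"] < f["threshold"]:
            problems.append(f"finding {i}: observed_count {f['observed_count']} "
                            f"below threshold {f['threshold']}")
        if not f["evidence_event_ids"]:
            problems.append(f"finding {i}: no evidence_event_ids to review")
        if not str(f["verdict_boundary"]).strip():
            problems.append(f"finding {i}: empty verdict_boundary")
    return problems


def triage_rows(doc):
    """Flatten findings into reviewer rows: rule, subject, count vs threshold, window, evidence ids.

    Run check_report first; this assumes a well-formed report.
    """
    return [
        (
            f["rule_id"],
            f"{f['subject_kind']}={f['subject']}",
            f"{f['observed_count']}/{f['threshold']}",
            f"{f['window_start']}..{f['window_end']}",
            ",".join(str(e) for e in f["evidence_event_ids"]),
        )
        for f in doc["findings"]
    ]


# Constructed sample reports for this example, not LogLens golden fixtures.
GOOD_REPORT = json.loads("""{
  "schema": "loglens.report.v2", "schema_version": 2,
  "findings": [{
    "rule_id": "auth_failure_burst", "subject_kind": "remote_host", "subject": "203.0.113.7",
    "grouping_key": "web01|203.0.113.7",
    "window_start": "2024-01-15T10:00:01+00:00", "window_end": "2024-01-15T10:00:11+00:00",
    "threshold": 5, "observed_count": 5, "evidence_event_ids": [1, 2, 4, 5, 6],
    "verdict_boundary": "bounded triage signal; no compromise verdict or attribution"
  }]
}""")
INCONSISTENT_REPORT = {**GOOD_REPORT, "findings": [
    {**GOOD_REPORT["findings"][0], "observed_count": 3, "evidence_event_ids": []}]}
OLD_CONTRACT = {"schema": "loglens.report.v1", "schema_version": 1, "findings": []}

if __name__ == "__main__":
    for name, doc in [("good", GOOD_REPORT), ("inconsistent", INCONSISTENT_REPORT), ("old", OLD_CONTRACT)]:
        print(name, check_report(doc) or triage_rows(doc))
```

The point of the early return is that a consumer written against v2 should stop at a contract mismatch rather than read a v1 document with v2 assumptions; the per-finding checks then catch a report whose evidence does not support the count it claims.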
LogLens v0.4.0 — optional CSV export and stabilized report outputs
- added optional CSV export for `findings.csv` and `warnings.csv`
- preserved default Markdown/JSON behavior when `--csv` is not requested
- added single-host and multi-host CSV regression coverage
- added .gitattributes guardrails to reduce future line-ending drift
LogLens v0.3.0 — parser family expansion, host summaries, and optional CSV export
LogLens v0.3.0 expands parser family coverage, strengthens deterministic regression coverage, and improves multi-host reporting while keeping the tool intentionally defensive and public-safe.
Highlights
- broadened parser support for common Linux auth families
- strengthened sanitized corpus and golden regression coverage
- added multi-host host summaries in `report.md` and `report.json`
- added optional CSV export for findings and warnings
Notable changes
- added parser support for `Accepted publickey` SSH successes plus selected `pam_faillock(...:auth)` and `pam_sss(...:auth)` failure variants
- expanded sanitized parser fixture matrices and added golden report-contract fixtures for Markdown, JSON, and CSV outputs
- added compact per-host summaries when one input file contains multiple hostnames, without introducing cross-host correlation or changing detector thresholds
- added explicit `--csv` output for `findings.csv` and `warnings.csv`, and kept non-CSV runs non-destructive toward existing CSV files
Scope note
This release broadens the parser surface and improves report ergonomics, but LogLens remains a focused offline auth-log triage CLI rather than a SIEM, enrichment pipeline, or cross-host correlation platform.
LogLens v0.2.0 — parser fixture coverage and unified sudo signals
Highlights
- expanded sanitized parser fixture coverage for `sshd` and `pam_unix` variants
- improved deterministic unknown-line telemetry and parser coverage reporting
- unified sudo detector input by moving sudo handling onto the signal layer
- improved release-facing documentation with a stable changelog and release-process guidance
Notable changes
- added dedicated parser fixture matrices for both `syslog_legacy` and `journalctl_short_full`
- kept unsupported connection-close / timeout / PAM session-close variants as telemetry-only
- preserved detector thresholds and report schema while simplifying detector input semantics
- added `CHANGELOG.md` and release-process documentation for future releases
Scope note
This release remains intentionally conservative. LogLens is still a focused, public-safe detection engineering CLI rather than a SIEM or correlation platform.
LogLens v0.1.0 — MVP public release
- syslog legacy + journalctl short-full dual input modes
- normalized auth evidence + rule-based detections
- parser coverage telemetry + unknown-line accounting
- CI, CodeQL, SECURITY.md, Dependabot, and ruleset baseline
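The v0.1.0 pipeline listed here (dual input modes, normalized evidence, rule-based detection, unknown-line accounting) together with the v0.2.0 and v0.3.0 parser families (`sshd`, `pam_unix`, `Accepted publickey`, and connection-close lines kept telemetry-only), as one added example that is not LogLens's parser or detector: it normalises a mixed syslog-legacy / journalctl short-full corpus, counts every line it cannot classify, and emits one bounded finding shaped like the v0.5.0 fields. The header and message regexes, the assumed year for year-less syslog timestamps, the rule parameters, and the sample lines are all constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Header shapes for the two input modes. These regexes, the rule parameters and
# the sample corpus are constructed for this example; they are not LogLens's parser.
SYSLOG_LEGACY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
JOURNAL_SHORT_FULL = re.compile(
    r"^[A-Z][a-z]{2} (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Message families that become normalised evidence; everything else is counted as unknown.
SSHD_ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+) port \d+")
SSHD_FAILED = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port \d+")
PAM_UNIX_FAIL = re.compile(
    r"^pam_unix\(\S+:auth\): authentication failure;.*\brhost=(?P<rhost>\S*)(?: +user=(?P<user>\S+))?")
ASSUMED_YEAR = 2024  # syslog legacy timestamps carry no year (assumption for the example)
RULE = {"rule_id": "auth_failure_burst", "threshold": 5, "window": timedelta(minutes=10)}  # assumed


def parse_line(line_no, line):
    """Normalise one line into an evidence event, or return None if the line is unsupported."""
    m = SYSLOG_LEGACY.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR, tzinfo=timezone.utc)
    else:
        m = JOURNAL_SHORT_FULL.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    base = {"event_id": line_no, "ts": ts, "host": m["host"]}
    msg = m["msg"]
    if m["prog"] == "sshd":
        ok = SSHD_ACCEPTED.match(msg)
        if ok:
            return {**base, "kind": "ssh_success", "user": ok["user"], "rhost": ok["rhost"]}
        bad = SSHD_FAILED.match(msg)
        if bad:
            return {**base, "kind": "auth_failure", "user": bad["user"], "rhost": bad["rhost"]}
    pam = PAM_UNIX_FAIL.match(msg)
    if pam:
        return {**base, "kind": "auth_failure", "user": pam["user"], "rhost": pam["rhost"]}
    return None  # e.g. connection-close lines stay telemetry-only


def normalise(lines):
    """Parse every line and keep coverage telemetry so unknown lines are counted, never silently dropped."""
    events, telemetry, unknown = [], Counter(), []
    for n, line in enumerate(lines, start=1):
        ev = parse_line(n, line)
        if ev is None:
            telemetry["unknown"] += 1
            unknown.append(n)
        else:
            telemetry[ev["kind"]] += 1
            events.append(ev)
    telemetry["total"] = len(lines)
    return events, telemetry, unknown


def detect(events, rule=RULE):
    """One bounded rule: >= threshold auth failures from one remote host against one local host in a window."""
    groups = {}
    for ev in events:
        if ev["kind"] == "auth_failure" and ev["rhost"]:
            groups.setdefault((ev["host"], ev["rhost"]), []).append(ev)
    findings = []
    for (host, rhost), evs in sorted(groups.items()):
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > rule["window"]:
                start += 1  # slide the window forward until it fits
            window = evs[start:end + 1]
            if len(window) >= rule["threshold"]:
                findings.append({
                    "rule_id": rule["rule_id"], "subject_kind": "remote_host", "subject": rhost,
                    "grouping_key": f"{host}|{rhost}",
                    "window_start": window[0]["ts"].isoformat(), "window_end": window[-1]["ts"].isoformat(),
                    "threshold": rule["threshold"], "observed_count": len(window),
                    "evidence_event_ids": [e["event_id"] for e in window],
                    "verdict_boundary": "bounded triage signal: no compromise verdict, attribution or blocking advice",
                })
                break  # one finding per grouping key, bounded by the evidence ids it lists
    return findings


SAMPLE_LINES = [  # constructed sample corpus mixing both input modes; not the project's fixture
    "Jan 15 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2",
    "Jan 15 10:00:03 web01 sshd[2202]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    "Jan 15 10:00:05 web01 sshd[2202]: Connection closed by authenticating user root 203.0.113.7 port 40002 [preauth]",
    "Jan 15 10:00:07 web01 sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root",
    "Jan 15 10:00:09 web01 sshd[2204]: Failed password for root from 203.0.113.7 port 40004 ssh2",
    "Jan 15 10:00:11 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 40005 ssh2",
    "Jan 15 10:00:30 web01 CRON[2206]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mon 2024-01-15 10:05:00 UTC db01 sshd[911]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:c0ns7ruct3d",
    "Mon 2024-01-15 10:05:02 UTC db01 sshd[912]: Failed password for bob from 10.0.0.9 port 51235 ssh2",
]


def run(lines=SAMPLE_LINES):
    events, telemetry, unknown = normalise(lines)
    return {"telemetry": dict(telemetry), "unknown_lines": unknown, "findings": detect(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

Two design choices follow the release notes: the connection-close and cron session lines are reported in the telemetry counts rather than discarded, so a reviewer can see what the parser did not understand, and the finding names only the event ids inside its window, so its claim cannot outgrow the evidence behind it. Nothing here correlates across hosts; `db01` gets its own grouping key and never reaches the threshold.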