
Releases: stacknil/LogLens

LogLens v0.5.0 - Evidence Explainability Release


@stacknil stacknil released this 04 Jul 10:13
1ce0dd9

LogLens v0.5.0 is the Evidence Explainability Release.

This release makes the path from raw Linux authentication evidence to bounded triage findings easier to review. It stabilizes parser observability, report contracts, evidence references, and explicit non-claims without widening LogLens into an incident verdict system.

Highlights

  • Stable JSON report contract: loglens.report.v2 with schema_version: 2.
  • Stable finding explainability fields: rule_id, subject_kind, subject, grouping_key, window_start, window_end, threshold, observed_count, evidence_event_ids, and verdict_boundary.
  • Golden fixtures for report.md, report.json, findings.csv, and warnings.csv.
  • Sanitized 150-line mixed auth corpus plus a checked-in parser coverage artifact.
  • Parser failure and false-positive taxonomies.
  • Forensic-style Linux authentication evidence case studies.

Reviewer evidence

Non-claims

LogLens findings remain bounded triage signals. This release makes:

  • no compromise verdict
  • no attribution
  • no blocking recommendation
  • no cross-host correlation

No CLI migration is required. Downstream JSON consumers should key off schema and schema_version.
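As an added example (not LogLens's own code) of what "key off schema and schema_version" looks like on the consumer side: a small checker that refuses any report.json whose contract is not loglens.report.v2 / schema_version 2 before reading a single finding, then verifies that every finding carries the explainability fields listed above. The sample reports, the rule_id, the subject and the event ids are constructed and hypothetical; the top-level layout ("schema", "schema_version", "findings") is an assumption about the report shape.

```python
import json

EXPECTED_SCHEMA = "loglens.report.v2"
EXPECTED_VERSION = 2
# Explainability fields the v0.5.0 notes promise on every finding.
FINDING_FIELDS = (
    "rule_id", "subject_kind", "subject", "grouping_key", "window_start",
    "window_end", "threshold", "observed_count", "evidence_event_ids",
    "verdict_boundary",
)

def check_report(text: str) -> list[str]:
    """Parse a report.json body and return contract violations (empty = consumable)."""
    report = json.loads(text)
    problems = []
    # Key off schema and schema_version first, as the release notes advise,
    # so a changed contract is refused rather than silently misread.
    if report.get("schema") != EXPECTED_SCHEMA:
        problems.append(f"unexpected schema: {report.get('schema')!r}")
    if report.get("schema_version") != EXPECTED_VERSION:
        problems.append(f"unexpected schema_version: {report.get('schema_version')!r}")
    if problems:
        return problems  # never interpret findings from an unknown contract
    for idx, finding in enumerate(report.get("findings", [])):
        missing = [f for f in FINDING_FIELDS if f not in finding]
        if missing:
            problems.append(f"finding {idx}: missing {missing}")
            continue
        ids = finding["evidence_event_ids"]
        if not isinstance(ids, list) or not ids:
            problems.append(f"finding {idx}: evidence_event_ids must be a non-empty list")
    return problems

# Constructed sample finding (hypothetical values, not real LogLens output).
_FINDING = {
    "rule_id": "ssh_password_failure_burst", "subject_kind": "source_ip",
    "subject": "198.51.100.7", "grouping_key": "host-a|198.51.100.7",
    "window_start": "2024-03-18T17:00:00Z", "window_end": "2024-03-18T17:05:00Z",
    "threshold": 5, "observed_count": 9, "evidence_event_ids": ["ev-12", "ev-13"],
    "verdict_boundary": "bounded triage signal; no compromise verdict",
}

def _report(version: int, finding: dict) -> str:
    """Build a report.json body around one finding (assumed top-level layout)."""
    return json.dumps({"schema": EXPECTED_SCHEMA, "schema_version": version, "findings": [finding]})

SAMPLE_OK = _report(2, _FINDING)
SAMPLE_NEWER = _report(3, _FINDING)  # a future contract version must be refused
SAMPLE_MISSING = _report(2, {k: v for k, v in _FINDING.items() if k != "evidence_event_ids"})
```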

LogLens v0.4.0 — optional CSV export and stabilized report outputs


@stacknil stacknil released this 25 Mar 11:30
d7ebcac

  • added optional CSV export for findings.csv and warnings.csv
  • preserved default Markdown/JSON behavior when --csv is not requested
  • added single-host and multi-host CSV regression coverage
  • added .gitattributes guardrails to reduce future line-ending drift

LogLens v0.3.0 — parser family expansion, host summaries, and optional CSV export


@stacknil stacknil released this 25 Mar 09:23
0bc460f

LogLens v0.3.0

LogLens v0.3.0 expands parser family coverage, strengthens deterministic regression coverage, and improves multi-host reporting while keeping the tool intentionally defensive and public-safe.

Highlights

  • broadened parser support for common Linux auth families
  • strengthened sanitized corpus and golden regression coverage
  • added multi-host host summaries in report.md and report.json
  • added optional CSV export for findings and warnings

Notable changes

  • added parser support for Accepted publickey SSH successes plus selected pam_faillock(...:auth) and pam_sss(...:auth) failure variants
  • expanded sanitized parser fixture matrices and added golden report-contract fixtures for Markdown, JSON, and CSV outputs
  • added compact per-host summaries when one input file contains multiple hostnames, without introducing cross-host correlation or changing detector thresholds
  • added explicit --csv output for findings.csv and warnings.csv, and kept non-CSV runs non-destructive toward existing CSV files

Scope note

This release broadens the parser surface and improves report ergonomics, but LogLens remains a focused offline auth-log triage CLI rather than a SIEM, enrichment pipeline, or cross-host correlation platform.

LogLens v0.2.0 — parser fixture coverage and unified sudo signals


@stacknil stacknil released this 20 Mar 03:52
bdd6ce8

Highlights

  • expanded sanitized parser fixture coverage for sshd and pam_unix variants
  • improved deterministic unknown-line telemetry and parser coverage reporting
  • unified sudo detector input by moving sudo handling onto the signal layer
  • improved release-facing documentation with a stable changelog and release-process guidance

Notable changes

  • added dedicated parser fixture matrices for both syslog_legacy and journalctl_short_full
  • kept unsupported connection-close / timeout / PAM session-close variants as telemetry-only
  • preserved detector thresholds and report schema while simplifying detector input semantics
  • added CHANGELOG.md and release-process documentation for future releases

Scope note

This release remains intentionally conservative. LogLens is still a focused, public-safe detection engineering CLI rather than a SIEM or correlation platform.

LogLens v0.1.0 — MVP public release


@stacknil stacknil released this 18 Mar 17:02
472fe68

  • syslog legacy + journalctl short-full dual input modes
  • normalized auth evidence + rule-based detections
  • parser coverage telemetry + unknown-line accounting
  • CI, CodeQL, SECURITY.md, Dependabot, and ruleset baseline