Merged
10 changes: 8 additions & 2 deletions assets/parser_auth_families_journalctl_short_full.log
@@ -1,7 +1,13 @@
Wed 2026-03-11 10:00:01 UTC example-host sshd[3100]: Accepted publickey for alice from 203.0.113.70 port 53000 ssh2: ED25519 SHA256:SANITIZEDKEY
Wed 2026-03-11 10:00:20 UTC example-host sshd[3101]: Accepted password for bob from 203.0.113.73 port 53001 ssh2
Wed 2026-03-11 10:00:36 UTC example-host sshd[3102]: Failed publickey for invalid user svc-deploy from 203.0.113.74 port 53002 ssh2
Wed 2026-03-11 10:00:42 UTC example-host pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked from 203.0.113.71
Wed 2026-03-11 10:01:13 UTC example-host pam_faillock(sshd:auth): Authentication failure for user bob from 203.0.113.72
Wed 2026-03-11 10:01:40 UTC example-host pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.75 user=carol
Wed 2026-03-11 10:01:54 UTC example-host pam_faillock(sshd:auth): User carol successfully authenticated
Wed 2026-03-11 10:02:25 UTC example-host pam_sss(sshd:auth): received for user dave: 7 (Authentication failure)
Wed 2026-03-11 10:02:56 UTC example-host pam_sss(sshd:auth): received for user erin: 10 (User not known to the underlying authentication module)
Wed 2026-03-11 10:03:27 UTC example-host pam_sss(sshd:auth): received for user frank: 9 (Authentication service cannot retrieve authentication info)
Wed 2026-03-11 10:02:44 UTC example-host pam_unix(sudo:session): session opened for user root by erin(uid=0)
Wed 2026-03-11 10:03:05 UTC example-host pam_faillock(sshd:auth): Account temporarily locked for user frank
Wed 2026-03-11 10:03:24 UTC example-host pam_sss(sshd:auth): received for user grace: 10 (User not known to the underlying authentication module)
Wed 2026-03-11 10:03:43 UTC example-host pam_sss(sshd:auth): received for user heidi: 9 (Authentication service cannot retrieve authentication info)
Wed 2026-03-11 10:04:02 UTC example-host pam_unix(sshd:session): session closed for user alice
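Review bot: two kinds of line in this auth-family fixture have no classification pinned down anywhere in the PR: `Failed publickey for invalid user svc-deploy from 203.0.113.74 port 53002 ssh2` and the pam_sss status 9 lines (`Authentication service cannot retrieve authentication info`, which is PAM_AUTHINFO_UNAVAIL). The report contracts updated in this PR only exercise pam_sss status 7 (counted as pam_auth_failure) and status 10 (surfaced as the `pam_sss_unknown_user` unknown pattern), and none of the visible event types name a failed publickey attempt. Add a contract fixture or a parser unit test that asserts what each of these lines becomes (an event type or a named unknown pattern); as it stands a silent reclassification would not fail any test. Status 9 in particular is a backend fault (SSSD could not reach its provider), not a credential failure, so folding it into pam_auth_failure would inflate brute-force counts and it deserves its own label.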
10 changes: 8 additions & 2 deletions assets/parser_auth_families_syslog.log
@@ -1,7 +1,13 @@
Mar 11 10:00:01 example-host sshd[2100]: Accepted publickey for alice from 203.0.113.70 port 53000 ssh2: ED25519 SHA256:SANITIZEDKEY
Mar 11 10:00:20 example-host sshd[2101]: Accepted password for bob from 203.0.113.73 port 53001 ssh2
Mar 11 10:00:36 example-host sshd[2102]: Failed publickey for invalid user svc-deploy from 203.0.113.74 port 53002 ssh2
Mar 11 10:00:42 example-host pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked from 203.0.113.71
Mar 11 10:01:13 example-host pam_faillock(sshd:auth): Authentication failure for user bob from 203.0.113.72
Mar 11 10:01:40 example-host pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.75 user=carol
Mar 11 10:01:54 example-host pam_faillock(sshd:auth): User carol successfully authenticated
Mar 11 10:02:25 example-host pam_sss(sshd:auth): received for user dave: 7 (Authentication failure)
Mar 11 10:02:56 example-host pam_sss(sshd:auth): received for user erin: 10 (User not known to the underlying authentication module)
Mar 11 10:03:27 example-host pam_sss(sshd:auth): received for user frank: 9 (Authentication service cannot retrieve authentication info)
Mar 11 10:02:44 example-host pam_unix(sudo:session): session opened for user root by erin(uid=0)
Mar 11 10:03:05 example-host pam_faillock(sshd:auth): Account temporarily locked for user frank
Mar 11 10:03:24 example-host pam_sss(sshd:auth): received for user grace: 10 (User not known to the underlying authentication module)
Mar 11 10:03:43 example-host pam_sss(sshd:auth): received for user heidi: 9 (Authentication service cannot retrieve authentication info)
Mar 11 10:04:02 example-host pam_unix(sshd:session): session closed for user alice
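Review bot: this syslog twin mirrors the journalctl fixture line for line, differing only in the timestamp prefix and the sshd PIDs (2100-2102 here against 3100-3102 in the journalctl file). Since both copies are maintained by hand, add a test that parses both and asserts the same sequence of (user, event type or unknown pattern) pairs, so the two input modes cannot drift apart on the next edit. Note that this format drops the year and the zone, so the parser has to fall back to the assumed year; every line here is Mar 11 and within one hour, so that fallback is not stressed by this fixture.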
4 changes: 4 additions & 0 deletions assets/parser_fixture_matrix_journalctl_short_full.log
Expand Up @@ -4,9 +4,13 @@ Tue 2026-03-10 09:01:15 UTC example-host sshd[3002]: Invalid user backup from 20
Tue 2026-03-10 09:01:52 UTC example-host pam_unix(sshd:auth): authentication failure; user=alice euid=0 tty=ssh rhost=203.0.113.40
Tue 2026-03-10 09:02:30 UTC example-host pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Tue 2026-03-10 09:03:05 UTC example-host pam_unix(su-l:session): session opened for user root by bob(uid=1001)
Tue 2026-03-10 09:03:28 UTC example-host sshd[3008]: Accepted password for alice from 203.0.113.41 port 52003 ssh2
Tue 2026-03-10 09:03:34 UTC example-host sshd[3009]: Accepted publickey for carol from 203.0.113.42 port 52004 ssh2: ED25519 SHA256:SANITIZEDKEY2
Tue 2026-03-10 09:03:40 UTC example-host sshd[3003]: Connection closed by user alice 203.0.113.50 port 52010 [preauth]
Tue 2026-03-10 09:04:05 UTC example-host sshd[3004]: Connection closed by authenticating user carol 203.0.113.51 port 52011 [preauth]
Tue 2026-03-10 09:04:28 UTC example-host sshd[3005]: Connection closed by invalid user deploy 203.0.113.52 port 52012 [preauth]
Tue 2026-03-10 09:05:02 UTC example-host sshd[3006]: Disconnected from authenticating user dave 203.0.113.53 port 52013 [preauth]
Tue 2026-03-10 09:05:34 UTC example-host sshd[3007]: Timeout, client not responding from 203.0.113.54 port 52014
Tue 2026-03-10 09:05:46 UTC example-host sshd[3010]: Received disconnect from 203.0.113.55 port 52015:11: disconnected by user
Tue 2026-03-10 09:05:58 UTC example-host sshd[3011]: Unable to negotiate with 203.0.113.56 port 52016: no matching host key type found. Their offer: ssh-rsa
Tue 2026-03-10 09:06:10 UTC example-host pam_unix(sshd:session): session closed for user alice
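Review bot: the added lines change the event mix of the fixture matrix, but this diff carries no regenerated expected output for parser_fixture_matrix (only the multi_host report contracts are updated); confirm that the matrix test derives its expectations elsewhere, or regenerate them in this PR. One detail worth asserting explicitly: the carol line carries the key type and fingerprint suffix (`ssh2: ED25519 SHA256:SANITIZEDKEY2`) while the multi_host alice publickey line ends at `ssh2`, so together the fixtures cover both shapes of the Accepted publickey message; the parser test should check that the fingerprint is captured (or deliberately dropped) rather than only that the line parses.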
4 changes: 4 additions & 0 deletions assets/parser_fixture_matrix_syslog.log
Expand Up @@ -4,9 +4,13 @@ Mar 10 09:01:15 example-host sshd[2002]: Invalid user backup from 203.0.113.12 p
Mar 10 09:01:52 example-host pam_unix(sshd:auth): authentication failure; user=alice euid=0 tty=ssh rhost=203.0.113.40
Mar 10 09:02:30 example-host pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar 10 09:03:05 example-host pam_unix(su-l:session): session opened for user root by bob(uid=1001)
Mar 10 09:03:28 example-host sshd[2008]: Accepted password for alice from 203.0.113.41 port 52003 ssh2
Mar 10 09:03:34 example-host sshd[2009]: Accepted publickey for carol from 203.0.113.42 port 52004 ssh2: ED25519 SHA256:SANITIZEDKEY2
Mar 10 09:03:40 example-host sshd[2003]: Connection closed by user alice 203.0.113.50 port 52010 [preauth]
Mar 10 09:04:05 example-host sshd[2004]: Connection closed by authenticating user carol 203.0.113.51 port 52011 [preauth]
Mar 10 09:04:28 example-host sshd[2005]: Connection closed by invalid user deploy 203.0.113.52 port 52012 [preauth]
Mar 10 09:05:02 example-host sshd[2006]: Disconnected from authenticating user dave 203.0.113.53 port 52013 [preauth]
Mar 10 09:05:34 example-host sshd[2007]: Timeout, client not responding from 203.0.113.54 port 52014
Mar 10 09:05:46 example-host sshd[2010]: Received disconnect from 203.0.113.55 port 52015:11: disconnected by user
Mar 10 09:05:58 example-host sshd[2011]: Unable to negotiate with 203.0.113.56 port 52016: no matching host key type found. Their offer: ssh-rsa
Mar 10 09:06:10 example-host pam_unix(sshd:session): session closed for user alice
Expand Up @@ -3,9 +3,13 @@ Wed 2026-03-11 09:01:05 UTC alpha-host sshd[2302]: Failed password for root from
Wed 2026-03-11 09:02:10 UTC alpha-host sshd[2303]: Failed password for test from 203.0.113.10 port 52040 ssh2
Wed 2026-03-11 09:03:44 UTC alpha-host sshd[2304]: Failed password for guest from 203.0.113.10 port 52050 ssh2
Wed 2026-03-11 09:04:05 UTC alpha-host sshd[2305]: Failed password for invalid user deploy from 203.0.113.10 port 52060 ssh2
Wed 2026-03-11 09:05:20 UTC alpha-host sshd[2306]: Accepted password for ops from 203.0.113.60 port 52070 ssh2
Wed 2026-03-11 09:06:02 UTC alpha-host pam_faillock(sshd:auth): Authentication failure for user svc-ci from 203.0.113.61
Wed 2026-03-11 09:10:10 UTC beta-host sshd[2401]: Accepted publickey for alice from 203.0.113.20 port 52111 ssh2
Wed 2026-03-11 09:11:00 UTC beta-host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh
Wed 2026-03-11 09:12:10 UTC beta-host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Wed 2026-03-11 09:13:02 UTC beta-host pam_sss(sshd:auth): received for user mallory: 7 (Authentication failure)
Wed 2026-03-11 09:13:38 UTC beta-host pam_sss(sshd:auth): received for user ghost: 10 (User not known to the underlying authentication module)
Wed 2026-03-11 09:14:15 UTC beta-host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Wed 2026-03-11 09:15:12 UTC alpha-host sshd[2306]: Connection closed by authenticating user alice 203.0.113.50 port 52290 [preauth]
Wed 2026-03-11 09:15:12 UTC alpha-host sshd[2307]: Connection closed by authenticating user alice 203.0.113.50 port 52290 [preauth]
Wed 2026-03-11 09:16:18 UTC beta-host sshd[2402]: Timeout, client not responding from 203.0.113.51 port 52291
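Review bot: the existing alice preauth-close line had to be renumbered from sshd[2306] to sshd[2307] because the new `Accepted password for ops` line took 2306; keeping PIDs unique within a fixture is the right call, since a parser that correlates by PID would otherwise glue the ops login to alice's disconnect. Also check the intent behind finding_count staying at 3 in expected.json: the new success on alpha-host follows four password failures on the same host, but from 203.0.113.60 rather than the attacker address 203.0.113.10, so no failures-then-success correlation should fire. Record that this is a deliberate negative case (a comment in the fixture or a test name) so the next reader does not assume the detector missed it.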
Expand Up @@ -4,42 +4,48 @@
"input_mode": "journalctl_short_full",
"timezone_present": true,
"parser_quality": {
"total_lines": 11,
"parsed_lines": 9,
"unparsed_lines": 2,
"parse_success_rate": 0.8182,
"total_lines": 15,
"parsed_lines": 12,
"unparsed_lines": 3,
"parse_success_rate": 0.8000,
"top_unknown_patterns": [
{"pattern": "pam_sss_unknown_user", "count": 1},
{"pattern": "sshd_connection_closed_preauth", "count": 1},
{"pattern": "sshd_timeout_or_disconnection", "count": 1}
]
},
"parsed_event_count": 9,
"warning_count": 2,
"parsed_event_count": 12,
"warning_count": 3,
"finding_count": 3,
"event_counts": [
{"event_type": "ssh_failed_password", "count": 3},
{"event_type": "ssh_accepted_password", "count": 1},
{"event_type": "ssh_accepted_publickey", "count": 1},
{"event_type": "ssh_invalid_user", "count": 2},
{"event_type": "pam_auth_failure", "count": 2},
{"event_type": "sudo_command", "count": 3}
],
"host_summaries": [
{
"hostname": "alpha-host",
"parsed_event_count": 5,
"parsed_event_count": 7,
"finding_count": 2,
"warning_count": 1,
"event_counts": [
{"event_type": "ssh_failed_password", "count": 3},
{"event_type": "ssh_invalid_user", "count": 2}
{"event_type": "ssh_accepted_password", "count": 1},
{"event_type": "ssh_invalid_user", "count": 2},
{"event_type": "pam_auth_failure", "count": 1}
]
},
{
"hostname": "beta-host",
"parsed_event_count": 4,
"parsed_event_count": 5,
"finding_count": 1,
"warning_count": 1,
"warning_count": 2,
"event_counts": [
{"event_type": "ssh_accepted_publickey", "count": 1},
{"event_type": "pam_auth_failure", "count": 1},
{"event_type": "sudo_command", "count": 3}
]
}
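Review bot: pam_sss status 7 (`Authentication failure`) for mallory is counted as a pam_auth_failure event, but status 10 (`User not known to the underlying authentication module`) for ghost is demoted to the unknown pattern `pam_sss_unknown_user` and becomes a parser warning rather than an event, which is also what pulls parse_success_rate down to 0.8000. From a detection standpoint an unknown-user attempt is the same username-enumeration signal that ssh_invalid_user already captures for sshd, so it should probably be a first-class event type (a `pam_unknown_user` counter beside ssh_invalid_user, for example) rather than a hole in parse quality. If it stays a warning, the reason string `unrecognized auth pattern: pam_sss_unknown_user` is misleading, since the pattern is recognized well enough to be named; "unmapped" describes it more accurately.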
Expand Down Expand Up @@ -77,7 +83,8 @@
}
],
"warnings": [
{"line_number": 10, "reason": "unrecognized auth pattern: sshd_connection_closed_preauth"},
{"line_number": 11, "reason": "unrecognized auth pattern: sshd_timeout_or_disconnection"}
{"line_number": 12, "reason": "unrecognized auth pattern: pam_sss_unknown_user"},
{"line_number": 14, "reason": "unrecognized auth pattern: sshd_connection_closed_preauth"},
{"line_number": 15, "reason": "unrecognized auth pattern: sshd_timeout_or_disconnection"}
]
}
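Review bot: the warning entries carry only line_number and reason, while host_summaries reports warning_count per host (alpha-host 1, beta-host 2); include the hostname, and ideally the raw line, in each warning so the per-host counts can be audited against this list without re-reading input.log. The shifted numbers themselves check out against the new input: line 12 is the ghost pam_sss line, 14 the renumbered alice preauth close, 15 the beta-host timeout.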
Expand Up @@ -5,20 +5,20 @@
- Input: `tests/fixtures/report_contracts/multi_host_journalctl_short_full/input.log`
- Input mode: journalctl_short_full
- Timezone present: true
- Total lines: 11
- Parsed lines: 9
- Unparsed lines: 2
- Parse success rate: 81.82%
- Parsed events: 9
- Total lines: 15
- Parsed lines: 12
- Unparsed lines: 3
- Parse success rate: 80.00%
- Parsed events: 12
- Findings: 3
- Parser warnings: 2
- Parser warnings: 3

## Host Summary

| Host | Parsed Events | Findings | Warnings |
| --- | ---: | ---: | ---: |
| alpha-host | 5 | 2 | 1 |
| beta-host | 4 | 1 | 1 |
| alpha-host | 7 | 2 | 1 |
| beta-host | 5 | 1 | 2 |

## Findings

Expand All @@ -33,20 +33,24 @@
| Event Type | Count |
| --- | ---: |
| ssh_failed_password | 3 |
| ssh_accepted_password | 1 |
| ssh_accepted_publickey | 1 |
| ssh_invalid_user | 2 |
| pam_auth_failure | 2 |
| sudo_command | 3 |

## Parser Quality

| Unknown Pattern | Count |
| --- | ---: |
| pam_sss_unknown_user | 1 |
| sshd_connection_closed_preauth | 1 |
| sshd_timeout_or_disconnection | 1 |

## Parser Warnings

| Line | Reason |
| ---: | --- |
| 10 | unrecognized auth pattern: sshd_connection_closed_preauth |
| 11 | unrecognized auth pattern: sshd_timeout_or_disconnection |
| 12 | unrecognized auth pattern: pam_sss_unknown_user |
| 14 | unrecognized auth pattern: sshd_connection_closed_preauth |
| 15 | unrecognized auth pattern: sshd_timeout_or_disconnection |
Expand Up @@ -3,9 +3,13 @@ Mar 11 09:01:05 alpha-host sshd[1302]: Failed password for root from 203.0.113.1
Mar 11 09:02:10 alpha-host sshd[1303]: Failed password for test from 203.0.113.10 port 52040 ssh2
Mar 11 09:03:44 alpha-host sshd[1304]: Failed password for guest from 203.0.113.10 port 52050 ssh2
Mar 11 09:04:05 alpha-host sshd[1305]: Failed password for invalid user deploy from 203.0.113.10 port 52060 ssh2
Mar 11 09:05:20 alpha-host sshd[1306]: Accepted password for ops from 203.0.113.60 port 52070 ssh2
Mar 11 09:06:02 alpha-host pam_faillock(sshd:auth): Authentication failure for user svc-ci from 203.0.113.61
Mar 11 09:10:10 beta-host sshd[1401]: Accepted publickey for alice from 203.0.113.20 port 52111 ssh2
Mar 11 09:11:00 beta-host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh
Mar 11 09:12:10 beta-host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Mar 11 09:13:02 beta-host pam_sss(sshd:auth): received for user mallory: 7 (Authentication failure)
Mar 11 09:13:38 beta-host pam_sss(sshd:auth): received for user ghost: 10 (User not known to the underlying authentication module)
Mar 11 09:14:15 beta-host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar 11 09:15:12 alpha-host sshd[1306]: Connection closed by authenticating user alice 203.0.113.50 port 52290 [preauth]
Mar 11 09:15:12 alpha-host sshd[1307]: Connection closed by authenticating user alice 203.0.113.50 port 52290 [preauth]
Mar 11 09:16:18 beta-host sshd[1402]: Timeout, client not responding from 203.0.113.51 port 52291
Expand Up @@ -5,42 +5,48 @@
"assume_year": 2026,
"timezone_present": false,
"parser_quality": {
"total_lines": 11,
"parsed_lines": 9,
"unparsed_lines": 2,
"parse_success_rate": 0.8182,
"total_lines": 15,
"parsed_lines": 12,
"unparsed_lines": 3,
"parse_success_rate": 0.8000,
"top_unknown_patterns": [
{"pattern": "pam_sss_unknown_user", "count": 1},
{"pattern": "sshd_connection_closed_preauth", "count": 1},
{"pattern": "sshd_timeout_or_disconnection", "count": 1}
]
},
"parsed_event_count": 9,
"warning_count": 2,
"parsed_event_count": 12,
"warning_count": 3,
"finding_count": 3,
"event_counts": [
{"event_type": "ssh_failed_password", "count": 3},
{"event_type": "ssh_accepted_password", "count": 1},
{"event_type": "ssh_accepted_publickey", "count": 1},
{"event_type": "ssh_invalid_user", "count": 2},
{"event_type": "pam_auth_failure", "count": 2},
{"event_type": "sudo_command", "count": 3}
],
"host_summaries": [
{
"hostname": "alpha-host",
"parsed_event_count": 5,
"parsed_event_count": 7,
"finding_count": 2,
"warning_count": 1,
"event_counts": [
{"event_type": "ssh_failed_password", "count": 3},
{"event_type": "ssh_invalid_user", "count": 2}
{"event_type": "ssh_accepted_password", "count": 1},
{"event_type": "ssh_invalid_user", "count": 2},
{"event_type": "pam_auth_failure", "count": 1}
]
},
{
"hostname": "beta-host",
"parsed_event_count": 4,
"parsed_event_count": 5,
"finding_count": 1,
"warning_count": 1,
"warning_count": 2,
"event_counts": [
{"event_type": "ssh_accepted_publickey", "count": 1},
{"event_type": "pam_auth_failure", "count": 1},
{"event_type": "sudo_command", "count": 3}
]
}
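Review bot: the syslog_legacy variant reproduces the journalctl expectations exactly, which is correct because the two inputs differ only in timestamp format; the one thing that does differ, `assume_year: 2026` with `timezone_present: false`, is not exercised by any line here since every fixture line is Mar 11. Add a syslog_legacy fixture whose lines straddle Dec 31 and Jan 1 so the assumed-year logic has a test that can actually fail; with this input a wrong year assignment would produce identical counts and the contract would still pass.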
Expand Down Expand Up @@ -78,7 +84,8 @@
}
],
"warnings": [
{"line_number": 10, "reason": "unrecognized auth pattern: sshd_connection_closed_preauth"},
{"line_number": 11, "reason": "unrecognized auth pattern: sshd_timeout_or_disconnection"}
{"line_number": 12, "reason": "unrecognized auth pattern: pam_sss_unknown_user"},
{"line_number": 14, "reason": "unrecognized auth pattern: sshd_connection_closed_preauth"},
{"line_number": 15, "reason": "unrecognized auth pattern: sshd_timeout_or_disconnection"}
]
}
24 changes: 14 additions & 10 deletions tests/fixtures/report_contracts/multi_host_syslog_legacy/report.md
Expand Up @@ -6,20 +6,20 @@
- Input mode: syslog_legacy
- Assume year: 2026
- Timezone present: false
- Total lines: 11
- Parsed lines: 9
- Unparsed lines: 2
- Parse success rate: 81.82%
- Parsed events: 9
- Total lines: 15
- Parsed lines: 12
- Unparsed lines: 3
- Parse success rate: 80.00%
- Parsed events: 12
- Findings: 3
- Parser warnings: 2
- Parser warnings: 3

## Host Summary

| Host | Parsed Events | Findings | Warnings |
| --- | ---: | ---: | ---: |
| alpha-host | 5 | 2 | 1 |
| beta-host | 4 | 1 | 1 |
| alpha-host | 7 | 2 | 1 |
| beta-host | 5 | 1 | 2 |

## Findings

Expand All @@ -34,20 +34,24 @@
| Event Type | Count |
| --- | ---: |
| ssh_failed_password | 3 |
| ssh_accepted_password | 1 |
| ssh_accepted_publickey | 1 |
| ssh_invalid_user | 2 |
| pam_auth_failure | 2 |
| sudo_command | 3 |

## Parser Quality

| Unknown Pattern | Count |
| --- | ---: |
| pam_sss_unknown_user | 1 |
| sshd_connection_closed_preauth | 1 |
| sshd_timeout_or_disconnection | 1 |

## Parser Warnings

| Line | Reason |
| ---: | --- |
| 10 | unrecognized auth pattern: sshd_connection_closed_preauth |
| 11 | unrecognized auth pattern: sshd_timeout_or_disconnection |
| 12 | unrecognized auth pattern: pam_sss_unknown_user |
| 14 | unrecognized auth pattern: sshd_connection_closed_preauth |
| 15 | unrecognized auth pattern: sshd_timeout_or_disconnection |