Releases: stacknil/LogLens

LogLens v0.4.0 — optional CSV export and stabilized report outputs

25 Mar 11:30
@stacknil stacknil
d7ebcac
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified

  • added optional CSV export for findings.csv and warnings.csv
  • preserved default Markdown/JSON behavior when --csv is not requested
  • added single-host and multi-host CSV regression coverage
  • added .gitattributes guardrails to reduce future line-ending drift

LogLens v0.3.0 — parser family expansion, host summaries, and optional CSV export

25 Mar 09:23
@stacknil stacknil
0bc460f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified

LogLens v0.3.0

LogLens v0.3.0 expands parser family coverage, strengthens deterministic regression coverage, and improves multi-host reporting while keeping the tool intentionally defensive and public-safe.

Highlights

  • broadened parser support for common Linux auth families
  • strengthened sanitized corpus and golden regression coverage
  • added multi-host host summaries in report.md and report.json
  • added optional CSV export for findings and warnings

Notable changes

  • added parser support for Accepted publickey SSH successes plus selected pam_faillock(...:auth) and pam_sss(...:auth) failure variants
  • expanded sanitized parser fixture matrices and added golden report-contract fixtures for Markdown, JSON, and CSV outputs
  • added compact per-host summaries when one input file contains multiple hostnames, without introducing cross-host correlation or changing detector thresholds
  • added explicit --csv output for findings.csv and warnings.csv, and kept non-CSV runs non-destructive toward existing CSV files

Scope note

This release broadens the parser surface and improves report ergonomics, but LogLens remains a focused offline auth-log triage CLI rather than a SIEM, enrichment pipeline, or cross-host correlation platform.

LogLens v0.2.0 — parser fixture coverage and unified sudo signals

20 Mar 03:52
@stacknil stacknil
bdd6ce8
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified

Highlights

  • expanded sanitized parser fixture coverage for sshd and pam_unix variants
  • improved deterministic unknown-line telemetry and parser coverage reporting
  • unified sudo detector input by moving sudo handling onto the signal layer
  • improved release-facing documentation with a stable changelog and release-process guidance

Notable changes

  • added dedicated parser fixture matrices for both syslog_legacy and journalctl_short_full
  • kept unsupported connection-close / timeout / PAM session-close variants as telemetry-only
  • preserved detector thresholds and report schema while simplifying detector input semantics
  • added CHANGELOG.md and release-process documentation for future releases

Scope note

This release remains intentionally conservative. LogLens is still a focused, public-safe detection engineering CLI rather than a SIEM or correlation platform.

LogLens v0.1.0 — MVP public release

18 Mar 17:02
@stacknil stacknil
472fe68
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified

  • syslog legacy + journalctl short-full dual input modes
  • normalized auth evidence + rule-based detections
  • parser coverage telemetry + unknown-line accounting
  • CI, CodeQL, SECURITY.md, Dependabot, and ruleset baseline
