test: expand sanitized sshd and PAM corpus for parser and report regression

Author: stacknil

assets/parser_auth_families_journalctl_short_full.log

@@ -1,7 +1,13 @@
 Wed 2026-03-11 10:00:01 UTC example-host sshd[3100]: Accepted publickey for alice from 203.0.113.70 port 53000 ssh2: ED25519 SHA256:SANITIZEDKEY
+Wed 2026-03-11 10:00:20 UTC example-host sshd[3101]: Accepted password for bob from 203.0.113.73 port 53001 ssh2
+Wed 2026-03-11 10:00:36 UTC example-host sshd[3102]: Failed publickey for invalid user svc-deploy from 203.0.113.74 port 53002 ssh2
 Wed 2026-03-11 10:00:42 UTC example-host pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked from 203.0.113.71
 Wed 2026-03-11 10:01:13 UTC example-host pam_faillock(sshd:auth): Authentication failure for user bob from 203.0.113.72
+Wed 2026-03-11 10:01:40 UTC example-host pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.75  user=carol
 Wed 2026-03-11 10:01:54 UTC example-host pam_faillock(sshd:auth): User carol successfully authenticated
 Wed 2026-03-11 10:02:25 UTC example-host pam_sss(sshd:auth): received for user dave: 7 (Authentication failure)
-Wed 2026-03-11 10:02:56 UTC example-host pam_sss(sshd:auth): received for user erin: 10 (User not known to the underlying authentication module)
-Wed 2026-03-11 10:03:27 UTC example-host pam_sss(sshd:auth): received for user frank: 9 (Authentication service cannot retrieve authentication info)
+Wed 2026-03-11 10:02:44 UTC example-host pam_unix(sudo:session): session opened for user root by erin(uid=0)
+Wed 2026-03-11 10:03:05 UTC example-host pam_faillock(sshd:auth): Account temporarily locked for user frank
+Wed 2026-03-11 10:03:24 UTC example-host pam_sss(sshd:auth): received for user grace: 10 (User not known to the underlying authentication module)
+Wed 2026-03-11 10:03:43 UTC example-host pam_sss(sshd:auth): received for user heidi: 9 (Authentication service cannot retrieve authentication info)
+Wed 2026-03-11 10:04:02 UTC example-host pam_unix(sshd:session): session closed for user alice

assets/parser_auth_families_syslog.log

@@ -1,7 +1,13 @@
 Mar 11 10:00:01 example-host sshd[2100]: Accepted publickey for alice from 203.0.113.70 port 53000 ssh2: ED25519 SHA256:SANITIZEDKEY
+Mar 11 10:00:20 example-host sshd[2101]: Accepted password for bob from 203.0.113.73 port 53001 ssh2
+Mar 11 10:00:36 example-host sshd[2102]: Failed publickey for invalid user svc-deploy from 203.0.113.74 port 53002 ssh2
 Mar 11 10:00:42 example-host pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked from 203.0.113.71
 Mar 11 10:01:13 example-host pam_faillock(sshd:auth): Authentication failure for user bob from 203.0.113.72
+Mar 11 10:01:40 example-host pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.75  user=carol
 Mar 11 10:01:54 example-host pam_faillock(sshd:auth): User carol successfully authenticated
 Mar 11 10:02:25 example-host pam_sss(sshd:auth): received for user dave: 7 (Authentication failure)
-Mar 11 10:02:56 example-host pam_sss(sshd:auth): received for user erin: 10 (User not known to the underlying authentication module)
-Mar 11 10:03:27 example-host pam_sss(sshd:auth): received for user frank: 9 (Authentication service cannot retrieve authentication info)
+Mar 11 10:02:44 example-host pam_unix(sudo:session): session opened for user root by erin(uid=0)
+Mar 11 10:03:05 example-host pam_faillock(sshd:auth): Account temporarily locked for user frank
+Mar 11 10:03:24 example-host pam_sss(sshd:auth): received for user grace: 10 (User not known to the underlying authentication module)
+Mar 11 10:03:43 example-host pam_sss(sshd:auth): received for user heidi: 9 (Authentication service cannot retrieve authentication info)
+Mar 11 10:04:02 example-host pam_unix(sshd:session): session closed for user alice

assets/parser_fixture_matrix_journalctl_short_full.log

@@ -4,9 +4,13 @@ Tue 2026-03-10 09:01:15 UTC example-host sshd[3002]: Invalid user backup from 20
 Tue 2026-03-10 09:01:52 UTC example-host pam_unix(sshd:auth): authentication failure; user=alice euid=0 tty=ssh rhost=203.0.113.40
 Tue 2026-03-10 09:02:30 UTC example-host pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
 Tue 2026-03-10 09:03:05 UTC example-host pam_unix(su-l:session): session opened for user root by bob(uid=1001)
+Tue 2026-03-10 09:03:28 UTC example-host sshd[3008]: Accepted password for alice from 203.0.113.41 port 52003 ssh2
+Tue 2026-03-10 09:03:34 UTC example-host sshd[3009]: Accepted publickey for carol from 203.0.113.42 port 52004 ssh2: ED25519 SHA256:SANITIZEDKEY2
 Tue 2026-03-10 09:03:40 UTC example-host sshd[3003]: Connection closed by user alice 203.0.113.50 port 52010 [preauth]
 Tue 2026-03-10 09:04:05 UTC example-host sshd[3004]: Connection closed by authenticating user carol 203.0.113.51 port 52011 [preauth]
 Tue 2026-03-10 09:04:28 UTC example-host sshd[3005]: Connection closed by invalid user deploy 203.0.113.52 port 52012 [preauth]
 Tue 2026-03-10 09:05:02 UTC example-host sshd[3006]: Disconnected from authenticating user dave 203.0.113.53 port 52013 [preauth]
 Tue 2026-03-10 09:05:34 UTC example-host sshd[3007]: Timeout, client not responding from 203.0.113.54 port 52014
+Tue 2026-03-10 09:05:46 UTC example-host sshd[3010]: Received disconnect from 203.0.113.55 port 52015:11: disconnected by user
+Tue 2026-03-10 09:05:58 UTC example-host sshd[3011]: Unable to negotiate with 203.0.113.56 port 52016: no matching host key type found. Their offer: ssh-rsa
 Tue 2026-03-10 09:06:10 UTC example-host pam_unix(sshd:session): session closed for user alice

assets/parser_fixture_matrix_syslog.log

@@ -4,9 +4,13 @@ Mar 10 09:01:15 example-host sshd[2002]: Invalid user backup from 203.0.113.12 p
 Mar 10 09:01:52 example-host pam_unix(sshd:auth): authentication failure; user=alice euid=0 tty=ssh rhost=203.0.113.40
 Mar 10 09:02:30 example-host pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
 Mar 10 09:03:05 example-host pam_unix(su-l:session): session opened for user root by bob(uid=1001)
+Mar 10 09:03:28 example-host sshd[2008]: Accepted password for alice from 203.0.113.41 port 52003 ssh2
+Mar 10 09:03:34 example-host sshd[2009]: Accepted publickey for carol from 203.0.113.42 port 52004 ssh2: ED25519 SHA256:SANITIZEDKEY2
 Mar 10 09:03:40 example-host sshd[2003]: Connection closed by user alice 203.0.113.50 port 52010 [preauth]
 Mar 10 09:04:05 example-host sshd[2004]: Connection closed by authenticating user carol 203.0.113.51 port 52011 [preauth]
 Mar 10 09:04:28 example-host sshd[2005]: Connection closed by invalid user deploy 203.0.113.52 port 52012 [preauth]
 Mar 10 09:05:02 example-host sshd[2006]: Disconnected from authenticating user dave 203.0.113.53 port 52013 [preauth]
 Mar 10 09:05:34 example-host sshd[2007]: Timeout, client not responding from 203.0.113.54 port 52014
+Mar 10 09:05:46 example-host sshd[2010]: Received disconnect from 203.0.113.55 port 52015:11: disconnected by user
+Mar 10 09:05:58 example-host sshd[2011]: Unable to negotiate with 203.0.113.56 port 52016: no matching host key type found. Their offer: ssh-rsa
 Mar 10 09:06:10 example-host pam_unix(sshd:session): session closed for user alice

tests/fixtures/report_contracts/multi_host_journalctl_short_full/input.log

@@ -3,9 +3,13 @@ Wed 2026-03-11 09:01:05 UTC alpha-host sshd[2302]: Failed password for root from
 Wed 2026-03-11 09:02:10 UTC alpha-host sshd[2303]: Failed password for test from 203.0.113.10 port 52040 ssh2
 Wed 2026-03-11 09:03:44 UTC alpha-host sshd[2304]: Failed password for guest from 203.0.113.10 port 52050 ssh2
 Wed 2026-03-11 09:04:05 UTC alpha-host sshd[2305]: Failed password for invalid user deploy from 203.0.113.10 port 52060 ssh2
+Wed 2026-03-11 09:05:20 UTC alpha-host sshd[2306]: Accepted password for ops from 203.0.113.60 port 52070 ssh2
+Wed 2026-03-11 09:06:02 UTC alpha-host pam_faillock(sshd:auth): Authentication failure for user svc-ci from 203.0.113.61
 Wed 2026-03-11 09:10:10 UTC beta-host sshd[2401]: Accepted publickey for alice from 203.0.113.20 port 52111 ssh2
 Wed 2026-03-11 09:11:00 UTC beta-host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh
 Wed 2026-03-11 09:12:10 UTC beta-host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -xe
+Wed 2026-03-11 09:13:02 UTC beta-host pam_sss(sshd:auth): received for user mallory: 7 (Authentication failure)
+Wed 2026-03-11 09:13:38 UTC beta-host pam_sss(sshd:auth): received for user ghost: 10 (User not known to the underlying authentication module)
 Wed 2026-03-11 09:14:15 UTC beta-host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
-Wed 2026-03-11 09:15:12 UTC alpha-host sshd[2306]: Connection closed by authenticating user alice 203.0.113.50 port 52290 [preauth]
+Wed 2026-03-11 09:15:12 UTC alpha-host sshd[2307]: Connection closed by authenticating user alice 203.0.113.50 port 52290 [preauth]
 Wed 2026-03-11 09:16:18 UTC beta-host sshd[2402]: Timeout, client not responding from 203.0.113.51 port 52291

tests/fixtures/report_contracts/multi_host_journalctl_short_full/report.json

@@ -4,42 +4,48 @@
   "input_mode": "journalctl_short_full",
   "timezone_present": true,
   "parser_quality": {
-    "total_lines": 11,
-    "parsed_lines": 9,
-    "unparsed_lines": 2,
-    "parse_success_rate": 0.8182,
+    "total_lines": 15,
+    "parsed_lines": 12,
+    "unparsed_lines": 3,
+    "parse_success_rate": 0.8000,
     "top_unknown_patterns": [
+      {"pattern": "pam_sss_unknown_user", "count": 1},
       {"pattern": "sshd_connection_closed_preauth", "count": 1},
       {"pattern": "sshd_timeout_or_disconnection", "count": 1}
     ]
   },
-  "parsed_event_count": 9,
-  "warning_count": 2,
+  "parsed_event_count": 12,
+  "warning_count": 3,
   "finding_count": 3,
   "event_counts": [
     {"event_type": "ssh_failed_password", "count": 3},
+    {"event_type": "ssh_accepted_password", "count": 1},
     {"event_type": "ssh_accepted_publickey", "count": 1},
     {"event_type": "ssh_invalid_user", "count": 2},
+    {"event_type": "pam_auth_failure", "count": 2},
     {"event_type": "sudo_command", "count": 3}
   ],
   "host_summaries": [
     {
       "hostname": "alpha-host",
-      "parsed_event_count": 5,
+      "parsed_event_count": 7,
       "finding_count": 2,
       "warning_count": 1,
       "event_counts": [
         {"event_type": "ssh_failed_password", "count": 3},
-        {"event_type": "ssh_invalid_user", "count": 2}
+        {"event_type": "ssh_accepted_password", "count": 1},
+        {"event_type": "ssh_invalid_user", "count": 2},
+        {"event_type": "pam_auth_failure", "count": 1}
       ]
     },
     {
       "hostname": "beta-host",
-      "parsed_event_count": 4,
+      "parsed_event_count": 5,
       "finding_count": 1,
-      "warning_count": 1,
+      "warning_count": 2,
       "event_counts": [
         {"event_type": "ssh_accepted_publickey", "count": 1},
+        {"event_type": "pam_auth_failure", "count": 1},
         {"event_type": "sudo_command", "count": 3}
       ]
     }
@@ -77,7 +83,8 @@
     }
   ],
   "warnings": [
-    {"line_number": 10, "reason": "unrecognized auth pattern: sshd_connection_closed_preauth"},
-    {"line_number": 11, "reason": "unrecognized auth pattern: sshd_timeout_or_disconnection"}
+    {"line_number": 12, "reason": "unrecognized auth pattern: pam_sss_unknown_user"},
+    {"line_number": 14, "reason": "unrecognized auth pattern: sshd_connection_closed_preauth"},
+    {"line_number": 15, "reason": "unrecognized auth pattern: sshd_timeout_or_disconnection"}
   ]
 }

tests/fixtures/report_contracts/multi_host_journalctl_short_full/report.md

@@ -5,20 +5,20 @@
 - Input: `tests/fixtures/report_contracts/multi_host_journalctl_short_full/input.log`
 - Input mode: journalctl_short_full
 - Timezone present: true
-- Total lines: 11
-- Parsed lines: 9
-- Unparsed lines: 2
-- Parse success rate: 81.82%
-- Parsed events: 9
+- Total lines: 15
+- Parsed lines: 12
+- Unparsed lines: 3
+- Parse success rate: 80.00%
+- Parsed events: 12
 - Findings: 3
-- Parser warnings: 2
+- Parser warnings: 3
 
 ## Host Summary
 
 | Host | Parsed Events | Findings | Warnings |
 | --- | ---: | ---: | ---: |
-| alpha-host | 5 | 2 | 1 |
-| beta-host | 4 | 1 | 1 |
+| alpha-host | 7 | 2 | 1 |
+| beta-host | 5 | 1 | 2 |
 
 ## Findings
 
@@ -33,20 +33,24 @@
 | Event Type | Count |
 | --- | ---: |
 | ssh_failed_password | 3 |
+| ssh_accepted_password | 1 |
 | ssh_accepted_publickey | 1 |
 | ssh_invalid_user | 2 |
+| pam_auth_failure | 2 |
 | sudo_command | 3 |
 
 ## Parser Quality
 
 | Unknown Pattern | Count |
 | --- | ---: |
+| pam_sss_unknown_user | 1 |
 | sshd_connection_closed_preauth | 1 |
 | sshd_timeout_or_disconnection | 1 |
 
 ## Parser Warnings
 
 | Line | Reason |
 | ---: | --- |
-| 10 | unrecognized auth pattern: sshd_connection_closed_preauth |
-| 11 | unrecognized auth pattern: sshd_timeout_or_disconnection |
+| 12 | unrecognized auth pattern: pam_sss_unknown_user |
+| 14 | unrecognized auth pattern: sshd_connection_closed_preauth |
+| 15 | unrecognized auth pattern: sshd_timeout_or_disconnection |

tests/fixtures/report_contracts/multi_host_syslog_legacy/input.log

@@ -3,9 +3,13 @@ Mar 11 09:01:05 alpha-host sshd[1302]: Failed password for root from 203.0.113.1
 Mar 11 09:02:10 alpha-host sshd[1303]: Failed password for test from 203.0.113.10 port 52040 ssh2
 Mar 11 09:03:44 alpha-host sshd[1304]: Failed password for guest from 203.0.113.10 port 52050 ssh2
 Mar 11 09:04:05 alpha-host sshd[1305]: Failed password for invalid user deploy from 203.0.113.10 port 52060 ssh2
+Mar 11 09:05:20 alpha-host sshd[1306]: Accepted password for ops from 203.0.113.60 port 52070 ssh2
+Mar 11 09:06:02 alpha-host pam_faillock(sshd:auth): Authentication failure for user svc-ci from 203.0.113.61
 Mar 11 09:10:10 beta-host sshd[1401]: Accepted publickey for alice from 203.0.113.20 port 52111 ssh2
 Mar 11 09:11:00 beta-host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh
 Mar 11 09:12:10 beta-host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -xe
+Mar 11 09:13:02 beta-host pam_sss(sshd:auth): received for user mallory: 7 (Authentication failure)
+Mar 11 09:13:38 beta-host pam_sss(sshd:auth): received for user ghost: 10 (User not known to the underlying authentication module)
 Mar 11 09:14:15 beta-host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
-Mar 11 09:15:12 alpha-host sshd[1306]: Connection closed by authenticating user alice 203.0.113.50 port 52290 [preauth]
+Mar 11 09:15:12 alpha-host sshd[1307]: Connection closed by authenticating user alice 203.0.113.50 port 52290 [preauth]
 Mar 11 09:16:18 beta-host sshd[1402]: Timeout, client not responding from 203.0.113.51 port 52291

tests/fixtures/report_contracts/multi_host_syslog_legacy/report.json

@@ -5,42 +5,48 @@
   "assume_year": 2026,
   "timezone_present": false,
   "parser_quality": {
-    "total_lines": 11,
-    "parsed_lines": 9,
-    "unparsed_lines": 2,
-    "parse_success_rate": 0.8182,
+    "total_lines": 15,
+    "parsed_lines": 12,
+    "unparsed_lines": 3,
+    "parse_success_rate": 0.8000,
     "top_unknown_patterns": [
+      {"pattern": "pam_sss_unknown_user", "count": 1},
       {"pattern": "sshd_connection_closed_preauth", "count": 1},
       {"pattern": "sshd_timeout_or_disconnection", "count": 1}
     ]
   },
-  "parsed_event_count": 9,
-  "warning_count": 2,
+  "parsed_event_count": 12,
+  "warning_count": 3,
   "finding_count": 3,
   "event_counts": [
     {"event_type": "ssh_failed_password", "count": 3},
+    {"event_type": "ssh_accepted_password", "count": 1},
     {"event_type": "ssh_accepted_publickey", "count": 1},
     {"event_type": "ssh_invalid_user", "count": 2},
+    {"event_type": "pam_auth_failure", "count": 2},
     {"event_type": "sudo_command", "count": 3}
   ],
   "host_summaries": [
     {
       "hostname": "alpha-host",
-      "parsed_event_count": 5,
+      "parsed_event_count": 7,
       "finding_count": 2,
       "warning_count": 1,
       "event_counts": [
         {"event_type": "ssh_failed_password", "count": 3},
-        {"event_type": "ssh_invalid_user", "count": 2}
+        {"event_type": "ssh_accepted_password", "count": 1},
+        {"event_type": "ssh_invalid_user", "count": 2},
+        {"event_type": "pam_auth_failure", "count": 1}
       ]
     },
     {
       "hostname": "beta-host",
-      "parsed_event_count": 4,
+      "parsed_event_count": 5,
       "finding_count": 1,
-      "warning_count": 1,
+      "warning_count": 2,
       "event_counts": [
         {"event_type": "ssh_accepted_publickey", "count": 1},
+        {"event_type": "pam_auth_failure", "count": 1},
         {"event_type": "sudo_command", "count": 3}
       ]
     }
@@ -78,7 +84,8 @@
     }
   ],
   "warnings": [
-    {"line_number": 10, "reason": "unrecognized auth pattern: sshd_connection_closed_preauth"},
-    {"line_number": 11, "reason": "unrecognized auth pattern: sshd_timeout_or_disconnection"}
+    {"line_number": 12, "reason": "unrecognized auth pattern: pam_sss_unknown_user"},
+    {"line_number": 14, "reason": "unrecognized auth pattern: sshd_connection_closed_preauth"},
+    {"line_number": 15, "reason": "unrecognized auth pattern: sshd_timeout_or_disconnection"}
   ]
 }

tests/fixtures/report_contracts/multi_host_syslog_legacy/report.md

@@ -6,20 +6,20 @@
 - Input mode: syslog_legacy
 - Assume year: 2026
 - Timezone present: false
-- Total lines: 11
-- Parsed lines: 9
-- Unparsed lines: 2
-- Parse success rate: 81.82%
-- Parsed events: 9
+- Total lines: 15
+- Parsed lines: 12
+- Unparsed lines: 3
+- Parse success rate: 80.00%
+- Parsed events: 12
 - Findings: 3
-- Parser warnings: 2
+- Parser warnings: 3
 
 ## Host Summary
 
 | Host | Parsed Events | Findings | Warnings |
 | --- | ---: | ---: | ---: |
-| alpha-host | 5 | 2 | 1 |
-| beta-host | 4 | 1 | 1 |
+| alpha-host | 7 | 2 | 1 |
+| beta-host | 5 | 1 | 2 |
 
 ## Findings
 
@@ -34,20 +34,24 @@
 | Event Type | Count |
 | --- | ---: |
 | ssh_failed_password | 3 |
+| ssh_accepted_password | 1 |
 | ssh_accepted_publickey | 1 |
 | ssh_invalid_user | 2 |
+| pam_auth_failure | 2 |
 | sudo_command | 3 |
 
 ## Parser Quality
 
 | Unknown Pattern | Count |
 | --- | ---: |
+| pam_sss_unknown_user | 1 |
 | sshd_connection_closed_preauth | 1 |
 | sshd_timeout_or_disconnection | 1 |
 
 ## Parser Warnings
 
 | Line | Reason |
 | ---: | --- |
-| 10 | unrecognized auth pattern: sshd_connection_closed_preauth |
-| 11 | unrecognized auth pattern: sshd_timeout_or_disconnection |
+| 12 | unrecognized auth pattern: pam_sss_unknown_user |
+| 14 | unrecognized auth pattern: sshd_connection_closed_preauth |
+| 15 | unrecognized auth pattern: sshd_timeout_or_disconnection |