loghunter-cli 0.1.0.dev0__py3-none-any.whl

loghunter_cli-0.1.0.dev0.dist-info/METADATA

@@ -0,0 +1,336 @@
+Metadata-Version: 2.4
+Name: loghunter-cli
+Version: 0.1.0.dev0
+Summary: ML-assisted network and log analysis toolkit for security practitioners and threat hunters.
+Author-email: David Augros <code@augros.org>
+License: MIT
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pandas>=2.0
+Requires-Dist: numpy>=1.26
+Requires-Dist: scikit-learn>=1.3
+Requires-Dist: hdbscan>=0.8
+Requires-Dist: drain3>=0.9
+Requires-Dist: tqdm>=4.0
+Requires-Dist: tldextract>=3.0
+Provides-Extra: fast
+Requires-Dist: fast-hdbscan>=0.2; extra == "fast"
+Provides-Extra: splunk
+Requires-Dist: splunk-sdk; extra == "splunk"
+Provides-Extra: cloudtrail
+Requires-Dist: boto3; extra == "cloudtrail"
+Requires-Dist: botocore[crt]; extra == "cloudtrail"
+Provides-Extra: all
+Requires-Dist: loghunt[fast]; extra == "all"
+Requires-Dist: loghunt[splunk]; extra == "all"
+Requires-Dist: loghunt[cloudtrail]; extra == "all"
+Dynamic: license-file
+
+# LogHunter
+
+LogHunter is a local-first command-line threat-hunting workbench for self-hosters. You
+point it at the logs you already have — Zeek, Pi-hole/dnsmasq, syslog, CloudTrail — and it
+tells you what's in them and runs transparent detectors over them: beaconing, suspicious
+DNS, port scans, rare syslog events, abnormally long connections, and unusual CloudTrail
+activity. Every run names the technique behind each detector, so you always know whether a
+finding came from a published algorithm or an honest heuristic.
+
+**Not a SIEM. Not an agent. Not magic.** Nothing to deploy, no database, no daemon, no
+account. Install it, point it at a directory of logs, read the output. It runs on the
+admin's own box, over logs at rest.
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](#license)
+![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-blue.svg)
+
+> **Status: early / pre-1.0 (`0.1.0.dev0`).** The six detectors below work and are
+> covered by tests, but interfaces may still move before 1.0. Feedback welcome.
+
+<!-- TODO(screenshots): a real terminal capture of `loghunter ~/zeek` and a `digest` card go here. -->
+
+A run opens with a summary banner — what was loaded, and which technique each detector
+used — then groups findings by detector (illustrative output; addresses are
+[RFC 5737](https://datatracker.ietf.org/doc/html/rfc5737) documentation space):
+
+```
+LogHunter  ·  Threat Hunt
+══════════════════════════════════════════════════════════════════════════════
+Data found:  2026-05-31 00:00  →  2026-06-01 00:00  (24h)
+Records:     1,284,402 conn.log  ·  318,221 dns.log  ·  44,019 *.log
+Detectors:   beacon (FFT)  ·  dns (fast-HDBSCAN)  ·  syslog (drain3)  ·  scan [pattern]  ·  duration [heuristics]
+══════════════════════════════════════════════════════════════════════════════
+
+beacon — 2 findings · 1 H  1 M
+────────────────────────────────────────────────────────────────────────────────
+[H]  192.0.2.37 → 198.51.100.20:443/tcp     score 0.91   period 60.0s    1,440 conns
+[M]  192.0.2.37 → 198.51.100.61:8443/tcp    score 0.74   period 300.0s     288 conns
+
+dns — 1 finding · 1 M
+────────────────────────────────────────────────────────────────────────────────
+[M]  dga-lookups.example   entropy 3.91   14 subdomains   cluster -1 (noise)
+```
+
+The two-tier styling of the `Detectors:` line is deliberate: published techniques glow in
+parentheses — `(FFT)`, `(HDBSCAN)`, `(drain3)` — while honest house methods are plain in
+brackets — `[pattern]`, `[heuristics]`, `[statistical]`. The restraint is the point. A
+heuristic is never dressed up as an algorithm, which is what makes the glow trustworthy.
+
+## Quick start
+
+```bash
+pip install loghunt
+
+# one-time, detection-driven setup — finds your logs and writes a config
+loghunter init
+
+# hunt across everything enabled in your config
+loghunter
+
+# or point at a directory / file directly
+loghunter ~/zeek-logs
+loghunter syslog /var/log
+
+# orient before you hunt — a fast, factual profile of a single file
+loghunter digest /var/log/messages
+```
+
+No config file is required to get started — `loghunter <path>` works against a directory or
+a single file. `loghunter init` just makes it repeatable.
+
+## Why use LogHunter?
+
+- **It runs where your logs are.** No services, no database, no daemon, no agent to push.
+  `pip install`, point it at a directory, get output. The only setup step that exists at all
+  is `loghunter init`, and that only writes a config file.
+- **Real methods, made visible.** Beaconing is found with an FFT over connection timing;
+  DNS with HDBSCAN clustering over per-query behavior; rare syslog events with drain3
+  log-templating plus rarity scoring; CloudTrail with a transparent per-principal z-score
+  composite. Every run tells you which technique ran. You can read *why* something was
+  surfaced — no black box.
+- **Big-tent ingestion.** One tool reads Zeek (NDJSON *and* TSV, flat *or* date-partitioned
+  directories), Pi-hole/dnsmasq, flat RFC 3164 syslog (Debian *and* RHEL/Fedora layouts),
+  and CloudTrail. Rotation and `.gz`/`.bz2`/`.xz` compression are handled transparently.
+- **Orient before you hunt.** `loghunter digest FILE` reads a log and reports facts about
+  it — time span, top talkers, the shape of the mix — with zero verdicts. It's sonar, not a
+  baggage scanner: it tells you what's there so you know where to point the detectors.
+- **Filter before analyze.** A flat-file allowlist suppresses known-good infrastructure
+  *before* any detector sees the data, so your noise floor is yours to set and detectors
+  never have to know the allowlist exists.
+- **Honest output.** Findings carry a severity, the evidence behind the score, and (with
+  `-v`/`-vv`) the analyst pivots to chase next. Machine formats (`json`, `csv`, `html`) are
+  lossless; the terminal view is the one that summarizes.
+
+## Why *not* use LogHunter?
+
+- **It is not real-time and not a SIEM.** It runs over logs at rest, in batches. There's no
+  streaming, no alerting pipeline, no live correlation across sources at scale. If you need an
+  always-on detection platform, you need a SIEM; LogHunter is the workbench you reach for to
+  *hunt*.
+- **It is stateless between runs.** There's no persisted baseline and no rolling history.
+  CloudTrail "first-seen" novelty, for example, is relative to the window you loaded — not to
+  all of recorded time.
+- **Detector coverage is v1.** Six detectors ship today (below). `auth`, `ssl`, `protocol`,
+  and `weird` are planned but not built.
+- **The richest network signal wants Zeek.** Pi-hole/dnsmasq gives you DNS only — no RTT,
+  TTL, or connection correlation. LogHunter will tell you so and keep working, but Zeek is
+  where it shines.
+- **It surfaces, it doesn't block.** This is a tool for a human triaging behavior, not a
+  signature IDS or an enforcement point.
+
+## What it hunts
+
+| Detector  | Surfaces                                            | Method                       | Source                         |
+|-----------|-----------------------------------------------------|------------------------------|--------------------------------|
+| `beacon`  | periodic C2-style callbacks                         | FFT over connection timing   | Zeek `conn.log`                |
+| `dns`     | DGA / tunneling / anomalous lookups                 | HDBSCAN clustering           | Zeek `dns.log` **or** Pi-hole  |
+| `syslog`  | rare events & reboots                               | drain3 templating + rarity   | syslog (flat) **or** Zeek `syslog.log` |
+| `scan`    | vertical / horizontal / block / slow port scans     | pattern (heuristic)          | Zeek `conn.log`                |
+| `duration`| abnormally long-lived connections                   | heuristics                   | Zeek `conn.log`                |
+| `aws`     | per-principal anomalous CloudTrail behavior         | statistical (z-score composite) | CloudTrail `*.json`         |
+
+`dns` and `syslog` each answer **one** question across **two** source families — Zeek and
+Pi-hole for DNS, flat rsyslog and Zeek's own `syslog.log` for syslog — and adapt to whichever
+fidelity they're handed.
+
+Run them all (`loghunter`), select some (`loghunter --detect=beacon,dns`), or exclude
+(`loghunter --detect='all,!syslog'`). Each detector is also its own subcommand:
+`loghunter beacon ~/zeek`.
+
+## How a run works
+
+```
+discover & parse  →  allowlist (suppress)  →  detect  →  render
+```
+
+Responsibilities don't bleed across that line. The **loader** finds files, decompresses,
+normalizes every connection source to one canonical schema, and absorbs storage variation
+(TSV vs. NDJSON, flat vs. dated directories, rotation). The **allowlist** suppresses
+known-good traffic *before* analysis. **Detectors** only analyze — they never open files,
+read config, or suppress. **Output handlers** only render. The CLI is the one place that
+turns an error into an actionable message and owns the exit code.
+
+Because detectors are pure analysis, every one is importable and callable as an ordinary
+Python function — useful in a notebook when you want to experiment.
+
+### Analysis window
+
+Pointed at a **directory**, an unqualified run looks back over the last `default_window`
+(`1d` out of the box) of *that source's own* data — the right default for a live log dir
+you don't want to read in full every time. Pointed at a **single file**, it reads the whole
+file. Override either way:
+
+```bash
+loghunter --since=7d ~/zeek            # last 7 days
+loghunter --since=2026-05-01 --until=2026-05-08 ~/zeek
+loghunter --days=2-4 ~/zeek            # 2 to 4 days ago
+loghunter --all ~/zeek                 # the entire archive
+```
+
+CloudTrail is the one source that opts out of the default window — novelty detection needs
+full history, so it always loads in full unless you narrow it explicitly.
+
+## Orient before the hunt: `digest`
+
+```bash
+loghunter digest /var/log/messages
+loghunter digest conn.log dns.log         # several files → several cards
+```
+
+`digest` content-sniffs each file, routes it to the right summarizer (conn, dns, syslog,
+cloudtrail), and falls back to a fast byte-profiler — **blob** — for anything it doesn't
+recognize. A card is flush-left and factual: the file's time window, line count and size, a
+scale-anchored histogram, and a handful of plain-language insights ("one client accounts for
+71% of queries"). It states facts and superlatives, never verdicts — no "suspicious," no
+"anomalous." It reads your data *before* the allowlist, because everything in the file,
+allowlisted or not, is part of "what's in here." The blob profiler is bounded: it samples a
+big file rather than reading it, so a one-gigabyte mystery file costs the same as a
+one-kilobyte one.
+
+## Installation
+
+LogHunter is published on PyPI as **`loghunt`** (the command, import package, and config
+section are all `loghunter`).
+
+```bash
+pip install loghunt                 # core
+pip install 'loghunt[fast]'         # fast-hdbscan accelerator for DNS clustering
+pip install 'loghunt[splunk]'       # Splunk exporter
+pip install 'loghunt[cloudtrail]'   # CloudTrail (S3) exporter
+pip install 'loghunt[all]'          # everything above
+```
+
+Requires **Python 3.11+**. A bare `pip install loghunt` always works — the DNS clustering
+runs on stock `hdbscan` (a base dependency); `[fast]` swaps in a numba-accelerated backend
+when you want it, and the tool tells you which one is active on every run.
+
+From source:
+
+```bash
+git clone https://github.com/spiralbend/loghunter
+cd loghunter
+pip install -e '.[all]'
+```
+
+## Configuration
+
+Configuration is optional — LogHunter runs against a path with none. When you want it
+repeatable, `loghunter init` looks at the conventional locations on your box, profiles what
+it finds (which log families, rough size, freshness — without reading a single log line),
+and writes a fully-annotated `~/.loghunter/config.toml`. It never clobbers settings you
+already have.
+
+Config is loaded from the first of:
+
+1. `--config=FILE`
+2. `~/.loghunter/config.toml`
+3. `/etc/loghunter/config.toml`
+
+Everything LogHunter owns lives under the hidden `~/.loghunter/` — config, allowlists,
+exports, reports — so it can't collide with a project directory. A trimmed example:
+
+```toml
+[loghunter]
+detect     = "all"                 # "all" | "dns,beacon" | "all,!syslog"
+zeek_dir   = "/var/log/zeek"
+syslog_dir = "/var/log"
+# pihole_dir     = "/var/log/pihole"
+# cloudtrail_dir = "/var/log/cloudtrail"
+
+home_net       = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+default_window = "1d"              # lookback for a directory; "" or "all" = full
+output_format  = "text"           # text | json | csv | html
+```
+
+Findings print to your terminal by default — keep it pipeable. Set `report_dir` (or pass
+`--out=PATH`) to write report files instead. Every tunable a detector exposes is documented
+as a commented "engine room" at the bottom of the generated config; you rarely need it, and
+`loghunter <detector> --help` lists the full surface.
+
+## Log sources it speaks
+
+- **Zeek** — `conn.log`, `dns.log`, `syslog.log`, in NDJSON or TSV, from a flat directory or
+  date-partitioned subdirectories. Rotation and gzip/bzip2/xz compression are transparent.
+- **Pi-hole / dnsmasq** — DNS event logs, aggregated per domain for clustering.
+- **syslog** — flat RFC 3164. Discovery is content-sniffed, not filename-matched, so it
+  handles both the Debian convention (`syslog`, `auth.log`, `kern.log`) and the RHEL/Fedora
+  one (extensionless `messages`, `secure`, `maillog`) — and won't mistake `dnf.log` or a
+  binary like `wtmp` for a log stream.
+- **CloudTrail** — gzipped JSON event records, read locally or pulled from S3 (below).
+
+## The allowlist
+
+Two kinds of allowlist file, never conflated:
+
+- **Flat files = suppression.** One rule per line — an IP, a CIDR, a `:port/proto`, or a
+  domain glob/regex. Matching traffic is dropped before any detector runs. LogHunter ships a
+  curated domain list and never ships numeric connection suppressions (those depend on your
+  hosts, and shipping them could hide real findings).
+- **TOML stanzas = classification.** When a detector needs to know *what* something is
+  (a nameserver, a backup client) rather than whether to drop it.
+
+A bare host IP with no port suppresses *all* traffic involving that host — powerful, and
+called out as such wherever it appears.
+
+## Pulling logs in: exporters
+
+LogHunter can fetch logs from external systems to local files, which it then analyzes like
+any other source — the syslog detector can't tell whether the data came from rsyslog or a
+Splunk export.
+
+```bash
+loghunter export            # run the configured "default" query
+loghunter export auth       # run a named query
+```
+
+- **Splunk** — named SPL queries under `[export.splunk.query.<name>]`. Prefer the
+  `LOGHUNTER_SPLUNK_USER` / `LOGHUNTER_SPLUNK_PASS` environment variables over plaintext
+  credentials in config.
+- **CloudTrail** — pulls gzipped JSON from an S3 prefix. AWS authentication is *not* handled
+  here: you authenticate your shell, and boto3 resolves the ambient credential chain.
+  LogHunter never reads, stores, or prompts for AWS credentials, and warns before a large
+  egress.
+
+## Output formats
+
+`text` (default, grouped and summarized), `json` (one finding per line, pipeable), `csv`
+(flattened), and `html` (a self-contained file). Pass `--output=json` or set `output_format`
+in config. `-v` adds the curated "why it scored" detail; `-vv` adds raw debug — template
+strings, cluster membership, full evidence. Color is enhancement-only and TTY-gated: piped
+or redirected output is always plain, and the machine formats never emit an escape code.
+
+## Building from source & running tests
+
+```bash
+git clone https://github.com/spiralbend/loghunter
+cd loghunter
+pip install -e '.[all]'
+python -m pytest
+```
+
+`main` is kept runnable. Architecture tests cover the boundaries that matter — detector
+discovery, run planning, loader metadata, allowlist suppression, output registration, and
+CLI error formatting.
+
+## License
+
+LogHunter is licensed under the [MIT License](LICENSE).

loghunter_cli-0.1.0.dev0.dist-info/RECORD

@@ -0,0 +1,122 @@
+loghunter/__init__.py,sha256=JnW8Vxk8h2j3xybPMLovIw1PKGc0XtQ7bVMgiczJZeo,114
+loghunter/cli.py,sha256=zME4pnkoPP268fEGytWwaCkqoyrljIDFwef8wBIND20,44799
+loghunter/cli_init.py,sha256=fM6OF-dpgoSadJ0Z2oeUEw5_y2XxLYpxwFWB5N-DGIY,21808
+loghunter/runner.py,sha256=SoXC-3MeEixpQDDiW3lDb5bClOrVzl5uuK0csGE0uCE,81179
+loghunter/common/__init__.py,sha256=OLqoJrEX505jlqZYM0ziUIGhtxGcpeWM3ohq7kyoD18,68
+loghunter/common/allowlist.py,sha256=VJdAtTXnnETxxuD-nC-YDRddGvS97CXjsYMV9Q20w8w,15943
+loghunter/common/clustering.py,sha256=LyY2njihWuKrWJWr_qqmloYlpPqXd0Rsifq4S-C_afM,13822
+loghunter/common/config.py,sha256=EVXlmvfLqfc7VMzsyW_Pyv19i1X7JZg38ZitHEpflZw,8266
+loghunter/common/display.py,sha256=tB-1FeFsHlava16Qhs8dGrKeY3oFJ_jVFeY_cUZNQog,12078
+loghunter/common/errors.py,sha256=43z9UPJv01Kx5uYcWI7QG5wKR4v6pYuUw5hxzpwZXBQ,1835
+loghunter/common/finding.py,sha256=dy_kDOxsjJbzb8ArxfpUZZA6Lqyftbzqs0g_3kWCXQw,9557
+loghunter/common/output.py,sha256=Q8REssHwUf7o79O5JYJPTrpDA3taP2b3DmqcJi6QwbE,3235
+loghunter/common/paths.py,sha256=h6lUBfjxBmaeW7tq4fsy_fL8dL_IAvthVEMpu11NQPY,4176
+loghunter/common/sources.py,sha256=gVtF9GhKHLuObkWhR2NBFh9JIGjwdwYRwtY0T7rO39M,16295
+loghunter/common/loader/__init__.py,sha256=l9wpHOvGG0SuZTJbyrdd7lggIT7wx6-4V1kftOgw_Pk,4327
+loghunter/common/loader/diagnostics.py,sha256=q4NoFpaP8H5FfLzxNUWr7F3bevbZHe1IjqfhxwJ5ZkM,3020
+loghunter/common/loader/discovery.py,sha256=A4U4sOMY3pI9OEKgIGqEyC2VPc-3gglP1hpI_oOzmfc,15053
+loghunter/common/loader/io.py,sha256=8oAwk5p1v0z4aX-xWAl9pCt4Rx49HYfMVQsR20JZReE,2893
+loghunter/common/loader/pipeline.py,sha256=9ANkonqPTekWy8_nFU6oyAuhnYxZTlS3CBA1arAaUtA,42457
+loghunter/common/loader/sniff.py,sha256=3Jhye2sUrFK6lFyMEjguqGOr0hrFCy9pp1HLQdfG4h4,7494
+loghunter/common/loader/types.py,sha256=rMEE4vXVv9n2NBc_N6Fnv0kMjafBjarwsZA9qfRMZhQ,8296
+loghunter/common/loader/windowing.py,sha256=f7YwMuKEkHO-21qd3je15I9zy1uI7nTQLeWKRjjfj6I,24237
+loghunter/data/config_example.toml,sha256=FqBHFypjZbfd_OylOwU8vlQs_YJk4vHl3uvJZJW43so,7874
+loghunter/data/allowlist/connections.txt,sha256=smNirWSiy8aKtfzt_Y5PEV-ifFs99DcJIpi30OED05E,2807
+loghunter/data/allowlist/domains_devices.txt,sha256=qXKZweOzkJQFcMxo7d36oD4i-8TKgx9h2Wa6HTSirrQ,262
+loghunter/data/allowlist/domains_homelab.txt,sha256=1MA3Zgf2ucofFP6jVWPjFeh9k8Jbj3X9J832Z8_lYMI,266
+loghunter/data/allowlist/domains_universal.txt,sha256=dHDgUkaWQ7u8rkk8nFnY7WGnqckFSzWe0UmydmvQSM8,5305
+loghunter/detectors/__init__.py,sha256=xp-UAxICRpgrLivPLx8xBeRjr2tgCKS0k1-PVCcMSXE,248
+loghunter/detectors/auth.py,sha256=BD3SaqPzjWTB2hYvRSlMKGYDKTelDNwK8mWv6BDikUU,753
+loghunter/detectors/aws.py,sha256=oPHIepYlIDn7pWpvFLfCRJckn1Oxm0bIk8zUZJDLXsQ,27678
+loghunter/detectors/beacon.py,sha256=Hq4nWG90V91rKpTdBmXs2WGVNCCSd9Pm7gs5aAE7zxU,8437
+loghunter/detectors/dns.py,sha256=H-gsRipx6wEzxcSG2oU5eOqs0IEW1M8JmH9jSoImhuY,29595
+loghunter/detectors/dnsblock.py,sha256=Pj_5DZ3HimaqoSuoSo2_ZZQecBtekgolZzVO380Dfmk,949
+loghunter/detectors/duration.py,sha256=zPyAj3RRAVkWQ12zWZkQZHQa2t9qUsSj5y8WkGp8QwI,6109
+loghunter/detectors/protocol.py,sha256=Xz1xda-cuxjxQPmLtZ20cvQqWC-kjbCL5ZwsZF_zvcI,808
+loghunter/detectors/scan.py,sha256=20O9nY01jxl8fdg1K27XLZXOTB6H8vSWkAFimgB20C8,29191
+loghunter/detectors/ssl.py,sha256=UMGNtcQ3O9jkII2RauGzh_dtMxArP5V-hKVOHSYV7GI,717
+loghunter/detectors/syslog.py,sha256=rRRwPgV7w2e3B20pNfXFs0WWCZ0TXXvIo2GaxIMpfBQ,9887
+loghunter/detectors/weird.py,sha256=dKTmo2BALl-zGMny0W7yTxnUzWqxByN3HmouMU_PXps,756
+loghunter/digest/__init__.py,sha256=G2HSlAqHpPgXMTrLqN4WoDgvKrVNO7s6R0N1AL0s818,1790
+loghunter/digest/_stats.py,sha256=DpC6NGMgRO5fUy_nQL3JSe4NjCCff8TH5UpwODk-FSA,7961
+loghunter/digest/blob.py,sha256=ec-2xy1klY1ifjtc96HgXas53KjT5cgow2Z0bsRglcw,30265
+loghunter/digest/cloudtrail.py,sha256=mNQs-F25gfYxWSo-TPxqf1Ex735-QQA3mp1mcLtSWto,13928
+loghunter/digest/conn.py,sha256=V4jupXKGntwimeUbj2ZwgxkxrhnQLGIIzHM1RIi-67U,13655
+loghunter/digest/dns.py,sha256=U89aGpbJOZ6wx1AfaxS3_s3in1WkGbnySPqx3qTdFAU,13645
+loghunter/digest/syslog.py,sha256=p7AabWoCyOpTHQr1XcJSOD25Lilu6dX4QYxj_uH6ROA,10771
+loghunter/exporters/__init__.py,sha256=SAcr6rq2v6JOEcSIHfO4SI9WMt2My9eZGf9KDCcwYwA,23483
+loghunter/exporters/cloudtrail.py,sha256=PJFTzu2iAh4WIyvSlGZEdJtq5sC1Zx2KBCD7Pr7-cFo,19627
+loghunter/exporters/splunk.py,sha256=VQH4dGYKpJqYEc0-82ehoVnuN99KKza4DoFOdo7vGAM,8333
+loghunter/outputs/__init__.py,sha256=KKGBVAJyvijLkkhydNU35UlHgMPCBtjwFYFUsBl95Qg,90
+loghunter/outputs/allowlist.py,sha256=pO30cUZtwecHNuYESkwL8jVEV-uPcbSLD3YUayMtxrQ,2390
+loghunter/outputs/csv.py,sha256=77iqHEzP42zwch0tXhHfymu1L0GbD9-xG7F-vO5kFlY,2559
+loghunter/outputs/email.py,sha256=gKXu-MqnJlT3QTP3Q2tgtGdgpLJN0ljljJfJ0hddc1U,1335
+loghunter/outputs/html.py,sha256=newe0pW9tVesqtDB7j-lb5QakdgMOsmNCQxTViYE78Q,3681
+loghunter/outputs/json.py,sha256=1C4klX8xGnuJVxbfNGZBZETm6jQ0puC6axywclEsQWU,2859
+loghunter/outputs/text.py,sha256=EFNZEEWyBiDmzq3W_UKhFpYaWFUHDMhy-m2eZSoQ1qc,59436
+loghunter/parsers/__init__.py,sha256=AbI3M68ELw0VpyAfeS2y3Xdl090hE5_4Kuu4RjKM8T8,81
+loghunter/parsers/cloudtrail.py,sha256=viEUH0VI_hnv1aW9dBP9sFTxIvAcUNYPDIyH4jUKF7E,11775
+loghunter/parsers/dnsmasq.py,sha256=F_L-ZfyklWVdrlUamHjSwada381Zjp-1sO1iuphcoHI,13902
+loghunter/parsers/syslog.py,sha256=rQhxfV0Jq6L6tjOeyjab1p6I1NdeyB_H8LC3kzyuCnA,5724
+loghunter/parsers/zeek.py,sha256=Skbt3VOL6XmHisnahBpteVzOd6VaXfSLV3NesoSOYHo,12530
+loghunter/parsers/zeek_tsv.py,sha256=VyTlFWdC98e-oylR3yb6Y_9o0jYhsM2N_KTJPOLZQ_s,10866
+loghunter_cli-0.1.0.dev0.dist-info/licenses/LICENSE,sha256=5fFNc6512wTlNpmNEVjE5ea6ZCN_1zUaNgjVaHM__3s,1069
+migrations/cloudtrail_parquet.py,sha256=RTygEpOpgkgBF0-fsN2RQebDpL_ulM6WYWskuqTFYNg,2541
+migrations/conn_fft.py,sha256=Ce0E9JisJOwP8JxZwKVN2NJLOdORlcvU-VuyFJ3vSWw,20955
+migrations/conn_scan.py,sha256=WLNC5etwXx5ed6QxhPJBaObe51krA0tmNAbbE9v0a-A,47659
+migrations/dns_dbscan.py,sha256=ZEse_mJbf1QzwH4qYntMPXTx4z32EqxyxYjAuQcMXoo,20437
+migrations/get_syslog.py,sha256=lF1EaSOTgFOGWX7zyQnjIc9n6pyzjSndxw6CnRvVJ2U,15827
+migrations/syslog_drain3.py,sha256=KFX9phlDVlsHNUJxuhDDnKrLB2FGzSkvcXxfGBZNwbs,17745
+scratch/junk/parquet.py,sha256=RTygEpOpgkgBF0-fsN2RQebDpL_ulM6WYWskuqTFYNg,2541
+tests/__init__.py,sha256=3012BSYwXeGf22gxMpxLqbMwWJqFGfYSWKkKseGSmqg,28
+tests/_cloudtrail_fakes.py,sha256=dTDjdsdbVmV0rwdwkI8UQYyS0I3_7D_C0rNvEkdSx9U,4114
+tests/conftest.py,sha256=zHaPHZSRmV7C-6k8aLpfdBB2vy60m3XBF92Qeeg9AJQ,629
+tests/test_allowlist_defaults_accessor.py,sha256=tZko1MWVqRBfZ6u7_qSNKrF7Hd0SM2tFOMOJy-jjL1w,3547
+tests/test_architecture_spine.py,sha256=LS6ta8shX0i5V2o4BQUs9PejafKTNzW7EM01WEa0-bU,11776
+tests/test_aws_detector.py,sha256=bHXzlj3KPPDf9wpVHWcUaeAUEYnGdP0WU1kRlD8MHgk,21548
+tests/test_be_like_water.py,sha256=3xNmCnZPubkbpp_7p2ngNi_cirUBsctHZxbSTJbPZik,4305
+tests/test_cli_help.py,sha256=17WxnGi2-axprMiHrcPE-Ma3YbW5J-Xvo2kUOtz0jxg,12196
+tests/test_cli_multi_positional.py,sha256=CPCgGiLNpyXpIM4XCkdR6S8rZD6lT7urF-_x_NQdorU,17315
+tests/test_cloudtrail_exporter.py,sha256=ZrWvDGJLyEwH1wEkaO2ug3jNLhm55_tikGOLItkkslo,28537
+tests/test_cloudtrail_exporter_botocore.py,sha256=UFJUTidxo_t5D3tFt1pYA-6FaT8sUeymN7TyquqTgpI,9325
+tests/test_cloudtrail_parser.py,sha256=1YEx-CBXkNVsgtEhrx8Lr5n01YF_iNW2oHa7iJQgFXE,14984
+tests/test_clustering.py,sha256=xWWGvOOzXanJmBx5PfGn37N9EzLjGqnmueerJPSLD6g,3217
+tests/test_clustering_interruptible.py,sha256=jKs9yz6h87jjpPmSHa8vaM5MgWkmjDjlbpdpbp-jmsY,15572
+tests/test_config_cli.py,sha256=TbH7GhCEztDLa3_-eLyigU5z2DqBntpX4UeOoRc6eyE,37853
+tests/test_config_example_drift.py,sha256=AAVMhZF4LGGK_rx0O4HMa6_qvkF1IBepVUfwOzIDqzI,6498
+tests/test_digest_blob.py,sha256=pFqN2D16XthRCuJCkf-DENtAXWbl4SwiaqRwJDQfgS0,47135
+tests/test_digest_cli.py,sha256=JkP67mrkpOb3I0cy7J3ptNWf-pTKGfa0rbzIr6Xyby8,39081
+tests/test_digest_cloudtrail.py,sha256=vhh0e05YAiJXSDZLG9IBv8y1m2Qtkd3lbllS8_vLEeY,41486
+tests/test_digest_conn.py,sha256=XS8V93DWlfCJSflkPUYGnVf7E7tSJVELfNk3A1MZ0_E,48378
+tests/test_digest_dns.py,sha256=6x7DCDMD8OKG_5-3hoFAAikBMf71DqYbCA6Om0XxDWQ,33067
+tests/test_digest_stats.py,sha256=Pzpa3igG2gmIuD6NcpovNqIOwuvlIDOduXO_v4TFrxE,11409
+tests/test_digest_syslog.py,sha256=ti9Wcl85YbKGkiVzXarCnERcRN6R-IeeEJpKHKZBMs8,29488
+tests/test_display.py,sha256=uJR3NbEYb9Gj0fSFw36auzs7QaZ0LTXBoeeE4_B-k-I,13659
+tests/test_dns_detector.py,sha256=8BQx_46O34SGOnPWUPp_-fAPMEer2XL9SiVxbs6oNqQ,44359
+tests/test_dnsmasq_parser.py,sha256=6JpuqV1XXRveGYUKtuv1b1q7kUZHwXDnlTXAntAVHdc,18164
+tests/test_duration_detector.py,sha256=QABfLZqOJS1imfgEqs-tJcbsahRShDbwfDT71cyX7tE,20711
+tests/test_export_orchestrator_shape.py,sha256=U0wOt73CTqr2olWolxjy4pR0MeL4xm3F1QWgj_A_750,6002
+tests/test_init_wizard.py,sha256=nSlcJaWKrEgaJpCYfuTmyhKj7nlxYB0bU0XgQ7FMxuc,28977
+tests/test_loader.py,sha256=4ZdLxE65NddAtTezTzk2Wt8oB_jZUps8xuoxJhvRElk,142998
+tests/test_loader_package_surface.py,sha256=8YKrjIG8j5bCedHK9ZMraEJFii466-a-Sp8ReKOgixw,4751
+tests/test_loader_window_model.py,sha256=I0JxPv1x8x1ym_LtpDBPKDL62ufCfzsAMUtgRoHbKmk,8149
+tests/test_output_path_cascade.py,sha256=9rwLs6bzXp-RmFKT4HCrPfwuUKNbrpDv1GgSoE3hxPs,23887
+tests/test_resolve_path.py,sha256=Fn9JZCBq2L9dpzOEn_wBUfrnYRMcKroxXNBKBRObHHE,4194
+tests/test_root_provenance.py,sha256=YQipG-Gk1zpN6gRf3pwW5T2sxhFkcUcBBWh7OVcwHeM,8526
+tests/test_runner.py,sha256=1juGXDIU4XaRJ0zkXSEPa382UBx7GSaNvLX8Q_L8EyA,100144
+tests/test_scan_detector.py,sha256=mMUxKi_2nLhe1pskGEF9dQgYKbAqT13Af4vjqB2HvKI,19061
+tests/test_search_paths.py,sha256=CCcRK3SnTcz47XzaJAYM9LxVCFAh27FpI0dCSU2rd78,1941
+tests/test_sniff_orchestrator.py,sha256=cApdN6_a9G_8WUw6qqkYqbJceEHf8phn9VP2o5UHac0,13161
+tests/test_sniff_recognizers.py,sha256=6ZTksrwiLMg6R9ibOmyM4Zdg0DqK88P6P80UgKlJr8k,23085
+tests/test_source_resolution_seam.py,sha256=_s1cXLCg1j5LfSjY9LDVubME5Ke5bQsq65xW6ULDLYE,18212
+tests/test_sources.py,sha256=zIp_9LbTT_zB7xEsw7h1n6Ncgnpnc7cRA23SpYgSRqY,23811
+tests/test_splunk_exporter.py,sha256=xgLdlAUTOPZno73RxvEmPt3rSUcIW1ACieoMq6XiRvU,13531
+tests/test_syslog_detector.py,sha256=U5nUviGL-Lls_oKhoE1Pzk8eZuQGn11GI8TN-_jYlq4,18834
+tests/test_syslog_parser.py,sha256=GY5b3p3dmy7Ub33MsrxQmboVdVrkBmNVC9klxoCmL9E,23917
+tests/test_text_output.py,sha256=xQ7ruLPoCBn9-cDJyaYGiQoZhbGLL8jCH1QB8rj2P90,50027
+tests/test_zeek_tsv_parser.py,sha256=0y3PEJ51OtAbtv6zagcWaQ4Cd9VQvubmqmZKt4sdItc,24504
+loghunter_cli-0.1.0.dev0.dist-info/METADATA,sha256=owWqBy4ZY1KNgqeEbr8cBDBFd0V7LtYtWV_5xefRd-c,16748
+loghunter_cli-0.1.0.dev0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+loghunter_cli-0.1.0.dev0.dist-info/entry_points.txt,sha256=UIjid5xRmph1b5_1BHEiMdOy51etHMo7iVBtd2rktv4,49
+loghunter_cli-0.1.0.dev0.dist-info/top_level.txt,sha256=5_xAFYP6ny5UGBOdWcEceM0sM11Yo_bePjQ_UUZoPdo,35
+loghunter_cli-0.1.0.dev0.dist-info/RECORD,,

loghunter_cli-0.1.0.dev0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

loghunter_cli-0.1.0.dev0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+loghunter = loghunter.cli:main

loghunter_cli-0.1.0.dev0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 David Augros
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

loghunter_cli-0.1.0.dev0.dist-info/top_level.txt

@@ -0,0 +1,4 @@
+loghunter
+migrations
+scratch
+tests

migrations/cloudtrail_parquet.py

@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+# flatten_own.py — one CloudTrail file → parquet (same projection as flaws)
+import json, sys, os
+import pandas as pd
+
+SRC = sys.argv[1] if len(sys.argv) > 1 else "cloudtrail_20260520_to_20260603_00h.json.log"
+OUT = os.path.splitext(SRC)[0] + ".parquet"
+
+READ_PREFIXES = ("Get","List","Describe","Head","Lookup","Search","BatchGet","Select","Query","Scan")
+
+def principal(ui):
+    p = ui.get("principalId","") or ""
+    return p.split(":")[-1] if ":" in p else (p or ui.get("type","?"))
+
+def flatten(e):
+    ui = e.get("userIdentity",{}) or {}
+    attrs = (ui.get("sessionContext",{}) or {}).get("attributes",{}) or {}
+    name = e.get("eventName") or ""
+    return {
+        "eventTime": e.get("eventTime"),
+        "eventSource": (e.get("eventSource") or "").replace(".amazonaws.com",""),
+        "eventName": name,
+        "eventType": e.get("eventType"),
+        "awsRegion": e.get("awsRegion"),
+        "sourceIP": e.get("sourceIPAddress"),
+        "userAgent": e.get("userAgent"),
+        "id_type": ui.get("type"),
+        "principal": principal(ui),
+        "arn": ui.get("arn"),
+        "accountId": ui.get("accountId") or e.get("recipientAccountId"),
+        "invokedBy": ui.get("invokedBy"),
+        "mfa": attrs.get("mfaAuthenticated") == "true",
+        "accessKeyId": ui.get("accessKeyId"),
+        "readOnly_raw": e.get("readOnly"),
+        "is_read": name.startswith(READ_PREFIXES),
+        "errorCode": e.get("errorCode"),
+        "errorMessage": e.get("errorMessage"),
+        "has_request": bool(e.get("requestParameters")),
+        "has_response": bool(e.get("responseElements")),
+        "has_resources": bool(e.get("resources")),
+        "eventVersion": e.get("eventVersion"),
+        "eventID": e.get("eventID"),
+    }
+
+# tolerate either {"Records":[...]} OR one-JSON-per-line (your sample was JSONL)
+with open(SRC) as f:
+    text = f.read().strip()
+try:
+    obj = json.loads(text)
+    recs = obj["Records"] if isinstance(obj, dict) and "Records" in obj else (obj if isinstance(obj, list) else [obj])
+except json.JSONDecodeError:
+    recs = [json.loads(ln) for ln in text.splitlines() if ln.strip()]
+
+df = pd.DataFrame(flatten(e) for e in recs)
+df["eventTime"] = pd.to_datetime(df["eventTime"], errors="coerce", utc=True)
+df = df.sort_values("eventTime").reset_index(drop=True)
+df.to_parquet(OUT, engine="pyarrow", compression="zstd", index=False)
+print(f"{len(df):,} events → {OUT}  ({os.path.getsize(OUT)/1e6:.1f} MB)")
+print(f"span: {df['eventTime'].min()} → {df['eventTime'].max()}")