From 4d049101213f987ec7ea9a95d9d08461c1d37229 Mon Sep 17 00:00:00 2001
From: Ernst Leierzopf <e.leierzopf@gmail.com>
Date: Mon, 9 Mar 2026 15:42:26 +0100
Subject: [PATCH 01/16] unfinished draft for NewEventDetector.

---
 docs/detectors.md                             |   1 +
 docs/detectors/new_event.md                   |   4 +
 src/detectmatelibrary/detectors/__init__.py   |   3 +-
 .../detectors/new_event_detector.py           | 104 ++++++++++++++++++
 .../test_detectors/test_new_event_detector.py |   0
 5 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 docs/detectors/new_event.md
 create mode 100644 src/detectmatelibrary/detectors/new_event_detector.py
 create mode 100644 tests/test_detectors/test_new_event_detector.py

diff --git a/docs/detectors.md b/docs/detectors.md
index 5dad456..cb987f2 100644
--- a/docs/detectors.md
+++ b/docs/detectors.md
@@ -87,6 +87,7 @@ List of detectors:
 * [Random detector](detectors/random_detector.md): Generates random alerts.
 * [New Value](detectors/new_value.md): Detect new values in the variables in the logs.
 * [Combo Detector](detectors/combo.md): Detect new combination of variables in the logs.
+* [New Event](detectors/new_event.md): Detect new events in the variables in the logs.
 
 
 ## Auto-configuration (optional)
diff --git a/docs/detectors/new_event.md b/docs/detectors/new_event.md
new file mode 100644
index 0000000..dcfed58
--- /dev/null
+++ b/docs/detectors/new_event.md
@@ -0,0 +1,4 @@
+TODO PAGE
+
+TODO: new_event_detector
+TODO: test_new_event_detector
\ No newline at end of file
diff --git a/src/detectmatelibrary/detectors/__init__.py b/src/detectmatelibrary/detectors/__init__.py
index 7ca736e..96ecd3c 100644
--- a/src/detectmatelibrary/detectors/__init__.py
+++ b/src/detectmatelibrary/detectors/__init__.py
@@ -6,5 +6,6 @@
     "RandomDetectorConfig",
     "NewValueDetector",
     "NewValueDetectorConfig",
-    "RandomDetector"
+    "RandomDetector",
+    "NewEventDetector"
 ]
diff --git a/src/detectmatelibrary/detectors/new_event_detector.py b/src/detectmatelibrary/detectors/new_event_detector.py
new file mode 100644
index 0000000..4f0353d
--- /dev/null
+++ b/src/detectmatelibrary/detectors/new_event_detector.py
@@ -0,0 +1,104 @@
+from detectmatelibrary.common._config._compile import generate_detector_config
+from detectmatelibrary.common._config._formats import EventsConfig
+
+from detectmatelibrary.common.detector import CoreDetectorConfig, CoreDetector, get_configured_variables
+
+from detectmatelibrary.utils.persistency.event_data_structures.trackers.stability.stability_tracker import (
+    EventStabilityTracker
+)
+from detectmatelibrary.utils.persistency.event_persistency import EventPersistency
+from detectmatelibrary.utils.data_buffer import BufferMode
+
+from detectmatelibrary.schemas import ParserSchema, DetectorSchema
+
+from typing import Any
+
+
+class NewEventDetectorConfig(CoreDetectorConfig):
+    method_type: str = "new_value_detector"
+
+    events: EventsConfig | dict[str, Any] = {}
+
+
+class NewEventDetector(CoreDetector):
+    """Detect new values in log data as anomalies based on learned values."""
+
+    def __init__(
+        self,
+        name: str = "NewValueDetector",
+        config: NewEventDetectorConfig = NewEventDetectorConfig()
+    ) -> None:
+
+        if isinstance(config, dict):
+            config = NewEventDetectorConfig.from_dict(config, name)
+
+        super().__init__(name=name, buffer_mode=BufferMode.NO_BUF, config=config)
+        self.config: NewEventDetectorConfig  # type narrowing for IDE
+        self.persistency = EventPersistency(
+            event_data_class=EventStabilityTracker,
+        )
+        # auto config checks if individual variables are stable to select combos from
+        self.auto_conf_persistency = EventPersistency(
+            event_data_class=EventStabilityTracker
+        )
+
+    def train(self, input_: ParserSchema) -> None:  # type: ignore
+        """Train the detector by learning values from the input data."""
+        configured_variables = get_configured_variables(input_, self.config.events)
+        self.persistency.ingest_event(
+            event_id=input_["EventID"],
+            event_template=input_["template"],
+            named_variables=configured_variables
+        )
+
+    def detect(
+        self, input_:  ParserSchema, output_: DetectorSchema  # type: ignore
+    ) -> bool:
+        """Detect new values in the input data."""
+        alerts: dict[str, str] = {}
+        configured_variables = get_configured_variables(input_, self.config.events)
+        overall_score = 0.0
+
+        current_event_id = input_["EventID"]
+        known_events = self.persistency.get_events_data()
+
+        if current_event_id in known_events:
+            event_tracker = known_events[current_event_id]
+            for var_name, multi_tracker in event_tracker.get_data().items():
+                value = configured_variables.get(var_name)
+                if value is None:
+                    continue
+                if value not in multi_tracker.unique_set:
+                    alerts[f"EventID {current_event_id} - {var_name}"] = (
+                        f"Unknown value: '{value}'"
+                    )
+                    overall_score += 1.0
+
+        if overall_score > 0:
+            output_["score"] = overall_score
+            output_["description"] = f"{self.name} detects values not encountered in training as anomalies."
+            output_["alertsObtain"].update(alerts)
+            return True
+
+        return False
+
+    def configure(self, input_: ParserSchema) -> None:
+        self.auto_conf_persistency.ingest_event(
+            event_id=input_["EventID"],
+            event_template=input_["template"],
+            variables=input_["variables"],
+            named_variables=input_["logFormatVariables"],
+        )
+
+    def set_configuration(self) -> None:
+        variables = {}
+        for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
+            stable_vars = tracker.get_variables_by_classification("STABLE")  # type: ignore
+            variables[event_id] = stable_vars
+        config_dict = generate_detector_config(
+            variable_selection=variables,
+            detector_name=self.name,
+            method_type=self.config.method_type,
+        )
+        # Update the config object from the dictionary instead of replacing it
+        self.config = NewEventDetectorConfig.from_dict(config_dict, self.name)
diff --git a/tests/test_detectors/test_new_event_detector.py b/tests/test_detectors/test_new_event_detector.py
new file mode 100644
index 0000000..e69de29

From 8fbb34dd7c9cc8da286440846982f45562df19fe Mon Sep 17 00:00:00 2001
From: Ernst Leierzopf <e.leierzopf@gmail.com>
Date: Tue, 10 Mar 2026 06:46:49 +0100
Subject: [PATCH 02/16] unfinished draft NewEventDetector.

---
 docs/detectors/new_event.md                   |   5 +-
 src/detectmatelibrary/common/detector.py      |   1 +
 src/detectmatelibrary/detectors/__init__.py   |   4 +-
 .../detectors/new_event_detector.py           |  19 +-
 .../test_detectors/test_new_event_detector.py | 257 ++++++++++++++++++
 5 files changed, 281 insertions(+), 5 deletions(-)

diff --git a/docs/detectors/new_event.md b/docs/detectors/new_event.md
index dcfed58..946bdab 100644
--- a/docs/detectors/new_event.md
+++ b/docs/detectors/new_event.md
@@ -1,4 +1,7 @@
 TODO PAGE
 
 TODO: new_event_detector
-TODO: test_new_event_detector
\ No newline at end of file
+TODO: test_new_event_detector
+- Tests need to be reworked, just copied from new_value_detector
+
+TODO: pipeline_config_Default.yaml
diff --git a/src/detectmatelibrary/common/detector.py b/src/detectmatelibrary/common/detector.py
index 18b67b9..e999441 100644
--- a/src/detectmatelibrary/common/detector.py
+++ b/src/detectmatelibrary/common/detector.py
@@ -52,6 +52,7 @@ def get_configured_variables(
     event_config = log_variables[event_id] if event_id in log_variables else None
     if event_config is None:
         return result
+   # print(event_id, event_config, log_variables)
 
     # Extract template variables by position
     if hasattr(event_config, "variables"):
diff --git a/src/detectmatelibrary/detectors/__init__.py b/src/detectmatelibrary/detectors/__init__.py
index 96ecd3c..c10328e 100644
--- a/src/detectmatelibrary/detectors/__init__.py
+++ b/src/detectmatelibrary/detectors/__init__.py
@@ -1,5 +1,6 @@
 from .random_detector import RandomDetector, RandomDetectorConfig
 from .new_value_detector import NewValueDetector, NewValueDetectorConfig
+from .new_event_detector import NewEventDetector, NewEventDetectorConfig
 
 __all__ = [
     "random_detector",
@@ -7,5 +8,6 @@
     "NewValueDetector",
     "NewValueDetectorConfig",
     "RandomDetector",
-    "NewEventDetector"
+    "NewEventDetector",
+    "NewEventDetectorConfig"
 ]
diff --git a/src/detectmatelibrary/detectors/new_event_detector.py b/src/detectmatelibrary/detectors/new_event_detector.py
index 4f0353d..28cd1b4 100644
--- a/src/detectmatelibrary/detectors/new_event_detector.py
+++ b/src/detectmatelibrary/detectors/new_event_detector.py
@@ -15,7 +15,7 @@
 
 
 class NewEventDetectorConfig(CoreDetectorConfig):
-    method_type: str = "new_value_detector"
+    method_type: str = "new_event_detector"
 
     events: EventsConfig | dict[str, Any] = {}
 
@@ -25,7 +25,7 @@ class NewEventDetector(CoreDetector):
 
     def __init__(
         self,
-        name: str = "NewValueDetector",
+        name: str = "NewEventDetector",
         config: NewEventDetectorConfig = NewEventDetectorConfig()
     ) -> None:
 
@@ -34,6 +34,7 @@ def __init__(
 
         super().__init__(name=name, buffer_mode=BufferMode.NO_BUF, config=config)
         self.config: NewEventDetectorConfig  # type narrowing for IDE
+        #print(self.config, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
         self.persistency = EventPersistency(
             event_data_class=EventStabilityTracker,
         )
@@ -45,6 +46,15 @@ def __init__(
     def train(self, input_: ParserSchema) -> None:  # type: ignore
         """Train the detector by learning values from the input data."""
         configured_variables = get_configured_variables(input_, self.config.events)
+        #print(input_)
+        #print(self.config.events)
+        #print(input_["logFormatVariables"]["Type"], self.config.events)
+        d = self.config.events[input_["EventID"]]
+        #print("bbb", d)
+        #print("ccc", hasattr(d, "header_variables"), d.header_variables.keys())
+        #print("ccc", configured_variables)
+        configured_variables = {k: v for k, v in configured_variables.items() if k in d.header_variables}
+        print("conf", configured_variables)
         self.persistency.ingest_event(
             event_id=input_["EventID"],
             event_template=input_["template"],
@@ -57,10 +67,13 @@ def detect(
         """Detect new values in the input data."""
         alerts: dict[str, str] = {}
         configured_variables = get_configured_variables(input_, self.config.events)
+        #print("br", configured_variables)
         overall_score = 0.0
 
         current_event_id = input_["EventID"]
         known_events = self.persistency.get_events_data()
+        #print(input_["logFormatVariables"]["Type"])
+        #print(current_event_id, input_)
 
         if current_event_id in known_events:
             event_tracker = known_events[current_event_id]
@@ -98,7 +111,7 @@ def set_configuration(self) -> None:
         config_dict = generate_detector_config(
             variable_selection=variables,
             detector_name=self.name,
-            method_type=self.config.method_type,
+            method_type=self.config.method_type
         )
         # Update the config object from the dictionary instead of replacing it
         self.config = NewEventDetectorConfig.from_dict(config_dict, self.name)
diff --git a/tests/test_detectors/test_new_event_detector.py b/tests/test_detectors/test_new_event_detector.py
index e69de29..2aae691 100644
--- a/tests/test_detectors/test_new_event_detector.py
+++ b/tests/test_detectors/test_new_event_detector.py
@@ -0,0 +1,257 @@
+"""Tests for NewEventDetector class.
+
+This module tests the NewEventDetector implementation including:
+- Initialization and configuration
+- Training functionality to learn known values
+- Detection logic for new/unknown values
+- Event-specific configuration handling
+- Input/output schema validation
+"""
+
+from detectmatelibrary.detectors.new_event_detector import NewEventDetector, BufferMode
+from detectmatelibrary.parsers.template_matcher import MatcherParser
+from detectmatelibrary.helper.from_to import From
+import detectmatelibrary.schemas as schemas
+
+from detectmatelibrary.utils.aux import time_test_mode
+
+
+# Set time test mode for consistent timestamps
+time_test_mode()
+
+
+config = {
+    "detectors": {
+        # "CustomInit": {
+        #     "method_type": "new_event_detector",
+        #     "auto_config": False,
+        #     "params": {},
+        #     "events": {
+        #         1: {
+        #             "instance1": {
+        #                 "params": {},
+        #                 "variables": [{
+        #                     "pos": 0, "name": "sad", "params": {}
+        #                 }]
+        #             }
+        #         }
+        #     }
+        # },
+        # "MultipleDetector": {
+        #     "method_type": "new_event_detector",
+        #     "auto_config": False,
+        #     "params": {},
+        #     "events": {
+        #         1: {
+        #             "test": {
+        #                 "params": {},
+        #                 "variables": [{
+        #                     "pos": 1, "name": "test", "params": {}
+        #                 }],
+        #                 "header_variables": [{
+        #                     "pos": "level", "params": {}
+        #                 }]
+        #             }
+        #         }
+        #     }
+        # },
+        "NewEventDetector": {
+            "method_type": "new_event_detector",
+            "auto_config": False,
+            "params": {},
+            # "events": {
+            #     3: {
+            #         "test": {
+            #             "params": {},
+            #             #"variables": [{
+            #             #    "pos": 1, "name": "test", "params": {}
+            #             #}],
+            #             "header_variables": [{
+            #                 "pos": "Type", "params": {}
+            #             }]
+            #         }
+            #     }
+            # }
+            "events": {}
+        }
+    }
+}
+
+
+# class TestNewEventDetectorInitialization:
+#     """Test NewEventDetector initialization and configuration."""
+#
+#     def test_default_initialization(self):
+#         """Test detector initialization with default parameters."""
+#         detector = NewEventDetector()
+#
+#         assert detector.name == "NewEventDetector"
+#         assert hasattr(detector, 'config')
+#         assert detector.data_buffer.mode == BufferMode.NO_BUF
+#         assert detector.input_schema == schemas.ParserSchema
+#         assert detector.output_schema == schemas.DetectorSchema
+#         assert hasattr(detector, 'persistency')
+#
+#     def test_custom_config_initialization(self):
+#         """Test detector initialization with custom configuration."""
+#         detector = NewEventDetector(name="CustomInit", config=config)
+#
+#         assert detector.name == "CustomInit"
+#         assert hasattr(detector, 'persistency')
+#         assert isinstance(detector.persistency.events_data, dict)
+#
+#
+# class TestNewEventDetectorTraining:
+#     """Test NewEventDetector training functionality."""
+#
+#     def test_train_multiple_values(self):
+#         """Test training with multiple different values."""
+#         detector = NewEventDetector(config=config, name="MultipleDetector")
+#         # Train with multiple values (only event 1 should be tracked per config)
+#         for event in range(3):
+#             for level in ["INFO", "WARNING", "ERROR"]:
+#                 parser_data = schemas.ParserSchema({
+#                     "parserType": "test",
+#                     "EventID": event,
+#                     "template": "test template",
+#                     "variables": ["0", "assa"],
+#                     "logID": "1",
+#                     "parsedLogID": "1",
+#                     "parserID": "test_parser",
+#                     "log": "test log message",
+#                     "logFormatVariables": {"level": level}
+#                 })
+#                 detector.train(parser_data)
+#
+#         # Only event 1 should be tracked (based on events config)
+#         assert len(detector.persistency.events_data) == 1
+#         event_data = detector.persistency.get_event_data(1)
+#         assert event_data is not None
+#         # Check the level values
+#         assert "INFO" in event_data["level"].unique_set
+#         assert "WARNING" in event_data["level"].unique_set
+#         assert "ERROR" in event_data["level"].unique_set
+#         # Check the variable at position 1 (named "test")
+#         assert "assa" in event_data["test"].unique_set
+#
+#
+# class TestNewEventDetectorDetection:
+#     """Test NewEventDetector detection functionality."""
+#
+#     def test_detect_known_value_no_alert(self):
+#         detector = NewEventDetector(config=config, name="MultipleDetector")
+#
+#         # Train with a value
+#         train_data = schemas.ParserSchema({
+#             "parserType": "test",
+#             "EventID": 1,
+#             "template": "test template",
+#             "variables": ["adsasd", "asdasd"],
+#             "logID": "1",
+#             "parsedLogID": "1",
+#             "parserID": "test_parser",
+#             "log": "test log message",
+#             "logFormatVariables": {"level": "INFO"}
+#         })
+#         detector.train(train_data)
+#
+#         # Detect with the same value
+#         test_data = schemas.ParserSchema({
+#             "parserType": "test",
+#             "EventID": 12,
+#             "template": "test template",
+#             "variables": ["adsasd"],
+#             "logID": "2",
+#             "parsedLogID": "2",
+#             "parserID": "test_parser",
+#             "log": "test log message",
+#             "logFormatVariables": {"level": "CRITICAL"}
+#         })
+#         output = schemas.DetectorSchema()
+#
+#         result = detector.detect(test_data, output)
+#
+#         assert not result
+#         assert output.score == 0.0
+#
+#     def test_detect_known_value_alert(self):
+#         detector = NewEventDetector(config=config, name="MultipleDetector")
+#
+#         # Train with a value
+#         train_data = schemas.ParserSchema({
+#             "parserType": "test",
+#             "EventID": 1,
+#             "template": "test template",
+#             "variables": ["adsasd", "asdasd"],
+#             "logID": "1",
+#             "parsedLogID": "1",
+#             "parserID": "test_parser",
+#             "log": "test log message",
+#             "logFormatVariables": {"level": "INFO"}
+#         })
+#         detector.train(train_data)
+#
+#         # Detect with the same value
+#         test_data = schemas.ParserSchema({
+#             "parserType": "test",
+#             "EventID": 1,
+#             "template": "test template",
+#             "variables": ["adsasd", "asdasd"],
+#             "logID": "2",
+#             "parsedLogID": "2",
+#             "parserID": "test_parser",
+#             "log": "test log message",
+#             "logFormatVariables": {"level": "CRITICAL"}
+#         })
+#         output = schemas.DetectorSchema()
+#
+#         result = detector.detect(test_data, output)
+#
+#         assert result
+#         assert output.score == 1.0
+#
+#
+_PARSER_CONFIG = {
+    "parsers": {
+        "MatcherParser": {
+            "method_type": "matcher_parser",
+            "auto_config": False,
+            "log_format": "type=<Type> msg=audit(<Time>:*): <Content>",
+            "time_format": None,
+            "params": {
+                "remove_spaces": True,
+                "remove_punctuation": True,
+                "lowercase": True,
+                "path_templates": "tests/test_folder/audit_templates.txt",
+            },
+        }
+    }
+}
+
+
+class TestNewEventDetectorEndToEnd:
+    """Regression test: full configure/train/detect pipeline on audit.log."""
+
+    def test_audit_log_anomalies(self):
+        parser = MatcherParser(config=_PARSER_CONFIG)
+        detector = NewEventDetector(config=config, name="NewEventDetector")
+
+        logs = list(From.log(parser, in_path="tests/test_folder/audit.log", do_process=True))
+        print("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", logs[2], type(logs[2]), dir(logs[2]))
+        print("GGGGGGGGGGGGGGG", logs[2]["logFormatVariables"])
+        print("HHHHHHHHHHHHHHH", logs[2]["variables"])
+
+        for log in logs[:1800]:
+            detector.configure(log)
+        detector.set_configuration()
+
+        for log in logs[:1800]:
+            detector.train(log)
+
+        detected_ids: set[str] = set()
+        for log in logs[1800:]:
+            output = schemas.DetectorSchema()
+            if detector.detect(log, output_=output):
+                detected_ids.add(log["logID"])
+
+        #assert detected_ids == {'1859', '1860', '1861', '1862', '1864', '1865', '1866', '1867'}

From 3ca95de91f4f036c18a2e5fb3113c9e88c1974f3 Mon Sep 17 00:00:00 2001
From: Ernst Leierzopf <e.leierzopf@gmail.com>
Date: Mon, 16 Mar 2026 17:21:49 +0100
Subject: [PATCH 03/16] test outputs.

---
 src/detectmatelibrary/common/core.py                   |  2 ++
 src/detectmatelibrary/common/detector.py               |  1 +
 src/detectmatelibrary/detectors/new_event_detector.py  |  5 ++++-
 .../parsers/template_matcher/_matcher_op.py            | 10 ++++++++++
 .../parsers/template_matcher/_parser.py                |  2 ++
 .../utils/persistency/event_persistency.py             |  3 +++
 tests/test_detectors/test_new_value_combo_detector.py  |  4 ++--
 7 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/detectmatelibrary/common/core.py b/src/detectmatelibrary/common/core.py
index 5f6e274..b83ba7e 100644
--- a/src/detectmatelibrary/common/core.py
+++ b/src/detectmatelibrary/common/core.py
@@ -115,11 +115,13 @@ def process(self, data: BaseSchema | bytes) -> BaseSchema | bytes | None:
         output_ = self.output_schema()
         logger.info(f"<<{self.name}>> processing data")
         return_schema = self.run(input_=data_buffered, output_=output_)
+        #print(return_schema)
         if not return_schema:
             logger.info(f"<<{self.name}>> returns None")
             return None
 
         logger.debug(f"<<{self.name}>> processed:\n{output_}")
+        #print(SchemaPipeline.postprocess(output_, is_byte=is_byte))
         return SchemaPipeline.postprocess(output_, is_byte=is_byte)
 
     def get_config(self) -> Dict[str, Any]:
diff --git a/src/detectmatelibrary/common/detector.py b/src/detectmatelibrary/common/detector.py
index e999441..7f04991 100644
--- a/src/detectmatelibrary/common/detector.py
+++ b/src/detectmatelibrary/common/detector.py
@@ -50,6 +50,7 @@ def get_configured_variables(
 
     # Get the config for this event
     event_config = log_variables[event_id] if event_id in log_variables else None
+    #print("EV", event_config)
     if event_config is None:
         return result
    # print(event_id, event_config, log_variables)
diff --git a/src/detectmatelibrary/detectors/new_event_detector.py b/src/detectmatelibrary/detectors/new_event_detector.py
index 28cd1b4..7389cf8 100644
--- a/src/detectmatelibrary/detectors/new_event_detector.py
+++ b/src/detectmatelibrary/detectors/new_event_detector.py
@@ -46,7 +46,7 @@ def __init__(
     def train(self, input_: ParserSchema) -> None:  # type: ignore
         """Train the detector by learning values from the input data."""
         configured_variables = get_configured_variables(input_, self.config.events)
-        #print(input_)
+        #print("AAAAAAAAAAAAAAAAA", input_, "BBBBBBBBBBBBB\n", self.config.events)
         #print(self.config.events)
         #print(input_["logFormatVariables"]["Type"], self.config.events)
         d = self.config.events[input_["EventID"]]
@@ -96,6 +96,7 @@ def detect(
         return False
 
     def configure(self, input_: ParserSchema) -> None:
+        #print("DDDDDDDDDDDDDDDDDDDDDDDDD", input_)
         self.auto_conf_persistency.ingest_event(
             event_id=input_["EventID"],
             event_template=input_["template"],
@@ -105,6 +106,8 @@ def configure(self, input_: ParserSchema) -> None:
 
     def set_configuration(self) -> None:
         variables = {}
+        #print("LLEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEN", self.auto_conf_persistency.get_events_data().items())
+        #print("LLEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEN", len(self.auto_conf_persistency.get_events_data().items()))
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
             stable_vars = tracker.get_variables_by_classification("STABLE")  # type: ignore
             variables[event_id] = stable_vars
diff --git a/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py b/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py
index 8760ab2..77caf72 100644
--- a/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py
+++ b/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py
@@ -125,12 +125,19 @@ def __init__(
     def extract_parameters(log: str, template: str) -> tuple[str, ...] | None:
         """Extract parameters from the log based on the template."""
         log = re.sub(r'\s+', ' ', log.strip())
+        #print("log", log)
         pattern_parts = template.split("<*>")
+        #print("pattern_parts", pattern_parts)
         pattern_parts_escaped = [re.escape(part) for part in pattern_parts]
+        #pattern_parts_escaped = [part.replace(" ", "\\ ") for part in pattern_parts]
+        #pattern_parts_escaped = pattern_parts
+        #print(pattern_parts_escaped)
         regex_pattern = "(.*?)".join(pattern_parts_escaped)
+        #print(regex_pattern)
         regex = "^" + regex_pattern + "$"
         # matches = re.search(regex, log)
         matches = safe_search(regex, log, 1)
+        #print("matches", matches)
         if matches:
             groups: tuple[str, ...] = matches.groups()
             return groups
@@ -145,6 +152,7 @@ def match_template_with_params(self, log: str) -> tuple[str, tuple[str, ...]] |
             if len(s) < t["min_len"]:
                 continue
             params = self.extract_parameters(log, t["raw"])
+            #print("params", params)
             if params is not None:
                 t["count"] += 1
                 return t["raw"], params
@@ -154,6 +162,7 @@ def __call__(self, log: str) -> Dict[str, Any]:
         """Batch matching that also returns the params list."""
         output: dict[str, Any] = {}
         res = self.match_template_with_params(log)
+        #print("res", res)
         if res is None:
             output["EventTemplate"] = "<Not Found>"
             output["Params"] = []
@@ -163,4 +172,5 @@ def __call__(self, log: str) -> Dict[str, Any]:
             output["Params"] = params
         tpl_to_id = {t["raw"]: i for i, t in enumerate(self.manager.templates)}
         output["EventId"] = tpl_to_id.get(tpl, -1) if output["EventTemplate"] != "<Not Found>" else -1
+        #print("output", output)
         return output
diff --git a/src/detectmatelibrary/parsers/template_matcher/_parser.py b/src/detectmatelibrary/parsers/template_matcher/_parser.py
index 3192a84..73966e6 100644
--- a/src/detectmatelibrary/parsers/template_matcher/_parser.py
+++ b/src/detectmatelibrary/parsers/template_matcher/_parser.py
@@ -81,7 +81,9 @@ def parse(
     ) -> None:
 
         parsed = self.template_matcher(input_["log"])
+        #print("parsed", parsed)
 
         output_["template"] = parsed["EventTemplate"]
         output_["variables"] = parsed["Params"]
         output_["EventID"] = parsed["EventId"]
+        #print("output", output_)
diff --git a/src/detectmatelibrary/utils/persistency/event_persistency.py b/src/detectmatelibrary/utils/persistency/event_persistency.py
index 42719d6..0e627bb 100644
--- a/src/detectmatelibrary/utils/persistency/event_persistency.py
+++ b/src/detectmatelibrary/utils/persistency/event_persistency.py
@@ -39,6 +39,7 @@ def ingest_event(
         named_variables: Dict[str, Any] = {}
     ) -> None:
         """Ingest event data into the appropriate EventData store."""
+        #print("VARIABLES", not variables, not named_variables)
         if not variables and not named_variables:
             return
         self.event_templates[event_id] = event_template
@@ -50,6 +51,8 @@ def ingest_event(
             self.events_data[event_id] = data_structure
 
         data = data_structure.to_data(all_variables)
+        #print("Ingesting event", event_id, event_template, variables, named_variables, all_variables, "\n")
+        #print("INGESTING EVENT", data_structure, data, "\n")
         data_structure.add_data(data)
 
     def get_event_data(self, event_id: int) -> Any | None:
diff --git a/tests/test_detectors/test_new_value_combo_detector.py b/tests/test_detectors/test_new_value_combo_detector.py
index c22de05..6aab264 100644
--- a/tests/test_detectors/test_new_value_combo_detector.py
+++ b/tests/test_detectors/test_new_value_combo_detector.py
@@ -550,7 +550,7 @@ def test_configure_only_selects_stable_event_types(self):
         "MatcherParser": {
             "method_type": "matcher_parser",
             "auto_config": False,
-            "log_format": "type=<Type> msg=audit\\(<Time>\\): <Content>",
+            "log_format": "type=<Type> msg=audit(<Time>): <Content>",
             "time_format": None,
             "params": {
                 "remove_spaces": True,
@@ -585,4 +585,4 @@ def test_audit_log_anomalies(self):
             if detector.detect(log, output_=output):
                 detected_ids.add(log["logID"])
 
-        print(detected_ids)
+        assert detected_ids == {'1859', '1862', '1866', '1865'}

From c5ed1991012073cb2e6aae314ab582fd31a17d70 Mon Sep 17 00:00:00 2001
From: Ernst Leierzopf <e.leierzopf@gmail.com>
Date: Mon, 16 Mar 2026 21:30:44 +0100
Subject: [PATCH 04/16] add STATIC classification trackers to all detectors.

---
 src/detectmatelibrary/common/core.py          |  2 --
 src/detectmatelibrary/common/detector.py      |  2 --
 .../detectors/new_event_detector.py           | 19 +++----------------
 .../detectors/new_value_combo_detector.py     |  7 ++++---
 .../detectors/new_value_detector.py           |  5 +++--
 .../parsers/template_matcher/_matcher_op.py   | 11 -----------
 .../parsers/template_matcher/_parser.py       |  2 --
 .../utils/persistency/event_persistency.py    |  3 ---
 .../test_detectors/test_new_event_detector.py |  3 ---
 9 files changed, 10 insertions(+), 44 deletions(-)

diff --git a/src/detectmatelibrary/common/core.py b/src/detectmatelibrary/common/core.py
index 963b67c..17eaa9c 100644
--- a/src/detectmatelibrary/common/core.py
+++ b/src/detectmatelibrary/common/core.py
@@ -166,13 +166,11 @@ def process(self, data: BaseSchema | bytes) -> BaseSchema | bytes | None:
         output_ = self.output_schema()
         logger.info(f"<<{self.name}>> processing data")
         return_schema = self.run(input_=data_buffered, output_=output_)
-        #print(return_schema)
         if not return_schema:
             logger.info(f"<<{self.name}>> returns None")
             return None
 
         logger.debug(f"<<{self.name}>> processed:\n{output_}")
-        #print(SchemaPipeline.postprocess(output_, is_byte=is_byte))
         return SchemaPipeline.postprocess(output_, is_byte=is_byte)
 
     def get_config(self) -> Dict[str, Any]:
diff --git a/src/detectmatelibrary/common/detector.py b/src/detectmatelibrary/common/detector.py
index 848138b..331eae2 100644
--- a/src/detectmatelibrary/common/detector.py
+++ b/src/detectmatelibrary/common/detector.py
@@ -50,10 +50,8 @@ def get_configured_variables(
 
     # Get the config for this event
     event_config = log_variables[event_id] if event_id in log_variables else None
-    #print("EV", event_config)
     if event_config is None:
         return result
-   # print(event_id, event_config, log_variables)
 
     # Extract template variables by position
     if hasattr(event_config, "variables"):
diff --git a/src/detectmatelibrary/detectors/new_event_detector.py b/src/detectmatelibrary/detectors/new_event_detector.py
index 7389cf8..f6ce13b 100644
--- a/src/detectmatelibrary/detectors/new_event_detector.py
+++ b/src/detectmatelibrary/detectors/new_event_detector.py
@@ -34,7 +34,6 @@ def __init__(
 
         super().__init__(name=name, buffer_mode=BufferMode.NO_BUF, config=config)
         self.config: NewEventDetectorConfig  # type narrowing for IDE
-        #print(self.config, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
         self.persistency = EventPersistency(
             event_data_class=EventStabilityTracker,
         )
@@ -46,15 +45,8 @@ def __init__(
     def train(self, input_: ParserSchema) -> None:  # type: ignore
         """Train the detector by learning values from the input data."""
         configured_variables = get_configured_variables(input_, self.config.events)
-        #print("AAAAAAAAAAAAAAAAA", input_, "BBBBBBBBBBBBB\n", self.config.events)
-        #print(self.config.events)
-        #print(input_["logFormatVariables"]["Type"], self.config.events)
         d = self.config.events[input_["EventID"]]
-        #print("bbb", d)
-        #print("ccc", hasattr(d, "header_variables"), d.header_variables.keys())
-        #print("ccc", configured_variables)
         configured_variables = {k: v for k, v in configured_variables.items() if k in d.header_variables}
-        print("conf", configured_variables)
         self.persistency.ingest_event(
             event_id=input_["EventID"],
             event_template=input_["template"],
@@ -67,13 +59,10 @@ def detect(
         """Detect new values in the input data."""
         alerts: dict[str, str] = {}
         configured_variables = get_configured_variables(input_, self.config.events)
-        #print("br", configured_variables)
         overall_score = 0.0
 
         current_event_id = input_["EventID"]
         known_events = self.persistency.get_events_data()
-        #print(input_["logFormatVariables"]["Type"])
-        #print(current_event_id, input_)
 
         if current_event_id in known_events:
             event_tracker = known_events[current_event_id]
@@ -96,7 +85,6 @@ def detect(
         return False
 
     def configure(self, input_: ParserSchema) -> None:
-        #print("DDDDDDDDDDDDDDDDDDDDDDDDD", input_)
         self.auto_conf_persistency.ingest_event(
             event_id=input_["EventID"],
             event_template=input_["template"],
@@ -106,11 +94,10 @@ def configure(self, input_: ParserSchema) -> None:
 
     def set_configuration(self) -> None:
         variables = {}
-        #print("LLEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEN", self.auto_conf_persistency.get_events_data().items())
-        #print("LLEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEN", len(self.auto_conf_persistency.get_events_data().items()))
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
-            stable_vars = tracker.get_variables_by_classification("STABLE")  # type: ignore
-            variables[event_id] = stable_vars
+            classified_vars = tracker.get_variables_by_classification("STABLE") + \
+                              tracker.get_variables_by_classification("STATIC")  # type: ignore
+            variables[event_id] = classified_vars
         config_dict = generate_detector_config(
             variable_selection=variables,
             detector_name=self.name,
diff --git a/src/detectmatelibrary/detectors/new_value_combo_detector.py b/src/detectmatelibrary/detectors/new_value_combo_detector.py
index 0445863..fe0c896 100644
--- a/src/detectmatelibrary/detectors/new_value_combo_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_combo_detector.py
@@ -175,9 +175,10 @@ def set_configuration(self, max_combo_size: int = 3) -> None:
         # run WITH auto_conf_persistency
         variable_combos = {}
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
-            stable_vars = tracker.get_variables_by_classification("STABLE")  # type: ignore
-            if len(stable_vars) > 1:
-                variable_combos[event_id] = stable_vars
+            classified_vars = (tracker.get_variables_by_classification("STABLE") +  # type: ignore
+                               tracker.get_variables_by_classification("STATIC"))  # type: ignore
+            if len(classified_vars) > 1:
+                variable_combos[event_id] = classified_vars
         config_dict = generate_detector_config(
             variable_selection=variable_combos,
             detector_name=self.name,
diff --git a/src/detectmatelibrary/detectors/new_value_detector.py b/src/detectmatelibrary/detectors/new_value_detector.py
index eab00c6..140550a 100644
--- a/src/detectmatelibrary/detectors/new_value_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_detector.py
@@ -118,8 +118,9 @@ def configure(self, input_: ParserSchema) -> None:  # type: ignore
     def set_configuration(self) -> None:
         variables = {}
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
-            stable_vars = tracker.get_variables_by_classification("STABLE")  # type: ignore
-            variables[event_id] = stable_vars
+            classified_vars = (tracker.get_variables_by_classification("STABLE") +  # type: ignore
+                           tracker.get_variables_by_classification("STABLE"))  # type: ignore
+            variables[event_id] = classified_vars
         config_dict = generate_detector_config(
             variable_selection=variables,
             detector_name=self.name,
diff --git a/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py b/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py
index 77caf72..bd1e780 100644
--- a/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py
+++ b/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py
@@ -125,19 +125,11 @@ def __init__(
     def extract_parameters(log: str, template: str) -> tuple[str, ...] | None:
         """Extract parameters from the log based on the template."""
         log = re.sub(r'\s+', ' ', log.strip())
-        #print("log", log)
         pattern_parts = template.split("<*>")
-        #print("pattern_parts", pattern_parts)
         pattern_parts_escaped = [re.escape(part) for part in pattern_parts]
-        #pattern_parts_escaped = [part.replace(" ", "\\ ") for part in pattern_parts]
-        #pattern_parts_escaped = pattern_parts
-        #print(pattern_parts_escaped)
         regex_pattern = "(.*?)".join(pattern_parts_escaped)
-        #print(regex_pattern)
         regex = "^" + regex_pattern + "$"
-        # matches = re.search(regex, log)
         matches = safe_search(regex, log, 1)
-        #print("matches", matches)
         if matches:
             groups: tuple[str, ...] = matches.groups()
             return groups
@@ -152,7 +144,6 @@ def match_template_with_params(self, log: str) -> tuple[str, tuple[str, ...]] |
             if len(s) < t["min_len"]:
                 continue
             params = self.extract_parameters(log, t["raw"])
-            #print("params", params)
             if params is not None:
                 t["count"] += 1
                 return t["raw"], params
@@ -162,7 +153,6 @@ def __call__(self, log: str) -> Dict[str, Any]:
         """Batch matching that also returns the params list."""
         output: dict[str, Any] = {}
         res = self.match_template_with_params(log)
-        #print("res", res)
         if res is None:
             output["EventTemplate"] = "<Not Found>"
             output["Params"] = []
@@ -172,5 +162,4 @@ def __call__(self, log: str) -> Dict[str, Any]:
             output["Params"] = params
         tpl_to_id = {t["raw"]: i for i, t in enumerate(self.manager.templates)}
         output["EventId"] = tpl_to_id.get(tpl, -1) if output["EventTemplate"] != "<Not Found>" else -1
-        #print("output", output)
         return output
diff --git a/src/detectmatelibrary/parsers/template_matcher/_parser.py b/src/detectmatelibrary/parsers/template_matcher/_parser.py
index 73966e6..3192a84 100644
--- a/src/detectmatelibrary/parsers/template_matcher/_parser.py
+++ b/src/detectmatelibrary/parsers/template_matcher/_parser.py
@@ -81,9 +81,7 @@ def parse(
     ) -> None:
 
         parsed = self.template_matcher(input_["log"])
-        #print("parsed", parsed)
 
         output_["template"] = parsed["EventTemplate"]
         output_["variables"] = parsed["Params"]
         output_["EventID"] = parsed["EventId"]
-        #print("output", output_)
diff --git a/src/detectmatelibrary/utils/persistency/event_persistency.py b/src/detectmatelibrary/utils/persistency/event_persistency.py
index 9591bf0..c21cb76 100644
--- a/src/detectmatelibrary/utils/persistency/event_persistency.py
+++ b/src/detectmatelibrary/utils/persistency/event_persistency.py
@@ -39,7 +39,6 @@ def ingest_event(
         named_variables: Dict[str, Any] = {}
     ) -> None:
         """Ingest event data into the appropriate EventData store."""
-        #print("VARIABLES", not variables, not named_variables)
         if not variables and not named_variables:
             return
         self.event_templates[event_id] = event_template
@@ -51,8 +50,6 @@ def ingest_event(
             self.events_data[event_id] = data_structure
 
         data = data_structure.to_data(all_variables)
-        #print("Ingesting event", event_id, event_template, variables, named_variables, all_variables, "\n")
-        #print("INGESTING EVENT", data_structure, data, "\n")
         data_structure.add_data(data)
 
     def get_event_data(self, event_id: int | str) -> Any | None:
diff --git a/tests/test_detectors/test_new_event_detector.py b/tests/test_detectors/test_new_event_detector.py
index 2aae691..2787f07 100644
--- a/tests/test_detectors/test_new_event_detector.py
+++ b/tests/test_detectors/test_new_event_detector.py
@@ -237,9 +237,6 @@ def test_audit_log_anomalies(self):
         detector = NewEventDetector(config=config, name="NewEventDetector")
 
         logs = list(From.log(parser, in_path="tests/test_folder/audit.log", do_process=True))
-        print("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", logs[2], type(logs[2]), dir(logs[2]))
-        print("GGGGGGGGGGGGGGG", logs[2]["logFormatVariables"])
-        print("HHHHHHHHHHHHHHH", logs[2]["variables"])
 
         for log in logs[:1800]:
             detector.configure(log)

From d9ab23d2a3b4eef26e24850362dad7b6e082f76d Mon Sep 17 00:00:00 2001
From: Ernst Leierzopf <e.leierzopf@gmail.com>
Date: Mon, 16 Mar 2026 21:40:59 +0100
Subject: [PATCH 05/16] fix prek issues.

---
 src/detectmatelibrary/detectors/new_event_detector.py | 4 ++--
 tests/test_detectors/test_new_event_detector.py       | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/detectmatelibrary/detectors/new_event_detector.py b/src/detectmatelibrary/detectors/new_event_detector.py
index f6ce13b..f4b1cc6 100644
--- a/src/detectmatelibrary/detectors/new_event_detector.py
+++ b/src/detectmatelibrary/detectors/new_event_detector.py
@@ -95,8 +95,8 @@ def configure(self, input_: ParserSchema) -> None:
     def set_configuration(self) -> None:
         variables = {}
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
-            classified_vars = tracker.get_variables_by_classification("STABLE") + \
-                              tracker.get_variables_by_classification("STATIC")  # type: ignore
+            classified_vars = (tracker.get_variables_by_classification("STABLE") +  # type: ignore
+                               tracker.get_variables_by_classification("STATIC"))  # type: ignore
             variables[event_id] = classified_vars
         config_dict = generate_detector_config(
             variable_selection=variables,
diff --git a/tests/test_detectors/test_new_event_detector.py b/tests/test_detectors/test_new_event_detector.py
index 2787f07..49ece9a 100644
--- a/tests/test_detectors/test_new_event_detector.py
+++ b/tests/test_detectors/test_new_event_detector.py
@@ -8,7 +8,7 @@
 - Input/output schema validation
 """
 
-from detectmatelibrary.detectors.new_event_detector import NewEventDetector, BufferMode
+from detectmatelibrary.detectors.new_event_detector import NewEventDetector  # , BufferMode
 from detectmatelibrary.parsers.template_matcher import MatcherParser
 from detectmatelibrary.helper.from_to import From
 import detectmatelibrary.schemas as schemas
@@ -251,4 +251,4 @@ def test_audit_log_anomalies(self):
             if detector.detect(log, output_=output):
                 detected_ids.add(log["logID"])
 
-        #assert detected_ids == {'1859', '1860', '1861', '1862', '1864', '1865', '1866', '1867'}
+        # assert detected_ids == {'1859', '1860', '1861', '1862', '1864', '1865', '1866', '1867'}

From ad040558bdfa0a229d3038393826a64885dd6b45 Mon Sep 17 00:00:00 2001
From: Ernst Leierzopf <e.leierzopf@gmail.com>
Date: Mon, 16 Mar 2026 21:56:43 +0100
Subject: [PATCH 06/16] fix prek issues.

---
 src/detectmatelibrary/detectors/new_event_detector.py | 4 +---
 src/detectmatelibrary/detectors/new_value_detector.py | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/detectmatelibrary/detectors/new_event_detector.py b/src/detectmatelibrary/detectors/new_event_detector.py
index f4b1cc6..51d345d 100644
--- a/src/detectmatelibrary/detectors/new_event_detector.py
+++ b/src/detectmatelibrary/detectors/new_event_detector.py
@@ -45,8 +45,6 @@ def __init__(
     def train(self, input_: ParserSchema) -> None:  # type: ignore
         """Train the detector by learning values from the input data."""
         configured_variables = get_configured_variables(input_, self.config.events)
-        d = self.config.events[input_["EventID"]]
-        configured_variables = {k: v for k, v in configured_variables.items() if k in d.header_variables}
         self.persistency.ingest_event(
             event_id=input_["EventID"],
             event_template=input_["template"],
@@ -84,7 +82,7 @@ def detect(
 
         return False
 
-    def configure(self, input_: ParserSchema) -> None:
+    def configure(self, input_: ParserSchema) -> None:  # type: ignore
         self.auto_conf_persistency.ingest_event(
             event_id=input_["EventID"],
             event_template=input_["template"],
diff --git a/src/detectmatelibrary/detectors/new_value_detector.py b/src/detectmatelibrary/detectors/new_value_detector.py
index 140550a..bf9f1a3 100644
--- a/src/detectmatelibrary/detectors/new_value_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_detector.py
@@ -119,7 +119,7 @@ def set_configuration(self) -> None:
         variables = {}
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
             classified_vars = (tracker.get_variables_by_classification("STABLE") +  # type: ignore
-                           tracker.get_variables_by_classification("STABLE"))  # type: ignore
+                               tracker.get_variables_by_classification("STABLE"))  # type: ignore
             variables[event_id] = classified_vars
         config_dict = generate_detector_config(
             variable_selection=variables,

From fc7cc186e823cd4bb3acefa8b4dc59fe86c495c6 Mon Sep 17 00:00:00 2001
From: viktorbeck98 <viktor.beck98@gmail.com>
Date: Tue, 17 Mar 2026 15:20:21 +0100
Subject: [PATCH 07/16] update gitignore

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 3113ce1..b0a557c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -199,3 +199,6 @@ cython_debug/
 local/
 test.ipynb
 test.py
+
+# claude code
+CLAUDE.md

From f5bdc8c1ffd95ad202e402257d0113d397e4659d Mon Sep 17 00:00:00 2001
From: viktorbeck98 <viktor.beck98@gmail.com>
Date: Tue, 17 Mar 2026 17:54:11 +0100
Subject: [PATCH 08/16] add option for combo and value detector to use static
 or stable variables

---
 config/pipeline_config_default.yaml           |  2 --
 docs/detectors.md                             |  2 +-
 docs/detectors/combo.md                       |  2 +-
 .../common/_config/_compile.py                |  4 +--
 .../detectors/new_value_combo_detector.py     | 22 ++++++++-----
 .../detectors/new_value_detector.py           |  9 ++++--
 .../trackers/stability/stability_tracker.py   |  6 ++--
 .../test_new_value_combo_detector.py          | 31 +++++++------------
 .../test_detectors/test_new_value_detector.py |  4 ---
 .../test_configuration_engine.py              |  3 --
 tests/test_utils/test_aux.py                  |  3 --
 tests/test_utils/test_stability_tracking.py   |  8 ++---
 12 files changed, 43 insertions(+), 53 deletions(-)

diff --git a/config/pipeline_config_default.yaml b/config/pipeline_config_default.yaml
index 0475495..4271752 100644
--- a/config/pipeline_config_default.yaml
+++ b/config/pipeline_config_default.yaml
@@ -68,8 +68,6 @@ detectors:
     NewValueComboDetector:
         method_type: new_value_combo_detector
         auto_config: False
-        params:
-            comb_size: 3
         events:
             1:
                 test:
diff --git a/docs/detectors.md b/docs/detectors.md
index 5dad456..5e17c0c 100644
--- a/docs/detectors.md
+++ b/docs/detectors.md
@@ -172,7 +172,7 @@ The `set_configuration()` method queries the tracker results and generates the f
 def set_configuration(self):
     variables = {}
     for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
-        stable_vars = tracker.get_variables_by_classification("STABLE")
+        stable_vars = tracker.get_features_by_classification("STABLE")
         variables[event_id] = stable_vars
 
     config_dict = generate_detector_config(
diff --git a/docs/detectors/combo.md b/docs/detectors/combo.md
index 0272668..1440167 100644
--- a/docs/detectors/combo.md
+++ b/docs/detectors/combo.md
@@ -18,7 +18,7 @@ detectors:
         method_type: new_value_combo_detector
         auto_config: False
         params:
-            comb_size: 3
+            max_combo_size: 3
         events:
             1:
                 test:
diff --git a/src/detectmatelibrary/common/_config/_compile.py b/src/detectmatelibrary/common/_config/_compile.py
index 5198629..fca1a27 100644
--- a/src/detectmatelibrary/common/_config/_compile.py
+++ b/src/detectmatelibrary/common/_config/_compile.py
@@ -142,7 +142,7 @@ def generate_detector_config(
         detector_name: Name of the detector, used as the base instance_id.
         method_type: Type of detection method (e.g., "new_value_detector").
         **additional_params: Additional parameters for the detector's params
-            dict (e.g., comb_size=3).
+            dict (e.g., max_combo_size=3).
 
     Returns:
         Dictionary with structure compatible with detector config classes.
@@ -162,7 +162,7 @@ def generate_detector_config(
                 variable_selection={1: [("username", "src_ip"), ("var_0", "var_1")]},
                 detector_name="MyDetector",
                 method_type="new_value_combo_detector",
-                comb_size=2,
+                max_combo_size=2,
             )
     """
     var_pattern = re.compile(r"^var_(\d+)$")
diff --git a/src/detectmatelibrary/detectors/new_value_combo_detector.py b/src/detectmatelibrary/detectors/new_value_combo_detector.py
index 0445863..32dd9e8 100644
--- a/src/detectmatelibrary/detectors/new_value_combo_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_combo_detector.py
@@ -55,7 +55,10 @@ class NewValueComboDetectorConfig(CoreDetectorConfig):
 
     events: EventsConfig | dict[str, Any] = {}
     global_instances: Dict[str, _EventInstance] = {}
-    comb_size: int = 2
+
+    max_combo_size: int = 3
+    use_stable_vars: bool = True
+    use_static_vars: bool = False
 
 
 class NewValueComboDetector(CoreDetector):
@@ -162,7 +165,7 @@ def configure(self, input_: ParserSchema) -> None:  # type: ignore
             named_variables=input_["logFormatVariables"],
         )
 
-    def set_configuration(self, max_combo_size: int = 3) -> None:
+    def set_configuration(self, max_combo_size: int | None = None) -> None:
         """Set the detector configuration based on the stability of variable
         combinations.
 
@@ -172,17 +175,18 @@ def set_configuration(self, max_combo_size: int = 3) -> None:
         3. Re-ingest all events to learn the stability of these combos (testing all possible combos right away
         would explode combinatorially).
         """
+        config = cast(NewValueComboDetectorConfig, self.config)
         # run WITH auto_conf_persistency
         variable_combos = {}
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
-            stable_vars = tracker.get_variables_by_classification("STABLE")  # type: ignore
+            stable_vars = tracker.get_features_by_classification("STABLE")  # type: ignore
             if len(stable_vars) > 1:
                 variable_combos[event_id] = stable_vars
         config_dict = generate_detector_config(
             variable_selection=variable_combos,
             detector_name=self.name,
             method_type=self.config.method_type,
-            comb_size=max_combo_size
+            max_combo_size=max_combo_size or config.max_combo_size
         )
         # Update the config object from the dictionary instead of replacing it
         self.config = NewValueComboDetectorConfig.from_dict(config_dict, self.name)
@@ -199,15 +203,17 @@ def set_configuration(self, max_combo_size: int = 3) -> None:
         # rerun to set final config WITH auto_conf_persistency_combos
         combo_selection = {}
         for event_id, tracker in self.auto_conf_persistency_combos.get_events_data().items():
-            stable_combos = tracker.get_variables_by_classification("STABLE")  # type: ignore
+            stable_combos = tracker.get_features_by_classification("STABLE") if self.config.use_stable_vars else []  # type: ignore
+            static_combos = tracker.get_features_by_classification("STATIC") if self.config.use_static_vars else []  # type: ignore
+            combos = stable_combos + static_combos
             # Keep combos as tuples - each will become a separate config entry
-            if len(stable_combos) >= 1:
-                combo_selection[event_id] = stable_combos
+            if len(combos) > 0:
+                combo_selection[event_id] = combos
         config_dict = generate_detector_config(
             variable_selection=combo_selection,
             detector_name=self.name,
             method_type=self.config.method_type,
-            comb_size=max_combo_size
+            max_combo_size=max_combo_size or self.config.max_combo_size
         )
         # Update the config object from the dictionary instead of replacing it
         self.config = NewValueComboDetectorConfig.from_dict(config_dict, self.name)
diff --git a/src/detectmatelibrary/detectors/new_value_detector.py b/src/detectmatelibrary/detectors/new_value_detector.py
index eab00c6..6f525f8 100644
--- a/src/detectmatelibrary/detectors/new_value_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_detector.py
@@ -24,6 +24,8 @@ class NewValueDetectorConfig(CoreDetectorConfig):
 
     events: EventsConfig | dict[str, Any] = {}
     global_instances: Dict[str, _EventInstance] = {}
+    use_stable_vars: bool = True
+    use_static_vars: bool = True
 
 
 class NewValueDetector(CoreDetector):
@@ -118,8 +120,11 @@ def configure(self, input_: ParserSchema) -> None:  # type: ignore
     def set_configuration(self) -> None:
         variables = {}
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
-            stable_vars = tracker.get_variables_by_classification("STABLE")  # type: ignore
-            variables[event_id] = stable_vars
+            stable = tracker.get_features_by_classification("STABLE") if self.config.use_stable_vars else []  # type: ignore
+            static = tracker.get_features_by_classification("STATIC") if self.config.use_static_vars else []  # type: ignore
+            vars_ = stable + static
+            if len(vars_) > 0:
+                variables[event_id] = vars_
         config_dict = generate_detector_config(
             variable_selection=variables,
             detector_name=self.name,
diff --git a/src/detectmatelibrary/utils/persistency/event_data_structures/trackers/stability/stability_tracker.py b/src/detectmatelibrary/utils/persistency/event_data_structures/trackers/stability/stability_tracker.py
index a37ab3d..f29a78e 100644
--- a/src/detectmatelibrary/utils/persistency/event_data_structures/trackers/stability/stability_tracker.py
+++ b/src/detectmatelibrary/utils/persistency/event_data_structures/trackers/stability/stability_tracker.py
@@ -73,7 +73,7 @@ class MultiStabilityTracker(MultiTracker):
     """Tracks multiple features (e.g. variables or variable combos) using
     individual trackers."""
 
-    def get_variables_by_classification(
+    def get_features_by_classification(
         self,
         classification_type: Literal["INSUFFICIENT_DATA", "STATIC", "RANDOM", "STABLE", "UNSTABLE"]
     ) -> List[str]:
@@ -99,9 +99,9 @@ def __init__(self, converter_function: Callable[[Any], Any] = lambda x: x) -> No
             converter_function=converter_function,
         )
 
-    def get_variables_by_classification(
+    def get_features_by_classification(
         self, classification_type: Literal["INSUFFICIENT_DATA", "STATIC", "RANDOM", "STABLE", "UNSTABLE"]
     ) -> List[str]:
         """Get a list of variable names that are classified as the given
         type."""
-        return self.multi_tracker.get_variables_by_classification(classification_type)
+        return self.multi_tracker.get_features_by_classification(classification_type)
diff --git a/tests/test_detectors/test_new_value_combo_detector.py b/tests/test_detectors/test_new_value_combo_detector.py
index af45bd7..d3c123a 100644
--- a/tests/test_detectors/test_new_value_combo_detector.py
+++ b/tests/test_detectors/test_new_value_combo_detector.py
@@ -9,8 +9,6 @@
 
 from detectmatelibrary.utils.aux import time_test_mode
 
-import pytest
-
 # Set time test mode for consistent timestamps
 time_test_mode()
 
@@ -21,7 +19,7 @@
             "method_type": "new_value_combo_detector",
             "auto_config": False,
             "params": {
-                "comb_size": 4
+                "max_combo_size": 4
             },
             "events": {
                 1: {
@@ -38,7 +36,7 @@
             "method_type": "new_value_combo_detector",
             "auto_config": False,
             "params": {
-                "comb_size": 2
+                "max_combo_size": 2
             },
             "events": {
                 1: {
@@ -72,7 +70,7 @@ def test_custom_config_initialization(self):
         detector = NewValueComboDetector(name="CustomInit", config=config)
 
         assert detector.name == "CustomInit"
-        assert detector.config.comb_size == 4
+        assert detector.config.max_combo_size == 4
 
 
 class TestNewValueComboDetectorTraining:
@@ -215,14 +213,14 @@ def test_generate_detector_config_basic(self):
             variable_selection=variable_selection,
             detector_name="TestDetector",
             method_type="new_value_combo_detector",
-            comb_size=2
+            max_combo_size=2
         )
 
         assert "detectors" in config_dict
         assert "TestDetector" in config_dict["detectors"]
         detector_config = config_dict["detectors"]["TestDetector"]
         assert detector_config["method_type"] == "new_value_combo_detector"
-        assert detector_config["params"]["comb_size"] == 2
+        assert detector_config["params"]["max_combo_size"] == 2
         assert len(detector_config["events"]) == 1
 
     def test_generate_detector_config_multiple_events(self):
@@ -291,7 +289,7 @@ def test_set_configuration_updates_config(self):
 
         # Verify config was updated
         assert detector.config.events is not None
-        assert detector.config.comb_size == 2
+        assert detector.config.max_combo_size == 2
 
     def test_configuration_workflow(self):
         """Test complete configuration workflow like in notebook."""
@@ -362,8 +360,8 @@ def test_set_configuration_with_combo_size(self):
         # Set configuration with specific combo size
         detector.set_configuration(max_combo_size=4)
 
-        # Verify comb_size was updated
-        assert detector.config.comb_size == 4
+        # Verify max_combo_size was updated
+        assert detector.config.max_combo_size == 4
 
     def test_configuration_with_no_stable_variables(self):
         """Test configuration when no stable variables are found."""
@@ -551,14 +549,8 @@ def test_configure_only_selects_stable_event_types(self):
         "MatcherParser": {
             "method_type": "matcher_parser",
             "auto_config": False,
-            "log_format": "type=<Type> msg=audit\\(<Time>\\): <Content>",
-            "time_format": None,
-            "params": {
-                "remove_spaces": True,
-                "remove_punctuation": True,
-                "lowercase": True,
-                "path_templates": "tests/test_folder/audit_templates.txt",
-            },
+            "log_format": "type=<Type> msg=audit(<Time>): <Content>",
+            "params": {"path_templates": "tests/test_folder/audit_templates.txt"},
         }
     }
 }
@@ -566,7 +558,6 @@ def test_configure_only_selects_stable_event_types(self):
 
 class TestNewValueComboDetectorEndToEndWithRealData:
     """Regression test: full configure/train/detect pipeline on audit.log."""
-    @pytest.mark.skip(reason="no way of currently testing this")
     def test_audit_log_anomalies(self):
         parser = MatcherParser(config=_PARSER_CONFIG)
         detector = NewValueComboDetector()
@@ -586,4 +577,4 @@ def test_audit_log_anomalies(self):
             if detector.detect(log, output_=output):
                 detected_ids.add(log["logID"])
 
-        print(detected_ids)
+        assert detected_ids == {"1859", "1862", "1865", "1866"}
diff --git a/tests/test_detectors/test_new_value_detector.py b/tests/test_detectors/test_new_value_detector.py
index 99dcc95..f0918d3 100644
--- a/tests/test_detectors/test_new_value_detector.py
+++ b/tests/test_detectors/test_new_value_detector.py
@@ -20,8 +20,6 @@
 
 from detectmatelibrary.utils.aux import time_test_mode
 
-import pytest
-
 # Set time test mode for consistent timestamps
 time_test_mode()
 
@@ -245,7 +243,6 @@ class TestNewValueDetectorAutoConfig:
     """Test that process() drives configure/set_configuration/train/detect
     automatically."""
 
-    @pytest.mark.skip(reason="This test is too late")
     def test_audit_log_anomalies_via_process(self):
         parser = MatcherParser(config=_PARSER_CONFIG)
         detector = NewValueDetector()
@@ -278,7 +275,6 @@ def test_audit_log_anomalies_via_process(self):
 class TestNewValueDetectorGlobalInstances:
     """Tests event-ID-independent global instance detection."""
 
-    @pytest.mark.skip(reason="This test is too late")
     def test_global_instance_detects_new_type(self):
         """Global instance monitoring Type detects CRED_REFR, USER_AUTH,
         USER_CMD which only appear after the training window (line 1800+)."""
diff --git a/tests/test_pipelines/test_configuration_engine.py b/tests/test_pipelines/test_configuration_engine.py
index 875b489..272ae90 100644
--- a/tests/test_pipelines/test_configuration_engine.py
+++ b/tests/test_pipelines/test_configuration_engine.py
@@ -2,7 +2,6 @@
 from detectmatelibrary.parsers.template_matcher import MatcherParser
 from detectmatelibrary.helper.from_to import From
 
-import pytest
 import json
 
 AUDIT_LOG = "tests/test_folder/audit.log"
@@ -33,7 +32,6 @@ def load_expected_anomaly_ids() -> set[str]:
 
 class TestConfigurationEngineManual:
     """Mirrors the manual flow in 05_configuration_engine/detect.py."""
-    @pytest.mark.skip(reason="no way of currently testing this")
     def test_configure_train_detect(self) -> None:
         parser = MatcherParser(config=parser_config)
         detector = NewValueDetector()
@@ -60,7 +58,6 @@ def test_configure_train_detect(self) -> None:
 class TestConfigurationEngineAutomatic:
     """Tests the automated configure phase via process()."""
 
-    @pytest.mark.skip(reason="no way of currently testing this")
     def test_process_configure_train_detect(self) -> None:
         parser = MatcherParser(config=parser_config)
         config = NewValueDetectorConfig(data_use_configure=TRAIN_UNTIL)
diff --git a/tests/test_utils/test_aux.py b/tests/test_utils/test_aux.py
index 52c4466..6ef9545 100644
--- a/tests/test_utils/test_aux.py
+++ b/tests/test_utils/test_aux.py
@@ -4,8 +4,6 @@
 from datetime import datetime
 from time import sleep
 
-import pytest
-
 
 class TestTimestamp:
     def test_test_mode(self) -> None:
@@ -16,7 +14,6 @@ def test_no_test_mode(self) -> None:
         time_test_mode(False)
         assert get_timestamp() != 0
 
-    @pytest.mark.skip(reason="This test is too slow")
     def test_get_timestamp(self) -> None:
         time = get_timestamp()
         sleep(1)
diff --git a/tests/test_utils/test_stability_tracking.py b/tests/test_utils/test_stability_tracking.py
index 1b92a8d..c36b34b 100644
--- a/tests/test_utils/test_stability_tracking.py
+++ b/tests/test_utils/test_stability_tracking.py
@@ -290,7 +290,7 @@ def test_get_stable_variables(self):
                 "random_var": f"unique_{i}",
             })
 
-        stable_vars = trackers.get_variables_by_classification("STABLE")
+        stable_vars = trackers.get_features_by_classification("STABLE")
         assert isinstance(stable_vars, list)
         # "stable_var" should be classified as STATIC
 
@@ -360,7 +360,7 @@ def test_get_stable_variables(self):
                 "random_var": f"unique_{i}",
             })
 
-        stable_vars = evt.get_variables_by_classification("STABLE")
+        stable_vars = evt.get_features_by_classification("STABLE")
         assert isinstance(stable_vars, list)
 
     def test_integration_with_stability_tracker(self):
@@ -377,7 +377,7 @@ def test_integration_with_stability_tracker(self):
 
         # Get data and variables
         var_names = evt.get_variables()
-        stable_vars = evt.get_variables_by_classification("STABLE")
+        stable_vars = evt.get_features_by_classification("STABLE")
 
         assert len(var_names) == 3
         assert isinstance(stable_vars, list)
@@ -529,7 +529,7 @@ def test_event_variable_tracker_real_world_scenario(self):
             })
 
         var_names = evt.get_variables()
-        stable_vars = evt.get_variables_by_classification("STABLE")
+        stable_vars = evt.get_features_by_classification("STABLE")
 
         assert len(var_names) == 5
         assert isinstance(stable_vars, list)

From a52aa367ae7737093e17d41e5702b0d6ca079614 Mon Sep 17 00:00:00 2001
From: viktorbeck98 <viktor.beck98@gmail.com>
Date: Tue, 17 Mar 2026 20:51:43 +0100
Subject: [PATCH 09/16] fix prek issues

---
 src/detectmatelibrary/detectors/new_value_detector.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/detectmatelibrary/detectors/new_value_detector.py b/src/detectmatelibrary/detectors/new_value_detector.py
index 6f525f8..2c3db66 100644
--- a/src/detectmatelibrary/detectors/new_value_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_detector.py
@@ -120,8 +120,12 @@ def configure(self, input_: ParserSchema) -> None:  # type: ignore
     def set_configuration(self) -> None:
         variables = {}
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
-            stable = tracker.get_features_by_classification("STABLE") if self.config.use_stable_vars else []  # type: ignore
-            static = tracker.get_features_by_classification("STATIC") if self.config.use_static_vars else []  # type: ignore
+            stable = []
+            if self.config.use_stable_vars:
+                stable = tracker.get_features_by_classification("STABLE")  # type: ignore
+            static = []
+            if self.config.use_static_vars:
+                static = tracker.get_features_by_classification("STATIC")  # type: ignore
             vars_ = stable + static
             if len(vars_) > 0:
                 variables[event_id] = vars_

From f5e4801093accfa26e62e3252e25664ea0974c07 Mon Sep 17 00:00:00 2001
From: viktorbeck98 <viktor.beck98@gmail.com>
Date: Tue, 17 Mar 2026 20:53:45 +0100
Subject: [PATCH 10/16] fix prek issues

---
 .../detectors/new_value_combo_detector.py                 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/detectmatelibrary/detectors/new_value_combo_detector.py b/src/detectmatelibrary/detectors/new_value_combo_detector.py
index 32dd9e8..9078dee 100644
--- a/src/detectmatelibrary/detectors/new_value_combo_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_combo_detector.py
@@ -203,8 +203,12 @@ def set_configuration(self, max_combo_size: int | None = None) -> None:
         # rerun to set final config WITH auto_conf_persistency_combos
         combo_selection = {}
         for event_id, tracker in self.auto_conf_persistency_combos.get_events_data().items():
-            stable_combos = tracker.get_features_by_classification("STABLE") if self.config.use_stable_vars else []  # type: ignore
-            static_combos = tracker.get_features_by_classification("STATIC") if self.config.use_static_vars else []  # type: ignore
+            stable_combos = []
+            if self.config.use_stable_vars:
+                stable_combos = tracker.get_features_by_classification("STABLE")  # type: ignore
+            static_combos = []
+            if self.config.use_static_vars:
+                static_combos = tracker.get_features_by_classification("STATIC")  # type: ignore
             combos = stable_combos + static_combos
             # Keep combos as tuples - each will become a separate config entry
             if len(combos) > 0:

From 0a55953d245d6a403e8388e790f87f2c8d8c0596 Mon Sep 17 00:00:00 2001
From: viktorbeck98 <viktor.beck98@gmail.com>
Date: Mon, 30 Mar 2026 12:26:36 +0200
Subject: [PATCH 11/16] path_templates is not longer required by the
 MatcherParser

---
 .../parsers/template_matcher/_parser.py        |  7 +++++--
 tests/test_parsers/test_template_matcher.py    | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/detectmatelibrary/parsers/template_matcher/_parser.py b/src/detectmatelibrary/parsers/template_matcher/_parser.py
index 3192a84..67fb5a8 100644
--- a/src/detectmatelibrary/parsers/template_matcher/_parser.py
+++ b/src/detectmatelibrary/parsers/template_matcher/_parser.py
@@ -52,7 +52,7 @@ class MatcherParserConfig(CoreParserConfig):
     remove_punctuation: bool = True
     lowercase: bool = True
 
-    path_templates: str = "<PLACEHOLDER>"
+    path_templates: str | None = None
 
 
 class MatcherParser(CoreParser):
@@ -67,8 +67,11 @@ def __init__(
         super().__init__(name=name, config=config)
         self.config: MatcherParserConfig
 
+        templates = load_templates(
+            self.config.path_templates
+        ) if self.config.path_templates is not None else []
         self.template_matcher = TemplateMatcher(
-            template_list=load_templates(self.config.path_templates),
+            template_list=templates,
             remove_spaces=self.config.remove_spaces,
             remove_punctuation=self.config.remove_punctuation,
             lowercase=self.config.lowercase,
diff --git a/tests/test_parsers/test_template_matcher.py b/tests/test_parsers/test_template_matcher.py
index c5c892e..04e4bdc 100644
--- a/tests/test_parsers/test_template_matcher.py
+++ b/tests/test_parsers/test_template_matcher.py
@@ -13,6 +13,24 @@
 
 
 class TestMatcherParserBasic:
+    def test_no_path_templates(self):
+        config_dict = {
+            "parsers": {
+                "MatcherParser": {
+                    "auto_config": True,
+                    "method_type": "matcher_parser",
+                }
+            }
+        }
+        parser = MatcherParser(name="MatcherParser", config=config_dict)
+        input_log = schemas.LogSchema({"log": test_log_match})
+        output_data = schemas.ParserSchema()
+        parser.parse(input_log, output_data)
+
+        assert output_data.template == "<Not Found>"
+        assert output_data.EventID == -1
+        assert output_data.variables == []
+
     def test_templates_not_found(self):
         config_dict = {
             "parsers": {

From b2e00b34dff85e7ca4483bba89f93b95c48c968b Mon Sep 17 00:00:00 2001
From: "angre.garcia-gomez@ait.ac.at" <angre.garcia-gomez@ait.ac.at>
Date: Mon, 30 Mar 2026 14:42:22 +0200
Subject: [PATCH 12/16] add security file

---
 SECURITY.md | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..e7cbac5
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,32 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+| < 1.0.0   | :x:                |
+
+> [!IMPORTANT]
+> Currently DetectMateService is a work in progress and heavily under development. Possible vulnerabilities will not be treated any special and can be issued using [GitHub-Issues](https://github.com/ait-detectmate/DetectMateService/issues)
+
+## Reporting a Vulnerability
+
+Please email reports about any security related issues you find to aecid@ait.ac.at. This mail is delivered to a small developer team. Your email will be acknowledged within one business day, and you'll receive a more detailed response to your email within 7 days indicating the next steps in handling your report.
+
+Please use a descriptive subject line for your report email. After the initial reply to your report, our team will endeavor to keep you informed of the progress being made towards a fix and announcement.
+
+In addition, please include the following information along with your report:
+
+* Your name and affiliation (if any).
+* A description of the technical details of the vulnerabilities. It is very important to let us know how we can reproduce your findings.
+* An explanation who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario. This will help us evaluate your report quickly, especially if the issue is complex.
+* Whether this vulnerability public or known to third parties. If it is, please provide details.
+* Whether we could mention your name in the changelogs.
+
+Once an issue is reported we use the following disclosure process:
+
+* When a report is received, we confirm the issue and determine its severity.
+* If we know of specific third-party services or software based on DetectMateService that require mitigation before publication, those projects will be notified.
+* Fixes are prepared for the last minor release of the latest major release.
+* Patch releases are published for all fixed released versions.

From 67dc28b1bb89e88b3018621bc1b90b27a883ebd7 Mon Sep 17 00:00:00 2001
From: viktorbeck98 <viktor.beck98@gmail.com>
Date: Mon, 30 Mar 2026 17:59:07 +0200
Subject: [PATCH 13/16] Warn when detector config doesn't match training data

Adds a post-training validation step that logs warnings when a
manually-configured detector's EventIDs or variable names/positions
have no coverage in the training data, preventing silent no-op
detection (e.g. Apache logs where log_format captures all variables
with no templates). Also warns when auto_config=True produces an
empty configuration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../common/_core_op/_fit_logic.py             |  12 +
 src/detectmatelibrary/common/core.py          |   6 +
 src/detectmatelibrary/common/detector.py      |  45 ++++
 .../detectors/new_value_combo_detector.py     |  20 +-
 .../detectors/new_value_detector.py           |  19 +-
 .../utils/persistency/event_persistency.py    |   7 +
 tests/test_common/test_core.py                |  56 +++++
 tests/test_common/test_fit_logic.py           |  62 +++++
 .../test_detectors/test_mismatch_warnings.py  | 218 ++++++++++++++++++
 tests/test_utils/test_events_seen.py          |  66 ++++++
 10 files changed, 509 insertions(+), 2 deletions(-)
 create mode 100644 tests/test_common/test_fit_logic.py
 create mode 100644 tests/test_detectors/test_mismatch_warnings.py
 create mode 100644 tests/test_utils/test_events_seen.py

diff --git a/src/detectmatelibrary/common/_core_op/_fit_logic.py b/src/detectmatelibrary/common/_core_op/_fit_logic.py
index c702524..7a4aa61 100644
--- a/src/detectmatelibrary/common/_core_op/_fit_logic.py
+++ b/src/detectmatelibrary/common/_core_op/_fit_logic.py
@@ -74,6 +74,9 @@ def __init__(
         self._configuration_done = False
         self.config_finished = False
 
+        self._training_done = False
+        self.training_finished = False
+
         self.data_use_configure = data_use_configure
         self.data_use_training = data_use_training
 
@@ -84,6 +87,13 @@ def finish_config(self) -> bool:
 
         return False
 
+    def finish_training(self) -> bool:
+        if self._training_done and not self.training_finished:
+            self.training_finished = True
+            return True
+
+        return False
+
     def run(self) -> FitLogicState:
         if do_configure(
             data_use_configure=self.data_use_configure,
@@ -103,5 +113,7 @@ def run(self) -> FitLogicState:
             ):
                 self.data_used_train += 1
                 return FitLogicState.DO_TRAIN
+            elif self.data_used_train > 0 and not self._training_done:
+                self._training_done = True
 
         return FitLogicState.NOTHING
\ No newline at end of file
diff --git a/src/detectmatelibrary/common/core.py b/src/detectmatelibrary/common/core.py
index 34d5a00..02afb3c 100644
--- a/src/detectmatelibrary/common/core.py
+++ b/src/detectmatelibrary/common/core.py
@@ -54,6 +54,9 @@ def configure(
     def set_configuration(self) -> None:
         pass
 
+    def post_train(self) -> None:
+        pass
+
     def get_config(self) -> Dict[str, Any]:
         return self.config.get_config()
 
@@ -100,6 +103,9 @@ def process(self, data: BaseSchema | bytes) -> BaseSchema | bytes | None:
         if fit_state == FitLogicState.DO_TRAIN:
             logger.info(f"<<{self.name}>> use data for training")
             self.train(input_=data_buffered)
+        elif self.fitlogic.finish_training():
+            logger.info(f"<<{self.name}>> finalizing training")
+            self.post_train()
 
         output_ = self.output_schema()
         logger.info(f"<<{self.name}>> processing data")
diff --git a/src/detectmatelibrary/common/detector.py b/src/detectmatelibrary/common/detector.py
index e224f68..be79e36 100644
--- a/src/detectmatelibrary/common/detector.py
+++ b/src/detectmatelibrary/common/detector.py
@@ -3,6 +3,7 @@
 
 from detectmatelibrary.utils.data_buffer import ArgsBuffer, BufferMode
 from detectmatelibrary.utils.aux import get_timestamp
+from detectmatelibrary.utils.persistency.event_persistency import EventPersistency
 
 from detectmatelibrary.schemas import ParserSchema, DetectorSchema
 
@@ -10,6 +11,7 @@
 from typing import Dict, List, Optional, Any
 
 from detectmatelibrary.utils.time_format_handler import TimeFormatHandler
+from tools.logging import logger
 
 
 _time_handler = TimeFormatHandler()
@@ -89,6 +91,45 @@ def get_global_variables(
     return result
 
 
+def validate_config_coverage(
+        detector_name: str,
+        config_events: EventsConfig | dict[str, Any],
+        persistency: EventPersistency,
+) -> None:
+    """Log warnings when configured EventIDs or variables have no training
+    data.
+
+    Args:
+        detector_name: Name of the detector (used in warning messages).
+        config_events: The detector's events configuration.
+        persistency: The persistency object populated during training.
+    """
+    config_ids = (
+        config_events.events.keys()
+        if isinstance(config_events, EventsConfig)
+        else config_events.keys()
+    )
+    if not config_ids:
+        return
+
+    events_seen = persistency.get_events_seen()
+    events_with_data = set(persistency.get_events_data().keys())
+
+    for event_id in config_ids:
+        if event_id not in events_seen:
+            logger.warning(
+                f"[{detector_name}] EventID {event_id!r} is configured but was "
+                "never observed in training data. Verify that EventIDs in your "
+                "config match those produced by the parser."
+            )
+        elif event_id not in events_with_data:
+            logger.warning(
+                f"[{detector_name}] EventID {event_id!r} was observed in training "
+                "data but no configured variables were extracted. Verify that "
+                "variable names/positions in your config match those in the data."
+            )
+
+
 class CoreDetectorConfig(CoreConfig):
     component_type: str = "detectors"
     method_type: str = "core_detector"
@@ -158,3 +199,7 @@ def configure(
     @override
     def set_configuration(self) -> None:
         pass
+
+    @override
+    def post_train(self) -> None:
+        pass
diff --git a/src/detectmatelibrary/detectors/new_value_combo_detector.py b/src/detectmatelibrary/detectors/new_value_combo_detector.py
index c461526..e85f96f 100644
--- a/src/detectmatelibrary/detectors/new_value_combo_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_combo_detector.py
@@ -1,10 +1,12 @@
 from detectmatelibrary.common._config import generate_detector_config
+from detectmatelibrary.common._config._formats import EventsConfig
 
 from detectmatelibrary.common.detector import (
     CoreDetectorConfig,
     CoreDetector,
     get_configured_variables,
-    get_global_variables
+    get_global_variables,
+    validate_config_coverage,
 )
 
 from detectmatelibrary.utils.data_buffer import BufferMode
@@ -19,6 +21,9 @@
 from typing import Any, Dict, Sequence, cast, Tuple
 from itertools import combinations
 
+from typing_extensions import override
+from tools.logging import logger
+
 
 def get_combo(variables: Dict[str, Any]) -> Dict[Tuple[str, ...], Tuple[Any, ...]]:
     """Get a single combination of all variables as a key-value pair."""
@@ -144,6 +149,12 @@ def detect(
             return True
         return False
 
+    @override
+    def post_train(self) -> None:
+        config = cast(NewValueComboDetectorConfig, self.config)
+        if not config.auto_config:
+            validate_config_coverage(self.name, config.events, self.persistency)
+
     def configure(self, input_: ParserSchema) -> None:  # type: ignore
         """Configure the detector based on the stability of individual
         variables, then learn value combinations based on that
@@ -208,3 +219,10 @@ def set_configuration(self, max_combo_size: int = 3) -> None:
         )
         # Update the config object from the dictionary instead of replacing it
         self.config = NewValueComboDetectorConfig.from_dict(config_dict, self.name)
+        events = self.config.events
+        if isinstance(events, EventsConfig) and not events.events:
+            logger.warning(
+                f"[{self.name}] auto_config=True generated an empty configuration. "
+                "No stable variable combinations were found in configure-phase data. "
+                "The detector will produce no alerts."
+            )
diff --git a/src/detectmatelibrary/detectors/new_value_detector.py b/src/detectmatelibrary/detectors/new_value_detector.py
index e9fe7c6..01c6f0e 100644
--- a/src/detectmatelibrary/detectors/new_value_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_detector.py
@@ -1,10 +1,12 @@
 from detectmatelibrary.common._config._compile import generate_detector_config
+from detectmatelibrary.common._config._formats import EventsConfig
 
 from detectmatelibrary.common.detector import (
     CoreDetectorConfig,
     CoreDetector,
     get_configured_variables,
-    get_global_variables
+    get_global_variables,
+    validate_config_coverage,
 )
 from detectmatelibrary.utils.persistency.event_data_structures.trackers.stability.stability_tracker import (
     EventStabilityTracker
@@ -15,6 +17,9 @@
 from detectmatelibrary.schemas import ParserSchema, DetectorSchema
 from detectmatelibrary.constants import GLOBAL_EVENT_ID
 
+from typing_extensions import override
+from tools.logging import logger
+
 
 class NewValueDetectorConfig(CoreDetectorConfig):
     method_type: str = "new_value_detector"
@@ -109,6 +114,11 @@ def configure(self, input_: ParserSchema) -> None:  # type: ignore
             named_variables=input_["logFormatVariables"],
         )
 
+    @override
+    def post_train(self) -> None:
+        if not self.config.auto_config:
+            validate_config_coverage(self.name, self.config.events, self.persistency)
+
     def set_configuration(self) -> None:
         variables = {}
         for event_id, tracker in self.auto_conf_persistency.get_events_data().items():
@@ -121,3 +131,10 @@ def set_configuration(self) -> None:
         )
         # Update the config object from the dictionary instead of replacing it
         self.config = NewValueDetectorConfig.from_dict(config_dict, self.name)
+        events = self.config.events
+        if isinstance(events, EventsConfig) and not events.events:
+            logger.warning(
+                f"[{self.name}] auto_config=True generated an empty configuration. "
+                "No stable variables were found in configure-phase data. "
+                "The detector will produce no alerts."
+            )
diff --git a/src/detectmatelibrary/utils/persistency/event_persistency.py b/src/detectmatelibrary/utils/persistency/event_persistency.py
index c21cb76..3c6d178 100644
--- a/src/detectmatelibrary/utils/persistency/event_persistency.py
+++ b/src/detectmatelibrary/utils/persistency/event_persistency.py
@@ -26,6 +26,7 @@ def __init__(
         event_data_kwargs: Optional[dict[str, Any]] = None,
     ):
         self.events_data: Dict[int | str, EventDataStructure] = {}
+        self.events_seen: set[int | str] = set()
         self.event_data_class = event_data_class
         self.event_data_kwargs = event_data_kwargs or {}
         self.variable_blacklist = variable_blacklist or []
@@ -39,6 +40,7 @@ def ingest_event(
         named_variables: Dict[str, Any] = {}
     ) -> None:
         """Ingest event data into the appropriate EventData store."""
+        self.events_seen.add(event_id)
         if not variables and not named_variables:
             return
         self.event_templates[event_id] = event_template
@@ -52,6 +54,11 @@ def ingest_event(
         data = data_structure.to_data(all_variables)
         data_structure.add_data(data)
 
+    def get_events_seen(self) -> set[int | str]:
+        """Retrieve all event IDs observed via ingest_event(), regardless of
+        whether variables were extracted."""
+        return self.events_seen
+
     def get_event_data(self, event_id: int | str) -> Any | None:
         """Retrieve the data for a specific event ID."""
         data_structure = self.events_data.get(event_id)
diff --git a/tests/test_common/test_core.py b/tests/test_common/test_core.py
index f8d0183..2b4e594 100644
--- a/tests/test_common/test_core.py
+++ b/tests/test_common/test_core.py
@@ -330,3 +330,59 @@ def test_set_configuration_called_once(self) -> None:
             component.process(self._make_log(i))
 
         assert component.set_configuration_called == 1
+
+
+class MockConfigWithPostTrain(CoreConfig):
+    data_use_training: int | None = 3
+
+
+class MockComponentWithPostTrain(CoreComponent):
+    def __init__(self, name: str, config: CoreConfig = MockConfigWithPostTrain()) -> None:
+        super().__init__(
+            name=name, type_="Dummy", config=config, input_schema=schemas.LogSchema
+        )
+        self.post_train_called: int = 0
+
+    def train(self, input_) -> None:
+        pass
+
+    def post_train(self) -> None:
+        self.post_train_called += 1
+
+    def run(self, input_, output_) -> bool:
+        return False
+
+
+class TestPostTrain:
+    def _make_log(self, i: int) -> schemas.LogSchema:
+        return schemas.LogSchema({
+            "__version__": "1.0.0",
+            "logID": str(i),
+            "logSource": "test",
+            "hostname": "test_hostname"
+        })
+
+    def test_post_train_called_once_after_training(self) -> None:
+        component = MockComponentWithPostTrain(name="PostTrain1")
+        for i in range(10):
+            component.process(self._make_log(i))
+        assert component.post_train_called == 1
+
+    def test_post_train_not_called_without_training(self) -> None:
+        component = MockComponentWithPostTrain(name="PostTrain2", config=CoreConfig())
+        for i in range(10):
+            component.process(self._make_log(i))
+        assert component.post_train_called == 0
+
+    def test_post_train_called_on_first_detection_item(self) -> None:
+        """post_train fires on the item immediately after training ends."""
+        component = MockComponentWithPostTrain(name="PostTrain3")
+        # data_use_training=3, so 4th item triggers post_train
+        for i in range(3):
+            component.process(self._make_log(i))
+        assert component.post_train_called == 0
+        component.process(self._make_log(3))
+        assert component.post_train_called == 1
+        # subsequent items don't re-trigger it
+        component.process(self._make_log(4))
+        assert component.post_train_called == 1
diff --git a/tests/test_common/test_fit_logic.py b/tests/test_common/test_fit_logic.py
new file mode 100644
index 0000000..11e96c4
--- /dev/null
+++ b/tests/test_common/test_fit_logic.py
@@ -0,0 +1,62 @@
+"""Tests for FitLogic training lifecycle hooks."""
+
+from detectmatelibrary.common._core_op._fit_logic import (
+    FitLogic, FitLogicState, TrainState
+)
+
+
+class TestFinishTraining:
+    """Test that finish_training() fires exactly once after bounded training."""
+
+    def test_finish_training_fires_once_after_bounded_training(self) -> None:
+        logic = FitLogic(data_use_configure=None, data_use_training=3)
+        finish_calls = []
+        for _ in range(6):
+            logic.run()
+            finish_calls.append(logic.finish_training())
+        assert finish_calls.count(True) == 1
+
+    def test_finish_training_fires_on_first_nothing_after_training(self) -> None:
+        logic = FitLogic(data_use_configure=None, data_use_training=2)
+        states = []
+        finishes = []
+        for _ in range(5):
+            state = logic.run()
+            states.append(state)
+            finishes.append(logic.finish_training())
+        # First two calls are DO_TRAIN, third is first NOTHING
+        assert states[:2] == [FitLogicState.DO_TRAIN, FitLogicState.DO_TRAIN]
+        assert states[2] == FitLogicState.NOTHING
+        assert finishes[2] is True
+        assert all(not f for f in finishes[:2])
+        assert all(not f for f in finishes[3:])
+
+    def test_finish_training_not_called_without_training(self) -> None:
+        logic = FitLogic(data_use_configure=None, data_use_training=None)
+        for _ in range(5):
+            logic.run()
+            assert logic.finish_training() is False
+
+    def test_finish_training_not_called_during_training(self) -> None:
+        logic = FitLogic(data_use_configure=None, data_use_training=5)
+        for _ in range(5):
+            state = logic.run()
+            assert state == FitLogicState.DO_TRAIN
+            assert logic.finish_training() is False
+
+    def test_finish_training_not_called_with_keep_training(self) -> None:
+        logic = FitLogic(data_use_configure=None, data_use_training=None)
+        logic.train_state = TrainState.KEEP_TRAINING
+        for _ in range(10):
+            state = logic.run()
+            assert state == FitLogicState.DO_TRAIN
+            assert logic.finish_training() is False
+
+    def test_finish_training_after_configure_and_training(self) -> None:
+        """finish_training fires correctly even when configure phase precedes training."""
+        logic = FitLogic(data_use_configure=2, data_use_training=3)
+        finish_calls = []
+        for _ in range(8):
+            logic.run()
+            finish_calls.append(logic.finish_training())
+        assert finish_calls.count(True) == 1
diff --git a/tests/test_detectors/test_mismatch_warnings.py b/tests/test_detectors/test_mismatch_warnings.py
new file mode 100644
index 0000000..40242b0
--- /dev/null
+++ b/tests/test_detectors/test_mismatch_warnings.py
@@ -0,0 +1,218 @@
+"""Tests for config-data mismatch warnings in detectors.
+
+Covers two warning levels:
+1. Configured EventID never seen in training data.
+2. EventID seen in training data but configured variables not extracted.
+
+Also covers the auto_config=True empty-config warning.
+"""
+
+import logging
+import pytest
+import detectmatelibrary.schemas as schemas
+from detectmatelibrary.detectors.new_value_detector import NewValueDetector
+from detectmatelibrary.detectors.new_value_combo_detector import NewValueComboDetector
+
+
+def _make_parser_schema(
+    event_id: int,
+    variables: list,
+    log_format_variables: dict,
+) -> schemas.ParserSchema:
+    return schemas.ParserSchema({
+        "parserType": "test",
+        "EventID": event_id,
+        "template": "test template",
+        "variables": variables,
+        "logID": "1",
+        "parsedLogID": "1",
+        "parserID": "test_parser",
+        "log": "test log message",
+        "logFormatVariables": log_format_variables,
+    })
+
+
+# ---- Config fixtures --------------------------------------------------------
+
+def _nvd_config(event_id: int, pos: int = 0, header: str | None = None) -> dict:
+    """Build a minimal NewValueDetector config targeting one variable."""
+    instance: dict = {"params": {}}
+    if header is not None:
+        instance["header_variables"] = [{"pos": header, "params": {}}]
+    else:
+        instance["variables"] = [{"pos": pos, "name": f"var_{pos}", "params": {}}]
+    return {
+        "detectors": {
+            "TestDetector": {
+                "method_type": "new_value_detector",
+                "auto_config": False,
+                "params": {},
+                "events": {event_id: {"inst": instance}},
+            }
+        }
+    }
+
+
+# ---- NewValueDetector warning tests -----------------------------------------
+
+class TestNewValueDetectorMismatchWarnings:
+
+    def test_warn_event_id_never_seen(self, caplog: pytest.LogCaptureFixture) -> None:
+        """Warn when configured EventID is not present in training data at
+        all."""
+        detector = NewValueDetector(name="TestDetector", config=_nvd_config(event_id=99))
+        # Train on EventID=1 only — EventID=99 is never seen
+        for _ in range(3):
+            detector.train(_make_parser_schema(1, ["val"], {"status": "ok"}))
+
+        with caplog.at_level(logging.WARNING):
+            detector.post_train()
+
+        assert any("99" in r.message and "never observed" in r.message for r in caplog.records)
+
+    def test_warn_event_id_seen_but_no_variables_extracted(
+        self, caplog: pytest.LogCaptureFixture
+    ) -> None:
+        """Warn when EventID is seen but configured positional variable is out
+        of bounds."""
+        # Config expects var at position 0, but data has empty variables list
+        detector = NewValueDetector(name="TestDetector", config=_nvd_config(event_id=1, pos=0))
+        for _ in range(3):
+            # EventID=1 IS seen, but variables=[] so get_configured_variables returns {}
+            detector.train(_make_parser_schema(1, [], {"status": "ok"}))
+
+        with caplog.at_level(logging.WARNING):
+            detector.post_train()
+
+        assert any(
+            "1" in r.message and "no configured variables were extracted" in r.message
+            for r in caplog.records
+        )
+
+    def test_warn_header_variable_not_in_log_format(
+        self, caplog: pytest.LogCaptureFixture
+    ) -> None:
+        """Warn when EventID is seen but configured header_variable key is
+        absent."""
+        # Config expects header 'Time', but data has only 'status'
+        detector = NewValueDetector(
+            name="TestDetector", config=_nvd_config(event_id=1, header="Time")
+        )
+        for _ in range(3):
+            detector.train(_make_parser_schema(1, [], {"status": "ok"}))
+
+        with caplog.at_level(logging.WARNING):
+            detector.post_train()
+
+        assert any("no configured variables were extracted" in r.message for r in caplog.records)
+
+    def test_no_warning_when_config_matches_data(
+        self, caplog: pytest.LogCaptureFixture
+    ) -> None:
+        """No warning when configured variables are correctly extracted during
+        training."""
+        detector = NewValueDetector(
+            name="TestDetector", config=_nvd_config(event_id=1, header="status")
+        )
+        for _ in range(3):
+            detector.train(_make_parser_schema(1, [], {"status": "ok"}))
+
+        with caplog.at_level(logging.WARNING):
+            detector.post_train()
+
+        assert not any(r.levelno == logging.WARNING for r in caplog.records)
+
+    def test_auto_config_skips_mismatch_check(
+        self, caplog: pytest.LogCaptureFixture
+    ) -> None:
+        """post_train() does not run coverage check for auto_config=True
+        detectors."""
+        detector = NewValueDetector()  # auto_config=True by default
+        # Train on some data — no mismatch check should fire because auto_config=True
+        for _ in range(3):
+            detector.train(_make_parser_schema(1, ["x"], {"status": "ok"}))
+
+        with caplog.at_level(logging.WARNING):
+            detector.post_train()
+
+        mismatch_warnings = [
+            r for r in caplog.records
+            if "never observed" in r.message or "no configured variables" in r.message
+        ]
+        assert not mismatch_warnings
+
+    def test_auto_config_empty_config_warning(
+        self, caplog: pytest.LogCaptureFixture
+    ) -> None:
+        """Warn in set_configuration() when auto_config produces an empty
+        events config."""
+        detector = NewValueDetector()
+        # configure() with no data → auto_conf_persistency is empty → empty config
+        with caplog.at_level(logging.WARNING):
+            detector.set_configuration()
+
+        assert any("empty configuration" in r.message for r in caplog.records)
+
+
+# ---- NewValueComboDetector warning tests ------------------------------------
+
+class TestNewValueComboDetectorMismatchWarnings:
+
+    def test_warn_event_id_never_seen(self, caplog: pytest.LogCaptureFixture) -> None:
+        """Warn when configured EventID is not present in combo detector
+        training data."""
+        config = {
+            "detectors": {
+                "ComboDetector": {
+                    "method_type": "new_value_combo_detector",
+                    "auto_config": False,
+                    "params": {},
+                    "events": {
+                        99: {
+                            "inst": {
+                                "params": {},
+                                "header_variables": [{"pos": "status", "params": {}}],
+                            }
+                        }
+                    },
+                }
+            }
+        }
+        detector = NewValueComboDetector(name="ComboDetector", config=config)
+        for _ in range(3):
+            detector.train(_make_parser_schema(1, ["val"], {"status": "ok"}))
+
+        with caplog.at_level(logging.WARNING):
+            detector.post_train()
+
+        assert any("99" in r.message and "never observed" in r.message for r in caplog.records)
+
+    def test_no_warning_when_config_matches(
+        self, caplog: pytest.LogCaptureFixture
+    ) -> None:
+        """No warning when combo detector config matches training data."""
+        config = {
+            "detectors": {
+                "ComboDetector": {
+                    "method_type": "new_value_combo_detector",
+                    "auto_config": False,
+                    "params": {},
+                    "events": {
+                        1: {
+                            "inst": {
+                                "params": {},
+                                "header_variables": [{"pos": "status", "params": {}}],
+                            }
+                        }
+                    },
+                }
+            }
+        }
+        detector = NewValueComboDetector(name="ComboDetector", config=config)
+        for _ in range(3):
+            detector.train(_make_parser_schema(1, [], {"status": "ok"}))
+
+        with caplog.at_level(logging.WARNING):
+            detector.post_train()
+
+        assert not any(r.levelno == logging.WARNING for r in caplog.records)
diff --git a/tests/test_utils/test_events_seen.py b/tests/test_utils/test_events_seen.py
new file mode 100644
index 0000000..62467e3
--- /dev/null
+++ b/tests/test_utils/test_events_seen.py
@@ -0,0 +1,66 @@
+"""Tests for EventPersistency.events_seen tracking."""
+
+from detectmatelibrary.utils.persistency.event_persistency import EventPersistency
+from detectmatelibrary.utils.persistency.event_data_structures.trackers import EventStabilityTracker
+
+
+class TestEventsSeen:
+    """Test that events_seen tracks all event IDs passed to ingest_event()."""
+
+    def setup_method(self) -> None:
+        self.persistency = EventPersistency(event_data_class=EventStabilityTracker)
+
+    def test_events_seen_recorded_on_early_return(self) -> None:
+        """Event ID is tracked even when variables are empty (early-return
+        path)."""
+        self.persistency.ingest_event(
+            event_id="E1",
+            event_template="some template",
+            variables=[],
+            named_variables={}
+        )
+        assert "E1" in self.persistency.get_events_seen()
+        assert "E1" not in self.persistency.get_events_data()
+
+    def test_events_seen_recorded_with_data(self) -> None:
+        """Event ID is tracked when variables are present."""
+        self.persistency.ingest_event(
+            event_id="E2",
+            event_template="some template",
+            named_variables={"status": "ok"}
+        )
+        assert "E2" in self.persistency.get_events_seen()
+        assert "E2" in self.persistency.get_events_data()
+
+    def test_events_seen_not_duplicated(self) -> None:
+        """Repeated calls for the same event ID produce a single entry."""
+        for _ in range(5):
+            self.persistency.ingest_event(
+                event_id=42,
+                event_template="t",
+                named_variables={"x": "v"}
+            )
+        assert len(self.persistency.get_events_seen()) == 1
+        assert 42 in self.persistency.get_events_seen()
+
+    def test_events_seen_tracks_multiple_ids(self) -> None:
+        """Multiple distinct event IDs are all tracked."""
+        for eid in [1, 2, 3]:
+            self.persistency.ingest_event(
+                event_id=eid,
+                event_template="t",
+                named_variables={"x": str(eid)}
+            )
+        assert self.persistency.get_events_seen() == {1, 2, 3}
+
+    def test_get_events_seen_returns_set(self) -> None:
+        """get_events_seen() returns a set."""
+        result = self.persistency.get_events_seen()
+        assert isinstance(result, set)
+
+    def test_events_seen_mixed_empty_and_nonempty(self) -> None:
+        """Events seen with and without data are both in events_seen."""
+        self.persistency.ingest_event(event_id=1, event_template="t")
+        self.persistency.ingest_event(event_id=2, event_template="t", named_variables={"k": "v"})
+        assert {1, 2} == self.persistency.get_events_seen()
+        assert set(self.persistency.get_events_data().keys()) == {2}

From fe9f7c82004b0f214cbd568796e9b5ea693cd01b Mon Sep 17 00:00:00 2001
From: viktorbeck98 <viktor.beck98@gmail.com>
Date: Mon, 30 Mar 2026 23:15:24 +0200
Subject: [PATCH 14/16] fix minor issue

---
 src/detectmatelibrary/detectors/new_value_combo_detector.py | 3 ---
 src/detectmatelibrary/detectors/new_value_detector.py       | 2 --
 2 files changed, 5 deletions(-)

diff --git a/src/detectmatelibrary/detectors/new_value_combo_detector.py b/src/detectmatelibrary/detectors/new_value_combo_detector.py
index 8b367cd..6d8efa3 100644
--- a/src/detectmatelibrary/detectors/new_value_combo_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_combo_detector.py
@@ -52,9 +52,6 @@ def get_all_possible_combos(
 class NewValueComboDetectorConfig(CoreDetectorConfig):
     method_type: str = "new_value_combo_detector"
 
-    events: EventsConfig | dict[str, Any] = {}
-    global_instances: Dict[str, _EventInstance] = {}
-
     max_combo_size: int = 3
     use_stable_vars: bool = True
     use_static_vars: bool = False
diff --git a/src/detectmatelibrary/detectors/new_value_detector.py b/src/detectmatelibrary/detectors/new_value_detector.py
index ab201d8..e7b6762 100644
--- a/src/detectmatelibrary/detectors/new_value_detector.py
+++ b/src/detectmatelibrary/detectors/new_value_detector.py
@@ -19,8 +19,6 @@
 class NewValueDetectorConfig(CoreDetectorConfig):
     method_type: str = "new_value_detector"
 
-    events: EventsConfig | dict[str, Any] = {}
-    global_instances: Dict[str, _EventInstance] = {}
     use_stable_vars: bool = True
     use_static_vars: bool = True
 

From f410dff59aa9416c92bf1f76a8f9e167f484730c Mon Sep 17 00:00:00 2001
From: viktorbeck98 <viktor.beck98@gmail.com>
Date: Tue, 31 Mar 2026 14:23:25 +0200
Subject: [PATCH 15/16] add issue and PR templates

---
 .github/ISSUE_TEMPLATE/01_bug_report.md      | 21 ++++++++++++++++++++
 .github/ISSUE_TEMPLATE/02_feature_request.md | 20 +++++++++++++++++++
 .github/ISSUE_TEMPLATE/config.yml            |  1 +
 .github/pull_request_template.md             | 19 ++++++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 .github/ISSUE_TEMPLATE/01_bug_report.md
 create mode 100644 .github/ISSUE_TEMPLATE/02_feature_request.md
 create mode 100644 .github/ISSUE_TEMPLATE/config.yml
 create mode 100644 .github/pull_request_template.md

diff --git a/.github/ISSUE_TEMPLATE/01_bug_report.md b/.github/ISSUE_TEMPLATE/01_bug_report.md
new file mode 100644
index 0000000..8495c6c
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/01_bug_report.md
@@ -0,0 +1,21 @@
+---
+name: 🐜 Bug report
+about: If something isn't working 🔧
+---
+
+### Subject of the issue
+Describe your issue here.
+
+### Your environment
+* Version of detectmate
+* Version of python
+* Docker or manual installation?
+
+### Steps to reproduce
+Tell us how to reproduce this issue.
+
+### Expected behaviour
+Tell us what should happen
+
+### Actual behaviour
+Tell us what happens instead
diff --git a/.github/ISSUE_TEMPLATE/02_feature_request.md b/.github/ISSUE_TEMPLATE/02_feature_request.md
new file mode 100644
index 0000000..442b05c
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/02_feature_request.md
@@ -0,0 +1,20 @@
+---
+name: 🚀 Feature request
+about: If you have a feature request 💡
+---
+
+**Context**
+
+What are you trying to do and how would you want to do it differently? Is it something you currently you cannot do? Is this related to an issue/problem?
+
+**Alternatives**
+
+Can you achieve the same result doing it in an alternative way? Is the alternative considerable?
+
+**Has the feature been requested before?**
+
+Please provide a link to the issue.
+
+**If the feature request is approved, would you be willing to submit a PR?**
+
+Yes / No _(Help can be provided if you need assistance submitting a PR)_
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 0000000..3ba13e0
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1 @@
+blank_issues_enabled: false
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..53dec30
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,19 @@
+# Task
+<!-- Please add link a relevant issue or task -->
+
+# Description
+<!-- Please include a summary of the change -->
+<!-- Any details that you think are important to review this PR? -->
+<!-- Are there other PRs related to this one? -->
+
+# How Has This Been Tested?
+<!-- Please describe how you tested your changes -->
+
+# Checklist
+<!-- Go over all the following points, and put an `x` in all the boxes that apply -->
+
+- [ ] This Pull-Request goes to the **development** branch.
+- [ ] I have successfully run prek locally.
+- [ ] I have added tests to cover my changes.
+- [ ] I have linked the issue-id to the task-description.
+- [ ] I have performed a self-review of my own code.

From f574b5535b0cf9f95cea3a08fe85ab6d7cf242b0 Mon Sep 17 00:00:00 2001
From: viktorbeck98 <viktor.beck98@gmail.com>
Date: Tue, 31 Mar 2026 15:38:11 +0200
Subject: [PATCH 16/16] feat(config): support named wildcards and named event
 IDs in template matcher
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Users can now write <label> instead of <*> in template files to give
wildcards meaningful names, and use an EventId column in CSV template
files to assign stable string identifiers to events. Both formats are
compiled to the existing positional representation at load time, so all
runtime code (ParserSchema, get_configured_variables) is unchanged.

- _compile_templates(): converts <label> → <*> and records label order
  and per-template event ID labels (from CSV EventId column)
- TemplatesManager / TemplateMatcher: accept metadata; expose
  compile_detector_config() to resolve string pos labels and string
  event keys to positional ints before pipeline startup
- Variable.pos: str | int (string = named label, compiled to int)
- Variable.name: optional (defaults to empty; label serves as name)
- load_templates(): returns (templates, event_id_labels); CSV files
  support an optional EventId column for named event IDs (.txt files
  remain positional-only)
- Tests and test fixtures for all new paths; roundtrip tests confirm
  string pos and string event keys survive YAML → Pydantic → YAML

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../common/_config/_formats.py                |  11 +-
 src/detectmatelibrary/common/detector.py      |   2 +-
 .../parsers/template_matcher/_matcher_op.py   |  78 +++++++++-
 .../parsers/template_matcher/_parser.py       |  91 +++++++++--
 tests/test_common/test_config_roundtrip.py    |  87 +++++++++++
 tests/test_folder/test_config.yaml            |  32 ++++
 tests/test_folder/test_named_templates.csv    |   2 +
 tests/test_folder/test_named_templates.txt    |   1 +
 tests/test_parsers/test_template_matcher.py   | 146 ++++++++++++++++++
 9 files changed, 430 insertions(+), 20 deletions(-)
 create mode 100644 tests/test_folder/test_named_templates.csv
 create mode 100644 tests/test_folder/test_named_templates.txt

diff --git a/src/detectmatelibrary/common/_config/_formats.py b/src/detectmatelibrary/common/_config/_formats.py
index 564d5e5..dcee7e2 100644
--- a/src/detectmatelibrary/common/_config/_formats.py
+++ b/src/detectmatelibrary/common/_config/_formats.py
@@ -6,16 +6,17 @@
 
 # Sub-formats ********************************************************+
 class Variable(BaseModel):
-    pos: int
-    name: str
+    pos: str | int
+    name: str = ""
     params: Dict[str, Any] = {}
 
     def to_dict(self) -> Dict[str, Any]:
         """Convert Variable to YAML-compatible dictionary."""
         result: Dict[str, Any] = {
             "pos": self.pos,
-            "name": self.name,
         }
+        if self.name:
+            result["name"] = self.name
         if self.params:
             result["params"] = self.params
         return result
@@ -38,7 +39,7 @@ def to_dict(self) -> Dict[str, Any]:
 class _EventInstance(BaseModel):
     """Configuration for a specific instance within an event."""
     params: Dict[str, Any] = {}
-    variables: Dict[int, Variable] = {}
+    variables: Dict[str | int, Variable] = {}
     header_variables: Dict[str, Header] = {}
 
     @classmethod
@@ -79,7 +80,7 @@ def _init(cls, instances_dict: Dict[str, Dict[str, Any]]) -> "_EventConfig":
         return cls(instances=instances)
 
     @property
-    def variables(self) -> Dict[int, Variable]:
+    def variables(self) -> Dict[str | int, Variable]:
         """Pass-through to first instance for compatibility."""
         if self.instances:
             return next(iter(self.instances.values())).variables
diff --git a/src/detectmatelibrary/common/detector.py b/src/detectmatelibrary/common/detector.py
index e224f68..e3fad55 100644
--- a/src/detectmatelibrary/common/detector.py
+++ b/src/detectmatelibrary/common/detector.py
@@ -56,7 +56,7 @@ def get_configured_variables(
     # Extract template variables by position
     if hasattr(event_config, "variables"):
         for pos, var in event_config.variables.items():
-            if pos < len(input_["variables"]):
+            if isinstance(pos, int) and pos < len(input_["variables"]):
                 result[var.name] = input_["variables"][pos]
 
     # Extract header/log format variables by name
diff --git a/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py b/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py
index 8760ab2..399edfd 100644
--- a/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py
+++ b/src/detectmatelibrary/parsers/template_matcher/_matcher_op.py
@@ -1,8 +1,17 @@
 from collections import defaultdict
-from typing import Dict, List, Any, Tuple
+from typing import Dict, List, Any, Tuple, TypedDict
 import regex
 import re
 
+from detectmatelibrary.common._config._formats import (
+    EventsConfig, _EventConfig, _EventInstance, Variable
+)
+
+
+class TemplateMetadata(TypedDict):
+    event_id_label: str | None
+    labels: list[str]
+
 
 def safe_search(pattern: str, string: str, timeout: int = 1) -> regex.Match[str] | None:
     """Perform regex search with a timeout to prevent catastrophic
@@ -64,6 +73,7 @@ class TemplatesManager:
     def __init__(
         self,
         template_list: list[str],
+        metadata: dict[int, TemplateMetadata] | None = None,
         remove_spaces: bool = True,
         remove_punctuation: bool = True,
         lowercase: bool = True
@@ -96,6 +106,61 @@ def __init__(
             first = tokens[0] if tokens else ""
             self._prefix_index[first].append(idx)
 
+        _metadata: dict[int, TemplateMetadata] = metadata or {}
+        self._event_label_to_idx: dict[str, int] = {
+            m["event_id_label"]: i
+            for i, m in _metadata.items()
+            if m["event_id_label"]
+        }
+        self._idx_to_var_map: dict[int, dict[str, int]] = {
+            i: {label: pos for pos, label in enumerate(m["labels"])}
+            for i, m in _metadata.items()
+            if m["labels"]
+        }
+
+    def compile_events_config(self, events_config: EventsConfig) -> EventsConfig:
+        """Resolve named event IDs and named variable labels to positional
+        ints.
+
+        Translates user-friendly named format to the internal positional
+        representation. Returns a new EventsConfig with only int keys
+        and int positions.
+        """
+        new_events: Dict[Any, _EventConfig] = {}
+
+        for event_key, event_config in events_config.events.items():
+            if isinstance(event_key, str) and event_key in self._event_label_to_idx:
+                resolved_key: str | int = self._event_label_to_idx[event_key]
+            else:
+                resolved_key = event_key
+
+            var_map = self._idx_to_var_map.get(resolved_key if isinstance(resolved_key, int) else -1, {})
+
+            new_instances: Dict[str, _EventInstance] = {}
+            for instance_id, instance in event_config.instances.items():
+                new_vars: Dict[str | int, Variable] = {}
+                for pos, var in instance.variables.items():
+                    if isinstance(pos, str):
+                        if pos not in var_map:
+                            raise ValueError(
+                                f"Label '{pos}' not found in template for event '{event_key}'. "
+                                f"Available labels: {list(var_map)}"
+                            )
+                        resolved_pos = var_map[pos]
+                        new_vars[resolved_pos] = Variable(
+                            pos=resolved_pos, name=pos, params=var.params
+                        )
+                    else:
+                        new_vars[pos] = var
+                new_instances[instance_id] = _EventInstance(
+                    params=instance.params,
+                    variables=new_vars,
+                    header_variables=instance.header_variables,
+                )
+            new_events[resolved_key] = _EventConfig(instances=new_instances)
+
+        return EventsConfig(events=new_events)
+
     def candidate_indices(self, s: str) -> Tuple[str, List[int]]:
         pre_s = self.preprocess(s)
         candidates = []
@@ -110,17 +175,28 @@ class TemplateMatcher:
     def __init__(
         self,
         template_list: list[str],
+        metadata: dict[int, TemplateMetadata] | None = None,
         remove_spaces: bool = True,
         remove_punctuation: bool = True,
         lowercase: bool = True
     ) -> None:
         self.manager = TemplatesManager(
             template_list=template_list,
+            metadata=metadata,
             remove_spaces=remove_spaces,
             remove_punctuation=remove_punctuation,
             lowercase=lowercase
         )
 
+    def compile_detector_config(self, events_config: EventsConfig) -> EventsConfig:
+        """Resolve named event IDs and variable labels to positional ints.
+
+        Call once at setup time. Returns a new EventsConfig using the
+        internal positional representation, compatible with
+        get_configured_variables().
+        """
+        return self.manager.compile_events_config(events_config)
+
     @staticmethod
     def extract_parameters(log: str, template: str) -> tuple[str, ...] | None:
         """Extract parameters from the log based on the template."""
diff --git a/src/detectmatelibrary/parsers/template_matcher/_parser.py b/src/detectmatelibrary/parsers/template_matcher/_parser.py
index 67fb5a8..edcae99 100644
--- a/src/detectmatelibrary/parsers/template_matcher/_parser.py
+++ b/src/detectmatelibrary/parsers/template_matcher/_parser.py
@@ -1,10 +1,13 @@
-from detectmatelibrary.parsers.template_matcher._matcher_op import TemplateMatcher
+from detectmatelibrary.parsers.template_matcher._matcher_op import TemplateMatcher, TemplateMetadata
 from detectmatelibrary.common.parser import CoreParser, CoreParserConfig
 from detectmatelibrary import schemas
 
 from typing import Any
 import csv
 import os
+import re
+
+_NAMED_WC_RE = re.compile(r'<([A-Za-z_]\w*)>')
 
 
 class TemplatesNotFoundError(Exception):
@@ -15,34 +18,93 @@ class TemplateNoPermissionError(Exception):
     pass
 
 
-def load_templates(path: str) -> list[str]:
+def _compile_templates(
+    raw_templates: list[str],
+    event_id_labels: list[str | None] | None = None,
+) -> tuple[list[str], dict[int, TemplateMetadata]]:
+    """Convert named wildcards to <*> and record label order and event ID
+    labels.
+
+    Args:
+        raw_templates: Raw template strings, possibly containing named wildcards.
+        event_id_labels: Optional per-template event ID labels (from CSV EventId column).
+                         If provided, must have the same length as raw_templates.
+
+    Returns:
+        compiled: Template strings with only <*> wildcards, ready for TemplatesManager.
+        metadata: Mapping of template index to TemplateMetadata.
+
+    Raises:
+        ValueError: If a template mixes <*> and named wildcards.
+    """
+    compiled: list[str] = []
+    metadata: dict[int, TemplateMetadata] = {}
+
+    for i, raw in enumerate(raw_templates):
+        has_anon = "<*>" in raw
+        labels = _NAMED_WC_RE.findall(raw)
+        has_named = bool(labels)
+
+        if has_anon and has_named:
+            raise ValueError(
+                f"Template mixes <*> and named wildcards: {raw!r}. "
+                "Use either <*> (positional) or <label> (named) exclusively."
+            )
+
+        compiled_tpl = _NAMED_WC_RE.sub("<*>", raw) if has_named else raw
+        idx = len(compiled)
+        compiled.append(compiled_tpl)
+        eid_label = event_id_labels[i] if event_id_labels else None
+        metadata[idx] = TemplateMetadata(event_id_label=eid_label, labels=labels)
+
+    return compiled, metadata
+
+
+def load_templates(path: str) -> tuple[list[str], list[str | None]]:
+    """Load templates from a .txt or .csv file.
+
+    Returns:
+        A tuple of (template_strings, event_id_labels). For .txt files, all
+        event_id_labels are None (positional IDs only). For .csv files, an
+        optional EventId column provides named event ID labels.
+    """
     if not os.path.exists(path):
         raise TemplatesNotFoundError(f"Templates file not found at: {path}")
     if not os.access(path, os.R_OK):
         raise TemplateNoPermissionError(
             f"You do not have the permission to access the templates file: {path}"
         )
+    templates: list[str] = []
+    eid_labels: list[str | None] = []
     if path.endswith(".txt"):
         with open(path, "r") as f:
-            templates = [line.strip() for line in f if line.strip()]
+            for line in f:
+                s = line.strip()
+                if s:
+                    templates.append(s)
+                    eid_labels.append(None)
     elif path.endswith(".csv"):
-        templates = []
-        # Use the lightweight built-in csv module instead of pandas
-        # Expect a header with a 'template' column
         with open(path, newline="", encoding="utf-8") as f:
             reader = csv.DictReader(f)
             if reader.fieldnames is None or "EventTemplate" not in reader.fieldnames:
                 raise ValueError("CSV file must contain a 'EventTemplate' column.")
+            has_event_id_col = "EventId" in (reader.fieldnames or [])
             for row in reader:
                 val = row.get("EventTemplate")
                 if val is None:
                     continue
                 s = str(val).strip()
-                if s:
-                    templates.append(s)
+                if not s:
+                    continue
+                templates.append(s)
+                if has_event_id_col:
+                    eid = str(row.get("EventId", "")).strip()
+                    eid_labels.append(eid or None)
+                else:
+                    eid_labels.append(None)
     else:
         raise ValueError("Unsupported template file format. Use .txt or .csv files.")
-    return templates
+    return templates, eid_labels
 
 
 class MatcherParserConfig(CoreParserConfig):
@@ -67,11 +129,14 @@ def __init__(
         super().__init__(name=name, config=config)
         self.config: MatcherParserConfig
 
-        templates = load_templates(
-            self.config.path_templates
-        ) if self.config.path_templates is not None else []
+        if self.config.path_templates is not None:
+            raw_templates, eid_labels = load_templates(self.config.path_templates)
+        else:
+            raw_templates, eid_labels = [], []
+        compiled_templates, metadata = _compile_templates(raw_templates, eid_labels)
         self.template_matcher = TemplateMatcher(
-            template_list=templates,
+            template_list=compiled_templates,
+            metadata=metadata,
             remove_spaces=self.config.remove_spaces,
             remove_punctuation=self.config.remove_punctuation,
             lowercase=self.config.lowercase,
diff --git a/tests/test_common/test_config_roundtrip.py b/tests/test_common/test_config_roundtrip.py
index 24359ff..24fee61 100644
--- a/tests/test_common/test_config_roundtrip.py
+++ b/tests/test_common/test_config_roundtrip.py
@@ -290,3 +290,90 @@ def test_parser_true_roundtrip(self):
 
         # Dicts should be identical
         assert dict1 == dict2
+
+
+class TestNamedVariablesRoundtrip:
+    """Test that named wildcard positions and named event IDs round-trip
+    correctly."""
+
+    def test_named_pos_preserved_as_string(self):
+        """String pos values must survive yaml -> pydantic -> yaml
+        unchanged."""
+        config_yaml = load_test_config()
+        method_id = "detector_named_pos"
+
+        config = MockupDetectorConfig.from_dict(config_yaml, method_id)
+        result_dict = config.to_dict(method_id)
+
+        original = config_yaml["detectors"][method_id]
+        result = result_dict["detectors"][method_id]
+
+        orig_vars = original["events"][1]["example_detector_1"]["variables"]
+        result_vars = result["events"][1]["example_detector_1"]["variables"]
+
+        assert len(result_vars) == len(orig_vars)
+        for orig_var, result_var in zip(orig_vars, result_vars):
+            assert result_var["pos"] == orig_var["pos"]
+            assert isinstance(result_var["pos"], str)  # must stay a string, not coerced to int
+
+    def test_named_pos_no_name_field_when_omitted(self):
+        """Variables with only a label pos must not emit a 'name' key."""
+        config_yaml = load_test_config()
+        config = MockupDetectorConfig.from_dict(config_yaml, "detector_named_pos")
+        result_dict = config.to_dict("detector_named_pos")
+
+        instance = result_dict["detectors"]["detector_named_pos"]["events"][1]["example_detector_1"]
+        no_params_var = instance["variables"][0]  # pos: pid, no params
+
+        assert "pos" in no_params_var
+        assert no_params_var["pos"] == "pid"
+        assert "name" not in no_params_var
+
+    def test_named_pos_params_preserved(self):
+        """Named pos variable with params must preserve those params."""
+        config_yaml = load_test_config()
+        config = MockupDetectorConfig.from_dict(config_yaml, "detector_named_pos")
+        result_dict = config.to_dict("detector_named_pos")
+
+        instance = result_dict["detectors"]["detector_named_pos"]["events"][1]["example_detector_1"]
+        with_params_var = instance["variables"][1]  # pos: op, params: {threshold: 0.5}
+
+        assert with_params_var["pos"] == "op"
+        assert with_params_var["params"] == {"threshold": 0.5}
+
+    def test_named_event_id_preserved_as_string(self):
+        """String event ID keys must survive yaml -> pydantic -> yaml
+        unchanged."""
+        config_yaml = load_test_config()
+        method_id = "detector_named_event_id"
+
+        config = MockupDetectorConfig.from_dict(config_yaml, method_id)
+        result_dict = config.to_dict(method_id)
+
+        result_events = result_dict["detectors"][method_id]["events"]
+        assert "login_failure" in result_events
+        assert isinstance(list(result_events.keys())[0], str)
+
+    def test_named_pos_true_roundtrip(self):
+        """Yaml -> pydantic -> yaml -> pydantic produces identical objects."""
+        config_yaml = load_test_config()
+        method_id = "detector_named_pos"
+
+        config1 = MockupDetectorConfig.from_dict(config_yaml, method_id)
+        dict1 = config1.to_dict(method_id)
+        config2 = MockupDetectorConfig.from_dict(dict1, method_id)
+        dict2 = config2.to_dict(method_id)
+
+        assert dict1 == dict2
+
+    def test_named_event_id_true_roundtrip(self):
+        """Yaml -> pydantic -> yaml -> pydantic produces identical objects."""
+        config_yaml = load_test_config()
+        method_id = "detector_named_event_id"
+
+        config1 = MockupDetectorConfig.from_dict(config_yaml, method_id)
+        dict1 = config1.to_dict(method_id)
+        config2 = MockupDetectorConfig.from_dict(dict1, method_id)
+        dict2 = config2.to_dict(method_id)
+
+        assert dict1 == dict2
diff --git a/tests/test_folder/test_config.yaml b/tests/test_folder/test_config.yaml
index ff679b1..0c38f27 100644
--- a/tests/test_folder/test_config.yaml
+++ b/tests/test_folder/test_config.yaml
@@ -165,3 +165,35 @@ detectors:
     method_type: new_value_combo_detector
     parser: example_parser_1
     auto_config: true
+
+  detector_named_pos:
+    method_type: ExampleDetector
+    parser: example_parser_1
+    auto_config: false
+    params: {}
+    events:
+      1:  # positional event_id; named wildcards in .txt templates use int event keys
+        example_detector_1:
+          params: {}
+          variables:
+            - pos: pid  # named label; no 'name' field needed
+            - pos: op
+              params:
+                threshold: 0.5
+          header_variables:
+            - pos: Level
+              params:
+                threshold: 0.2
+
+  detector_named_event_id:
+    method_type: ExampleDetector
+    parser: example_parser_1
+    auto_config: false
+    params: {}
+    events:
+      login_failure:  # named event_id; only valid for CSV templates with an EventId column
+        example_detector_1:
+          params: {}
+          variables:
+            - pos: pid
+            - pos: uid
diff --git a/tests/test_folder/test_named_templates.csv b/tests/test_folder/test_named_templates.csv
new file mode 100644
index 0000000..3ce1622
--- /dev/null
+++ b/tests/test_folder/test_named_templates.csv
@@ -0,0 +1,2 @@
+EventId,EventTemplate
+login_failure,"pid=<pid> uid=<uid> auid=<auid> ses=<ses> msg='op=PAM:<op> acct=<acct>"
diff --git a/tests/test_folder/test_named_templates.txt b/tests/test_folder/test_named_templates.txt
new file mode 100644
index 0000000..1ef130f
--- /dev/null
+++ b/tests/test_folder/test_named_templates.txt
@@ -0,0 +1 @@
+pid=<pid> uid=<uid> auid=<auid> ses=<ses> msg='op=PAM:<op> acct=<acct>
diff --git a/tests/test_parsers/test_template_matcher.py b/tests/test_parsers/test_template_matcher.py
index 04e4bdc..9e5cf5c 100644
--- a/tests/test_parsers/test_template_matcher.py
+++ b/tests/test_parsers/test_template_matcher.py
@@ -3,6 +3,8 @@
 from detectmatelibrary.parsers.template_matcher import (
     MatcherParser, MatcherParserConfig, TemplatesNotFoundError
 )
+from detectmatelibrary.parsers.template_matcher._parser import _compile_templates
+from detectmatelibrary.common._config._formats import EventsConfig
 from detectmatelibrary import schemas
 
 test_template = [
@@ -95,3 +97,147 @@ def test_custom_preprocessing_flags(self):
         parser.parse(input_log, output_data)
         # Still matches template even with preprocessing disabled
         assert output_data.template == test_template[0]
+
+
+class TestCompileTemplates:
+    def test_named_wildcards_compiled_to_anon(self):
+        raw = ["pid=<pid> uid=<uid> auid=<auid>"]
+        compiled, metadata = _compile_templates(raw)
+        assert compiled == ["pid=<*> uid=<*> auid=<*>"]
+        assert metadata[0]["labels"] == ["pid", "uid", "auid"]
+        assert metadata[0]["event_id_label"] is None
+
+    def test_anonymous_wildcards_unchanged(self):
+        raw = ["pid=<*> uid=<*>"]
+        compiled, metadata = _compile_templates(raw)
+        assert compiled == ["pid=<*> uid=<*>"]
+        assert metadata[0]["labels"] == []
+        assert metadata[0]["event_id_label"] is None
+
+    def test_event_id_label_stored(self):
+        raw = ["pid=<pid> uid=<uid>"]
+        eid_labels: list[str | None] = ["login_failure"]
+        compiled, metadata = _compile_templates(raw, eid_labels)
+        assert compiled == ["pid=<*> uid=<*>"]
+        assert metadata[0]["event_id_label"] == "login_failure"
+        assert metadata[0]["labels"] == ["pid", "uid"]
+
+    def test_mixing_raises_value_error(self):
+        raw = ["pid=<*> uid=<uid>"]
+        with pytest.raises(ValueError, match="mixes"):
+            _compile_templates(raw)
+
+    def test_multiple_templates(self):
+        raw = ["pid=<pid> uid=<uid>", "arch=<*> syscall=<*>"]
+        compiled, metadata = _compile_templates(raw)
+        assert compiled[0] == "pid=<*> uid=<*>"
+        assert compiled[1] == "arch=<*> syscall=<*>"
+        assert metadata[0]["labels"] == ["pid", "uid"]
+        assert metadata[1]["labels"] == []
+
+
+class TestNamedWildcardsTxt:
+    """Named wildcards in .txt template files (event IDs remain positional)."""
+
+    named_template_compiled = "pid=<*> uid=<*> auid=<*> ses=<*> msg='op=PAM:<*> acct=<*>"
+
+    def test_match_produces_correct_variables(self):
+        config = MatcherParserConfig(path_templates="tests/test_folder/test_named_templates.txt")
+        parser = MatcherParser(name="MatcherParser", config=config)
+        input_log = schemas.LogSchema({"log": test_log_match})
+        output_data = schemas.ParserSchema()
+        parser.parse(input_log, output_data)
+
+        assert output_data.template == self.named_template_compiled
+        assert output_data.EventID == 0
+        assert len(output_data.variables) == 6
+
+    def test_compile_resolves_named_positions(self):
+        config = MatcherParserConfig(path_templates="tests/test_folder/test_named_templates.txt")
+        parser = MatcherParser(name="MatcherParser", config=config)
+
+        raw_events: dict = {
+            0: {
+                "my_detector": {
+                    "params": {},
+                    "variables": [
+                        {"pos": "pid"},
+                        {"pos": "op"},
+                    ]
+                }
+            }
+        }
+        events_config = EventsConfig._init(raw_events)
+        compiled = parser.template_matcher.compile_detector_config(events_config)
+
+        # pid is label 0 → pos 0; op is label 4 → pos 4
+        resolved_vars = compiled.events[0].variables
+        assert 0 in resolved_vars
+        assert resolved_vars[0].name == "pid"
+        assert 4 in resolved_vars
+        assert resolved_vars[4].name == "op"
+
+    def test_compile_unknown_label_raises(self):
+        config = MatcherParserConfig(path_templates="tests/test_folder/test_named_templates.txt")
+        parser = MatcherParser(name="MatcherParser", config=config)
+
+        raw_events: dict = {
+            0: {"d": {"params": {}, "variables": [{"pos": "nonexistent"}]}}
+        }
+        events_config = EventsConfig._init(raw_events)
+        with pytest.raises(ValueError, match="nonexistent"):
+            parser.template_matcher.compile_detector_config(events_config)
+
+
+class TestNamedEventIdCsv:
+    """Named event IDs via CSV EventId column."""
+
+    named_template_compiled = "pid=<*> uid=<*> auid=<*> ses=<*> msg='op=PAM:<*> acct=<*>"
+
+    def test_match_produces_correct_variables(self):
+        config = MatcherParserConfig(path_templates="tests/test_folder/test_named_templates.csv")
+        parser = MatcherParser(name="MatcherParser", config=config)
+        input_log = schemas.LogSchema({"log": test_log_match})
+        output_data = schemas.ParserSchema()
+        parser.parse(input_log, output_data)
+
+        assert output_data.template == self.named_template_compiled
+        assert output_data.EventID == 0
+        assert len(output_data.variables) == 6
+
+    def test_compile_resolves_named_event_key(self):
+        config = MatcherParserConfig(path_templates="tests/test_folder/test_named_templates.csv")
+        parser = MatcherParser(name="MatcherParser", config=config)
+
+        raw_events: dict = {
+            "login_failure": {
+                "my_detector": {
+                    "params": {},
+                    "variables": [
+                        {"pos": "pid"},
+                        {"pos": "uid"},
+                    ]
+                }
+            }
+        }
+        events_config = EventsConfig._init(raw_events)
+        compiled = parser.template_matcher.compile_detector_config(events_config)
+
+        # "login_failure" → int key 0
+        assert 0 in compiled.events
+        resolved_vars = compiled.events[0].variables
+        assert 0 in resolved_vars and resolved_vars[0].name == "pid"
+        assert 1 in resolved_vars and resolved_vars[1].name == "uid"
+
+    def test_positional_int_event_key_still_works(self):
+        config = MatcherParserConfig(path_templates="tests/test_folder/test_named_templates.csv")
+        parser = MatcherParser(name="MatcherParser", config=config)
+
+        raw_events: dict = {
+            0: {"d": {"params": {}, "variables": [{"pos": 0, "name": "process_id"}]}}
+        }
+        events_config = EventsConfig._init(raw_events)
+        compiled = parser.template_matcher.compile_detector_config(events_config)
+
+        assert 0 in compiled.events
+        assert compiled.events[0].variables[0].name == "process_id"