Collect Nix System Red Hat logs

This document explains how to ingest RHEL Server (Unix System) logs into Google Security Operations using Bindplane. The parser accepts both syslog and JSON formatted logs. It first initializes a wide array of UDM fields to empty strings, performs several string substitutions on the message field, and then attempts to parse the message as JSON. If JSON parsing fails, it falls back to grok patterns that extract fields from the message and event_details.original content. The extracted fields are then mapped to the UDM based on the event type and a number of conditional checks, which handle the different log formats and structures produced by the various Unix system processes and services.

Before you begin

Ensure that you have the following prerequisites:

  • Google SecOps instance
  • If running behind a proxy, ensure the required firewall ports are open
  • Privileged access to a RHEL server

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh


Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:
    • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux.
    • Open the file using a text editor (for example, nano or vi).
  2. Edit the config.yaml file as follows:

    receivers:
      filelog/linux:
        include:
          - /var/log/messages
          - /var/log/lastlog
          - /var/log/btmp
          - /var/log/wtmp
          - /var/log/secure
          - /var/log/cron
          - /var/log/maillog
          - /var/log/boot
        start_at: end
        poll_interval: 5s

    exporters:
      chronicle/linux:
        # Adjust the path to the credentials file you downloaded in Step 1
        creds: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # Log type that selects the Unix System parser in Google SecOps
        log_type: 'NIX_SYSTEM'
        override_log_type: false
        raw_log_field: body

    service:
      pipelines:
        logs/linux:
          receivers:
            - filelog/linux
          exporters: [chronicle/linux]

  3. Replace <customer_id> with the actual customer ID.
  4. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Start the Bindplane agent and apply changes

  1. Start the Bindplane agent:

    sudo systemctl start bindplane-agent

  2. Enable the bindplane-agent service so that it starts at boot:

    sudo systemctl enable --now bindplane-agent

  3. Restart the Bindplane agent if needed (for example, after editing config.yaml):

    sudo systemctl restart bindplane-agent

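As an added pre-flight check (not part of the original page or the Bindplane project), the following POSIX shell function verifies the edited config.yaml before the agent is started. It assumes the single-file layout shown above and checks that the <customer_id> placeholder was replaced, that the creds file exists, that log_type is still NIX_SYSTEM, and that every file in the include list is readable; run it with the same privileges as the agent so the readability check reflects what the agent will see.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Bindplane config.yaml shown above.
# Assumes the page's layout: a filelog/linux receiver with an include list and
# a chronicle/linux exporter carrying creds, customer_id and log_type.
#
# Usage: check_bindplane_config /etc/bindplane-agent/config.yaml
# Prints one line per problem and returns the number of problems found
# (0 means the config is ready to start). Paths containing spaces are not
# supported by the simple word-splitting used below.
check_bindplane_config() {
  cfg=$1
  problems=0

  if [ ! -r "$cfg" ]; then
    echo "config not readable: $cfg"
    return 1
  fi

  # The <customer_id> placeholder from the template must be replaced.
  if grep -Eq '^[[:space:]]*customer_id:[[:space:]]*<customer_id>' "$cfg"; then
    echo "customer_id is still the <customer_id> placeholder"
    problems=$((problems + 1))
  fi

  # creds must name an existing, readable ingestion authentication file.
  creds=$(sed -n 's/^[[:space:]]*creds:[[:space:]]*//p' "$cfg" | head -n 1 | tr -d "'\"")
  if [ -z "$creds" ]; then
    echo "exporter has no creds entry"
    problems=$((problems + 1))
  elif [ ! -r "$creds" ]; then
    echo "creds file missing or unreadable: $creds"
    problems=$((problems + 1))
  fi

  # log_type must stay NIX_SYSTEM so the Unix System parser is applied.
  if ! grep -Eq "^[[:space:]]*log_type:[[:space:]]*['\"]?NIX_SYSTEM['\"]?[[:space:]]*$" "$cfg"; then
    echo "log_type is not NIX_SYSTEM"
    problems=$((problems + 1))
  fi

  # Every absolute path in the include list must be readable, otherwise the
  # receiver collects nothing from it without any error in the pipeline.
  for path in $(grep -E '^[[:space:]]*-[[:space:]]+/' "$cfg" | sed 's/^[[:space:]]*-[[:space:]]*//'); do
    if [ ! -r "$path" ]; then
      echo "included log file missing or unreadable: $path"
      problems=$((problems + 1))
    fi
  done

  return "$problems"
}
```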

UDM mapping table

Log Field | UDM Mapping | Logic
--- | --- | ---
AccessControlRuleAction | security_result.action | If AccessControlRuleAction is Allow, set to ALLOW. If AccessControlRuleAction is Block, set to BLOCK.
ACPolicy | security_result.rule_labels | Key: ACPolicy, Value: ACPolicy
AccessControlRuleName | security_result.rule_name | Direct mapping.
acct | event.idm.read_only_udm.target.user.userid | Direct mapping after removing quotes and backslashes.
addr | event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip | Direct mapping if not empty, ?, or UNKNOWN.
ApplicationProtocol | event.idm.read_only_udm.network.application_protocol | Direct mapping.
auid | event.idm.read_only_udm.additional.fields | Key: auid, Value: auid
comm | event.idm.read_only_udm.target.process.command_line | Direct mapping.
command | event.idm.read_only_udm.target.process.command_line | Direct mapping after removing leading/trailing whitespace.
Computer | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Direct mapping. If empty, use HostName.
ConnectionID | security_result.detection_fields | Key: Connection ID, Value: ConnectionID
cwd | event.idm.read_only_udm.target.process.file.full_path | Direct mapping after removing quotes.
data | message | Used in grok patterns.
desc | security_result.description | Direct mapping.
description | event.idm.read_only_udm.metadata.description, security_result.description | Direct mapping.
descript | security_result.description | Direct mapping after removing hashes.
DeviceUUID | event.idm.read_only_udm.metadata.product_log_id | Direct mapping.
DNSQuery | event.idm.read_only_udm.additional.fields | Key: DNSQuery, Value: DNSQuery
DNSRecordType | event.idm.read_only_udm.additional.fields | Key: DNSRecordType, Value: DNSRecordType
DNSResponseType | event.idm.read_only_udm.additional.fields | Key: DNSResponseType, Value: DNSResponseType
DNS_TTL | event.idm.read_only_udm.additional.fields | Key: DNS_TTL, Value: DNS_TTL
DstIP | event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip | Direct mapping.
DstPort | event.idm.read_only_udm.target.port | Direct mapping, converted to integer.
dvc | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip, event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname, event.idm.read_only_udm.intermediary.ip, event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip, event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | If valid IP, mapped to principal/target IP. If hostname, mapped to principal/target hostname. Also used for intermediary IP if valid IP.
EgressInterface | event.idm.read_only_udm.principal.asset.attribute.labels | Key: EgressInterface, Value: EgressInterface
EgressVRF | event.idm.read_only_udm.principal.asset.attribute.labels | Key: EgressVRF, Value: EgressVRF
EgressZone | event.idm.read_only_udm.target.location.name | Direct mapping.
eventType | event.idm.read_only_udm.metadata.product_event_type, event.idm.read_only_udm.target.application | Direct mapping. For SERVICE_START and SERVICE_STOP, mapped to target.application and then cleared.
EventTime | @timestamp | Parsed as timestamp.
exe | event.idm.read_only_udm.target.process.command_line | Direct mapping after removing quotes and backslashes.
extended_description | event.idm.read_only_udm.metadata.description | Direct mapping after removing hyphens and quotes.
Facility | event.idm.read_only_udm.principal.resource.attribute.labels | Key: Facility, Value: Facility
filepath | event.idm.read_only_udm.principal.process.file.full_path | Direct mapping.
file_path | event.idm.read_only_udm.target.file.full_path | Direct mapping.
file_path_value | event.idm.read_only_udm.target.file.full_path | Direct mapping.
FirstPacketSecond | security_result.detection_fields | Key: FirstPacketSecond, Value: FirstPacketSecond
from | event.idm.read_only_udm.network.email.from | Direct mapping after removing angle brackets.
generic_ip | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip | Direct mapping if a valid IP and not A256:.
gid | event.idm.read_only_udm.target.user.group_identifiers | Direct mapping.
grp | event.idm.read_only_udm.target.group.group_display_name | Direct mapping after removing quotes and backslashes.
hashing_algo | security_result.summary | Direct mapping.
home | event.idm.read_only_udm.target.file.full_path | Direct mapping.
HostName | Computer | Used if Computer is empty.
HostIP | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip | The part of HostIP before % is extracted and mapped as validated_ip.
hostname | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname, event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Direct mapping if not empty or ?.
host_name | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | Direct mapping.
InitiatorBytes | event.idm.read_only_udm.network.sent_bytes | Direct mapping, converted to unsigned integer.
InitiatorPackets | event.idm.read_only_udm.network.sent_packets | Direct mapping, converted to integer.
insertId | event.idm.read_only_udm.metadata.product_log_id | Direct mapping.
InstanceID | security_result.detection_fields | Key: Instance ID, Value: InstanceID
int_dvc | event.idm.read_only_udm.intermediary.hostname | Direct mapping.
ip | event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip, event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip | Direct mapping.
ip_protocol | event.idm.read_only_udm.network.ip_protocol | Direct mapping.
laddr | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip | Direct mapping if not empty or ?.
level | security_result.severity | If info, set to INFORMATIONAL.
log.syslog.facility.name | event.idm.read_only_udm.target.application | Direct mapping.
log.syslog.severity.name | security_result.severity | If Emergency, set to HIGH.
logName | logname | Direct mapping.
log_description | security_result.description | Direct mapping.
log_level | security_result.severity | If error, set to ERROR.
log_summary | security_result.summary | Direct mapping.
logger_name | event.idm.read_only_udm.principal.resource.attribute.labels | Key: logger_name, Value: logger_name
log_type | event.idm.read_only_udm.metadata.log_type | Hardcoded to NIX_SYSTEM.
lport | event.idm.read_only_udm.principal.port | Direct mapping, converted to integer.
MG | event.idm.read_only_udm.principal.resource.attribute.labels | Key: MG, Value: MG
method | event.idm.read_only_udm.network.http.method | Direct mapping, converted to uppercase.
msg1 | event.idm.read_only_udm.metadata.description, event.idm.read_only_udm.additional.fields, security_result.description | Parsed using grok patterns. If event_type is GENERIC_EVENT, mapped to description.
msg2 | event.idm.read_only_udm.network.received_bytes, security_result.summary | If contains digits, converted to unsigned integer and mapped to received_bytes. Otherwise, mapped to summary.
NAPPolicy | security_result.rule_labels | Key: NAPPolicy, Value: NAPPolicy
name | event.idm.read_only_udm.target.process.file.full_path | Direct mapping after removing quotes.
outcome | security_result.action | If Succeeded or contains success, set to ALLOW.
p_id | event.idm.read_only_udm.target.process.pid | Direct mapping.
pid | event.idm.read_only_udm.target.process.pid, event.idm.read_only_udm.principal.process.pid | Direct mapping.
principal_hostname | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Direct mapping.
principal_ip | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip | Direct mapping.
principal_present | event.idm.read_only_udm.metadata.event_type | If true and has_target is true, set event_type to NETWORK_UNCATEGORIZED. If true or user_present is true, set event_type to USER_UNCATEGORIZED.
process | event.idm.read_only_udm.target.application, event.idm.read_only_udm.metadata.product_event_type | Direct mapping. If eventType is empty, used as target.application.
ProcessID | event.idm.read_only_udm.principal.process.pid | Direct mapping, converted to string.
ProcessName | event.idm.read_only_udm.principal.resource.attribute.labels | Key: ProcessName, Value: ProcessName
prod_eve_type | event.idm.read_only_udm.metadata.product_event_type | Direct mapping.
product_event_type | event.idm.read_only_udm.metadata.product_event_type | Direct mapping.
Protocol | event.idm.read_only_udm.network.ip_protocol | If matches icmp, udp, or tcp (case-insensitive), mapped to the corresponding uppercase value.
proto | event.idm.read_only_udm.network.application_protocol | If ssh or ssh2, set to SSH.
pwd | event.idm.read_only_udm.target.file.full_path | Direct mapping.
reason | security_result.summary, security_result.description | Used in combination with action and desc to create security_result.description. Also mapped to security_result.summary.
relayHostname | event.idm.read_only_udm.intermediary.hostname | Direct mapping.
relayIp | event.idm.read_only_udm.intermediary.ip | Direct mapping.
res | security_result.summary | Direct mapping.
resource.labels.instance_id | event.idm.read_only_udm.target.resource.product_object_id | Direct mapping.
resource.labels.project_id | event.idm.read_only_udm.target.asset.attribute.cloud.project.id | Direct mapping.
resource.labels.zone | event.idm.read_only_udm.target.asset.attribute.cloud.availability_zone | Direct mapping.
resource.type | event.idm.read_only_udm.target.resource.resource_subtype | Direct mapping.
response_code | event.idm.read_only_udm.network.http.response_code | Direct mapping, converted to integer.
ResponderBytes | event.idm.read_only_udm.network.received_bytes | Direct mapping, converted to unsigned integer.
ResponderPackets | event.idm.read_only_udm.network.received_packets | Direct mapping, converted to integer.
rhost | event.idm.read_only_udm.additional.fields | Key: rhost, Value: rhost
ruser | srcUser | Direct mapping.
sec_action | security_result.action | Mapped based on action or eventType.
sec_summary | security_result.summary | Direct mapping.
security_action | security_result.action | Direct mapping.
sent_bytes | event.idm.read_only_udm.network.sent_bytes | Direct mapping, converted to unsigned integer.
ses | event.idm.read_only_udm.network.session_id, event.idm.read_only_udm.network.session_duration | If numeric, parsed as UNIX timestamp and mapped to session_duration. Otherwise, mapped to session_id.
SeverityLevel | security_result.severity | Mapped to different severities based on value (notice/info -> INFORMATIONAL, warn -> HIGH, error -> ERROR, other -> UNKNOWN_SEVERITY).
sessionId | event.idm.read_only_udm.network.session_id | Direct mapping.
size | event.idm.read_only_udm.network.received_bytes | Direct mapping, converted to unsigned integer.
source | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Direct mapping after removing leading whitespace.
SourceSystem | event.idm.read_only_udm.principal.resource.attribute.labels, event.idm.read_only_udm.principal.platform | Key: SourceSystem, Value: SourceSystem. Also mapped to platform (Linux -> LINUX, Window -> WINDOWS, Mac/iOS -> MAC).
SrcIP | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip | Direct mapping.
SrcPort | event.idm.read_only_udm.principal.port | Direct mapping, converted to integer.
srcIp | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip | Direct mapping.
srcPort | event.idm.read_only_udm.principal.port | Direct mapping, converted to integer.
srcUser | event.idm.read_only_udm.principal.user.userid | Direct mapping.
src_user | event.idm.read_only_udm.principal.user.userid | Direct mapping.
src_user_display_name | event.idm.read_only_udm.principal.user.user_display_name | Direct mapping.
status | security_result.action | If Deferred, set to BLOCK. If Sent, set to ALLOW.
summary | security_result.summary | Direct mapping.
SyslogMessage | security_result.description | Direct mapping.
targetEmail | event.idm.read_only_udm.network.email.to | Direct mapping.
targetEmailfrom | event.idm.read_only_udm.network.email.from | Direct mapping.
targetHostname | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | Direct mapping.
target_hostname | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | Direct mapping.
target_ip | event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip | Direct mapping.
target_mac | event.idm.read_only_udm.target.mac | Direct mapping.
target_uri | event.idm.read_only_udm.target.url | Direct mapping.
TenantId | event.idm.read_only_udm.principal.user.product_object_id | Direct mapping.
terminal | event.idm.read_only_udm.additional.fields | Key: terminal, Value: terminal if not empty or ?.
TimeGenerated | event.idm.read_only_udm.metadata.collected_timestamp | Parsed as timestamp.
timestamp | @timestamp | Parsed as timestamp.
tls_cipher | event.idm.read_only_udm.network.tls.cipher | Direct mapping.
Type | event.idm.read_only_udm.principal.resource.attribute.labels | Key: Type, Value: Type
uid | event.idm.read_only_udm.principal.user.userid | If 0, set to root. Otherwise, direct mapping.
uid_2 | event.idm.read_only_udm.target.user.userid | Direct mapping if uid is empty.
unit | event.idm.read_only_udm.target.application | Direct mapping.
url | event.idm.read_only_udm.target.url | Direct mapping.
user | username | Direct mapping.
username | event.idm.read_only_udm.target.user.userid, event.idm.read_only_udm.principal.user.userid | Direct mapping.
user_display_name | event.idm.read_only_udm.target.user.user_display_name | Direct mapping.
user_present | event.idm.read_only_udm.metadata.event_type | If true or principal_present is true, set event_type to USER_UNCATEGORIZED.
_Internal_WorkspaceResourceId | event.idm.read_only_udm.target.resource.attribute.labels, event.idm.read_only_udm.target.resource.product_object_id | Key: _Internal_WorkspaceResourceId, Value: _Internal_WorkspaceResourceId. The subscription ID is extracted and mapped to product_object_id.
_ItemId | event.idm.read_only_udm.principal.resource.attribute.labels | Key: _ItemId, Value: _ItemId
_ResourceId | event.idm.read_only_udm.principal.resource.attribute.labels, event.idm.read_only_udm.principal.resource.product_object_id | Key: _ResourceId, Value: _ResourceId. The subscription ID is extracted and mapped to product_object_id.
_timestamp | @timestamp | Parsed as timestamp.
_timestamp_tz | @timestamp | Parsed as timestamp.

  • event.idm.read_only_udm.metadata.event_type: Set to GENERIC_EVENT initially, then overwritten based on parser logic.
  • event.idm.read_only_udm.metadata.product_name: Hardcoded to Unix System.
  • event.idm.read_only_udm.extensions.auth.type: Set to MACHINE for certain event types.
  • event.idm.read_only_udm.target.asset.attribute.cloud.environment: Set to GOOGLE_CLOUD_PLATFORM for Google Cloud audit logs.
  • event.idm.read_only_udm.target.resource.resource_type: Set to VIRTUAL_MACHINE for Google Cloud audit logs.
  • event.idm.read_only_udm.extensions.auth.mechanism: Set to USERNAME_PASSWORD for login events.
  • has_target_resource: Set to true if resource.labels.instance_id or _Internal_WorkspaceResourceId is present.

Changes

2024-05-30

Enhancement:

  • Mapped APP-NAME from syslog message to target.application.

2024-05-26

Enhancement:

  • Mapped HostIP to principal.ip.
  • Mapped Computer to principal.hostname.
  • Mapped ProcessID to principal.process.pid.
  • Mapped TenantId to principal.user.product_object_id.
  • Mapped target_url to target.url.
  • Mapped sec_summary to security_result.summary.
  • Mapped file_path_value to target.file.full_path.
  • Mapped SeverityLevel to security_result.severity.
  • Mapped SyslogMessage to security_result.description.
  • Mapped action_details_value to security_result.action_details.
  • Mapped _ResourceId to principal.resource.attribute.labels.
  • Mapped _Internal_WorkspaceResourceId to target.resource.attribute.labels.
  • Mapped Facility, MG, ProcessName, SourceSystem, Type, logger_name, and _ItemId to principal.resource.attribute.labels.
  • Extracted the value of resource_id_value from _ResourceId and mapped resource_id_value to principal.resource.product_object_id.
  • Extracted the value of target_resource_id_value from _Internal_WorkspaceResourceId and mapped target_resource_id_value to target.resource.product_object_id.
  • If the value of the field process is su and the value of dvc is a valid IP address, mapped dvc to principal.ip.
  • If the value of the field process is su and the value of dvc is not a valid IP address, mapped dvc to principal.hostname.
  • If the value of the field process is su, mapped msg1 to additional.fields.
  • If the value of the field process is su, mapped user_display_name to target.user.user_display_name.
  • If the value of the field process is su, mapped src_user_display_name to principal.user.user_display_name.
  • If the value of the field prod_eve_type is null, mapped process to metadata.product_event_type.

2024-04-22

Enhancement:

  • Added a kv function over extended_description to split key-value fields.
  • Mapped pid to principal.process.pid.
  • Mapped uid to principal.user.userid.
  • Mapped res to security_result.summary.
  • Mapped ses to network.session_duration.
  • Mapped auid, cmd and terminal to additional.fields.

2024-04-10

Enhancement:

  • Added a Grok pattern to segregate reason and uid_2 from reason.
  • Mapped uid_2 to target.user.userid.
  • Mapped reason to security_result.description.

2024-04-09

Enhancement:

  • Mapped description to security_result.description.
  • Mapped userid to target.user.userid.

2024-04-03

Enhancement:

  • Added support for the subprocesses cleanup and qmgr in logs of the process postfix.
  • When msg1 contains user NOT in sudoers or command not allowed, set security_result.action to FAIL.

2024-03-26

Enhancement:

  • Added a Grok pattern to resolve the error "too long for type ACCOUNT_ID (336 bytes, max 256): invalid argument".

2024-02-08

Enhancement:

  • Mapped eventType to target.application.
  • Mapped description to security_result.description.
  • When description is nearly equal to fail, then set security_result.action to BLOCK.
  • Aligned principal.ip, principal.hostname and principal.asset.ip, principal.asset.hostname mappings.
  • Aligned target.ip, target.hostname and target.asset.ip, target.asset.hostname mappings.

2024-01-09

Enhancement:

  • If eventType is dispatcher, then mapped msg1 to metadata.description, dvc to principal.hostname and set metadata.event_type to STATUS_UPDATE.
  • Added support to parse logs with action as rexec by parsing msg1 and mapped dvc to principal.hostname, msg1 to metadata.description, and set metadata.event_type to STATUS_UPDATE.
  • Added support to parse logs with action as Postponed publickey by parsing msg1 and mapped dvc to principal.hostname, msg1 to metadata.description, srcIP to principal.ip, srcPort to principal.port and set metadata.event_type as STATUS_UPDATE.
  • Modified and added new Grok patterns to parse srcPort and mapped to principal.port.

2023-12-11

Enhancement:

  • Added a Grok pattern to match msg1 part.
  • Mapped insertId to metadata.product_log_id.
  • Mapped resource.labels.instance.id to target.resource.product_object_id.
  • Mapped resource.labels.project.id to target.asset.attribute.cloud.project.id.
  • Mapped resource.labels.zone to target.asset.attribute.cloud.availability_zone.
  • Mapped resource.type to target.resource.resource_subtype.
  • Mapped logname to additional.fields.

2023-11-10

Enhancement:

  • Added 'json' filter to properly parse newly added JSON logs.
  • Mapped DeviceUUID to metadata.product_log_id.
  • Mapped InstanceID, ConnectionID, FirstPacketSecond to security_result.detection_fields.
  • Mapped AccessControlRuleAction to security_result.action.
  • Mapped DstIP to target.ip.
  • Mapped DstPort to target.port.
  • Mapped SrcIP to principal.ip.
  • Mapped Protocol to network.ip_protocol.
  • Mapped IngressInterface, EgressInterface, IngressVRF, EgressVRF to principal.asset.attribute.labels.
  • Mapped IngressZone to principal.location.name.
  • Mapped EgressZone to target.location.name.
  • Mapped ACPolicy, NAPPolicy to security_result.rule_labels.
  • Mapped AccessControlRuleName to security_result.rule_name.
  • Mapped ApplicationProtocol to network.application_protocol.
  • Mapped InitiatorPackets to network.sent_packets.
  • Mapped ResponderPackets to network.received_packets.
  • Mapped InitiatorBytes to network.sent_bytes.
  • Mapped DNSQuery, DNSRecordType, DNSResponseType, DNS_TTL to additional_fields.

2023-10-30

Enhancement:

  • When user details are not present, set metadata.event_type to STATUS_UPDATE for systemd and systemd-logind logs.
  • Added Grok patterns to support new pattern of systemd and systemd-logind logs.
  • Mapped application_name to target.application for systemd logs.
  • Mapped p_id to target.process.pid for systemd logs.
  • Mapped username to target.user.userid for systemd logs.

2023-10-26

Bug fix:

  • Modified a Grok pattern to parse entire value in target.user.userid.
  • Mapped security_result.action to ALLOW if action is Accepted publickey.

2023-09-21

Enhancement:

  • Adjusted parser to support JSON format logs along with SYSLOG.
  • Mapped host.ip to principal.ip.
  • Mapped event_details.original to security_result.description.
  • Mapped log.syslog.facility.name to target.application.
  • Mapped log.syslog.severity.name to security_result.severity.

2023-09-15

Bug fix:

  • Added a Grok pattern to map the hostname of the Squid proxy server to intermediary.hostname.

2023-08-10

Enhancement:

  • Added a Grok pattern to map new format logs.

2023-04-27

Customer Issue:

  • For logs that come with action:OPENED, changed the event_type from FILE_READ to FILE_OPEN.

2023-04-05

Customer Issue:

  • Mapped field exe to target.process.command_line and acct to target.user.userid.

2022-03-23

Customer Issue:

  • Added Grok pattern to parse logs with eventType = su.
  • Added include file to parse facility and severity for Syslog type of logs.

2023-03-10

Customer Issue:

  • Added Grok pattern to parse logs with eventType = cp, USER_CHAUTHTOK.
  • Added Grok pattern to parse logs with process = CRON.

2022-12-06

Enhancement:

  • Changed event_type from USER_UNCATEGORIZED to USER_LOGIN for action = Accepted publickey.
  • Mapped the process name setroubleshoot to target.application.

2022-10-21

Enhancement:

  • Modified grok pattern to parse logs in which process_id may or may not be present.
  • Parsed logs of type -bash, su.
  • For SSHD logs with refused connect, modified the mapping of hostname from target.hostname to principal.hostname.

2022-08-12

Enhancement:

  • Reduced the GENERIC_EVENT percentage.
  • Modified the mapping for metadata.event_type from GENERIC_EVENT to STATUS_UPDATE by replicating the mapping for intermediary.hostname/target.hostname to principal.hostname.
  • Parsed the logs of type postfix/smtpd, sudo, systemd-logind, sftp-server.

2022-06-28

Bug fix:

  • Added a new grok pattern to parse dropped logs with tag TAG_NO_SECURITY_VALUE.
  • Mapped pid to target.process.pid.
  • Mapped comm to target.process.command.
  • Mapped uid to principal.user.userid.
  • Mapped grp to target.group.group_display_name.
  • Mapped ip to principal.ip.
  • Mapped ses to network.session_id.

2022-06-13

Enhancement:

  • Added grok pattern for process == named.
  • Added grok pattern for process == unbound.
  • For process == named:
    • Mapped action to security_result.action.
    • Mapped hostname to target.hostname.
    • Mapped ip to principal.ip.
    • Mapped srcPort to principal.port.
  • For process == unbound:
    • Mapped hostname to target.hostname.
    • Mapped ip to principal.ip.

2022-06-07

Enhancement:

  • Removed leading or trailing spaces from principal.hostname and target.process.command_line.
