Change log for AIX_SYSTEM

Date Changes
2025-08-11 Enhancement:
- Added a grok pattern to parse `user_id` field.
- event.idm.read_only_udm.target.user.userid: Newly mapped 'user_id' raw log field with 'event.idm.read_only_udm.target.user.userid' UDM field.
- event.idm.read_only_udm.metadata.event_type: Set to USER_LOGIN when both `has_principal` and `has_target_user` are true.
- event.idm.read_only_udm.metadata.event_type: Set to NETWORK_CONNECTION when both `has_principal` and `has_target` are true.
2025-07-10 Enhancement:
- Added a Grok pattern to parse the new log format.
- Added a gsub function to parse the new log format.
- 'event.idm.read_only_udm.security_result.action': Newly mapped 'action' raw log field with 'event.idm.read_only_udm.security_result.action' UDM field.
- 'event.idm.read_only_udm.metadata.event_timestamp': Newly mapped 'date' and 'time' raw log fields with 'event.idm.read_only_udm.metadata.event_timestamp' UDM field.
- 'event.idm.read_only_udm.target.hostname' and 'event.idm.read_only_udm.target.asset.hostname': Newly mapped 'devname' raw log field with 'event.idm.read_only_udm.target.hostname' and 'event.idm.read_only_udm.target.asset.hostname' UDM fields.
- 'event.idm.read_only_udm.principal.asset.hardware.serial_number': Newly mapped '_hardware' raw log field with 'event.idm.read_only_udm.principal.asset.hardware.serial_number' UDM field.
- 'event.idm.read_only_udm.metadata.product_event_type': Newly mapped 'type' raw log field with 'event.idm.read_only_udm.metadata.product_event_type' UDM field.
- 'event.idm.read_only_udm.additional.fields': Newly mapped 'subtype', 'eventtime', 'poluuid', 'dstdevtype', 'dstfamily', 'trandisp', 'appcat', 'vpntype', 'sentdelta' and 'rcvddelta' raw log fields with 'event.idm.read_only_udm.additional.fields' UDM field.
- 'event.idm.read_only_udm.security_result.severity' and 'event.idm.read_only_udm.security_result.severity_details': Newly mapped 'level' raw log field with 'event.idm.read_only_udm.security_result.severity' and 'event.idm.read_only_udm.security_result.severity_details' UDM fields.
- 'event.idm.read_only_udm.metadata.product_log_id': Newly mapped 'logid' raw log field with 'event.idm.read_only_udm.metadata.product_log_id' UDM field.
- 'event.idm.read_only_udm.principal.administrative_domain': Newly mapped 'vd' raw log field with 'event.idm.read_only_udm.principal.administrative_domain' UDM field.
- 'event.idm.read_only_udm.principal.ip' and 'event.idm.read_only_udm.principal.asset.ip': Newly mapped 'srcip' raw log field with 'event.idm.read_only_udm.principal.ip' and 'event.idm.read_only_udm.principal.asset.ip' UDM fields.
- 'event.idm.read_only_udm.principal.port': Newly mapped 'srcport' raw log field with 'event.idm.read_only_udm.principal.port' UDM field.
- 'event.idm.read_only_udm.target.port': Newly mapped 'dstport' raw log field with 'event.idm.read_only_udm.target.port' UDM field.
- 'event.idm.read_only_udm.target.ip' and 'event.idm.read_only_udm.target.asset.ip': Newly mapped 'dstip' raw log field with 'event.idm.read_only_udm.target.ip' and 'event.idm.read_only_udm.target.asset.ip' UDM fields.
- 'event.idm.read_only_udm.principal.hostname' and 'event.idm.read_only_udm.principal.asset.hostname': Newly mapped 'srcname' raw log field with 'event.idm.read_only_udm.principal.hostname' and 'event.idm.read_only_udm.principal.asset.hostname' UDM fields.
- 'event.idm.read_only_udm.principal.user.userid': Newly mapped 'unauthuser' raw log field with 'event.idm.read_only_udm.principal.user.userid' UDM field.
- 'event.idm.read_only_udm.principal.resource.attribute.labels': Newly mapped 'unauthusersource', 'srcserver', 'srcintfrole' and 'srcintf' raw log fields with 'event.idm.read_only_udm.principal.resource.attribute.labels' UDM field.
- 'event.idm.read_only_udm.target.resource.attribute.labels': Newly mapped 'dstserver', 'dstintfrole' and 'dstintf' raw log fields with 'event.idm.read_only_udm.target.resource.attribute.labels' UDM field.
- 'event.idm.read_only_udm.principal.mac' and 'event.idm.read_only_udm.principal.asset.mac': Newly mapped 'srcmac' raw log field with 'event.idm.read_only_udm.principal.mac' and 'event.idm.read_only_udm.principal.asset.mac' UDM fields.
- 'event.idm.read_only_udm.target.mac' and 'event.idm.read_only_udm.target.asset.mac': Newly mapped 'dstmac' raw log field with 'event.idm.read_only_udm.target.mac' and 'event.idm.read_only_udm.target.asset.mac' UDM fields.
- 'event.idm.read_only_udm.principal.mac' and 'event.idm.read_only_udm.principal.asset.mac': Newly mapped 'mastersrcmac' raw log field with 'event.idm.read_only_udm.principal.mac' and 'event.idm.read_only_udm.principal.asset.mac' UDM fields.
- 'event.idm.read_only_udm.target.mac' and 'event.idm.read_only_udm.target.asset.mac': Newly mapped 'masterdstmac' raw log field with 'event.idm.read_only_udm.target.mac' and 'event.idm.read_only_udm.target.asset.mac' UDM fields.
- 'event.idm.read_only_udm.principal.location.country_or_region' and 'event.idm.read_only_udm.security_result.detection_fields': Newly mapped 'srccountry' raw log field with 'event.idm.read_only_udm.security_result.detection_fields' UDM field if 'srccountry' is equal to 'Reserved', otherwise with 'event.idm.read_only_udm.principal.location.country_or_region' UDM field.
- 'event.idm.read_only_udm.target.location.country_or_region' and 'event.idm.read_only_udm.security_result.detection_fields': Newly mapped 'dstcountry' raw log field with 'event.idm.read_only_udm.security_result.detection_fields' UDM field if 'dstcountry' is equal to 'Reserved', otherwise with 'event.idm.read_only_udm.target.location.country_or_region' UDM field.
- 'event.idm.read_only_udm.network.session_id': Newly mapped 'sessionid' raw log field with 'event.idm.read_only_udm.network.session_id' UDM field.
- 'event.idm.read_only_udm.network.ip_protocol': Newly mapped 'proto' raw log field with 'event.idm.read_only_udm.network.ip_protocol' UDM field.
- 'event.idm.read_only_udm.security_result.rule_id': Newly mapped 'policyid' raw log field with 'event.idm.read_only_udm.security_result.rule_id' UDM field.
- 'event.idm.read_only_udm.security_result.rule_name': Newly mapped 'policyname' raw log field with 'event.idm.read_only_udm.security_result.rule_name' UDM field.
- 'event.idm.read_only_udm.security_result.rule_type': Newly mapped 'policytype' raw log field with 'event.idm.read_only_udm.security_result.rule_type' UDM field.
- 'event.idm.read_only_udm.network.application_protocol' and 'event.idm.read_only_udm.target.application': Newly mapped 'service' raw log field with 'event.idm.read_only_udm.network.application_protocol' UDM field if 'service' is a protocol name, otherwise with 'event.idm.read_only_udm.target.application' UDM field.
- 'event.idm.read_only_udm.network.session_duration': Newly mapped 'duration' raw log field with 'event.idm.read_only_udm.network.session_duration' UDM field.
- 'event.idm.read_only_udm.target.resource.attribute.labels': Newly mapped 'dsthwvendor' raw log field with 'event.idm.read_only_udm.target.resource.attribute.labels' UDM field.
- 'event.idm.read_only_udm.network.sent_bytes': Newly mapped 'sentbyte' raw log field with 'event.idm.read_only_udm.network.sent_bytes' UDM field.
- 'event.idm.read_only_udm.network.received_bytes': Newly mapped 'rcvdbyte' raw log field with 'event.idm.read_only_udm.network.received_bytes' UDM field.
- 'event.idm.read_only_udm.network.sent_packets': Newly mapped 'sentpkt' raw log field with 'event.idm.read_only_udm.network.sent_packets' UDM field.
- 'event.idm.read_only_udm.network.received_packets': Newly mapped 'rcvdpkt' raw log field with 'event.idm.read_only_udm.network.received_packets' UDM field.
- 'event.idm.read_only_udm.principal.platform': Newly mapped 'osname' raw log field with 'event.idm.read_only_udm.principal.platform' UDM field.
- 'event.idm.read_only_udm.target.platform': Newly mapped 'dstosname' raw log field with 'event.idm.read_only_udm.target.platform' UDM field.
- 'event.idm.read_only_udm.principal.platform_version': Newly mapped 'srcswversion' raw log field with 'event.idm.read_only_udm.principal.platform_version' UDM field.
- 'event.idm.read_only_udm.target.platform_version': Newly mapped 'dstswversion' raw log field with 'event.idm.read_only_udm.target.platform_version' UDM field.
- 'event.idm.read_only_udm.security.rule_version': Newly mapped 'dsthwversion' raw log field with 'event.idm.read_only_udm.security.rule_version' UDM field.
- 'event.idm.read_only_udm.target.ip' and 'event.idm.read_only_udm.target.asset.ip': Newly mapped 'remip' raw log field with 'event.idm.read_only_udm.target.ip' and 'event.idm.read_only_udm.target.asset.ip' UDM fields.
- 'event.idm.read_only_udm.principal.ip' and 'event.idm.read_only_udm.principal.asset.ip': Newly mapped 'locip' raw log field with 'event.idm.read_only_udm.principal.ip' and 'event.idm.read_only_udm.principal.asset.ip' UDM fields.
- 'event.idm.read_only_udm.target.port': Newly mapped 'remport' raw log field with 'event.idm.read_only_udm.target.port' UDM field.
- 'event.idm.read_only_udm.principal.port': Newly mapped 'locport' raw log field with 'event.idm.read_only_udm.principal.port' UDM field.
- 'event.idm.read_only_udm.metadata.description': Newly mapped 'msg' raw log field with 'event.idm.read_only_udm.metadata.description' UDM field.
- 'event.idm.read_only_udm.security_result.summary': Newly mapped 'logdesc' raw log field with 'event.idm.read_only_udm.security_result.summary' UDM field.
- 'event.idm.read_only_udm.target.hostname' and 'event.idm.read_only_udm.target.asset.hostname': Newly mapped 'dst_host' raw log field with 'event.idm.read_only_udm.target.hostname' and 'event.idm.read_only_udm.target.asset.hostname' UDM fields.
- Added 'on_error' handling to KV filters to improve parser robustness.
2025-05-12 Enhancement:
- Added Grok patterns to support the new log format.
2025-02-16 Enhancement:
- Added support for SYSLOG logs.
2024-10-09 Bug-Fix:
- Added support for "RFC3339" format timestamps.
2024-08-29 Enhancement:
- Added a Grok pattern to parse new log type.
- Mapped "dis_name" to "principal.group.group_display_name".
- Mapped "action" to "security_result.action_details".
2024-04-30 Enhancement:
- Enhanced the parser to support a new log format.
2023-06-21 - Newly created parser.