Change log for ARUBA_WIRELESS
Date | Changes |
---|---|
2025-08-05 | Enhancement:<br>- Added a new grok pattern for the `msg_event_details` field to extract a valid value.<br>- `event.idm.read_only_udm.principal.mac`: Newly mapped the `mac_1` raw log field to `event.idm.read_only_udm.principal.mac` and `event.idm.read_only_udm.principal.asset.mac`.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `IP` raw log field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `reason` raw log field to `event.idm.read_only_udm.security_result.description`. |
2025-07-29 | Enhancement:<br>- Added a new grok pattern for the `message` field to parse the dropped logs in the `aruba_wireless.include` file.<br>- Newly added a grok pattern for the `event_details` data field to parse logs correctly when `event_id` is `126048` or `126049`, in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.security_result.confidence_details`: Newly mapped the `confidence_level` data field to the `event.idm.read_only_udm.security_result.confidence_details` UDM field in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `wifi_channel` and `band_frequency` data fields to the `event.idm.read_only_udm.additional.fields` UDM field in the `aruba_wireless.include` file.<br>- Newly added a condition check for the `user_ip` data field when the `event_id` value is equal to "USER", in the `aruba_wireless.include` file.<br>- Newly added a grok pattern for the `msg_event_details` data field, applied when the `event_id` value is not equal to "NULL" and `msg_event_details` is not equal to `NULL`, to fetch the `prin_ip` and `tar_user_id` data fields in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.target.user.userid`: Newly mapped the `tar_user_id` data field to the `event.idm.read_only_udm.target.user.userid` UDM field in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `prin_ip` data field to the `event.idm.read_only_udm.principal.ip` UDM field in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.metadata.event_type`: Newly set `event.idm.read_only_udm.metadata.event_type` to `USER_LOGIN` when the `tar_user_id` and `prin_ip` data fields are not empty.<br>- Newly added a grok pattern for the `event_id` data field when the `event_id` value is one of "125063", "125067", "125069", "125065", in the `aruba_wireless.include` file, to fetch the `user_id` data field.<br>- `event.idm.read_only_udm.target.user.userid`: Newly mapped the `user_id` data field to the `event.idm.read_only_udm.target.user.userid` UDM field in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `tar_user_id` data field to the `event.idm.read_only_udm.principal.user.userid` UDM field in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.metadata.event_type`: Newly set `event.idm.read_only_udm.metadata.event_type` to `USER_CREATION` when the `user_id` data field is not empty.<br>- Newly added a grok pattern for the `event_id` data field when the `event_id` value is one of "125022", "125024", in the `aruba_wireless.include` file, to fetch the `tar_user_id`, `prin_ip`, `principal_port` and `target_port` data fields.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `prin_ip` data field to the `event.idm.read_only_udm.principal.ip` UDM field in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.principal.port`: Newly mapped the `principal_port` data field to the `event.idm.read_only_udm.principal.port` UDM field in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.target.port`: Newly mapped the `target_port` data field to the `event.idm.read_only_udm.target.port` UDM field in the `aruba_wireless.include` file.<br>- `event.idm.read_only_udm.metadata.event_type`: Newly set `event.idm.read_only_udm.metadata.event_type` to `USER_LOGIN` when the `prin_ip` and `tar_user_id` data fields are not empty. |
2024-12-27 | Enhancement:<br>- Added a grok pattern to support a new pattern of syslog logs. |
2024-09-04 | Enhancement:<br>- Added support for a new pattern of SYSLOG logs. |
2024-08-26 | Enhancement:<br>- Added support to handle unparsed SYSLOG logs.<br>- Mapped "details" to "metadata.description". |
2024-06-18 | Enhancement:<br>- Added support to handle unparsed SYSLOG logs. |
2024-04-18 | Enhancement:<br>- Added a grok pattern to extract a valid value from "ap_name".<br>- Mapped "ap_name" to "additional.fields". |
2023-05-25 | Bug-Fix:<br>- Fixed parsed logs that were failing due to a different log pattern. |
2022-09-15 | Bug-Fix:<br>- Modified the grok pattern to parse logs that may have a date field in the log timestamp, and logs that may not contain the key "userip".<br>- Modified "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" wherever possible. |
2022-08-23 | Enhancement:<br>- Migrated the customer-specific parser to the default parser.<br>- Modified the mapping for 'metadata.event_type' from 'GENERIC_EVENT' to 'USER_RESOURCE_ACCESS' where event_id is '132053'. |
2022-03-30 | Enhancement:<br>- Added the following new Event IDs: "124003", "126037", "126038", "199801", "235008", "235009", "304119", "306602", "326091", "326098", "326271", "326272", "326273", "326274", "326275", "326276", "326277", "326278", "326284", "341004", "350008", "351008", "358000", "393000", "399815", "520013", "522274", "541004".<br>- Changed "metadata.event_type" where the "Event Id" is "126034", "126064", "127064", "132006", "132030", "132093", "132094", "132197" from "GENERIC_EVENT" to "SCAN_UNCATEGORIZED".<br>- Changed "metadata.event_type" where the "Event Id" is "132207" from "GENERIC_EVENT" to "NETWORK_CONNECTION".<br>- Changed "metadata.event_type" where the "Event Id" is "520002" from "GENERIC_EVENT" to "USER_UNCATEGORIZED".<br>- Mapped "intermediary.hostname", "intermediary.mac", "intermediary.ip", "target.application", "target.process.pid".<br>- Mapped "logstash.irm_site", "logstash.irm_environment", "logstash.irm_region" to "additional.fields". |
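The 2025-07-29 and 2025-08-05 entries describe conditional UDM mappings whose effect is easier to see as code. The block below is an added illustration, not the ARUBA_WIRELESS parser itself (which is a Logstash-style parser config that this page does not reproduce): it is a Python model of those rules applied to a dict of data fields as a grok stage would already have extracted them. Because the raw Aruba log layout is not on this page, the sample inputs are constructed; the `GENERIC_EVENT` default, the integer conversion of ports, and the order in which the `USER_CREATION` and `USER_LOGIN` checks are applied are assumptions made here.

```python
# Added example: a model of the conditional UDM mappings listed in this change
# log. Not the Chronicle parser's own code; input dicts stand in for the data
# fields a grok stage would have extracted, and the samples are constructed.

USER_CREATION_IDS = {"125063", "125067", "125069", "125065"}
USER_LOGIN_IDS = {"125022", "125024"}


def _set(udm, path, value):
    """Set a dotted path such as 'principal.asset.mac' in a nested dict."""
    node = udm
    parts = path.split(".")
    for key in parts[:-1]:
        node = node.setdefault(key, {})
    node[parts[-1]] = value


def map_to_udm(fields):
    """Apply the page's mapping rules to extracted data fields.

    Returns a nested dict standing in for event.idm.read_only_udm.
    Assumption: event_type starts as GENERIC_EVENT (the older entries use it
    as the fallback) and is upgraded only when the stated non-empty
    conditions hold.
    """
    udm = {"metadata": {"event_type": "GENERIC_EVENT"}}
    event_id = fields.get("event_id", "")

    # 2025-08-05: mac_1 -> principal.mac and principal.asset.mac,
    # IP -> principal.ip and principal.asset.ip, reason -> security_result.description
    if fields.get("mac_1"):
        _set(udm, "principal.mac", fields["mac_1"])
        _set(udm, "principal.asset.mac", fields["mac_1"])
    if fields.get("IP"):
        _set(udm, "principal.ip", fields["IP"])
        _set(udm, "principal.asset.ip", fields["IP"])
    if fields.get("reason"):
        _set(udm, "security_result.description", fields["reason"])

    # 2025-07-29: confidence_level, wifi_channel and band_frequency
    if fields.get("confidence_level"):
        _set(udm, "security_result.confidence_details", fields["confidence_level"])
    extra = {k: fields[k] for k in ("wifi_channel", "band_frequency") if fields.get(k)}
    if extra:
        _set(udm, "additional.fields", extra)

    # 2025-07-29: user-creation event IDs carry user_id -> target.user.userid
    if event_id in USER_CREATION_IDS and fields.get("user_id"):
        _set(udm, "target.user.userid", fields["user_id"])
        udm["metadata"]["event_type"] = "USER_CREATION"

    # 2025-07-29: login event IDs also carry principal_port / target_port.
    # Assumption: ports are emitted as integers.
    if event_id in USER_LOGIN_IDS:
        if fields.get("principal_port"):
            _set(udm, "principal.port", int(fields["principal_port"]))
        if fields.get("target_port"):
            _set(udm, "target.port", int(fields["target_port"]))

    # 2025-07-29: tar_user_id / prin_ip (from msg_event_details or the login
    # IDs) map to target.user.userid / principal.ip; both non-empty => USER_LOGIN
    if fields.get("tar_user_id"):
        _set(udm, "target.user.userid", fields["tar_user_id"])
    if fields.get("prin_ip"):
        _set(udm, "principal.ip", fields["prin_ip"])
    if fields.get("tar_user_id") and fields.get("prin_ip"):
        udm["metadata"]["event_type"] = "USER_LOGIN"

    return udm


# Constructed sample field sets (not real Aruba output).
SAMPLE_FIELDS = [
    {"event_id": "125022", "tar_user_id": "admin", "prin_ip": "10.0.0.5",
     "principal_port": "51000", "target_port": "22"},
    {"event_id": "125063", "user_id": "newuser"},
    {"event_id": "126048", "mac_1": "aa:bb:cc:dd:ee:ff", "IP": "192.0.2.10",
     "reason": "deauth", "confidence_level": "high", "wifi_channel": "36"},
    {"event_id": "999999"},
]


def event_types(samples=SAMPLE_FIELDS):
    """Return the event_type each sample maps to, in order."""
    return [map_to_udm(s)["metadata"]["event_type"] for s in samples]


if __name__ == "__main__":
    for s in SAMPLE_FIELDS:
        print(s["event_id"], "->", map_to_udm(s))
```

Reading the mappings this way also makes the review question obvious: both `IP` and `prin_ip` write to `principal.ip`, so the last rule applied wins, which is exactly the kind of precedence a parser test suite should pin down.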