Change log for BARRACUDA_WAF
Date | Changes |
---|---|
2025-07-22 | Enhancement:<br>- Newly mapped `host` raw log field to event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname.<br>- Newly mapped `_time` raw log field to event.idm.read_only_udm.metadata.event_timestamp.<br>- Newly mapped `recid` raw log field to event.idm.read_only_udm.metadata.product_log_id.<br>- Newly mapped `host_ip` raw log field to event.idm.read_only_udm.intermediary.ip and event.idm.read_only_udm.intermediary.asset.ip.<br>- Newly mapped `cribl_processing_time` raw log field to event.idm.read_only_udm.metadata.collected_timestamp.<br>- Newly mapped `cribl_wp_id`, `logType`, `timeTaken` and `query` raw log fields to event.idm.read_only_udm.additional.fields.<br>- Newly mapped `_raw` raw log field to event.idm.read_only_udm.metadata.description.<br>- Newly mapped `time` raw log field to event.idm.read_only_udm.security_result.first_discovered_time.<br>- Newly mapped `src` raw log field to event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip.<br>- Newly mapped `srcPort` raw log field to event.idm.read_only_udm.principal.port.<br>- Newly mapped `dst` raw log field to event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip.<br>- Newly mapped `dstPort` raw log field to event.idm.read_only_udm.target.port.<br>- Newly mapped `url` raw log field to event.idm.read_only_udm.target.url.<br>- Newly mapped `srcBytes` raw log field to event.idm.read_only_udm.network.sent_bytes.<br>- Newly mapped `dstBytes` raw log field to event.idm.read_only_udm.network.received_bytes.<br>- Newly mapped `proto` raw log field to event.idm.read_only_udm.network.tls.version.<br>- Newly mapped `httpStatus` raw log field to event.idm.read_only_udm.network.http.response_code.<br>- Newly mapped `referer` raw log field to event.idm.read_only_udm.network.http.referral_url.<br>- Newly mapped `hostname_1` raw log field to event.idm.read_only_udm.target.hostname.<br>- Newly mapped `hostname_1` raw log field to event.idm.read_only_udm.target.asset.hostname.<br>- Newly mapped `httpVersion` raw log field to event.idm.read_only_udm.network.application_protocol_version.<br>- Newly mapped `usrName` raw log field to event.idm.read_only_udm.network.http.user_agent.<br>- Set event.idm.read_only_udm.metadata.product_name to LEEF and event.idm.read_only_udm.metadata.product_event_type to WAF for JSON-based logs.<br>- Added logic to merge security_result into event.idm.read_only_udm.security_result. |
2025-02-10 | Enhancement:<br>- Mapped "inter_host" to "null" if it is not present in the log. |
2025-01-16 | Enhancement:<br>- Added a Grok pattern to support a new format of syslog logs.<br>- Mapped "inter_host" to "intermediary.hostname". |
2024-11-19 | Enhancement:<br>- Added support for CEF format logs. |
2024-11-18 | Enhancement:<br>- Removed an unnecessary drop condition to fix the parsing issue. |
2024-09-25 | Enhancement:<br>- Added support for a new pattern of SYSLOG logs. |
2024-09-05 | Enhancement:<br>- Added support for a new pattern of SYSLOG logs. |
2023-07-19 | Bug-Fix:<br>- Parsed previously unparsed raw logs using a Grok pattern.<br>- Mapped 'server' to 'target.ip'. |
2022-09-09 | Enhancement: Created a default parser and migrated the custom parsers into the default parser.<br>The following fields are mapped:<br>- 'duser' mapped to 'target.user.user_display_name'.<br>- 'suser' mapped to 'principal.user.user_display_name'.<br>- 'suid' mapped to 'principal.user.userid'.<br>- 'src' mapped to 'principal.ip'.<br>- 'dst' mapped to 'target.ip'.<br>- 'shost' mapped to 'principal.hostname'.<br>- 'severity' mapped to 'security_result.severity'.<br>- 'action' mapped to 'security_result.action'.<br>- 'user_name' mapped to 'target.user.userid'.<br>- 'domain_name' mapped to 'target.domain.name'.<br>- 'mac_address' mapped to 'principal.mac'.<br>- 'direction' mapped to 'network.direction'.<br>- 'ip_protocol' mapped to 'network.ip_protocol'.<br>- 'summary' mapped to 'security_result.summary'. |