Change log for CISCO_ROUTER
Date | Changes |
---|---|
2025-04-21 | Enhancement:<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Handled a new timestamp pattern for the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- `event.idm.read_only_udm.principal.ip`, `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `src_ip_msg` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- Newly added multiple grok patterns to parse logs in syslog format.<br>- `event.idm.read_only_udm.metadata.event_type`: Newly mapped the `event.idm.read_only_udm.metadata.event_type` UDM field to `NETWORK_CONNECTION` when `has_principal` and `has_target` are both not null.<br>- `event.idm.read_only_udm.metadata.event_type`: Newly mapped the `event.idm.read_only_udm.metadata.event_type` UDM field to `STATUS_UPDATE` when `has_principal` is not null.<br>- `event.idm.read_only_udm.metadata.event_type`: Newly mapped the `event.idm.read_only_udm.metadata.event_type` UDM field to `GENERIC_EVENT` when `has_principal` and `has_target` are both null.<br>- `event.idm.read_only_udm.principal.ip`, `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `src_ip_msg_data` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields. |
2025-03-06 | Enhancement:<br>- Added support for SYSLOG logs. |
2025-02-26 | Enhancement:<br>- Removed the "intermediary.hostname" mapping if the value is numeric. |
2024-12-12 | Enhancement:<br>- Mapped "intermediary_host" to "intermediary.hostname". |
2024-12-05 | Enhancement:<br>- Added a Grok pattern to support a new pattern of syslog logs.<br>- Mapped "srcip" to "principal.ip". |
2024-10-30 | Enhancement:<br>- Added support for "metadata.event_timestamp" in the "BST" timezone. |
2024-10-15 | Enhancement:<br>- Mapped "inter_hostname" to "intermediary.ip" and "intermediary_host" to "intermediary.hostname". |
2024-09-12 | Enhancement:<br>- Added a Grok pattern to map "int_ip" to "intermediary.hostname". |
2024-06-26 | Enhancement:<br>- Added a new Grok pattern to parse a new format of SYSLOG logs. |
2024-06-09 | Enhancement:<br>- Mapped "hostname" from the syslog header to "intermediary.hostname". |
2024-05-20 | Enhancement:<br>- Added a new Grok pattern to parse a new format of SYSLOG logs.<br>- Mapped "MessageSourceAddress" to "principal.ip" and "principal.asset.ip".<br>- Mapped "SourceModuleName" and "SourceModuleType" to "principal.resource.attribute.labels". |
2023-11-10 | Enhancement:<br>- Added new Grok patterns to parse failing SYSLOG logs.<br>- Added "Unable", "exceeded", and "No space left on device" conditions for "AUTH_VIOLATION". |
2023-10-30 | Enhancement:<br>- Added new Grok patterns to parse failing syslog logs.<br>- Mapped "resourcename" to "principal.resource.name".<br>- Mapped "app_protocol" to "network.application.protocol".<br>- Mapped "app" to "target.application".<br>- Mapped "source_port" to "principal.port".<br>- Mapped "source_ip" to "principal.ip".<br>- Mapped "device_ip" to "target.ip".<br>- Mapped "username" to "target.user.userid".<br>- Mapped "intermediary_ip" to "intermediary.ip".<br>- Mapped "mnemonics" to "metadata.event_type".<br>- Mapped "sec_action" to "security_result.action".<br>- Mapped "sec_category" to "security_result.category".<br>- Mapped "sec_summary" to "security_result.summary".<br>- For authentication type logs, set "metadata.event_type" to "USER_LOGIN". |
2023-05-09 | Enhancement:<br>- Logs with the value "FMANFP-6-IPACCESSLOGP" are parsed as "NETWORK_CONNECTION" events. |
2022-12-02 | Enhancement:<br>- Added a grok pattern to support unparsed Syslog logs.<br>- If "principal.hostname" is present, changed the event_type mapping from GENERIC_EVENT to STATUS_UPDATE. |
2022-11-10 | Enhancement:<br>- Added support for SYS-5-CONFIG_I event logs.<br>- Modified the grok pattern to support logs that carry a timezone. |
2022-10-27 | Enhancement:<br>- Parsed the following syslog fields of log type IOSXE-6-PLATFORM:<br>- Mapped "ip" to "intermediary.ip"<br>- Mapped "src_ip" to "principal.ip"<br>- Mapped "src_port" to "principal.port"<br>- Mapped "dst_ip" to "target.ip"<br>- Mapped "dst_port" to "target.port"<br>- Mapped "protocol" to "network.ip_protocol"<br>- Mapped "facility" to "principal.resource.type"<br>- Mapped "mnemonics" to "metadata.product_event_type"<br>- Mapped "sc_summary" to "metadata.description"<br>- Mapped "sr_action" to "security_result.action"<br>- Mapped "summary" to "security_result.summary" |
2022-08-23 | Enhancement:<br>- Corrected the mapping of principal and target IP.<br>- Mapped "target_ip" to "event.idm.read_only_udm.target.ip"<br>- Mapped "src_ip" to "event.idm.read_only_udm.principal.asset.ip" |
2022-07-01 | Enhancement:<br>- Fixed an error parsing logs whose product_event_type is SYS-3-LOGGINGHOST_FAIL, SEC_LOGIN-5-LOGIN_SUCCESS, SYS-6-LOGGINGHOST_STARTSTOP or SYS-6-LOGOUT and no timestamp is present.<br>- Changed metadata.event_type of SYS-3-LOGGINGHOST_FAIL logs from GENERIC_EVENT to STATUS_UPDATE. |
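As an added illustration (not the parser's own code, and the sample lines are constructed), here is a Python sketch of the chain the entries above describe: grok-style extraction of the syslog header and the IPACCESSLOGP body, raw-field to UDM mapping using the field names listed in this log, the numeric-hostname rule for intermediary.hostname, and the event_type rule from the 2025-04-21 entry. It assumes the has_principal/has_target checks reduce to whether principal.ip and target.ip were populated.

```python
import re

# Constructed sample lines (not from the page), laid out like Cisco IOS syslog messages.
SAMPLE_LINES = [
    "Apr 21 10:15:02 rtr-edge-1 %FMANFP-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(51234) -> 192.0.2.10(443), 1 packet",
    "Apr 21 10:16:30 rtr-edge-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Apr 21 10:17:00 7001 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.9 started",
]

# Grok-style patterns: the syslog header, then the message bodies we know how to read.
HEADER_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s(?P<hostname>\S+)\s"
                       r"%(?P<facility>[A-Z_]+)-\d-(?P<mnemonics>[A-Z_]+):\s(?P<body>.*)$")
ACL_RE = re.compile(r"list \S+ (?P<sr_action>permitted|denied) (?P<protocol>\w+) "
                    r"(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> (?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)")
CONFIG_RE = re.compile(r"by \S+ on \S+ \((?P<src_ip>[\d.]+)\)")

# Raw field -> UDM field, using the names the change log entries list.
FIELD_MAP = {"src_ip": "principal.ip", "src_port": "principal.port", "dst_ip": "target.ip",
             "dst_port": "target.port", "protocol": "network.ip_protocol",
             "facility": "principal.resource.type", "mnemonics": "metadata.product_event_type"}

def parse_cisco_syslog(line: str) -> dict:
    """Return a flat dict of UDM field paths for one line; unparseable lines give {}."""
    m = HEADER_RE.match(line)
    if not m:
        return {}
    raw = m.groupdict()
    body = raw.pop("body")
    for body_re in (ACL_RE, CONFIG_RE):
        bm = body_re.search(body)
        if bm:
            raw.update(bm.groupdict())
            break
    udm = {FIELD_MAP[k]: v for k, v in raw.items() if k in FIELD_MAP}
    # Syslog-header hostname becomes intermediary.hostname unless the value is numeric.
    if not raw["hostname"].isdigit():
        udm["intermediary.hostname"] = raw["hostname"]
    if "sr_action" in raw:
        udm["security_result.action"] = "BLOCK" if raw["sr_action"] == "denied" else "ALLOW"
    # event_type rule from the 2025-04-21 entry; assumption: has_principal / has_target
    # reduce to whether principal.ip / target.ip were populated.
    has_principal, has_target = "principal.ip" in udm, "target.ip" in udm
    if has_principal and has_target:
        udm["metadata.event_type"] = "NETWORK_CONNECTION"
    elif has_principal:
        udm["metadata.event_type"] = "STATUS_UPDATE"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return udm
```

Running `parse_cisco_syslog` over `SAMPLE_LINES` yields NETWORK_CONNECTION, STATUS_UPDATE and GENERIC_EVENT respectively, and the numeric hostname on the third line is dropped rather than mapped.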