Change log for CISCO_SDWAN
Date | Changes |
---|---|
2025-06-23 | Enhancement:
- Added Grok patterns to parse the raw logs.
- Mapped `logid` to `event.idm.read_only_udm.metadata.product_log_id`.
- Mapped `logmodule`, `logfeature` and `meta_sequenceId` to `event.idm.read_only_udm.additional.fields`.
- Mapped `loguser` and `user1` to `event.idm.read_only_udm.principal.user.userid`.
- Mapped `logusersrcip` and `principal_ip1` to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`.
- Mapped `logmsg` to `event.idm.read_only_udm.metadata.description`.
- Mapped `logdeviceid`, `peer_ip` and `target_ip1` to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`.
- Mapped `host_name` to `event.idm.read_only_udm.intermediary.hostname` and `event.idm.read_only_udm.intermediary.asset.hostname`.
- Mapped `process` to `event.idm.read_only_udm.principal.resource.attribute.labels`.
- Mapped `pid` to `event.idm.read_only_udm.principal.pid`.
- Added Grok patterns on the `description_1` field.
- Mapped `type1` to `event.idm.read_only_udm.network.dhcp.type`.
- Mapped `session_id` to `event.idm.read_only_udm.network.session_id`.
- Mapped `principal_port1` to `event.idm.read_only_udm.principal.port`.
- Mapped `target_port1` to `event.idm.read_only_udm.target.port`.
- Mapped `description_1` to `event.idm.read_only_udm.security_result.summary`.
- Mapped `event.idm.read_only_udm.network.application_protocol` to `NETCONF` when the message contains "netconf", and to `DHCP` when it contains "dhcp".
- Mapped `event.idm.read_only_udm.network.ip_protocol` to `TCP` when the message contains "tcp".
- When `prod_type` contains "Connection closed" and the `has_target` flag is true, mapped `event.idm.read_only_udm.metadata.event_type` to `USER_LOGOUT` and `event.idm.read_only_udm.extensions.auth.type` to `AUTHTYPE_UNSPECIFIED`.
- When the `has_principal_user` flag is true, mapped `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED`.
- Merged `intermediary` into the `event.idm.read_only_udm.intermediary` UDM field. |
2025-03-19 | Enhancement:
- Added Grok patterns to parse the logs.
- Mapped `username1` to `target.user.userid`.
- Mapped `security_result.action` to `ALLOW` or `BLOCK` based on the message content.
- Mapped `metadata.event_type` to `USER_LOGIN` when the message contains "success" and the `has_principal` and `has_user` flags are both true.
- Mapped `metadata.event_type` to `USER_LOGOUT` when the message contains "LOGOUT" and the `has_principal` and `has_user` flags are both true. |
2025-03-04 | Enhancement:
- Mapped `timestamp` to `metadata.event_timestamp`.
- Mapped `ip_1` to `principal.ip` and `principal.asset.ip`.
- Mapped `ip_2` to `target.ip` and `target.asset.ip`.
- Mapped `port_1` to `principal.port`.
- Mapped `port_2` to `target.port`.
- Mapped `system_ip` to `principal.ip` and `principal.asset.ip`.
- Mapped `instance_id` to `target.resource.product_object_id`.
- Mapped `message_1` to `metadata.description`.
- Mapped `network_protocol` to `network.ip_protocol`.
- Mapped `hostname` to `principal.hostname`.
- Mapped `classification` to `security_result.category_details`.
- Mapped `priority` to `security_result.severity`.
- Mapped `policy` to `security_result.detection_fields`.
- Mapped `malware` to `security_result.detection_fields`.
- Mapped `filename` to `target.file.names`.
- Mapped `filetype` to `target.process.file.mime_type`. |
2025-02-24 | - Added support to parse previously unparsed logs. |
2025-01-16 | - Newly created parser. |
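The conditional logic recorded in the 2025-06-23 and 2025-03-19 entries (protocol hints keyed off message substrings, and the `has_target` / `has_principal` / `has_user` flags that decide `metadata.event_type`) is easier to reason about when run over concrete lines. The block below is an added example, not the CISCO_SDWAN parser's own code; it re-implements those rules in Python over constructed key=value log lines. The key=value layout of the sample lines, the treatment of `prod_type` as the message text, the keywords used to choose `BLOCK` over `ALLOW`, the order in which the event-type rules are evaluated, and the `GENERIC_EVENT` fallback are all assumptions made for the example.

```python
"""Re-implementation of the mapping rules from the 2025-06-23 and 2025-03-19
changelog entries. Added example only; not the production parser. The log
layout, sample lines, BLOCK keywords, rule order and fallback are assumptions."""
import re

# key=value tokens, values optionally double-quoted (stands in for the Grok patterns).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (not taken from the page or from a real device).
SAMPLE_LOGS = [
    'logid=4001 logmodule=system logfeature=ssh loguser=admin logusersrcip=10.10.1.5 '
    'logdeviceid=172.16.0.1 host_name=vmanage-1 pid=2231 logmsg="Connection closed by tcp session"',
    'logid=4002 logmodule=auth logfeature=login loguser=netops logusersrcip=10.10.1.9 '
    'logdeviceid=172.16.0.2 logmsg="netconf login success"',
    'logid=4003 logmodule=auth logfeature=login loguser=guest logusersrcip=10.10.1.7 '
    'logmsg="authentication failed for user guest"',
    'logid=4004 logmodule=dhcp logfeature=lease logmsg="dhcp offer sent to client"',
]


def parse_kv(line):
    """Extract key=value pairs from one line; quoted values are unwrapped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def first(fields, *names):
    """Return the first present source field among alternatives (e.g. loguser / user1)."""
    for n in names:
        if n in fields:
            return fields[n]
    return None


def normalize(line):
    """Apply the changelog's field mappings and conditional event-type logic to one line.
    Returns a flat dict keyed by UDM path (prefix event.idm.read_only_udm omitted)."""
    f = parse_kv(line)
    udm = {}
    msg = f.get("logmsg", "")
    lower = msg.lower()

    if "logid" in f:
        udm["metadata.product_log_id"] = f["logid"]
    udm["metadata.description"] = msg
    udm["additional.fields"] = {k: f[k] for k in ("logmodule", "logfeature", "meta_sequenceId") if k in f}

    user = first(f, "loguser", "user1")
    if user:
        udm["principal.user.userid"] = user
    pip = first(f, "logusersrcip", "principal_ip1")
    if pip:
        udm["principal.ip"] = udm["principal.asset.ip"] = pip
    tip = first(f, "logdeviceid", "peer_ip", "target_ip1")
    if tip:
        udm["target.ip"] = udm["target.asset.ip"] = tip
    if "host_name" in f:
        udm["intermediary.hostname"] = udm["intermediary.asset.hostname"] = f["host_name"]
    if "pid" in f:
        udm["principal.pid"] = f["pid"]

    # Protocol hints are substring checks on the message, as the 2025-06-23 entry states.
    if "netconf" in lower:
        udm["network.application_protocol"] = "NETCONF"
    elif "dhcp" in lower:
        udm["network.application_protocol"] = "DHCP"
    if "tcp" in lower:
        udm["network.ip_protocol"] = "TCP"

    # Assumption: a message mentioning failure or denial is BLOCK, anything else ALLOW.
    udm["security_result.action"] = "BLOCK" if ("fail" in lower or "denied" in lower) else "ALLOW"

    # Flags named in the changelog, derived from what was mapped above.
    has_principal = "principal.ip" in udm
    has_user = "principal.user.userid" in udm
    has_target = "target.ip" in udm
    prod_type = msg  # assumption: prod_type is the message text

    # Rule order is an assumption; the changelog lists the rules without stating precedence.
    if "Connection closed" in prod_type and has_target:
        udm["metadata.event_type"] = "USER_LOGOUT"
        udm["extensions.auth.type"] = "AUTHTYPE_UNSPECIFIED"
    elif "success" in lower and has_principal and has_user:
        udm["metadata.event_type"] = "USER_LOGIN"
    elif "LOGOUT" in msg and has_principal and has_user:
        udm["metadata.event_type"] = "USER_LOGOUT"
    elif has_user:  # has_principal_user
        udm["metadata.event_type"] = "USER_UNCATEGORIZED"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"  # assumed fallback
    return udm


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        u = normalize(line)
        print(u["metadata.product_log_id"], u["metadata.event_type"], u["security_result.action"])
```

Note the first sample line: its message contains "tcp", so `network.ip_protocol` becomes `TCP`, and because `logdeviceid` populated `target.ip` the `has_target` flag lets the "Connection closed" rule win over the user-based rules. The third line shows why the `USER_UNCATEGORIZED` rule needs to come last: a failed authentication has a principal user but neither "success" nor "LOGOUT" in its message.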