Change log for CISCO_SDWAN

Date Changes
2025-08-25 Enhancement:
- Modified Grok patterns to parse `metadata.product_event_type` and `intermediary.hostname` UDM fields correctly.
- event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip: Removed mapping of `peer_ip` raw log field from `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields in order to introduce a more accurate mapping for the raw log field.
- event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Newly mapped `peer_ip` raw log field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- event.idm.read_only_udm.principal.process.parent_process.pid: Newly mapped `parent_pid` raw log field to `event.idm.read_only_udm.principal.process.parent_process.pid` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `log_id` raw log field to `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `process_name` raw log field to `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.process.file.full_path: Newly mapped `process_path` raw log field to `event.idm.read_only_udm.principal.process.file.full_path` UDM field.
2025-08-11 Enhancement:
- Modified a grok pattern on the "message" field to parse the new format of raw logs.
- Added a new grok pattern on the "msgs" field to parse the "session_id", "ipaddress" and "username" fields for the new format of raw logs.
- event.idm.read_only_udm.network.session_id: Newly mapped `session_id` field with `event.idm.read_only_udm.network.session_id` UDM field.
- Modified a flag used for "username" field mapping from "has_principal" to "has_principal_user".
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped "time_t" field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.intermediary.hostname: Newly mapped `inter_host` field with `event.idm.read_only_udm.intermediary.hostname` UDM field.
2025-06-26 Enhancement:
- Added Grok patterns to parse the raw logs.
- event.idm.read_only_udm.target.resource.name: Newly mapped `target_name` field with `event.idm.read_only_udm.target.resource.name` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `parent_identifier` field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `specific_identifier` field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `initiator_ip` field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- event.idm.read_only_udm.principal.port: Newly mapped `initiator_port` field with `event.idm.read_only_udm.principal.port` UDM field.
- event.idm.read_only_udm.target.ip: Newly mapped `responder_ip` field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- event.idm.read_only_udm.target.port: Newly mapped `responder_port` field with `event.idm.read_only_udm.target.port` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `vlan_id`, `src_vrf`, `dst_vrf`, `qfp`, `Tunnel_id`, `vpn_id`, `tos`, `count`, `tenant_vpn_id`, `sequence`, `result`, `unknown_tenant` and `thread` fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `sent_bytes_1`, `sent_bytes_2`, `log_prefix`, `protocol`, `log_reason`, `ingress_interface`, `egress_interface`, `direction`, `policy`, `udp_packets` and `tty` fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `src_ip` field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- event.idm.read_only_udm.principal.port: Newly mapped `src_port` field with `event.idm.read_only_udm.principal.port` UDM field.
- event.idm.read_only_udm.target.ip: Newly mapped `dst_ip` field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- event.idm.read_only_udm.target.port: Newly mapped `dst_port` field with `event.idm.read_only_udm.target.port` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `user_id` field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.network.tls.cipher: Newly mapped `network_host` field with `event.idm.read_only_udm.network.tls.cipher` UDM field.
- event.idm.read_only_udm.network.application_protocol: Newly mapped `application_protocol` field with `event.idm.read_only_udm.network.application_protocol` UDM field.
- event.idm.read_only_udm.network.sent_bytes: Newly mapped `bytes` field with `event.idm.read_only_udm.network.sent_bytes` UDM field.
2025-06-23 Enhancement:
- Added Grok patterns to parse the raw logs.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `logid` field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `logmodule`, `logfeature` and `meta_sequenceId` fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `loguser` and `user1` fields with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Newly mapped `logusersrcip` and `principal_ip1` fields with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- event.idm.read_only_udm.metadata.description: Newly mapped `logmsg` field with `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip: Newly mapped `logdeviceid`, `peer_ip` and `target_ip1` fields with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- event.idm.read_only_udm.intermediary.hostname, event.idm.read_only_udm.intermediary.asset.hostname: Newly mapped `host_name` field with `event.idm.read_only_udm.intermediary.hostname` and `event.idm.read_only_udm.intermediary.asset.hostname` UDM fields.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `process` field with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.pid: Newly mapped `pid` field with `event.idm.read_only_udm.principal.pid` UDM field.
- Added Grok patterns on the "description_1" field.
- event.idm.read_only_udm.network.dhcp.type: Newly mapped `type1` field with `event.idm.read_only_udm.network.dhcp.type` UDM field.
- event.idm.read_only_udm.network.session_id: Newly mapped `session_id` field with `event.idm.read_only_udm.network.session_id` UDM field.
- event.idm.read_only_udm.principal.port: Newly mapped `principal_port1` field with `event.idm.read_only_udm.principal.port` UDM field.
- event.idm.read_only_udm.target.port: Newly mapped `target_port1` field with `event.idm.read_only_udm.target.port` UDM field.
- event.idm.read_only_udm.security_result.summary: Newly mapped `description_1` field with `event.idm.read_only_udm.security_result.summary` UDM field.
- Mapped "NETCONF" to "event.idm.read_only_udm.network.application_protocol" UDM field if the message contains "netconf".
- Mapped "TCP" to "event.idm.read_only_udm.network.ip_protocol" UDM field if the message contains "tcp".
- Mapped "DHCP" to "event.idm.read_only_udm.network.application_protocol" UDM field if the message contains "dhcp".
- Added a conditional check: if "prod_type" contains "Connection closed" and the "has_target" flag is true, then map "event.idm.read_only_udm.metadata.event_type" to "USER_LOGOUT" and "event.idm.read_only_udm.extensions.auth.type" to "AUTHTYPE_UNSPECIFIED".
- Added a conditional check: if the "has_principal_user" flag is true, then map "event.idm.read_only_udm.metadata.event_type" to "USER_UNCATEGORIZED".
- Merged "intermediary" with "event.idm.read_only_udm.intermediary" UDM field.
2025-03-19 Enhancement:
- Added Grok patterns to parse the logs.
- Mapped "username1" to "target.user.userid".
- Mapped "security_result.action" to "ALLOW" or "BLOCK" based on the message.
- Mapped "metadata.event_type" to "USER_LOGIN" when the message contains "success" and "has_principal" and "has_user" are true.
- Mapped "metadata.event_type" to "USER_LOGOUT" when the message contains "LOGOUT" and "has_principal" and "has_user" are true.
2025-03-04 Enhancement:
- Mapped "timestamp" to "metadata.event_timestamp".
- Mapped "ip_1" to "principal.ip" and "principal.asset.ip".
- Mapped "ip_2" to "target.ip" and "target.asset.ip".
- Mapped "port_1" to "principal.port".
- Mapped "port_2" to "target.port".
- Mapped "system_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "instance_id" to "target.resource.product_object_id".
- Mapped "message_1" to "metadata.description".
- Mapped "network_protocol" to "network.ip_protocol".
- Mapped "hostname" to "principal.hostname".
- Mapped "classification" to "security_result.category_details".
- Mapped "priority" to "security_result.severity".
- Mapped "policy" to "security_result.detection_fields".
- Mapped "malware" to "security_result.detection_fields".
- Mapped "filename" to "target.file.names".
- Mapped "filetype" to "target.process.file.mime_type".
2025-02-24 - Added support to parse the unparsed logs.
2025-01-16 - Newly created parser.