Change log for CITRIX_NETSCALER
| Date | Changes |
|---|---|
| 2025-06-19 | Enhancement:
- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped `hostname` raw log field with `event.idm.read_only_udm.intermediary.hostname` UDM field for `LOGIN` and `LOGOUT` message types. |
| 2025-04-14 | Enhancement:
- Removed drop statement on kv failure to parse logs with non-utf characters. |
| 2025-04-03 | Enhancement:
- Added a condition check before mapping "User" to "principal.user.userid". - Added a condition check before mapping "Command" to "target.process.command_line". - Added a condition to check if "has_prin_hostname" is "true" before setting the event_type to "PROCESS_UNCATEGORIZED". - Added a condition check if "User" is not equal to null before mapping "event_type" to "USER_UNCATEGORIZED". |
| 2025-02-26 | Enhancement:
- Changed mapping for "ClientIP" from "target.ip" to "principal.ip". - Mapped "intermediary_ip" to "intermediary.ip". - Removed invalid "target.user.userid" mappings for "SSLVPN Message" logs. - Changed "metadata.event_type" from "USER_UNCATEGORIZED" to "PROCESS_UNCATEGORIZED" for "CMD_EXECUTED" logs. - Changed "metadata.event_type" from "GENERIC_EVENT" to "USER_LOGIN" When "message_data" is "SSO: cached credentials". - Changed "metadata.event_type" from "NETWORK_CONNECTION" to "USER_LOGIN" for "REMOVE_SESSION_DEBUG" logs. - Mapped "Remote_ip" to "target.ip". - Mapped "Username" to "principal.user.userid". |
| 2025-02-25 | Enhancement:
- Added a new Grok pattern to parse the logs. - Mapped "Nat_ip" to "principal.ip" and "principal.asset.ip". - Mapped "VserverIP" to "src.ip". - Mapped "VserverPort" to "src.port". - Mapped "Start_time" to "sec_result.first_discovered_time". - Mapped "End_time" to "sec_result.last_discovered_time". - Mapped "target_port" to "target.port". |
| 2025-02-24 | Enhancement:
- Modified the Grok pattern to parse "intermediary.hostname". |
| 2025-02-13 | Enhancement:
- If the feature is "AAA" and the message type is "LOGIN_FAILED", then "security_result.action" is mapped to "BLOCK". - If the feature is "SSLVPN" and the message type is "LOGIN", then "security_result.action" is mapped to "ALLOW". - Mapped "User" to "target.user.userid" for "AAATM - LOGIN and LOGOUT" logs. |
| 2025-02-05 | Enhancement:
- Added a Grok pattern to parse the logs. - Mapped "prin_ip" to "principal.ip and principal.asset.ip". - Mapped "user_prin" to "principal.user.userid". - Mapped "SPCBId" to "security_result.detection_fields" - Mapped "login_count" to "security_result.detection_fields". - Mapped "ica_conn_owner_refmask" to "security_result.detection_fields". - Mapped "session_id" to "network.session_id". - Mapped "sso_flags" to "security_result.detection_fields". - Mapped "copied_nsb" to "security_result.detection_fields". - Mapped "trans id" to "security_result.detection_fields". |
| 2025-01-30 | Enhancement:
- Added a Grok pattern to parse the log. - Mapped "src" to "principal.ip" and "principal.asset.ip". - Mapped "spt" to "principal.port". - Mapped "method" to "network.http.method". - Mapped "request" to "principal.url". - Mapped "msg" to "metadata.description". - Mapped "geolocation" to "principal.location.city". - Mapped "cn1" to "additional.fields". - Mapped "cn2" to "additional.fields". - Mapped "cs1" to "additional.fields". - Mapped "cs2" to "additional.fields". - Mapped "cs4" to "additional.fields". - Mapped "cs5" to "additional.fields". - Mapped "cs6" to "additional.fields". - Mapped "act" to "security_result.detection_fields". |
| 2025-01-20 | Enhancement:
- Added a Grok pattern to support new pattern of syslog logs. |
| 2025-01-16 | Enhancement:
- Added the Grok pattern to support new format of syslog logs. - Mapped "Client_ip" to "principal.ip" and "principal.asset.ip". - Mapped "ip_x" to "principal.ip" and "principal.asset.ip". - Mapped "caseId" to "additional.fields". - Mapped "summ" to "security_result.summary". - Mapped "User" to "principal.user.userid". - Mapped "SessionId" to "network.session_id". |
| 2025-01-14 | Enhancement:
- Added conditional check for "principal_ip" and "target_ip". - Defined "session_guid". |
| 2025-01-09 | Enhancement:
- Modified the Grok pattern to support new format of syslog logs. - When "principal_ip" and "target_ip" is then mapped "event_type" to NETWORK_CONNECTION. |
| 2025-01-02 | Enhancement:
- Modified the Grok pattern to support new format of syslog logs. |
| 2024-12-19 | Enhancement:
- Added support for new format of syslog logs. |
| 2024-12-05 | Enhancement:
- Added support for new format of syslog logs. |
| 2024-12-05 | Enhancement:
- Added support for new format of syslog logs. |
| 2024-11-21 | Enhancement:
- Added support to parse new format of syslog logs. |
| 2024-11-21 | Enhancement:
- Added support to parse new format of syslog logs. |
| 2024-11-07 | Enhancement:
- Mapped "SubjectName" to null. - Added support to parse logs where "message_type" is "REMOVE_SESSION_DEBUG". - Mapped "Errmsg" to "metadata.description". - Mapped "Sessionid" to "network.session_id". - Mapped "User" to "principal.user.userid". - Mapped "Client_ip" to "principal.ip" and "principal.asset.ip". - Mapped "Vserver_ip" to "target.ip" and "target.asset.ip". |
| 2024-10-15 | Enhancement:
- When "message_type" is equal to "LOGIN" then mapped "user_name" and "user" to "target.user.userid". - When "message_type" is equal to "LOGIN_FAILED" then mapped "User" to "principal.user.userid". |
| 2024-10-11 | Enhancement:
- Added "gsub" to parse the unparsed syslogs. |
| 2024-09-25 | Enhancement:
- Added support to parse the new format of unparsed syslogs. |
| 2024-09-05 | Enhancement:
- Mapped "VserverServiceIP" field to "target.ip" UDM field. - Mapped "VserverServicePort" field to "target.port" UDM field. - Mapped "ClientVersion" field to "network.tls.version_protocol" UDM field. - Mapped "CipherSuite" field to "network.tls.cipher" UDM field. |
| 2024-08-14 | Enhancement:
- Added a Grok pattern to extract "hostname" and mapped it to "intermediary.hostname". - Added a Grok pattern to extract "userid" and added conditional checks before mapping it to "target.user.userid". |
| 2024-08-12 | Enhancement:
- Added a Grok pattern to extract "userid" and mapped it to "principal.user.userid". - Added a Grok pattern to extract "principal_ip" and mapped it to "principal.ip". - Added a Grok pattern to extract "target_ip" and mapped it to "target.ip". - Added a Grok pattern to extract "principal_hostname" and mapped it to "principal.hostname". - Added a Grok pattern to extract "target_hostname" and mapped it to "target.hostname". - Modified the Grok pattern to parse "Authentication details", "userid" and "error message". - Mapped "Authentication details" to "security_result.description", "userid" to "principal.user.userid", and "error message" to "security_result.detection_fields" |
| 2024-07-02 | Enhancement:
- Modified a Grok pattern to parse dropped logs. - Mapped the "Client_IP" to "additional.fields". |
| 2024-05-21 | Enhancement:
- Modified a Grok pattern to parse dropped logs. |
| 2024-05-20 | Enhancement:
- Added new Grok pattern to parse unparsed logs. |
| 2024-05-08 | Enhancement:
- Updated mapping of the duration information from "security_results" to "network.session_duration". |
| 2024-04-29 | Enhancement:
- Added conditional check for "Browser_type" and mapped it to "network.http.parsed_user_agent". - Added conditional check for "userId" and "user_email". - Mapped "Browser" to "network.http.parsed_user_agent". |
| 2024-02-23 | Enhancement:
- Updated Grok pattern to parse hostname as expected in the UDM field. |
| 2024-01-25 | Enhancement:
- Added new Grok patterns to parse logs where "message_type" is "Message", "NONHTTP_RESOURCEACCESS_DENIED", "UDPFLOWSTAT", and "EXTRACTED_GROUPS". - Added support to parse logs where "feature" is "GUI" and "EVENT". - Mapped "principal_port" to "principal.port". - Mapped "ClientIP" to "principal.asset.ip". - Mapped "principal_ip" to "principal.ip" and "principal.asset.ip". - Mapped "target_ip" to "target.ip" and "target.asset.ip". - Mapped "target_port" to "target.port". - Mapped "description" to "metadata.description". - Mapped "type", "aaa_trans_id", "pcb_trans_id", "pcb_state", "pcb_label", "trans_id", "authPolicyLen", "login_attempts", "PromptLen", "partitionLen", "cmdPolicyLen", and "ssh_pubkey_len" to "security_result.detection_fields". - Mapped "principal_hostname" to "principal.hostname" and "principal.asset.hostname". - Mapped "hostname" to "intermediary.asset.hostname". - Mapped "hostname" to "observer.asset.hostname". - Mapped "cip", "ServerIP", "VIP", "VserverServiceIP", and "Remote_ip" to "target.asset.ip". - When "message_type" is "Message", then mapped "User" to "principal.user.userid". - When "principal_ip" and "target_ip" is present, then set "metadata.event_type" to "NETWORK_CONNECTION". - When "Client_ip" and "target_ip" is present, then set "metadata.event_type" to "NETWORK_CONNECTION". - When "message_type" is "NONHTTP_RESOURCEACCESS_DENIED" and "UDPFLOWSTAT", then set "metadata.event_type" to "USER_STATS". - When "message_type" is "Message" and "User" is present, then set "metadata.event_type" to "USER_UNCATEGORIZED". - When "principal_ip" is present, then set "metadata.event_type" to "STATUS_UPDATE". |
| 2023-11-26 | Enhancement-
- Added new Grok patterns to parse logs where "message_type" is "Message". |
| 2023-07-21 | Enhancement - Updated the parser to correctly parse the logs containing feature - 'CLI'.
|
| 2022-09-26 | Enhancement - Migrated custom parsers to default parser.
|
| 2022-06-09 | Enhancement- Added requested mappings:
-Mapped "startTime", "endTime", "Duration" to "security_result.detection_fields". -Updated the parser to parse the logs containing message_type - "CHANNEL_UPDATE", "NETWORK_UPDATE", "AAATM Message". |
| 2022-05-09 | Bug-fix - Updated the parser to correctly parse the logs containing message_type - "TCPCONNSTAT".
-Updated the grok to include the full domain name in "principal.administrative_domain". -Parsed the logs failing during Validation API testing. |
| 2022-04-27 | Enhancement- Added requested mappings
-Mapped intermediary.hostname field -Parsed Api failed logs |