Change log for CLEARPASS
Date | Changes |
---|---|
2025-05-09 | Enhancement:<br>- Added support to parse a new format of SYSLOG + KV logs.<br>- Mapped `swVersion` to `event.idm.read_only_udm.metadata.product_version`.<br>- Mapped `software`, `code_error` and `enterpriseId` to `event.idm.read_only_udm.additional.fields`.<br>- Mapped `eventId` to `event.idm.read_only_udm.metadata.product_log_id`.<br>- Mapped `Common.Host-MAC-Address` to `event.idm.read_only_udm.principal.mac`.<br>- Mapped `Common.Service`, `Common.Enforcement-Profiles` and `req_time` to `event.idm.read_only_udm.security_result.detection_fields`.<br>- Mapped `ip` to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`.<br>- Mapped `Common.NAS-IP-Address` and `CppmNode.CPPM-Node` to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`.<br>- Mapped `RADIUS.Auth-Source` to `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname`.<br>- Mapped `roles` to `event.idm.read_only_udm.principal.user.group_identifiers`.<br>- Mapped `auth_method` to `event.idm.read_only_udm.principal.application`.<br>- Mapped `user_id` to `event.idm.read_only_udm.principal.user.userid`.<br>- Mapped `alerts` to `event.idm.read_only_udm.security_result.description`.<br>- If `roles` has the value "Authenticated", `event_type` is mapped to "USER_LOGIN"; otherwise it is mapped to "USER_UNCATEGORIZED". |
2024-09-12 | Enhancement:<br>- Added support to parse a new format of SYSLOG and JSON logs. |
2024-08-08 | Enhancement:<br>- Mapped "Acct-NAS-IP-Address" to "principal.ip".<br>- Mapped "Acct-Username" to "principal.user.userid".<br>- Mapped "Acct-Calling-Station-Id" to "principal.user.product_object_id". |
2024-05-05 | Enhancement:<br>- Handled unparsed SYSLOG format logs.<br>- Mapped "prin_port" to "principal.port".<br>- Mapped "agent_ip" to "principal.ip" and "principal.asset.ip".<br>- Mapped "descr" and "eventDescription" to "metadata.description".<br>- Mapped "version" to "metadata.product_version".<br>- Mapped "specificTrap_name", "uptime", "enterprise", "generic_num", "specificTrap_num" and "community" to "additional.fields". |
2024-01-11 | Enhancement:<br>- Mapped "Common.NAS-IP-Address" to "target.ip".<br>- Mapped "Common.Service", "Common.Enforcement-Profiles" and "Common.Login-Status" to "security_result.detection_fields". |
2022-08-18 | Enhancement:<br>- Handled dropped CEF-format logs and unparsed logs to improve the parsing rate.<br>- Mapped "metadata.event_type" to "STATUS_UPDATE" where "principal.hostname" or "principal.ip" is not null; otherwise mapped it to "GENERIC_EVENT". |
2022-07-08 | Enhancement:<br>- Changed the mapping of "_target_user_groupid" from "target.user.groupid" to "target.user.group_identifiers".<br>- Changed the mapping of "Common.Roles" from "principal.user.groupid" to "principal.user.group_identifiers". |