Change log for CLEARPASS
Date | Changes |
---|---|
2025-08-20 | Enhancement:<br>- Added a new grok pattern for the `not_json` data field to parse previously dropped and unparsed logs.<br>- `event.idm.read_only_udm.metadata.product_version`: Newly mapped the `swVersion` raw log field to the `event.idm.read_only_udm.metadata.product_version` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `enterpriseId` and `software` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `ip` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `CppmNode.CPPM-Node` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields when `CppmNode.CPPM-Node` differs from `ip`; otherwise `CppmNode.CPPM-Node` is mapped to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.action_details`: Newly mapped the `Action` raw log field to the `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- Added a new gsub on `_principal_ip` to replace "\\\\" with "". |
2025-07-18 | Enhancement:<br>- Added new grok patterns for the `not_json` data field to parse previously dropped and unparsed logs.<br>- Added a new gsub to parse previously dropped and unparsed logs.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `messagedetail` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `Thread_id`, `servicename`, and `Req_id` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `Internalserviceid`, `InternalChallengeID`, `Entityid`, `handlervalue`, and `instanceid` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.metadata.description`: Newly mapped the `threadrequestinfo` raw log field to the `event.idm.read_only_udm.metadata.description` UDM field.<br>- Modified the mapping of the `timestamp` raw log field so that it correctly populates the `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
2025-07-14 | Enhancement:<br>- Added a gsub to replace "\\r" with "".<br>- Added a grok pattern to parse the raw log fields.<br>- Removed the gsub that replaced "\r\n" with " ".<br>- `event.idm.read_only_udm.principal.process.pid`: Newly mapped the `prin_pid` field to `event.idm.read_only_udm.principal.process.pid`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `host_host` field to `event.idm.read_only_udm.additional.fields`.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `id1`, `TACACS_Privilege_Level`, and `common_login_status` fields to `event.idm.read_only_udm.security_result.detection_fields`.<br>- Added a grok pattern on the `kv_data_2` field to extract `common_request_timestamp`.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `common_request_timestamp` field to `event.idm.read_only_udm.metadata.event_timestamp`.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `Common_Username` raw log field to `event.idm.read_only_udm.principal.user.userid`.<br>- Added a grok pattern on `TACACS_Remote_Address` to extract only a validly formatted IP address.<br>- `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`: Newly mapped the `TACACS_Remote_Address` field to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`. |
2025-06-25 | Enhancement:<br>- `event.idm.read_only_udm.metadata.description`: Newly mapped the `RADIUS.Acct-Service-Name` raw log field to `event.idm.read_only_udm.metadata.description`.<br>- `event.idm.read_only_udm.intermediary.ip`: Newly mapped the `RADIUS.Acct-NAS-IP-Address` raw log field to `event.idm.read_only_udm.intermediary.ip`.<br>- `event.idm.read_only_udm.principal.labels`: Newly mapped the `RADIUS.Acct-NAS-Port-Type` raw log field to `event.idm.read_only_udm.principal.labels`.<br>- `event.idm.read_only_udm.network.session_id`: Newly mapped the `RADIUS.Acct-Session-Id` raw log field to `event.idm.read_only_udm.network.session_id`.<br>- `event.idm.read_only_udm.network.session_duration.seconds`: Newly mapped the `RADIUS.Acct-Session-Time` raw log field to `event.idm.read_only_udm.network.session_duration.seconds`.<br>- `event.idm.read_only_udm.network.sent_bytes`: Newly mapped the `RADIUS.Acct-Input-Pkts` raw log field to `event.idm.read_only_udm.network.sent_bytes`.<br>- `event.idm.read_only_udm.network.received_bytes`: Newly mapped the `RADIUS.Acct-Output-Pkts` raw log field to `event.idm.read_only_udm.network.received_bytes`.<br>- `event_type` is now set to `USER_LOGIN` when `acct_service_name` contains "Login" and to `USER_LOGOUT` when it contains "Logout". |
2025-05-09 | Enhancement:<br>- Added support for parsing a new SYSLOG + KV log format.<br>- `event.idm.read_only_udm.metadata.product_version`: Newly mapped the `swVersion` raw log field to `event.idm.read_only_udm.metadata.product_version`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `software`, `code_error`, and `enterpriseId` raw log fields to `event.idm.read_only_udm.additional.fields`.<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `eventId` raw log field to `event.idm.read_only_udm.metadata.product_log_id`.<br>- `event.idm.read_only_udm.principal.mac`: Newly mapped the `Common.Host-MAC-Address` raw log field to `event.idm.read_only_udm.principal.mac`.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `Common.Service`, `Common.Enforcement-Profiles`, and `req_time` raw log fields to `event.idm.read_only_udm.security_result.detection_fields`.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `ip` raw log field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`.<br>- `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`: Newly mapped the `Common.NAS-IP-Address` and `CppmNode.CPPM-Node` raw log fields to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`.<br>- `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped the `RADIUS.Auth-Source` raw log field to `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname`.<br>- `event.idm.read_only_udm.principal.user.group_identifiers`: Newly mapped the `roles` raw log field to `event.idm.read_only_udm.principal.user.group_identifiers`.<br>- `event.idm.read_only_udm.principal.application`: Newly mapped the `auth_method` raw log field to `event.idm.read_only_udm.principal.application`.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `user_id` raw log field to `event.idm.read_only_udm.principal.user.userid`.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `alerts` raw log field to `event.idm.read_only_udm.security_result.description`.<br>- If `roles` has the value "Authenticated", `event_type` is mapped to `USER_LOGIN`; otherwise it is mapped to `USER_UNCATEGORIZED`. |
2024-09-12 | Enhancement:<br>- Added support to parse a new format of SYSLOG and JSON logs. |
2024-08-08 | Enhancement:<br>- Mapped `Acct-NAS-IP-Address` to `principal.ip`.<br>- Mapped `Acct-Username` to `principal.user.userid`.<br>- Mapped `Acct-Calling-Station-Id` to `principal.user.product_object_id`. |
2024-05-05 | Enhancement:<br>- Handled previously unparsed SYSLOG format logs.<br>- Mapped `prin_port` to `principal.port`.<br>- Mapped `agent_ip` to `principal.ip` and `principal.asset.ip`.<br>- Mapped `descr` and `eventDescription` to `metadata.description`.<br>- Mapped `version` to `metadata.product_version`.<br>- Mapped `specificTrap_name`, `uptime`, `enterprise`, `generic_num`, `specificTrap_num`, and `community` to `additional.fields`. |
2024-01-11 | Enhancement:<br>- Mapped `Common.NAS-IP-Address` to `target.ip`.<br>- Mapped `Common.Service`, `Common.Enforcement-Profiles`, and `Common.Login-Status` to `security_result.detection_fields`. |
2022-08-18 | Enhancement:<br>- Handled previously dropped CEF-format logs and unparsed logs to improve the parsing rate.<br>- Mapped `metadata.event_type` to `STATUS_UPDATE` when `principal.hostname` or `principal.ip` is populated; otherwise mapped it to `GENERIC_EVENT`. |
2022-07-08 | Enhancement:<br>- Modified the mapping for `_target_user_groupid` from `target.user.groupid` to `target.user.group_identifiers`.<br>- Modified the mapping for `Common.Roles` from `principal.user.groupid` to `principal.user.group_identifiers`. |
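
The conditional rules recorded above (the `CppmNode.CPPM-Node` versus `ip` split from 2025-08-20, the backslash-stripping gsub on `_principal_ip`, the valid-IP extraction on `TACACS_Remote_Address` from 2025-07-14, and the `event_type` rules from 2025-06-25, 2025-05-09 and 2022-08-18) are easiest to check against sample records as code. The following Python is an added example written for this page, not the CLEARPASS parser's own logic (that parser is a Chronicle parser config, not Python). It operates on already-extracted raw fields rather than on raw syslog; the precedence between rules from different entries, the substring match on `roles`, and the comma-separated form of `roles` are assumptions; `_IPV4_RE` is a hypothetical stand-in for the parser's grok; and the sample records are constructed.

```python
"""Reference model of the conditional mappings this changelog records.

Added example, not the CLEARPASS parser's own code (that is a Chronicle parser
config, not Python). Input: a dict of already-extracted raw fields named as the
changelog names them. Output: a flat dict keyed by UDM path. Rule precedence
across entries is assumed here, and every sample is constructed.
"""
import ipaddress
import re

# IPv4 literal not glued to other digits or dots, so "192.0.2.7:49" yields
# 192.0.2.7. Hypothetical pattern standing in for the parser's grok.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ip(value):
    """First valid IPv4 inside value, or None (2025-07-14 grok on
    TACACS_Remote_Address plus the 2025-08-20 backslash-stripping gsub)."""
    if not value:
        return None
    for candidate in _IPV4_RE.findall(value.replace("\\", "")):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:  # 999.1.1.1 fits the regex but is not an address
            continue
    return None


def event_type(raw, udm):
    """Event-type rules from the 2025-06-25, 2025-05-09 and 2022-08-18 entries,
    in that assumed order of precedence."""
    service = raw.get("RADIUS.Acct-Service-Name", "")
    if "Login" in service:
        return "USER_LOGIN"
    if "Logout" in service:
        return "USER_LOGOUT"
    if "roles" in raw:
        # Substring match is an assumption; ClearPass role names are bracketed,
        # e.g. "[User Authenticated]".
        return "USER_LOGIN" if "Authenticated" in raw["roles"] else "USER_UNCATEGORIZED"
    if udm["principal.ip"] or udm.get("principal.hostname"):
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def map_event(raw):
    """Apply the documented mappings to one set of raw fields."""
    udm = {"principal.ip": [], "target.ip": [], "additional.fields": {}}

    ip = extract_ip(raw.get("ip"))
    if ip:
        udm["principal.ip"].append(ip)

    # 2025-08-20: CPPM-Node becomes a principal IP unless it duplicates `ip`,
    # in which case only an additional field is kept. This supersedes the
    # 2025-05-09 entry that sent the same field to target.ip.
    node = raw.get("CppmNode.CPPM-Node")
    if node:
        node_ip = extract_ip(node)
        if node_ip and node_ip != ip:
            udm["principal.ip"].append(node_ip)
        else:
            udm["additional.fields"]["CPPM-Node"] = node
    udm["principal.asset.ip"] = list(udm["principal.ip"])

    for field in ("TACACS_Remote_Address", "Common.NAS-IP-Address"):
        target = extract_ip(raw.get(field))
        if target:
            udm["target.ip"].append(target)
    udm["target.asset.ip"] = list(udm["target.ip"])

    if raw.get("RADIUS.Auth-Source"):
        udm["principal.hostname"] = raw["RADIUS.Auth-Source"]
    user = raw.get("user_id") or raw.get("Common_Username")
    if user:
        udm["principal.user.userid"] = user
    if raw.get("roles"):  # comma-separated role list is an assumption
        udm["principal.user.group_identifiers"] = [
            r.strip() for r in raw["roles"].split(",") if r.strip()]

    udm["metadata.event_type"] = event_type(raw, udm)
    return udm


# Constructed samples, not real ClearPass output.
SAMPLE_KV = {"ip": "10.20.30.40", "CppmNode.CPPM-Node": "\\10.20.30.40",
             "roles": "[User Authenticated], [Employee]", "user_id": "jdoe",
             "RADIUS.Auth-Source": "AD-CORP"}
SAMPLE_TACACS = {"ip": "10.20.30.40", "CppmNode.CPPM-Node": "10.20.30.41",
                 "Common_Username": "netadmin",
                 "TACACS_Remote_Address": "192.0.2.7:49"}  # port must go
SAMPLE_ACCT = {"RADIUS.Acct-Service-Name": "Logout"}

if __name__ == "__main__":
    for sample in (SAMPLE_KV, SAMPLE_TACACS, SAMPLE_ACCT):
        print(map_event(sample))
```

Run it and compare the three results with what the parser emits for equivalent events: `SAMPLE_KV` keeps a single principal IP and parks the duplicated node in `additional.fields`, `SAMPLE_TACACS` gets two principal IPs and a port-free `target.ip`, and `SAMPLE_ACCT` becomes `USER_LOGOUT`. One caveat when writing detections on the 2025-06-25 accounting mappings: `RADIUS.Acct-Input-Pkts` and `RADIUS.Acct-Output-Pkts` are packet counters (RFC 2866 Acct-Input-Packets and Acct-Output-Packets), so `network.sent_bytes` and `network.received_bytes` from this source carry packet counts rather than byte counts.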