Change log for EPIC
Date | Changes |
---|---|
2025-07-24 | Enhancement:
- Added a new grok pattern to support CEF-format logs.
- Included additional date formats for timestamp parsing.
- Added gsubs to handle `"` characters.
- Refactored the key-value splitting logic in `kv_data` to handle space-separated keys using gsub.
- Added `on_error` to the KV filter.
- Rearranged the conditions that determine `event.idm.read_only_udm.metadata.event_type`.
- Extracted `severity` from the raw log and renamed it to `sev` when the `sev` raw log field is empty.
- Newly mapped the `act` raw log field to `event.idm.read_only_udm.additional.fields`.
- Newly mapped the `cnt` raw log field to `event.idm.read_only_udm.additional.fields`.
- Newly mapped the `end` raw log field to `event.idm.read_only_udm.additional.fields`.
- Newly mapped the `product_version` raw log field to `event.idm.read_only_udm.metadata.product_version`.
- Newly mapped the `workstationID` raw log field to `event.idm.read_only_udm.principal.asset.asset_id`.
- Newly mapped the `shost` raw log field to `event.idm.read_only_udm.principal.asset.hostname` and `event.idm.read_only_udm.principal.hostname`.
- Newly mapped the `suser` raw log field to `event.idm.read_only_udm.principal.user.user_display_name` and `event.idm.read_only_udm.principal.user.userid`.
- Newly mapped the `IP` raw log field to `event.idm.read_only_udm.target.asset.ip` and `event.idm.read_only_udm.target.ip`. |
2024-07-01 | Enhancement:
- Changed the mapping of `metadata.event_timestamp` from `devTime` to `timestamp`, taking the year from the `devTime` field.
- Mapped `devTime` to `additional.fields`. |
2022-10-31 | Bugfix - Added support for multiple events. |
2022-06-09 | Bugfix - Added support for multiple events containing the center dot "·".
Added conditional checks for the fields `devTime`, `usrName`, `shost`, `sev` and `IP`. |
2022-04-14 | Bugfix - Added support for multiple events. |
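The parsing steps recorded in the entries above (a CEF header pattern, key-value splitting of the CEF extension where values may themselves contain spaces, the `sev` fallback when the extension field is empty, splitting several events joined by the center dot "·", tolerating a malformed segment the way an `on_error` does, and the 2025-07-24 field mappings) as an added, illustrative Python example. This is not the SecOps parser's own Logstash-style configuration. The Epic-style CEF lines are constructed; it is assumed that the `severity` the log mentions is the CEF header Severity field, the `event_type` choice (`USER_UNCATEGORIZED` when a user is present, otherwise `GENERIC_EVENT`) is an assumption since the log only says the conditions were rearranged, and the destination of `sev` is left as a plain field because the log does not state it.

```python
import re
from typing import Any, Dict, List, Tuple

# Center dot that joins several events into one raw line (2022-06-09 entry).
EVENT_SEPARATOR = "\u00b7"

# CEF header: CEF:Version|Vendor|Product|Version|ClassID|Name|Severity|Extension
# A syslog prefix before "CEF:" is tolerated by the leading non-greedy .*?
CEF_HEADER_RE = re.compile(
    r"^.*?CEF:(?P<cef_version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<class_id>[^|]*)\|(?P<name>[^|]*)\|"
    r"(?P<severity>[^|]*)\|(?P<extension>.*)$"
)

# A key is an identifier directly followed by "=" and preceded by whitespace or
# the start of the extension. A value runs up to the next key, so values with
# spaces ("act=Open Chart") survive the split instead of being cut at the space.
KV_KEY_RE = re.compile(r"(?<!\S)([A-Za-z_][A-Za-z0-9_.]*)=")


def split_events(raw: str) -> List[str]:
    """Split a raw line on the center dot and drop empty fragments."""
    return [part.strip() for part in raw.split(EVENT_SEPARATOR) if part.strip()]


def parse_extension(ext: str) -> Dict[str, str]:
    """Key-value split of the CEF extension; unescapes CEF's backslash-escaped '=' and '|'."""
    keys = list(KV_KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[start:end].strip().replace("\\=", "=").replace("\\|", "|")
    return fields


def parse_cef(segment: str) -> Dict[str, Any]:
    """Split one CEF record into header fields and extension key-values."""
    m = CEF_HEADER_RE.match(segment)
    if m is None:
        raise ValueError("not a CEF record")
    header = m.groupdict()
    return {"header": header, "ext": parse_extension(header.pop("extension"))}


def to_udm(parsed: Dict[str, Any]) -> Dict[str, Any]:
    """Map raw fields to the UDM paths listed in the 2025-07-24 entry."""
    hdr, ext = parsed["header"], parsed["ext"]
    # sev fallback: an empty "sev=" falls back to the header Severity (assumption:
    # that header field is what the change log calls `severity`).
    sev = ext.get("sev") or hdr["severity"]
    suser, shost, ip = ext.get("suser"), ext.get("shost"), ext.get("IP")
    udm: Dict[str, Any] = {
        "metadata": {
            "vendor_name": hdr["vendor"],
            "product_name": hdr["product"],
            "product_version": hdr["product_version"],
            # Assumed rule; the change log does not state the actual conditions.
            "event_type": "USER_UNCATEGORIZED" if suser else "GENERIC_EVENT",
        },
        "principal": {},
        "target": {},
        "additional": {"fields": {}},
        "sev": sev,  # destination UDM field not stated in the change log
    }
    if shost:
        udm["principal"]["hostname"] = shost
        udm["principal"].setdefault("asset", {})["hostname"] = shost
    if ext.get("workstationID"):
        udm["principal"].setdefault("asset", {})["asset_id"] = ext["workstationID"]
    if suser:
        udm["principal"]["user"] = {"userid": suser, "user_display_name": suser}
    if ip:
        udm["target"]["ip"] = [ip]
        udm["target"]["asset"] = {"ip": [ip]}
    for key in ("act", "cnt", "end"):
        if key in ext:
            udm["additional"]["fields"][key] = ext[key]
    return udm


def parse_line(raw: str) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Parse every event in a raw line. Like the KV filter's on_error, a malformed
    segment is set aside for inspection instead of failing the whole line."""
    events, failures = [], []
    for segment in split_events(raw):
        try:
            events.append(to_udm(parse_cef(segment)))
        except ValueError:
            failures.append(segment)
    return events, failures


# Constructed sample: two Epic-style CEF events joined by a center dot, plus a
# non-CEF fragment. The first event has an empty sev= and a workstationID; the
# second has a value containing a space.
SAMPLE_LINE = (
    "CEF:0|Epic|Epic|9.1|1001|User login|5|shost=ws-042 suser=jdoe IP=10.0.0.8 "
    "workstationID=WS042 act=Login cnt=1 end=1721817600000 sev="
    + EVENT_SEPARATOR +
    "CEF:0|Epic|Epic|9.1|1002|Chart access|3|shost=ws-007 suser=asmith IP=10.0.0.9 "
    "act=Open Chart cnt=2 sev=Low"
    + EVENT_SEPARATOR +
    "garbage that is not CEF"
)

if __name__ == "__main__":
    parsed, bad = parse_line(SAMPLE_LINE)
    for e in parsed:
        print(e["metadata"]["event_type"], e["sev"], e["principal"], e["target"], e["additional"])
    print("unparsed segments:", bad)
```

Running the module prints the two mapped events and the unparsed fragment. The key-splitting regex is what makes `act=Open Chart` come out whole; a naive split on spaces would yield `act=Open` and lose `Chart`, which is the class of defect the `kv_data` refactor in the 2025-07-24 entry addresses.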