Change log for F5_DNS
| Date | Changes |
|---|---|
| 2025-07-09 | Enhancement:
- event.idm.read_only_udm.principal.user.userid : Newly Mapped `User` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field. - Added an IP validation before mapping `host` and `src_ip` raw log fields with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields. - Added a grok pattern to parse message with `rule_id_val`. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `attemptCount` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.security_result.rule_id: Newly mapped `rule_id_val` raw log field with `event.idm.read_only_udm.security_result.rule_id` UDM field. |
| 2025-06-30 | Enhancement:
- Added a grok pattern to parse new format of logs. - event.idm.read_only_udm.principal.user.userid: Set `has_user` to `true` when `userName` raw field is mapped to`event.idm.read_only_udm.principal.user.userid` UDM field. |
| 2025-06-27 | Enhancement:
- Added grok patterns to retrieve dns data like `dns_name`, `dns_class`, `query_type`, `dnsAnswers`. - `event.idm.read_only_udm.network.dns.question.type`: Newly mapped `query_type`, `record_type` raw log field with `event.idm.read_only_udm.question.type` UDM field. - `event.idm.read_only_udm.network.dns.question.class`: Newly mapped `dns_class` raw log field with `event.idm.read_only_udm.network.dns.question.class` UDM field. - `event.idm.read_only_udm.network.dns.answer.data`: Newly mapped `intermediary_host` or `intermediary_ip` raw log field with `event.idm.read_only_udm.network.dns.answer.data` UDM field. - `event.idm.read_only_udm.network.dns.answer.ttl`: Newly mapped `ttl_data` raw log field with `event.idm.read_only_udm.network.dns.answer.ttl` UDM field. - `event.idm.read_only_udm.network.dns.answer.name`: Newly mapped `dns_answer_domain` raw log field with `event.idm.read_only_udm.network.dns.answer.name` UDM field. - `event.idm.read_only_udm.network.dns.answer.class`: Newly mapped `qclass` raw log field with `event.idm.read_only_udm.network.dns.answer.class` UDM field. - `event.idm.read_only_udm.network.dns.question.name`: Newly mapped `dns_name` raw log field with `event.idm.read_only_udm.question.name` UDM field. - `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `src_ip` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field. - `event.idm.read_only_udm.target.asset.ip`: Newly mapped `dest_ip` raw log field with `event.idm.read_only_udm.target.asset.ip` UDM field. - Updated the mapping of `event.idm.read_only_udm.additional.fields` to utilize a generalized map for fields `partition`, `tty`, `attempts`, `start`, and `end`. - Added on_error for kv filter `kv_data`, `proto_version`, `application`, `userName`, `file_path`, `src_port`, and `desc`. - Added conditional check for field `cmd_data`, `status`. - Removed redundant mapping of `event.idm.read_only_udm.principal.process.command_line` - If url is not empty, then set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_HTTP`. - If `has_principal` is `true` and has_question is `true`, then set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_DNS` and set `event.idm.read_only_udm.network.application_protocol` to `DNS`. - If `has_principal` is `true` and has_target is `true`, then set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION`. - If `has_user` is `true`, then set `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED`. - If `has_principal` is `true` and has_target is false, then set `event.idm.read_only_udm.metadata.event_type` to `STATUS_UPDATE`. - If none of the above conditions are met, then set `event.idm.read_only_udm.metadata.event_type` to `GENERIC_EVENT`. |
| 2025-05-19 | Enhancement:
- Added support for new pattern of SYSLOG + KV logs by adding a Grok pattern followed by a kv filter. - event.idm.read_only_udm.principal.user.userid: Newly mapped `user` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field and set `has_user` to `true`. - event.idm.read_only_udm.principal.ip & event.idm.read_only_udm.principal.asset.ip: Newly mapped `host` raw log field with `event.idm.read_only_udm.principal.ip` & `event.idm.read_only_udm.principal.asset.ip` UDM fields and set `has_principal` to `true`. - event.idm.read_only_udm.additional.fields: Newly mapped `partition`, `level`, `attempts`, `tty`, `start` and `end` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.metadata.event_type: Set `event.idm.read_only_udm.metadata.event_type` to: `USER_UNCATEGORIZED` if `has_user` is `true`, else `STATUS_UPDATE` if `has_principal` is `true`. - Added null checks for `data12`, `action`, `desc_scriptd` and `file_path` fields before mapping their concatenation with `event.idm.read_only_udm.security_result.description` UDM field. - Added a gsub block to parse logs where `application` is `httpd` and `msg3` is not null. |
| 2025-04-17 | Enhancement:
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `datetime` field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
| 2025-01-30 | Enhancement:
- Added support to parse logs with "httpd" application. |