Change log for IBM_I
| Date | Changes |
|---|---|
| 2025-04-11 | Enhancement:<br>- Added Grok patterns to parse the new Syslog log format.<br>- Mapped `time` using the date format `yyyy-MM-dd-HH.mm.ss`.<br>- Modified the Grok pattern for `PW` type logs to map `prin_host` to `principal.hostname` and `principal.asset.hostname`.<br>- When `has_principal_user` and `has_target_user` are both `true`, mapped `event.idm.read_only_udm.metadata.event_type` according to `eventtype`: `CO` to `USER_RESOURCE_UPDATE_CONTENT`, `OR` to `USER_RESOURCE_ACCESS`, `ZC` to `USER_RESOURCE_UPDATE_CONTENT`, `ZR` to `USER_RESOURCE_DELETION`, and `DO` to `STATUS_UPDATE`. |
| 2025-04-07 | Enhancement:<br>- Mapped the `jrn_seq` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Mapped the `job_number` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Mapped the `admin_user` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- Mapped the `auth_user` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- Mapped the `cmd_type` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Mapped the `object` raw log field to the `event.idm.read_only_udm.target.resource.name` UDM field.<br>- Mapped the `object_type` raw log field to the `event.idm.read_only_udm.target.resource.type` UDM field.<br>- Mapped the `object_library` raw log field to the `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- Added a conditional check before setting the `has_user` flag to `true` when `no_user_id` or `user_id` is empty.<br>- Added a conditional check that sets `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED`. |
| 2025-03-03 | Enhancement:<br>- Added Grok patterns to parse the new Syslog log format.<br>- Mapped `prin_host` to `principal.hostname` and `principal.asset.hostname`.<br>- Mapped `prin_pid` to `principal.process.pid`.<br>- Mapped `prin_resource` to `principal.resource.name`.<br>- Mapped `prin_user` to `principal.user.userid`.<br>- Mapped `tar_pid` to `target.process.pid`.<br>- Mapped `tar_host` to `target.hostname` and `target.asset.hostname`. |
| 2024-07-03 | Enhancement:<br>- Added support for the new log format. |
| 2024-03-18 | Newly created parser. |