Change log for LINUX_SYSMON
2024-10-22
Enhancement:
- Added support for the new pattern of syslog logs.

2024-06-17
Enhancement:
- Added support for the new pattern of JSON logs.

2024-01-25
Enhancement:
- Removed extra escape characters from the "message" to avoid 'xml' filter failure.
- Changed mapping for "UserID" from "principal.user.windows_sid" to "principal.user.userid".

2023-11-09
Enhancement:
- Mapped "User" to "target.user.userid".
- Mapped "ParentUser" to "principal.user.userid".
- Mapped "ProcessId" to "target.process.pid".
- Mapped "FileVersion" to "principal.software.version".
- Mapped "Product" to "principal.software.name".
- Mapped "Company" to "principal.software.vendor_name".
- Mapped "LogonId" to "principal.network.session_id".
- Mapped "OriginalFileName", "CurrentDirectory", "LogonGuid", "TerminalSessionId", "IntegrityLevel" to "additional.fields".

2022-07-12
Enhancement:
- Added a null check to the EventID field prior to mapping.
- Mapped insertId to metadata.product_log_id.
- Mapped logName to target_process_file.
- Mapped resource.type to target.resource.type.
- Mapped resource.labels.project_id to target.resource.product_object_id.
- Mapped resource.labels.instance_id to target.resource.id.
- Mapped refer_url to network.http.referral_url.

2022-05-10
Initial creation of the LINUX_SYSMON Chronicle parser, based upon WINDOWS_SYSMON.
- Supports event IDs 1, 3, 5, 9, 11, 16, 23.
- Uses the Chronicle Forwarder Regex Filter capabilities with an allow filter of 'sysmon' to exclude syslog logs.
Last updated 2025-03-13 UTC.