Change log for MIKROTIK_ROUTER
| Date | Changes |
|---|---|
| 2025-08-19 | Enhancement: |
| | `event.idm.read_only_udm.metadata.product_version`: Newly mapped `version` raw log field to `event.idm.read_only_udm.metadata.product_version` UDM field. |
| | `event.idm.read_only_udm.target.hostname`: Newly mapped `dvchost` raw log field to `event.idm.read_only_udm.target.hostname` UDM field. |
| | `event.idm.read_only_udm.target.asset.hostname`: Newly mapped `dvchost` raw log field to `event.idm.read_only_udm.target.asset.hostname` UDM field. |
| | `event.idm.read_only_udm.target.application`: Newly mapped `app` raw log field to `event.idm.read_only_udm.target.application` UDM field. |
| | `event.idm.read_only_udm.target.application`: Newly mapped `application_name` raw log field (from msg) to `event.idm.read_only_udm.target.application` UDM field. |
| | `event.idm.read_only_udm.target.user.userid`: Newly mapped `duser` raw log field to `event.idm.read_only_udm.target.user.userid` UDM field. |
| | `event.idm.read_only_udm.target.user.userid`: Newly mapped `username` raw log field (from msg) to `event.idm.read_only_udm.target.user.userid` UDM field. |
| | `event.idm.read_only_udm.principal.ip`: Newly mapped `src_ip` raw log field (from KV) to `event.idm.read_only_udm.principal.ip` UDM field. |
| | `event.idm.read_only_udm.principal.ip`: Newly mapped `srcip` raw log field (from msg) to `event.idm.read_only_udm.principal.ip` UDM field. |
| | `event.idm.read_only_udm.target.ip`: Newly mapped `dvc` raw log field to `event.idm.read_only_udm.target.ip` UDM field. |
| | `event.idm.read_only_udm.target.ip`: Newly mapped `dstip` raw log field (from msg) to `event.idm.read_only_udm.target.ip` UDM field. |
| | `event.idm.read_only_udm.target.ip`: Newly mapped `tar_ip` raw log field (from msg) to `event.idm.read_only_udm.target.ip` UDM field. |
| | `event.idm.read_only_udm.metadata.description`: Newly mapped `msg` raw log field to `event.idm.read_only_udm.metadata.description` UDM field. |
| | `event.idm.read_only_udm.network.dhcp.ciaddr`: Newly mapped `ciaddr` raw log field (from msg) to `event.idm.read_only_udm.network.dhcp.ciaddr` UDM field. |
| | `event.idm.read_only_udm.network.dhcp.chaddr`: Newly mapped `chaddr` raw log field (from msg) to `event.idm.read_only_udm.network.dhcp.chaddr` UDM field. |
| | `event.idm.read_only_udm.network.dhcp.client_hostname`: Newly mapped `dhcp_hostname` raw log field (from msg) to `event.idm.read_only_udm.network.dhcp.client_hostname` UDM field. |
| | `event.idm.read_only_udm.network.dhcp.yiaddr`: Newly mapped `yiaddr` raw log field (from msg) to `event.idm.read_only_udm.network.dhcp.yiaddr` UDM field. |
| | `event.idm.read_only_udm.principal.mac`: Newly mapped `smac` raw log field (from msg) to `event.idm.read_only_udm.principal.mac` UDM field. |
| | `event.idm.read_only_udm.network.dhcp.siaddr`: Newly mapped `siaddr` raw log field (from msg) to `event.idm.read_only_udm.network.dhcp.siaddr` UDM field. |
| | `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `srcip` raw log field (from msg) to `event.idm.read_only_udm.principal.asset.ip` UDM field. |
| | `event.idm.read_only_udm.target.asset.ip`: Newly mapped `dstip` raw log field (from msg) to `event.idm.read_only_udm.target.asset.ip` UDM field. |
| | `event.idm.read_only_udm.network.dns.id`: Newly mapped `dns_id` raw log field (from msg) to `event.idm.read_only_udm.network.dns.id` UDM field. |
| | `event.idm.read_only_udm.network.dns.questions[0].name`: Newly mapped `question_name` raw log field (from msg) to `event.idm.read_only_udm.network.dns.questions[0].name` UDM field. |
| | `event.idm.read_only_udm.additional.fields`: Newly mapped `outcome` (key "Outcome"), `in` (key "in"), `out` (key "out"), `packet_mark` (key "packet_mark"), `connection_mark` (key "connection_mark"), `param_list` (key "param_list"), `max_dhcp_message_size` (key "max_dhcp_message_size"), `client_id` (key "client_id"), `action_id` (key "action_id") and `add_time` (key "add_time") raw log fields to `event.idm.read_only_udm.additional.fields` UDM field. |
| | `event.idm.read_only_udm.principal.port`: Renamed from `srcport` to `event.idm.read_only_udm.principal.port`. |
| | `event.idm.read_only_udm.target.port`: Renamed from `dstport` to `event.idm.read_only_udm.target.port`. |
| | Added grok patterns to parse the `msg` field. |
| | `event.idm.read_only_udm.metadata.event_type`: if `msg` contains "logged in", updated to USER_LOGIN; if `msg` contains "logged out", updated to USER_LOGOUT; if the message contains "dns" and `has_dns` is "true", updated to NETWORK_DNS; if the message contains "dhcp" and `has_dhcp` is "true", updated to NETWORK_DHCP; if `has_target` is "true" and the event type was not previously set, updated to NETWORK_CONNECTION. |
| | Added support for parsing CEF formatted logs. |
| | Added KV filter to parse key-value pairs from the `kv_data` field extracted from CEF. |
| | Added gsub to rename `src` to `src_ip` in `kv_data` before KV processing. |
| | Added gsub to rename `dst` to `dst_ip` in `kv_data` before KV processing. |
| 2025-02-25 | Enhancement: |
| | Added "gsub" to parse valid "client_mac" to "principal.mac". |
| 2025-02-07 | Enhancement: |
| | Changed "WORD" to "DATA" in the Grok pattern. |
| 2025-01-21 | Enhancement: |
| | Mapped "metadata.event_type" to "NETWORK_DHCP" for DHCP logs. |
| | Mapped "client_mac" to "principal.mac". |
| | When "details" has "assigned", mapped "network.dhcp.type" to "ACK". |
| | When "details" has "deassigned", mapped "network.dhcp.type" to "RELEASE". |
| | When "details" has "request", mapped "network.dhcp.type" to "REQUEST". |
| | When "details" has "offer", mapped "network.dhcp.type" to "OFFER". |
| 2025-01-20 | Enhancement: |
| | Modified the Grok pattern to parse "intermediary.hostname" data. |
| 2024-12-18 | Enhancement: |
| | Added support for the new format of syslog logs. |
| 2024-11-26 | Enhancement: |
| | Modified the Grok pattern to remove the "period" from the data. |
| | Mapped "server_name" to "target.hostname" and "target.asset. |
| 2024-11-15 | Enhancement: |
| | Mapped "action" to "security_result.action". |
| 2024-09-30 | Changed mapping for "username" from "principal.user.userid", "src.user.userid" to "target.user.userid". |
| | For the login event, mapped "metadata.event_type" to "USER_LOGIN". |
| | For the logout event, mapped "metadata.event_type" to "USER_LOGOUT". |
| | Mapped "application" to "target.application". |
| | Mapped "bytes_in" to "network.received_bytes". |
| | Mapped "bytes_out" to "network.sent_bytes". |
| | Mapped "connection_time_in_seconds", "packets_in" and "packets_out" to "security_result.detection_fields". |
| 2024-05-28 | Newly created parser. |
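The `metadata.event_type` precedence from the 2025-08-19 entry and the `network.dhcp.type` mapping from the 2025-01-21 entry, written out as an added Python example that is not the Google SecOps parser's own code. The message shapes behind the grok-style patterns, the derivation of `has_dns`/`has_dhcp`/`has_target` from a successful pattern match, and the GENERIC_EVENT fallback are assumptions; the sample messages are constructed.

```python
import re

# Constructed sample messages in MikroTik syslog style (topic prefix, then free
# text); not captured from a real device.
SAMPLE_MSGS = [
    "system,info,account user admin logged in from 192.168.88.5 via winbox",
    "system,info,account user admin logged out from 192.168.88.5 via winbox",
    "dhcp,info dhcp1 assigned 192.168.88.10 to AA:BB:CC:DD:EE:FF",
    "dhcp,info dhcp1 deassigned 192.168.88.10 from AA:BB:CC:DD:EE:FF",
    "dns,packet query from 192.168.88.10: #4213 example.com. A",
    "firewall,info forward: in:ether1 out:bridge, proto TCP (SYN), "
    "10.0.0.5:51234->192.168.88.10:443, len 60",
]
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Grok-style patterns; the message shapes are assumptions, not the parser's own.
DHCP_RE = re.compile(
    rf"\b(?P<details>assigned|deassigned|request|offer)\b(?: (?P<yiaddr>{IP}))?"
    r"(?:.*?(?P<client_mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}))?")
DNS_RE = re.compile(rf"query from (?P<srcip>{IP}): #(?P<dns_id>\d+) (?P<question_name>\S+)")
CONN_RE = re.compile(rf"(?P<srcip>{IP}):(?P<srcport>\d+)->(?P<dstip>{IP}):(?P<dstport>\d+)")
DHCP_TYPE = {"assigned": "ACK", "deassigned": "RELEASE",  # 2025-01-21 entry
             "request": "REQUEST", "offer": "OFFER"}

def map_event(msg: str) -> dict:
    """Derive the UDM fields that the change log's rules produce for one msg."""
    udm = {"metadata.description": msg}
    low = msg.lower()
    dhcp = DHCP_RE.search(msg) if "dhcp" in low else None  # has_dhcp: pattern fired
    dns = DNS_RE.search(msg) if "dns" in low else None      # has_dns: pattern fired
    conn = CONN_RE.search(msg)  # a dstip extracted from msg is what sets has_target
    if dhcp:
        udm["network.dhcp.type"] = DHCP_TYPE[dhcp["details"]]
        if dhcp["yiaddr"]:
            udm["network.dhcp.yiaddr"] = dhcp["yiaddr"]
        if dhcp["client_mac"]:  # only a well-formed client_mac reaches principal.mac
            udm["principal.mac"] = dhcp["client_mac"].lower()
    if dns:
        udm["principal.ip"] = dns["srcip"]
        udm["network.dns.id"] = dns["dns_id"]
        udm["network.dns.questions[0].name"] = dns["question_name"].rstrip(".")
    if conn:
        udm["principal.ip"], udm["principal.port"] = conn["srcip"], int(conn["srcport"])
        udm["target.ip"], udm["target.port"] = conn["dstip"], int(conn["dstport"])
    # Precedence as listed in the 2025-08-19 entry: NETWORK_CONNECTION applies only
    # when nothing earlier set the type; the GENERIC_EVENT fallback is assumed.
    rules = [("logged in" in low, "USER_LOGIN"), ("logged out" in low, "USER_LOGOUT"),
             (bool(dns), "NETWORK_DNS"), (bool(dhcp), "NETWORK_DHCP"),
             ("target.ip" in udm, "NETWORK_CONNECTION")]
    udm["metadata.event_type"] = next((t for hit, t in rules if hit), "GENERIC_EVENT")
    return udm
```

Running `map_event` over `SAMPLE_MSGS` yields one classified UDM dict per message, which is a quick way to check that a new grok pattern does not shift a message into the wrong event type.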